
Cyber Resilience Act vs. NIS 2 Directive

Two pillars of the EU cybersecurity strategy compared side by side

  • CRA (EU product regulation): Governs what a product with digital elements must be capable of before being placed on the EU market
  • NIS 2 (EU directive for operators): Governs how organizations in critical sectors must manage their cybersecurity

NIS 2 compliance does not replace CRA conformity. Both frameworks address entirely different obligations. Many companies are subject to both simultaneously.


You comply with NIS 2 — what else do you need for CRA?

NIS 2 compliance provides a solid organizational foundation. However, CRA conformity for your products requires additional product-specific requirements. This gap analysis shows what you already have and what's still missing.

CRA Requirement / Coverage by NIS 2 Directive
Risk management processes
Partial

NIS 2 Art. 21 establishes organizational risk management. The CRA requires a product-specific cyber risk assessment per Art. 13(2) — your methodology needs to be extended to the product level.

Incident reporting processes
Partial

NIS 2 reporting processes to national CSIRTs exist. The CRA additionally requires reporting actively exploited product vulnerabilities to ENISA — different triggers, different platform, different deadlines.

Supply chain awareness
Partial

NIS 2 Art. 21(2)(d) requires supply chain security. The CRA additionally demands a product-specific SBOM and due diligence for third-party components in the product.

Product-level security requirements (Annex I)
Not covered

NIS 2 sets no requirements for product security properties. CRA Annex I defines concrete technical requirements: protection against unauthorized access, data integrity, secure default configuration, and more.

SBOM creation & maintenance
Not covered

NIS 2 contains no SBOM obligation. The CRA requires a machine-readable Software Bill of Materials for every product with digital elements (Annex I Part II in conjunction with Art. 13).

Product vulnerability handling & disclosure
Not covered

NIS 2 governs organizational vulnerability management. The CRA requires a documented vulnerability handling policy for each product throughout the entire support period (Art. 13(6)).

Conformity assessment & CE marking
Not covered

NIS 2 has no conformity assessment in the CRA sense. Manufacturers must complete the CRA conformity assessment procedure (Annex VIII) and affix the CE marking.

Support period declaration
Not covered

The CRA obliges manufacturers to define and communicate a support period during which security updates are provided (minimum 5 years).

Product-specific technical documentation
Not covered

The CRA requires comprehensive technical documentation per Annex VII, including security architecture, risk assessment, and test reports — not part of NIS 2.

01 Product Security vs. Organizational Security

The CRA regulates what a product must be capable of — NIS 2 regulates how an organization must manage cybersecurity. Both apply simultaneously to many companies.

  • CRA (Annex I): Product security — protection against unauthorized access, data integrity, availability, update capability
  • NIS 2 (Art. 21): 10 organizational minimum measures — risk analysis, incident handling, supply chain security, cryptography
  • Perspective: CRA = product market access, NIS 2 = operator resilience

02 Supply Chain Security from Two Perspectives

Both frameworks address supply chain security — from different angles. Companies subject to both must meet both sets of requirements.

  • CRA (Art. 13(5)): Bottom-up — assess risks from third-party components, create SBOM (Annex I Part II)
  • NIS 2 (Art. 21(2)(d)): Top-down — ensure security of the entire supply chain including supplier relationships
  • Synergy: CRA-compliant products make it easier for NIS 2 operators to fulfill their supply chain obligations
  • CRA (bottom-up via SBOM): Transparency over every software component in the product through machine-readable Software Bills of Materials, plus vulnerability monitoring across the entire supply chain.
  • NIS 2 (top-down via risk management): Systematic assessment of supplier risks, contractual security requirements, and regular review of supply chain security as part of organizational risk management.
  • Synergy effect: CRA-compliant products make it easier for NIS 2 operators to fulfill their supply chain obligations. Conversely, CRA manufacturers benefit when their suppliers are NIS 2-compliant.

03 Reporting Obligations Compared

Both frameworks introduce strict reporting obligations but differ in trigger, addressee, and timelines. Art. 14(8) CRA envisions harmonization of reporting channels.

  • CRA (Art. 14): Manufacturer reports actively exploited vulnerabilities to ENISA — 24h early warning, 72h full notification, via Single Reporting Platform (from Sept. 2026)
  • NIS 2: Operator reports significant incidents to national CSIRT — 24h early warning, 72h full notification, final report after 1 month
  • Dual applicability: Different reporting channels and forms require coordinated internal processes

04 Dual Applicability: When Do Both Frameworks Apply?

Numerous companies will be subject to both frameworks simultaneously. Integrated compliance management is economically essential.

  • ICS manufacturers: CRA-obligated as product manufacturers, NIS 2-obligated in the Digital Infrastructure or Manufacturing sector
  • Cloud/SaaS providers: SaaS products fall under the CRA, cloud infrastructure under NIS 2
  • Shared processes: Risk assessment, vulnerability management, and documentation serve both requirement catalogs
  • Critical product manufacturers: Companies manufacturing Class I or Class II products (Annex III/IV CRA) while also operating in one of the 18 NIS 2 sectors.
  • Cloud and SaaS providers: Cloud service providers whose platform falls under NIS 2 and who simultaneously distribute software products within the meaning of the CRA.
  • Network and IoT manufacturers: Manufacturers of routers, firewalls, and IoT gateways who are subject to the CRA as manufacturers and to NIS 2 as providers of digital infrastructure.

Synergies Between the CRA and NIS 2

Despite different regulatory subjects, there are significant overlaps that companies can leverage strategically.

Shared Risk Assessment

The CRA risk assessment pursuant to Art. 13(2) and the NIS 2 risk analysis pursuant to Art. 21(2)(a) can build on each other methodologically. A product-focused risk analysis can be integrated into organizational risk management.

Vulnerability Management as a Core Competency

The CRA requires vulnerability handling throughout the product lifecycle (Art. 13(6)). NIS 2 demands vulnerability management as an organizational measure (Art. 21(2)(e)). A centralized vulnerability management system serves both requirements.

Convergence of Reporting Channels

The EU is working on a Single Reporting Platform that consolidates CRA and NIS 2 notifications. Companies should already establish unified internal reporting processes.

Supply Chain Resilience

CRA-compliant SBOMs and vulnerability transparency strengthen NIS 2 supply chain security. Conversely, NIS 2-compliant suppliers enhance CRA compliance across the entire value chain.

Your Next Steps

1. Create product SBOM (high priority)

Implement SBOM generation in your build process. Use CycloneDX or SPDX and capture all dependencies down to the package level.
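As an added illustration of this step (example code, not from the page or from any SBOM tool it mentions): a minimal CycloneDX 1.5 generator that turns a pinned Python dependency list into a machine-readable SBOM with package-URL identifiers, refuses unpinned entries, and checks that every component is identified down to the package level. The product name, version and the requirements content are constructed sample values.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input in `pip freeze` style (not real project data).
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
urllib3==2.2.2
# comment lines are ignored
certifi==2024.7.4
"""

def parse_pinned(text):
    """Return [(name, version)] for each 'name==version' line; comments/blanks skipped."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            # An SBOM must name exact versions; a range cannot be matched to advisories.
            raise ValueError(f"unpinned dependency, SBOM needs exact versions: {line}")
        name, version = (s.strip() for s in line.split("==", 1))
        deps.append((name.lower(), version))
    return deps

def build_cyclonedx(product_name, product_version, deps):
    """Build a minimal CycloneDX 1.5 JSON document; each component carries a purl."""
    components = []
    for name, version in deps:
        purl = f"pkg:pypi/{name}@{version}"
        components.append({"type": "library", "bom-ref": purl, "name": name,
                           "version": version, "purl": purl})
    product_ref = f"{product_name}@{product_version}"
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(),
                     "component": {"type": "application", "bom-ref": product_ref,
                                   "name": product_name, "version": product_version}},
        "components": components,
        # Flat graph: the product depends directly on every listed package.
        "dependencies": [{"ref": product_ref, "dependsOn": [c["bom-ref"] for c in components]}],
    }

def check_package_level(bom):
    """Return names of components that lack a version or purl (not package-level identifiable)."""
    return [c.get("name", "?") for c in bom["components"] if not c.get("version") or not c.get("purl")]

if __name__ == "__main__":
    bom = build_cyclonedx("example-gateway", "1.4.0", parse_pinned(SAMPLE_REQUIREMENTS))
    print(json.dumps(bom, indent=2), "missing package-level identifiers:", check_package_level(bom))
```

In a real build pipeline the dependency list would come from the resolver's lockfile and transitive packages would be nested under their parents in the dependencies graph.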

2. Build product vulnerability management (high priority)

Establish a documented process for detecting, assessing, remediating, and disclosing vulnerabilities in your products — not just in your IT infrastructure.

3. Prepare technical documentation (high priority)

Create CRA conformity documentation per Annex VII: product description, security architecture, risk assessment, test reports, and SBOM.

4. Conduct conformity assessment (medium priority)

Determine the CRA classification of your products (Default, Class I, Class II) and plan the corresponding conformity assessment pathway per Annex VIII.

Frequently Asked Questions

Can a company be subject to both the CRA and NIS 2 simultaneously?

Yes, and this will frequently be the case in practice. A manufacturer of products with digital elements is subject to the CRA once it places products on the EU market. If the same company falls within one of the 18 NIS 2 sectors — for example as a provider of digital infrastructure, in the manufacturing sector, or in healthcare — NIS 2 obligations apply additionally. Both frameworks have their own requirement catalogs, reporting obligations, and sanction mechanisms. An integrated compliance approach is therefore not just sensible but economically necessary.

Does CRA compliance help with NIS 2 implementation?

To a significant extent. The CRA requirements for vulnerability management, security updates, and documentation create a solid foundation for the NIS 2 risk management measures under Art. 21. Companies that develop their products in a CRA-compliant manner will have already implemented essential technical cybersecurity measures that can feed into the NIS 2-compliant ISMS. In particular, the CRA obligation to create SBOMs and conduct continuous vulnerability monitoring supports the NIS 2 requirement for supply chain security and vulnerability management.

What is the difference in penalties between the CRA and NIS 2?

The CRA provides in Art. 64 for fines of up to EUR 15 million or 2.5% of global annual turnover — whichever is higher. This applies to violations of the essential cybersecurity requirements in Annex I. NIS 2 differentiates: for essential entities, fines of up to EUR 10 million or 2% of annual turnover can be imposed; for important entities, up to EUR 7 million or 1.4%. Additionally, NIS 2 provides for personal liability of management bodies (Art. 20(1)), which is not provided for in the CRA in this manner.

How do the reporting obligations differ in practice?

The key difference lies in the trigger and the addressee. The CRA obliges manufacturers to report actively exploited vulnerabilities in their products to ENISA within 24 hours (Art. 14 CRA). NIS 2 obliges operators to report significant security incidents in their operations to the competent national CSIRT — with an early warning within 24 hours, a full notification within 72 hours, and a final report within one month. For a company that must comply with both frameworks, a unified incident response process covering both reporting channels is recommended.

What role does supply chain security play in both frameworks?

Both frameworks emphasize supply chain security, but from different perspectives. The CRA requires manufacturers to consider risks from third-party components in their risk analysis and to create a Software Bill of Materials (SBOM) that makes all software dependencies transparent (Art. 13(5) and Annex I Part II). NIS 2 requires operators to assess the security of their entire supply chain — including contractual security requirements for suppliers (Art. 21(2)(d)). In practice, both requirements reinforce each other: CRA-compliant products with transparent SBOMs make it easier for NIS 2 operators to assess supply chain risks.

Has NIS 2 been transposed into national law in Germany?

The transposition deadline for the NIS 2 Directive expired on 17 October 2024. Germany presented a draft with the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which as of March 2026 has not yet fully completed the legislative process. Similar delays exist in other Member States. The CRA, in contrast, is directly applicable as an EU Regulation and requires no national transposition. Companies should nonetheless prepare for both frameworks, as NIS 2 transposition in most Member States is foreseeable and retroactive obligations may arise.

Which products are exempt from the CRA?

Not all products with digital elements fall under the CRA. Explicitly exempt are: medical devices and in vitro diagnostics (MDR/IVDR), motor vehicles and their type-approval (UN ECE R155/R156), aviation products, products for national security or defense, and certain open-source software not made available in the course of a commercial activity. If your product falls under one of these exemptions, the respective sector-specific cybersecurity requirements apply instead of the CRA.

Master CRA and NIS 2 — with one platform

Kunnus helps you systematically meet CRA requirements while leveraging synergies with NIS 2 compliance. Start with a free initial assessment.
