The Cyber Resilience Act vs NIS2: Two EU Cybersecurity Laws, One Critical Question
The NIS2 Directive and the Cyber Resilience Act are not two versions of the same obligation. The EU designed them to govern entirely different ground. Knowing which one applies to you — and why — is not straightforward.
Two Laws, Two Different Questions
The EU’s cybersecurity framework is deliberately layered. NIS2 and the CRA occupy adjacent but distinct positions within it, and the distinction matters enormously for what compliance actually requires of your organisation.
In short, the CRA deals with product security, while NIS2 concerns the security of critical sectors and services. They are not interchangeable, and they are not cumulative in the way many assume. The CRA explicitly aims to harmonise the EU regulatory landscape and avoid overlapping requirements stemming from different pieces of legislation. Non-duplication is a design principle — specifically, the same type of obligation is not imposed twice on the same activity. A company can carry distinct CRA product obligations and NIS2 organisational obligations simultaneously; what the framework avoids is duplicating the same requirement across both instruments.
But that does not mean the picture is simple.
NIS2: The Organisational Framework
NIS2 (Directive EU 2022/2555) entered into force on 16 January 2023. Member states were required to transpose it into national law by 17 October 2024, and to apply it from 18 October 2024. It targets organisations operating essential or important services across critical sectors — energy, transport, health, banking, digital infrastructure, public administration, and others — and imposes obligations around governance, risk management, incident reporting, and supply chain security.
Because NIS2 is a directive rather than a regulation, it must be transposed into national law by each member state, and its precise requirements vary across EU jurisdictions. As of early 2026, several major member states had still not completed transposition — creating real compliance complexity for organisations operating across borders.
NIS2 does not care what products you sell. It governs how you run your operations.
The CRA: The Product Framework
The Cyber Resilience Act (Regulation EU 2024/2847) entered into force in December 2024, with full obligations applying from December 2027. It targets anyone placing a product with digital elements on the EU market — manufacturers, importers, and distributors of connected hardware or software.
Unlike NIS2, the CRA is a regulation and is directly applicable in all member states without national transposition. No jurisdictional variation. If you sell a qualifying product in the EU, it applies to you — regardless of where you are based.
The CRA does not care how you run your organisation. It governs what you put on the market and how you support it throughout its life.
Which Lane Are You In?
The EU designed these frameworks to be non-duplicative on the same type of obligation. Software that is a service — not placed on the market as a product — falls outside CRA scope; in that case, NIS2 may apply to the organisation providing it. Software that is developed in-house but shipped as part of a product placed on the market is squarely in CRA scope. “Developed in-house” is not in itself a CRA exclusion — the relevant test is whether the software is placed on the market as part of a product with digital elements.
A pure product manufacturer with no essential service footprint falls only under the CRA. A pure service operator in a critical sector falls only under NIS2.
Where it gets complicated is the edge: a manufacturing firm may be covered by NIS2 as an important entity required to manage cyber risks in its own operations, and also need to comply with the CRA because it produces digital products for the market. Two distinct sets of obligations on the same company — but never the same obligation twice.
There is a further layer. Certain sector-specific EU frameworks — medical devices, aviation, automotive — can take precedence over the CRA for products within their scope. The CRA’s own provisions recognise that where other Union harmonisation legislation sets requirements achieving at least the same level of protection as the CRA’s essential requirements, those sector-specific rules apply. Determining whether and to what extent a sector-specific regime displaces CRA obligations for your products is not a question with an obvious answer.
Key Differences at a Glance
| | NIS2 | CRA |
|---|---|---|
| What it regulates | Organisations | Products |
| Triggered by | Sector + size | Placing a product on the EU market |
| Legal instrument | Directive — requires national transposition | Regulation — directly applicable EU-wide |
| Entry into force | 16 January 2023 | 10 December 2024 |
| Applies from | 18 October 2024 (transposition deadline 17 October 2024) | 11 December 2027 (full obligations) |
| Core obligation | Secure operations, governance, incident reporting | Secure product design, lifecycle management, CE marking |
| Incident reporting | Entity reports to national authority | Manufacturer reports to ENISA |
| Penalties | Up to €10M or 2% of global turnover | Up to €15M or 2.5% of global turnover |
Key Dates
| Date | What happens |
|---|---|
| 16 January 2023 | NIS2 entered into force |
| 18 October 2024 | NIS2 applies — member states required to apply their transposing laws from this date (transposition deadline 17 October 2024) |
| 11 September 2026 | CRA incident reporting obligations begin |
| 11 December 2027 | CRA full compliance mandatory |
The Question Worth Asking Now
Most organisations find that identifying their regulatory position is harder than it first appears. The sector and size thresholds for NIS2, the product scope boundaries of the CRA, the interaction with sector-specific regimes, the variation in national transpositions — each of these is a substantive question, not a checkbox.
Getting it wrong in either direction carries real consequences: either missing obligations that apply, or building compliance programmes around frameworks that don’t.
Figuring out which of these frameworks applies to your organisation — and what that actually means — is where we start.