CRA vs NIS2: What Is the Difference?
Two major EU cybersecurity regulations are reshaping how European businesses approach security: the Cyber Resilience Act (CRA) and the Network and Information Security Directive (NIS2). NIS2 has applied since October 2024 (wherever national transposition is in place), the CRA's first obligations bite in September 2026, both carry significant penalties, and both require action now. But they target fundamentally different things.
Here is how they differ and what it means for your organization.
The Core Difference
NIS2 regulates organizations. It requires essential and important entities to implement cybersecurity risk management measures within their own operations.
The CRA regulates products. It requires manufacturers to build cybersecurity into the products with digital elements that they place on the EU market.
A software company could be subject to both: NIS2 for how they secure their own infrastructure, and CRA for the security of the software they sell to customers.
What NIS2 Requires
NIS2 (Directive (EU) 2022/2555) replaces the original NIS Directive from 2016. It applies to essential entities (broadly, larger organizations in high-criticality sectors such as energy, transport, healthcare, banking, water and digital infrastructure) and important entities (postal services, waste management, chemicals, food production, manufacturing, digital providers, and medium-sized organizations in the high-criticality sectors). Whether a given organization is essential or important depends on both its sector and its size.
Key requirements include:
Cybersecurity risk management measures (risk analysis, incident handling, supply chain security, encryption, access control)
Incident reporting to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month
Supply chain security, including the security of relationships with direct suppliers and service providers
Policies and procedures to assess the effectiveness of the measures, including regular audits and testing
Management body accountability with mandatory cybersecurity training for leadership
Member states must transpose NIS2 into national law, so the exact scope, thresholds and sanctions vary by country. Enforcement is through national competent authorities, not directly by the EU.
What the CRA Requires
The CRA (Regulation 2024/2847) applies to manufacturers, importers, and distributors of products with digital elements placed on the EU market — regardless of where the company is based.
Key requirements include:
Secure design and development practices
A Software Bill of Materials (SBOM) in a commonly used, machine-readable format, covering at least the product's top-level dependencies
Vulnerability handling processes throughout the support period, which must be at least five years unless the product is expected to be in use for less
Reporting of actively exploited vulnerabilities, and of severe incidents affecting product security, through the single reporting platform to the CSIRT designated as coordinator and to ENISA: early warning within 24 hours, notification within 72 hours
CE marking and conformity assessment
Technical documentation and EU Declaration of Conformity
The CRA is a regulation, meaning it applies directly across all EU member states without transposition.
Reporting Obligations Compared
Both regulations use the same rhythm: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, then a final report. They differ in what triggers the clock and who receives the report.
Under NIS2, entities report significant incidents affecting their own services to their national CSIRT or competent authority, with a final report within one month. Under the CRA, manufacturers report actively exploited vulnerabilities in their products, and severe incidents having an impact on product security, through the single reporting platform to the CSIRT designated as coordinator and to ENISA. The final report is due within 14 days of a corrective or mitigating measure becoming available for a vulnerability, and within one month for an incident.
NIS2 reporting covers operational incidents affecting service delivery. CRA reporting covers the product: vulnerabilities that are being exploited in the wild and incidents that compromise its security. The two can overlap. If an actively exploited vulnerability in a product you manufacture is also used to cause a significant incident in your own NIS2-regulated operations, both clocks start at once and each regime wants its own notification.
Penalties Compared
NIS2: For essential entities, fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, up to EUR 7 million or 1.4%, whichever is higher. These are minimum maxima that member states must provide for in national law. Management bodies can be held liable, and for essential entities authorities can temporarily ban individuals from management functions.
CRA: For non-compliance with the essential requirements or with the manufacturer's obligations (including reporting), up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher. For other non-compliance, up to EUR 10 million or 2%. For supplying incorrect, incomplete or misleading information to authorities, up to EUR 5 million or 1%. Market surveillance authorities can also order non-compliant products withdrawn or recalled from the EU market.
Key Deadlines
NIS2 applies from 18 October 2024; the transposition deadline was 17 October 2024. Member states are at various stages of implementing it into national law, and several have been late, but the obligations are already live wherever transposition is complete. Organizations in scope should already be working toward compliance.
The CRA entered into force on 10 December 2024. Its reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the regulation applies in full from 11 December 2027, when products placed on the market must meet the essential requirements and carry CE marking. See our CRA compliance checklist for preparation steps.
Do Both Apply to You?
If you are a software company that sells products to EU customers AND your operations fall under an essential or important sector, both apply. NIS2 governs your internal security posture. The CRA governs the security of your products.
If you only develop products but your operations do not fall under NIS2 sectors, only the CRA applies.
If you are a service provider that does not place products with digital elements on the market but operates in a NIS2 sector, only NIS2 applies. Even where only one regime applies directly, expect the other to reach you through contracts: NIS2 entities must manage supply chain risk, so they will ask their product suppliers for SBOMs and vulnerability handling evidence whether or not those suppliers are in CRA scope.
How to Address Both
Many of the same practices serve both regulations. Vulnerability management, incident response, supply chain security, and security documentation are required by both.
Do not sequence the two by deadline alone. If NIS2 applies to you, its obligations are already in force where transposed, so that work cannot wait. For the CRA, the first hard date is 11 September 2026, and a 24-hour early warning on that date presupposes that you can already tell which of your products contain a given vulnerable component, so the SBOM and vulnerability monitoring infrastructure has to exist well before then. That same infrastructure also strengthens your NIS2 supply chain posture.
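As an added illustration of that infrastructure (this is example code written for this article, not Complaro's product and not text from either regulation), the following Python script matches a CycloneDX-style SBOM against a vulnerability feed and, for every match flagged as actively exploited, computes the CRA Article 14 early-warning and notification deadlines. The SBOM, the advisory feed and the advisory IDs (ADV-0001 and so on) are constructed for the example; it assumes advisories are keyed by package URL with a half-open affected version range [introduced, fixed), and it handles only numeric dotted versions. Real feeds such as OSV have richer range semantics.

```python
"""Added example: match an SBOM against a vulnerability feed and start the
CRA Article 14 reporting clock for actively exploited matches.

Assumptions (labelled here and in the lead-in): the SBOM and advisory feed are
constructed test data; advisory IDs are placeholders, not real CVEs; version
ranges are half-open [introduced, fixed); only numeric dotted versions are
compared. Standard library only.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX 1.5-style SBOM listing top-level dependencies only
# (the CRA's minimum). Not a real product's SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.3.0",
     "purl": "pkg:pypi/examplelib@1.3.0"},
    {"type": "library", "name": "widgetkit", "version": "2.5.0",
     "purl": "pkg:npm/widgetkit@2.5.0"},
    {"type": "library", "name": "tlswrap", "version": "0.9.1",
     "purl": "pkg:cargo/tlswrap@0.9.1"}
  ]
}
"""

# Constructed advisory feed; IDs are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:pypi/examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2", "actively_exploited": True},
    {"id": "ADV-0002", "purl": "pkg:npm/widgetkit",
     "introduced": "2.0.0", "fixed": "2.3.0", "actively_exploited": False},
    {"id": "ADV-0003", "purl": "pkg:cargo/tlswrap",
     "introduced": "0.9.0", "fixed": "0.9.1", "actively_exploited": True},
]


def parse_version(text):
    """Numeric dotted version -> tuple for ordering. No pre-release handling."""
    return tuple(int(part) for part in text.split("."))


def split_purl(purl):
    """Split 'pkg:type/name@version?qualifiers#subpath' into (base, version).

    Assumes any '@' inside the namespace is percent-encoded, as the purl
    spec requires, so the first '@' introduces the version.
    """
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0] if rest else None
    return base, version


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that is affected."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        base, version = split_purl(component["purl"])
        if version is None:
            continue  # an unversioned component cannot be assessed
        for adv in advisories:
            if adv["purl"] == base and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "purl": component["purl"],
                    "advisory": adv["id"],
                    "actively_exploited": adv["actively_exploited"],
                })
    return findings


def cra_deadlines(aware_at):
    """Article 14 clock for an actively exploited vulnerability: early warning
    within 24 h and notification within 72 h of becoming aware. The final
    report (14 days after a fix is available) needs a fix date, so it is
    not computed here."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "notification": aware_at + timedelta(hours=72),
    }


def triage(sbom_json, advisories, aware_at):
    """Findings, with reporting deadlines attached where the advisory is
    flagged as actively exploited."""
    report = []
    for finding in match_sbom(sbom_json, advisories):
        entry = dict(finding)
        if finding["actively_exploited"]:
            entry.update(cra_deadlines(aware_at))
        report.append(entry)
    return report


def example_report():
    """Run triage on the constructed data at a fixed UTC awareness time."""
    aware_at = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)
    return triage(SBOM_JSON, ADVISORIES, aware_at)


if __name__ == "__main__":
    for entry in example_report():
        print(entry)
```

On the constructed data only examplelib 1.3.0 is flagged: widgetkit 2.5.0 is past the fixed version and tlswrap 0.9.1 is exactly the fixed version, which the half-open range excludes. In practice the matching step is the easy part; the hard part is knowing which shipped product versions contain the component, which is why the SBOM has to be produced per release and kept, not generated once.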
Complaro helps engineering teams automate CRA compliance, from SBOM analysis to vulnerability intelligence to ENISA reporting. Join the waitlist to get started.