# CRA vs NIS2: which one applies to you (and when both do)

Source: https://scadable.com/blog/cra-vs-nis2
Published: 2026-07-07

---

**The CRA and NIS2 regulate different things. The Cyber Resilience Act regulates products with digital elements placed on the EU market and binds their manufacturers, with no size threshold. NIS2 regulates organisations in critical sectors, so-called essential and important entities, and binds how they run their own operational security. A connected-device company can sit under both at once, the product under the CRA and the company under NIS2.**

The confusion is understandable, because both arrived in the same EU cybersecurity push and both talk about incident reporting and risk management. But they attach to different subjects. The CRA, [Regulation (EU) 2024/2847](https://eur-lex.europa.eu/eli/reg/2024/2847/oj), entered into force on 10 December 2024 and follows the product wherever it is sold in the EU; our [Cyber Resilience Act framework page](/frameworks/cyber-resilience-act) covers its full scope. NIS2, Directive (EU) 2022/2555, follows the organisation, and only if that organisation is in one of the listed sectors.

## What is the difference between the CRA and NIS2?

The shortest accurate version: the CRA asks "is this product secure and supported?", NIS2 asks "is this organisation running its operations securely?". The CRA puts obligations on manufacturers (and importers and distributors) of hardware and software with digital elements: secure-by-design development, a Software Bill of Materials, vulnerability handling, security updates through the support period, conformity assessment, and CE marking. NIS2 puts obligations on essential and important entities in sectors like energy, transport, health, digital infrastructure, and certain manufacturing categories: risk-management measures, management accountability, supply-chain security, and incident reporting for incidents affecting their services.

A useful test: if you removed your product from the market tomorrow, your CRA obligations for new placements would stop. Your NIS2 obligations, if you have them, would not, because they attach to your company, not to what you ship.

## CRA vs NIS2 at a glance

| | CRA | NIS2 |
| --- | --- | --- |
| Legal form | Regulation (EU) 2024/2847, applies directly in every member state | Directive (EU) 2022/2555, applies through national transposing laws |
| Regulates | Products with digital elements placed on the EU market | Organisations (essential and important entities) in listed critical sectors |
| Who is bound | Manufacturers, importers, distributors, regardless of company size or location | In-scope organisations, generally medium-sized and above, in the listed sectors |
| Core obligations | Secure by design, SBOM, vulnerability handling, security updates, conformity assessment, CE marking | Risk-management measures, management accountability, supply-chain security, incident reporting |
| Reporting trigger | Actively exploited vulnerability or severe incident in the product, 24-hour early warning | Significant incident affecting the entity's services, 24-hour early warning |
| Key dates | In force 10 December 2024, reporting from 11 September 2026, full requirements 11 December 2027 | National transposition deadline was 17 October 2024, national regimes apply now |
| Maximum fines | Up to 15 million EUR or 2.5% of global annual turnover for essential-requirement violations | Up to 10 million EUR or 2% of global annual turnover for essential entities, 7 million EUR or 1.4% for important entities |

For what the CRA fine tiers mean in practice, and why the market-access powers behind them matter more, see [CRA penalties and fines](/blog/cra-penalties-and-fines).

## Does the CRA apply to my company or my product?

Your product. The CRA has no size threshold and no sector list: if you place a product with digital elements on the EU market commercially, you carry manufacturer obligations for it, whether you are a three-person firmware startup or a multinational. That is the opposite shape from NIS2, which starts from a sector list and size thresholds and can leave a small device maker entirely out of scope as an organisation. Who counts as a manufacturer, importer, or distributor under the CRA is its own question; [who does the CRA apply to](/blog/who-does-the-cra-apply-to) walks through the roles.

## Does NIS2 apply to device manufacturers at all?

Sometimes, and this is where the two overlap. NIS2's annexes include manufacturing categories, for example manufacturers of medical devices, computers and electronics, machinery, and motor vehicles, as important entities when they meet the size thresholds. So a mid-sized medical-device manufacturer can be an important entity under NIS2 for how it runs its own factories, networks, and incident response, while every device it ships is separately covered by the CRA. Two regimes, two subjects, one company.

## When do both apply, and do they double the work?

Both apply when an in-scope organisation also places products with digital elements on the EU market. The obligations do not merge, but they overlap usefully. The same underlying capabilities, knowing what you run and what you ship, monitoring vulnerabilities, being able to report within 24 hours, serve both. The reporting duties stay distinct though: a CRA report concerns an actively exploited vulnerability or severe incident in your product and goes via your CSIRT and ENISA from 11 September 2026, while a NIS2 report concerns a significant incident affecting your services under your national regime. One event can trigger both. The mechanics of the CRA side are covered in [CRA vulnerability reporting under Article 14](/blog/cra-vulnerability-reporting-article-14).

## Which one should I prioritise?

If you make connected products, the CRA, for three reasons. It applies to you no matter your size or sector. Its first hard deadline, the 24-hour reporting obligation from 11 September 2026, is operational and cannot be back-filled with paperwork. And it is checked at the point of sale: conformity is what your EU customers and their procurement teams will ask for, so it is the one that decides whether you can sell. If your organisation is also a NIS2 entity, treat NIS2 as the second track and reuse the same inventory, monitoring, and reporting muscle. If you are comparing the CRA against EU data law instead, we cover that split in [GDPR vs the Cyber Resilience Act](/blog/gdpr-vs-cyber-resilience-act).

## Frequently asked questions

**What is the difference between the CRA and NIS2?** The CRA, Regulation (EU) 2024/2847, regulates products with digital elements placed on the EU market and puts obligations on their manufacturers. NIS2, Directive (EU) 2022/2555, regulates organisations in critical sectors, called essential and important entities, and puts obligations on how those organisations run their own security. One is product law, the other is organisational law.

**Can a company be subject to both the CRA and NIS2?** Yes. A manufacturer of connected devices is under the CRA for every product it places on the EU market, and if the company itself operates in a NIS2 sector, for example certain manufacturing categories or digital infrastructure, it is also an essential or important entity under NIS2 for its own operations.

**Does NIS2 apply to product manufacturers?** NIS2 can apply to a manufacturer as an organisation if it falls into one of the listed sectors and meets the size thresholds, but NIS2 does not regulate the products themselves. Product-level cybersecurity requirements come from the CRA, which applies regardless of company size or sector.

**Which should a device company prioritise, CRA or NIS2?** For most connected-product companies the CRA, because it applies to every product placed on the EU market with no size threshold, and its 24-hour reporting obligation applies from 11 September 2026. NIS2 only applies if your organisation is in scope as an essential or important entity, which many smaller device makers are not.

**Is NIS2 already in force?** NIS2 is a directive, so it applies through national laws. Member states were required to transpose it by 17 October 2024, and national NIS2 regimes are being enforced now. The CRA is a regulation, so it applies directly in every member state without transposition, with its obligations phasing in through 2026 and 2027.

Last reviewed: July 7, 2026.

## Where Scadable fits

Scadable is the compliance engine for connected-product companies, and the CRA is exactly the product-side obligation it runs: it identifies what is actively exploited across your fleet, fixes it, files the report inside the 24-hour window, and keeps you certified. The same live inventory and reporting muscle carries over if NIS2 applies to your organisation too. Run the free two minute [CRA readiness check](/cra-readiness-check) to see which obligations apply to your product, or [book a walkthrough](https://cal.com/rahbaral/quick-chat).