CRAdarCheck

CRA vs NIS2: which EU cybersecurity law applies to you?

The two regimes get confused constantly. One regulates products, the other regulates organizations. Plain-language decision guide with the four cases that trip everyone up.

Updated 2026-07-03

The one-sentence version

The CRA regulates products (software and hardware you supply to others); NIS2 regulates organizations (entities operating critical or important services). You can be under one, both, or neither — and the tests are completely different.

The core differences

  • Trigger: CRA: placing a product with digital elements on the EU market. NIS2: being a medium-sized or large entity in a sector listed in Annex I or II of the directive (energy, health, digital infrastructure, cloud providers, managed service providers, and so on).
  • Who it binds: CRA: any manufacturer worldwide whose product reaches EU users, with no size floor (importers and distributors carry lighter duties of their own). NIS2: entities established or operating in the EU with at least 50 employees or more than €10M in annual turnover or balance sheet total; some entity types (for example DNS service providers, TLD registries and trust service providers) are in scope regardless of size.
  • Object: CRA: the product's security lifecycle (secure development, SBOM, security updates for the support period, vulnerability handling, conformity assessment and CE marking). NIS2: the organization's risk management, management-board governance, supply-chain security and incident response.
  • Reporting: both start with a 24-hour early warning, but to different regimes and about different things. CRA: actively exploited vulnerabilities and severe incidents affecting the product's security, filed through the ENISA single reporting platform (24h early warning, 72h notification, final report within 14 days for vulnerabilities and one month for incidents). NIS2: significant incidents affecting the service, filed with your national CSIRT or competent authority (24h early warning, 72h notification, final report within one month).
  • Penalties: CRA up to €15M or 2.5% of worldwide annual turnover, whichever is higher. NIS2 up to €10M or 2% for essential entities and €7M or 1.4% for important entities, with personal liability of the management body on top.

The four cases that trip everyone up

  • Pure SaaS, small company: usually neither. The CRA does not cover services as such, and NIS2 has size floors. Two caveats: ship one installable component (CLI, agent, mobile app) and the CRA applies to that component regardless of company size; and a hosted back end that a product cannot function without counts as "remote data processing" and is assessed as part of that product.
  • Cloud provider / MSP: NIS2 as an organization (digital infrastructure and ICT service management are listed sectors, and some entity types are in scope without a size floor), and the CRA additionally for any product you supply (agents, appliances, client software).
  • Software vendor selling to NIS2 entities: your customers' NIS2 supply-chain duties land on you contractually, as SBOM requests, disclosure-policy requirements and security attestations, even though NIS2 never names you. Combined with the CRA covering your product itself, you effectively answer to both.
  • Open-source maintainer: outside the CRA as long as the software is not supplied in the course of a commercial activity; foundations and similar bodies that systematically support open-source development fall under the lighter "open-source software steward" regime rather than the full manufacturer duties. NIS2 does not apply to individuals at all. The pressure arrives via downstream users instead, because their CRA and NIS2 duties do not stop at your licence.

Which one should you work on first?

If you ship installable software: the CRA, because it has hard product-level deadlines (vulnerability and incident reporting from 11 September 2026, full application on 11 December 2027) and no size exemption. NIS2 is already in force, but it only bites if you are in scope as an organization. The overlap is real, though: an SBOM pipeline, a coordinated vulnerability disclosure (CVD) policy and an incident-response process with 24h/72h escalation paths serve both regimes. Build them once.

Not sure where your product lands? The free Risk Check resolves the CRA side in 3 minutes.

Where do you stand today?

Run the free 3-minute Risk Check: scope verdict, risk class, readiness score, prioritized fixes.


Educational guidance on Regulation (EU) 2024/2847 — not legal advice.