CRA Product Classes Compliance

CRA and NIS2: Where Cybersecurity Regulations Overlap for Product Companies

Understanding how CRA and NIS2 interact. A practical guide for organizations that manufacture products and operate critical services.

CRA Evidence Team
Author
January 15, 2026
Updated February 25, 2026, 12:00:00 AM UTC
11 min read
CRA and NIS2: Where Cybersecurity Regulations Overlap for Product Companies
In this article

You manufacture IoT devices for the energy sector. You're subject to both NIS2 (as an operator of essential services) and CRA (as a product manufacturer). Two regulations, overlapping requirements, one compliance budget.

This guide explains how CRA and NIS2 interact and how to manage compliance with both.

Summary

  • CRA regulates products; NIS2 regulates organizations/services
  • Many companies face both: manufacturers who are also essential/important entities
  • Key overlaps: vulnerability management, incident reporting, supply chain security
  • Different scopes: CRA = product lifecycle; NIS2 = organizational cybersecurity
  • Coordination opportunity: Unified security processes serving both regulations

CRA vs NIS2 scope comparison Venn diagram

CRA vs NIS2: Fundamental Difference

CRA: Product Regulation

What it regulates: Products with digital elements placed on the EU market

Who it applies to: Manufacturers, importers, distributors of products with digital elements

Focus: Product security throughout lifecycle

  • Secure design and development
  • Vulnerability handling for products
  • Security updates for products
  • Product-level incident reporting

NIS2: Organizational Regulation

What it regulates: Cybersecurity of essential and important entities

Who it applies to: Organizations in specified sectors meeting size thresholds

Focus: Organizational cybersecurity

  • Governance and risk management
  • Incident handling for services
  • Supply chain security
  • Business continuity

The Overlap Zone

┌─────────────────────────────────────────────────────────────┐
                    YOUR ORGANIZATION                         
                                                              
  ┌──────────────────────┐    ┌──────────────────────┐       
        NIS2 SCOPE               CRA SCOPE               
                                                         
   - Your IT systems         - Products you              
   - Your services             manufacture               
   - Your operations         - Products you              
   - Your supply chain         import                    
     (as procurer)           - Products you              
                               distribute                
          ┌─────────────┴────┴───────────┐                
                  OVERLAP                               
                                                        
           - Vulnerability management                   
           - Incident reporting                         
           - Supply chain security                      
           - Security governance                        
          └──────────────────────────────┘                
  └──────────────────────┘    └──────────────────────┘       
└─────────────────────────────────────────────────────────────┘

Who Faces Both Regulations?

Scenario 1: Essential Entity That Manufactures Products

Example: Energy company that manufactures smart grid components

  • NIS2 applies: Energy sector entity above threshold
  • CRA applies: Manufacturer of products with digital elements

Both regulations require:

  • Cybersecurity risk management
  • Vulnerability handling
  • Incident reporting (to different bodies, different triggers)
  • Supply chain security

Scenario 2: Important Entity That Manufactures IoT

Example: Manufacturing company that makes industrial IoT sensors

  • NIS2 applies: Manufacturing sector entity above threshold
  • CRA applies: Manufacturer of products with digital elements

Scenario 3: Digital Infrastructure Provider

Example: Cloud provider that also sells hardware appliances

  • NIS2 applies: Digital infrastructure provider
  • CRA applies: Manufacturer of hardware products

Scenario 4: Healthcare Product Manufacturer

Example: Medical device adjacent company (not MDR-covered devices)

  • NIS2 applies: Healthcare sector entity
  • CRA applies: Products not covered by MDR exclusion

Overlapping Requirements

Vulnerability Management

Aspect CRA Requirement NIS2 Requirement
Scope Product vulnerabilities Organizational systems
Discovery Monitor product vulnerabilities Monitor all systems
Response Patch products without delay Remediate vulnerabilities
Reporting ENISA (if exploited) National CSIRT (if incident)

Coordination opportunity: Unified vulnerability management program covering both products and organizational systems.

Incident Reporting

Aspect CRA Requirement NIS2 Requirement
Trigger Actively exploited vuln in product Significant incident affecting services
Timeline 24h → 72h → 14/30d 24h → 72h → 1 month
Recipient ENISA + national CSIRT National competent authority/CSIRT
Scope Product security Service availability/integrity

Key distinction: A vulnerability in your product might trigger CRA reporting even if your services aren't affected. A service outage might trigger NIS2 reporting even if no product vulnerability exists.

Supply Chain Security

Aspect CRA Requirement NIS2 Requirement
Focus Components in your products Suppliers to your organization
Assessment Technical due diligence Supplier security assessment
Monitoring SBOM, vulnerability tracking Ongoing supplier risk management

Coordination opportunity: Integrated supplier management covering both product components and organizational suppliers.

Reporting Comparison

CRA Reporting Path

PRODUCT VULNERABILITY (actively exploited)
         │
         ▼
    24-HOUR EARLY WARNING
    To: ENISA Single Reporting Platform
         │
         ▼
    72-HOUR DETAILED NOTIFICATION
    To: ENISA + relevant CSIRTs
         │
         ▼
    14-DAY FINAL REPORT (vulnerability)
    30-DAY FINAL REPORT (incident)

NIS2 Reporting Path

SIGNIFICANT INCIDENT (affecting services)
         │
         ▼
    24-HOUR EARLY WARNING
    To: National competent authority or CSIRT
         │
         ▼
    72-HOUR INCIDENT NOTIFICATION
    To: National competent authority or CSIRT
         │
         ▼
    1-MONTH FINAL REPORT
    To: National competent authority or CSIRT

When Both Apply

A single event could trigger both:

Example: Zero-day in your product is actively exploited, affecting customers who are essential entities (like energy companies using your smart grid equipment).

CRA reporting: You report the actively exploited vulnerability (you're the manufacturer)

NIS2 reporting: Your affected customers may report the incident (they're the essential entities)

Your internal reporting: If you're also an essential entity using your own products, you might report under both

Harmonization Opportunities

Unified Security Governance

Instead of separate CRA and NIS2 compliance programs:

UNIFIED CYBERSECURITY GOVERNANCE

Board Level:
- Single cybersecurity risk oversight
- Combined reporting to management

Operational Level:
- One vulnerability management program
  ├── Product vulnerabilities (CRA focus)
  └── System vulnerabilities (NIS2 focus)

- One incident response capability
  ├── Product incidents (CRA reporting)
  └── Service incidents (NIS2 reporting)

- One supply chain security program
  ├── Product components (SBOM, CRA)
  └── Service suppliers (NIS2)

Process Mapping

Process CRA Application NIS2 Application
Risk assessment Product risk assessment Organizational risk management
Vulnerability scanning Product/component scanning Infrastructure scanning
Patch management Product updates System patches
Incident response Product incident handling Service incident handling
Security testing Product security testing Penetration testing
Awareness training Secure development training General security awareness

Documentation Efficiency

Some documentation can serve both:

Document CRA Use NIS2 Use
Security policy Product security policy section Organizational security policy
Risk register Product risks Organizational risks
Incident response plan Product incident procedures Service incident procedures
Supplier assessment Component supplier due diligence Service supplier assessment

Different Enforcement

CRA Enforcement

  • Market surveillance authorities monitor products
  • Focus on product compliance
  • Penalties up to €15M or 2.5% global turnover
  • Product withdrawal/recall possible

NIS2 Enforcement

  • National competent authorities supervise entities
  • Focus on organizational compliance
  • Penalties up to €10M or 2% global turnover
  • Personal liability for management possible

Double Jeopardy?

A single failing could theoretically trigger enforcement under both:

Example: Poor vulnerability management leads to unpatched product AND unpatched internal systems.

  • CRA: Non-compliance with vulnerability handling requirements
  • NIS2: Non-compliance with risk management measures

In practice: Regulators should coordinate. Demonstrating unified compliance helps.

Compliance Timeline Interaction

NIS2 Timeline

  • October 2024: NIS2 transposition deadline
  • 2024-2025: Member state implementation
  • Ongoing: Compliance required

CRA Timeline

  • September 2026: Reporting obligations begin
  • December 2027: Full compliance required
  • Ongoing: Product lifecycle obligations

Coordinated Approach

2024                    2025                    2026                    2027
                                                                     
                                                                     
┌───────────────────────────────────────────────────────────────────────┐
 NIS2: Organizational compliance required throughout                   
└───────────────────────────────────────────────────────────────────────┘
                                                                       
                                                                       
                                        ┌───────────────────────────────┐
                                         CRA: Reporting  CRA: Full    
                                        └───────────────────────────────┘

RECOMMENDATION:
Build unified cybersecurity program now that serves both.
Don't build separate NIS2 and CRA compliance programs.

Practical Coordination Checklist

Governance Integration

DUAL-REGULATION GOVERNANCE CHECKLIST

ORGANIZATIONAL:
[ ] Single cybersecurity governance structure
[ ] Board-level oversight covers both product and service security
[ ] Combined cybersecurity strategy
[ ] Unified budget allocation

RISK MANAGEMENT:
[ ] Integrated risk assessment (products + services)
[ ] Combined risk register
[ ] Unified risk treatment process
[ ] Single risk reporting framework

VULNERABILITY MANAGEMENT:
[ ] One vulnerability intake channel
[ ] Combined triage process
[ ] Integrated remediation workflow
[ ] Unified metrics and reporting

INCIDENT RESPONSE:
[ ] Combined incident response plan
[ ] Clear routing for CRA vs NIS2 reporting
[ ] Integrated communication procedures
[ ] Unified post-incident review

Reporting Integration

DUAL-REGULATION REPORTING MATRIX

Event Type                        Report Under
─────────────────────────────────────────────────────────────
Product vuln (not exploited)      Neither (CVD process only)
Product vuln (exploited)          CRA  ENISA
Service incident (no product)     NIS2  National authority
Both (product vuln  service)     Both (coordinate)
─────────────────────────────────────────────────────────────

Internal Escalation:
1. Security team assesses event
2. Determine: Product impact? Service impact?
3. Route to appropriate reporting path(s)
4. Coordinate if both apply

Supply Chain Integration

UNIFIED SUPPLY CHAIN SECURITY

For Product Components (CRA focus):
- SBOM maintained
- Component vulnerability monitoring
- Supplier security questionnaire
- Technical due diligence

For Service Suppliers (NIS2 focus):
- Supplier risk assessment
- Security requirements in contracts
- Ongoing monitoring
- Incident notification clauses

INTEGRATED APPROACH:
- Single supplier management system
- Combined risk assessment framework
- Unified contract security requirements
- Coordinated monitoring program

Special Considerations

Industrial Control Systems

IACS (Industrial Automation and Control Systems) face particular complexity:

  • CRA: If you manufacture IACS for essential entities (NIS2), it's Important Class II
  • NIS2: If you operate IACS as an essential entity, they're in scope

Double requirement: Product must meet CRA; operation must meet NIS2.

Cloud Services + Products

Cloud providers selling hardware appliances:

  • NIS2: Cloud service operations
  • CRA: Hardware appliances sold

Example: A cloud provider's firewall appliance must comply with CRA; their cloud service operations must comply with NIS2.

Healthcare Adjacent

Medical device manufacturers might have:

  • Some products under MDR (excluded from CRA)
  • Some products under CRA (not MDR-covered)
  • Organization under NIS2 (healthcare sector entity)

Careful scoping required: Map each product to applicable regulation.

Common Questions

Do I report the same incident twice?

Not usually. CRA and NIS2 have different triggers:

  • CRA: Actively exploited vulnerability in your product
  • NIS2: Significant incident affecting your services

If an exploited product vulnerability causes a service incident, you may need to report under both, but the reports go to different recipients and focus on different aspects.

Can NIS2 compliance cover CRA requirements?

Partially. Strong NIS2 compliance demonstrates:

  • Security governance capability
  • Vulnerability management maturity
  • Incident response capability

But CRA has product-specific requirements (SBOM, conformity assessment, CE marking) that NIS2 doesn't cover.

Can CRA compliance cover NIS2 requirements?

No. CRA is product-focused. NIS2 requires:

  • Organizational risk management
  • Business continuity
  • Supply chain security (broader than product components)
  • Governance measures

Which is more demanding?

Different scope, different demands:

Aspect CRA NIS2
Documentation Technical file per product Organizational policies
Assessment Conformity assessment Risk management
Ongoing Product support (5+ years) Continuous compliance
Reporting Product-focused Service-focused

Neither is strictly "more demanding." They're demanding different things.

Important: CRA applies to PRODUCTS. NIS2 applies to ORGANIZATIONS operating essential/important services. A company can be subject to BOTH regulations.

Tip: If you're already working on NIS2 compliance, leverage your incident response and supply chain security measures for CRA.

Related guides:

How CRA Evidence Helps

CRA Evidence supports organizations facing both regulations:

  • Product focus: Full CRA compliance capabilities
  • Integration ready: Vulnerability management data exportable
  • SBOM management: Serves CRA directly, supports NIS2 supply chain
  • Incident tracking: Can route to appropriate reporting paths
  • Documentation: Centralized for regulatory requests

Manage your product compliance at app.craevidence.com.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.

Topics covered in this article

Share this article

Related Articles

Does the CRA apply to your product?

Answer 6 simple questions to find out if your product falls under the EU Cyber Resilience Act scope. Get your result in under 2 minutes.

Check Now

Ready to achieve CRA compliance?

Start managing your SBOMs and compliance documentation with CRA Evidence.

Start 14-Day Free Trial
Back to all articles