comparison·CRA·10 min read

CRA vs NIS2 — when both apply and how to handle the overlap

CRA applies to products; NIS2 applies to operators of essential and important services. When both apply to the same organisation, here is what changes.

By Vladimír Vician · 22 June 2026

TL;DR

CRA — Cyber Resilience Act (EU) 2024/2847 — applies to products with digital elements and imposes obligations on manufacturers. NIS2 — Directive (EU) 2022/2555 — applies to operators of essential and important services and imposes risk management and incident reporting obligations on the entities. The two regimes overlap when a single organisation is both a NIS2-covered operator (manufacturer in NIS2 Annex II) and a CRA-covered manufacturer (placing products with digital elements on the market). Incident reporting timelines are similar but channels and thresholds differ; fines under both regimes can stack.

Two major pieces of EU cybersecurity legislation apply to hardware manufacturers in 2026: the Cyber Resilience Act (CRA) and the NIS2 Directive. Confusing their scope and obligations is one of the most common compliance mistakes we see. They have similar names, similar acronyms, and address related concerns, but they impose different obligations on different addressees.

This article explains the fundamental difference between the two regimes, when both apply to the same organisation, how the obligations interact, and the practical implications for hardware manufacturers and their customers.

The fundamental distinction

Dimension | Cyber Resilience Act (CRA) | NIS2 Directive
Legal form | Regulation (EU) 2024/2847, directly applicable | Directive (EU) 2022/2555, transposed by member states
Addressees | Manufacturers of products with digital elements | Essential and important entities
What is regulated | The product placed on the market | The entity's network and information systems and its risk management
In force from | 10 December 2024 (entry into force); 11 September 2026 (Article 14 reporting); 11 December 2027 (full application, including Annex I) | 16 January 2023 (entry into force); 17 October 2024 (transposition deadline)
Reporting addressee | Coordinating member-state CSIRT and ENISA, via the single reporting platform | Member-state CSIRT or competent authority, directly
Fines | €15M or 2.5% of turnover (Annex I, Articles 13 and 14); €10M or 2% (other obligations); €5M or 1% (incorrect or misleading information to authorities) | €10M or 2% of turnover (essential entities); €7M or 1.4% (important entities)
Geographical | Products placed on the EU market | Entities established in the EU

The simplest framing: CRA addresses the products; NIS2 addresses the operators.

Who is covered by NIS2

NIS2 covers two tiers of entity in 18 sectors. Essential entities (NIS2 Annex I) operate critical infrastructure:

  • Energy (electricity, oil, gas, district heating, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Health (healthcare providers, EU reference laboratories, manufacturing and distribution of medicinal products, certain medical devices, R&D)
  • Drinking water
  • Wastewater
  • Digital infrastructure (DNS, TLDs, internet exchange points, cloud providers, data centres, CDNs, trust service providers, electronic communications networks and services)
  • ICT service management — B2B managed services
  • Public administration
  • Space (operators of ground-based infrastructure for space-based services)

Important entities (NIS2 Annex II) operate other key services:

  • Postal and courier services
  • Waste management
  • Manufacture/production/distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing:
    • Medical devices and in-vitro diagnostics
    • Computers, electronics, and optical products
    • Electrical equipment
    • Machinery and equipment
    • Motor vehicles, trailers, and semi-trailers
    • Other transport equipment
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research

Size thresholds: NIS2 applies by default to medium-sized enterprises (50 or more employees, or annual turnover or balance sheet total above €10M) and larger. Smaller entities can still be in scope where the Directive or member-state authorities designate them, for example because of their criticality or because they are the sole provider of a service.

A hardware manufacturer above the size threshold is typically a NIS2 important entity under the manufacturing sub-sector for computers/electronics, electrical equipment or machinery. Check the national transposition: member states register entities and may designate some as essential rather than important.

Who is covered by CRA

CRA applies to every manufacturer placing a product with digital elements on the EU market — regardless of the manufacturer's size or sector. Article 3(1) defines "product with digital elements" broadly: any software or hardware product and its remote data processing solutions.

There are limited exclusions: medical devices under MDR, vehicles under Type Approval, maritime equipment, aviation products. See CRA Annex I explained for full scope discussion.

For practical purposes: every commercial connected hardware product placed on the EU market from 11 December 2027 is subject to CRA.

When both apply

Both apply simultaneously when an organisation is:

  • A NIS2-covered entity (essential or important) AND
  • A CRA manufacturer placing products with digital elements on the EU market

This is the typical situation for medium and large hardware manufacturers. A connected industrial sensor manufacturer with 200 employees is a NIS2 important entity (manufacturing sector) and a CRA manufacturer (placing connected products on the market). Both regimes apply but to different aspects:

  • CRA governs the products the manufacturer ships
  • NIS2 governs the operation of the manufacturer's own IT systems, vulnerability management, supply chain risk, business continuity, and incident response

NIS2 supply chain — when CRA products meet NIS2 buyers

NIS2 Article 21(2)(d) explicitly covers supply chain security:

"supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers"

In practice this means NIS2-covered entities require evidence of cybersecurity practices from their suppliers — including manufacturers of CRA-covered products. Procurement asks typically include:

  • SBOM in CycloneDX or SPDX format
  • Vulnerability handling policy
  • Coordinated vulnerability disclosure programme
  • Security certifications (ISO 27001, SOC 2, EUCC where applicable)
  • Incident response and notification commitments

For a CRA-compliant manufacturer, these artefacts already exist as part of CRA Annex I Part II compliance. Selling into NIS2-covered customers becomes easier because the CRA artefacts directly satisfy the NIS2 procurement ask.

This creates a commercial pull effect for CRA compliance — NIS2 customers will increasingly require CRA-compliant suppliers years before the December 2027 CRA application date.

Incident reporting — similar timelines, different channels

Both regimes use the same 24-hour early warning, 72-hour notification and final report cascade. They differ in addressee, trigger, and the event that starts the final-report clock:

Stage | CRA Article 14 (manufacturer) | NIS2 Article 23 (essential/important entity)
Early warning | 24 hours from awareness | 24 hours from awareness
Notification | 72 hours from awareness | 72 hours from awareness
Final report | Actively exploited vulnerability: within 14 days after a corrective or mitigating measure is available. Severe incident: within 1 month of the 72-hour notification | Within 1 month of the 72-hour notification (intermediate reports on request)
Reported to | Coordinating member-state CSIRT and ENISA via the single reporting platform | Member-state CSIRT or competent authority, directly
Trigger | Actively exploited vulnerability in the product, or severe incident affecting the product's security | Significant incident affecting the entity's services
Applies from | 11 September 2026 | 17 October 2024

A single incident at a NIS2-covered manufacturer involving a CRA-covered product can trigger both reports — to the member-state CSIRT (as NIS2 entity) and to ENISA + CSIRT via the ENISA platform (as CRA manufacturer). The factual content is similar but goes to different recipients under different legal bases.
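As an added example, not code from this article or from Cenitia, the following Python sketch turns the two cascades above into one scheduler. Given when the organisation became aware, which regime(s) it falls under and which trigger fired, it returns every report due, its deadline and its recipient. It makes two points explicit that a spreadsheet tends to hide: the CRA final-report clock for an exploited vulnerability starts when a fix is available, not at awareness, and before 11 September 2026 only the NIS2 filing exists. All class and function names, the scenario values and the reading of "one month" as a calendar month are assumptions of this example, not anything the regulations or the article specify.

```python
"""Dual CRA / NIS2 incident-report scheduler (illustrative example, not legal advice)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Dates of application as stated in the article.
CRA_ART14_APPLIES_FROM = datetime(2026, 9, 11, tzinfo=timezone.utc)
NIS2_APPLIES_FROM = datetime(2024, 10, 17, tzinfo=timezone.utc)

CRA_RECIPIENT = "coordinating CSIRT + ENISA via the single reporting platform"
NIS2_RECIPIENT = "member-state CSIRT (or competent authority, per national transposition)"


@dataclass(frozen=True)
class Incident:
    aware_at: datetime                  # moment the organisation became aware (must be tz-aware)
    nis2_entity: bool                   # essential or important entity under national law
    nis2_significant: bool              # meets the NIS2 Art 23 'significant incident' test
    cra_manufacturer: bool              # places products with digital elements on the EU market
    cra_exploited_vuln: bool = False    # actively exploited vulnerability in own product (Art 14(1))
    cra_severe_incident: bool = False   # severe incident affecting product security (Art 14(3))
    fix_available_at: Optional[datetime] = None  # corrective/mitigating measure available; starts CRA final-report clock


@dataclass(frozen=True)
class Obligation:
    regime: str              # "CRA" or "NIS2"
    stage: str               # early warning / notification / final report
    due: Optional[datetime]  # None = the clock for this report has not started yet
    recipient: str


def add_one_month(d: datetime) -> datetime:
    """Calendar-month addition, clamping to month end (31 Jan -> 28/29 Feb).
    Assumption of this example: 'one month' is a calendar month; national law may count differently."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


def reporting_plan(inc: Incident) -> list[Obligation]:
    """Return every report due for this incident, earliest deadline first."""
    if inc.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; deadline maths across zones is a classic miss")
    early = inc.aware_at + timedelta(hours=24)
    notify = inc.aware_at + timedelta(hours=72)
    plan: list[Obligation] = []

    # NIS2 Art 23: in-scope entities only, significant incidents only, after the application date.
    if inc.nis2_entity and inc.nis2_significant and inc.aware_at >= NIS2_APPLIES_FROM:
        plan += [
            Obligation("NIS2", "early warning", early, NIS2_RECIPIENT),
            Obligation("NIS2", "incident notification", notify, NIS2_RECIPIENT),
            Obligation("NIS2", "final report", add_one_month(notify), NIS2_RECIPIENT),
        ]

    # CRA Art 14: manufacturers only, from 11 Sept 2026. Two triggers with different final-report clocks.
    if inc.cra_manufacturer and inc.aware_at >= CRA_ART14_APPLIES_FROM:
        if inc.cra_exploited_vuln:
            final = inc.fix_available_at + timedelta(days=14) if inc.fix_available_at else None
            plan += [
                Obligation("CRA", "early warning (exploited vulnerability)", early, CRA_RECIPIENT),
                Obligation("CRA", "vulnerability notification", notify, CRA_RECIPIENT),
                Obligation("CRA", "final report (14 days after fix available)", final, CRA_RECIPIENT),
            ]
        if inc.cra_severe_incident:
            plan += [
                Obligation("CRA", "early warning (severe incident)", early, CRA_RECIPIENT),
                Obligation("CRA", "incident notification", notify, CRA_RECIPIENT),
                Obligation("CRA", "final report (1 month after notification)", add_one_month(notify), CRA_RECIPIENT),
            ]

    # Clocks that have not started sort last so the next hard deadline is always plan[0].
    far_future = datetime.max.replace(tzinfo=timezone.utc)
    return sorted(plan, key=lambda o: o.due or far_future)


def dual_filing_required(plan: list[Obligation]) -> bool:
    """True when the same facts must be filed under both legal bases to different recipients."""
    return {o.regime for o in plan} == {"CRA", "NIS2"}


if __name__ == "__main__":
    # Constructed scenario: NIS2 important entity that also ships a CRA product; exploitation seen
    # in the wild, no fix available yet at the moment of awareness.
    inc = Incident(
        aware_at=datetime(2026, 10, 1, 9, 0, tzinfo=timezone.utc),
        nis2_entity=True, nis2_significant=True,
        cra_manufacturer=True, cra_exploited_vuln=True,
    )
    for o in reporting_plan(inc):
        when = o.due.isoformat() if o.due else "clock not started"
        print(f"{o.regime:4} {o.stage:45} {when:25} -> {o.recipient}")
    print("dual filing:", dual_filing_required(reporting_plan(inc)))
```

Re-run `reporting_plan` whenever `fix_available_at` becomes known; until then the CRA final report shows as "clock not started" rather than a made-up date, which is the honest state for the incident tracker to carry.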

Fines — independent and potentially cumulative

Each regime carries its own administrative fines (CRA Article 64; NIS2 Article 34):

Regime | Maximum fine
CRA: Annex I essential requirements, Article 13 or Article 14 obligations (including reporting failures) | €15M or 2.5% of global annual turnover (whichever is higher)
CRA: any other obligation under the Regulation | €10M or 2%
CRA: incorrect, incomplete or misleading information supplied to notified bodies or market surveillance authorities | €5M or 1%
NIS2 essential entity violations | €10M or 2% of global annual turnover
NIS2 important entity violations | €7M or 1.4%

National implementing law determines how the two fine regimes interact in member states. Some member states apply the higher of the two penalties for facts that constitute violations of both; others stack them. The administrative cost of dealing with two parallel investigations exceeds the direct fine in most cases.

Practical compliance approach

For a hardware manufacturer subject to both regimes:

  1. Build CRA Annex I Part II compliance once. SBOM, vulnerability handling policy, security testing, coordinated vulnerability disclosure. These satisfy CRA on the products and feed directly into NIS2 supply chain evidence.
  2. Operate NIS2 Article 21 risk management on top. ISMS-style risk management covering the manufacturer's own IT, including the production environment, IT systems used to design products, and customer-data systems.
  3. Configure dual incident reporting workflows. A CRA-relevant event (actively exploited vulnerability or severe incident affecting a product) triggers reporting to the coordinating CSIRT and ENISA via the single reporting platform; a NIS2-relevant significant incident triggers reporting to the member-state CSIRT or competent authority directly. Some incidents trigger both, and the final-report clocks run from different events, so track them separately.
  4. Track both regulatory regimes for amendment. The Commission can amend CRA Annexes by Delegated Act; member states can amend NIS2 transposition. Both feed regulatory change monitoring.

Cenitia handles the CRA-side compliance — Annex I conformity, Technical File, Article 14 reporting workflow. NIS2 risk management for the manufacturer's own operations is a broader ISMS exercise typically requiring separate tooling or consulting; our parent company Inovasense offers NIS2 implementation services.

Common confusion patterns

  • "NIS2 doesn't apply to us, we're under the size threshold." Check carefully: the size threshold excludes only the smallest entities, not most SMEs. The default threshold is 50 or more employees, or annual turnover or balance sheet total above €10M; either is enough, and member states can designate smaller entities on criticality grounds.
  • "CRA replaces NIS2 for products." No. CRA covers the products; NIS2 covers the operators using them. Both can apply.
  • "Same reporting goes to both ENISA and CSIRT, so we file once." No. ENISA platform receives the CRA report; the member-state CSIRT receives the NIS2 report directly. Both are filed, even when the underlying facts are the same.
  • "Our manufacturer is in the US, NIS2 doesn't apply." NIS2 applies to operators established in the EU. The US manufacturer is not directly a NIS2 entity but its EU-established subsidiary or its NIS2 customers are subject to NIS2 supply chain requirements — which loop back to require evidence from the US manufacturer.

How Cenitia helps with the overlap

Cenitia produces the CRA-side compliance artefacts that NIS2-covered customers require for supply chain evidence: SBOM, vulnerability handling policy, coordinated vulnerability disclosure documentation, security event logging records. These artefacts are exportable in formats commonly required by NIS2 procurement processes — CycloneDX SBOM, CSAF VEX, structured CVD documentation.


Frequently asked questions

What is the fundamental difference between CRA and NIS2?

CRA — the Cyber Resilience Act, Regulation (EU) 2024/2847 — applies to products with digital elements. It imposes obligations on manufacturers to ensure the products they place on the EU market meet essential cybersecurity requirements. NIS2 — the Network and Information Systems Directive 2 (EU) 2022/2555 — applies to operators of essential and important services. It imposes risk management and incident reporting obligations on the entities operating critical infrastructure and key services. CRA addresses the products; NIS2 addresses the operators who use them.

Which entities are subject to NIS2?

NIS2 covers two tiers. Essential entities (Annex I of NIS2) include operators in: energy (electricity, oil, gas, district heating, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (DNS, TLDs, cloud, data centres, content delivery, trust services, electronic communications), ICT service management (B2B managed services), public administration, and space. Important entities (Annex II) include: postal and courier services, waste management, manufacture/production/distribution of chemicals, food production/processing/distribution, manufacturing (medical devices, computers and electronics, machinery, motor vehicles, transport equipment), digital providers (online marketplaces, search engines, social networking platforms), and research. Size thresholds apply — typically medium-sized enterprises and larger.

Can both CRA and NIS2 apply to the same organisation?

Yes. A medium or large hardware manufacturer is a NIS2 important entity under the manufacturing sector and is simultaneously subject to CRA as a manufacturer of products with digital elements. The two regulations impose different obligations on different aspects of the business: CRA on the products produced; NIS2 on the operation of the manufacturer's own IT systems and supply chain. Both require risk management, both require incident reporting, but to different authorities and under different thresholds.

What does NIS2 require of entities that buy CRA-covered products?

Article 21 of NIS2 requires essential and important entities to take 'appropriate and proportionate technical, operational and organisational measures' to manage cybersecurity risks. Paragraph 2(d) explicitly covers supply chain security — the security of the products and services entities use. In practice, NIS2 entities ask suppliers (including CRA-covered product manufacturers) for evidence of cybersecurity practices — typically SBOMs, vulnerability handling policies, security certifications. CRA-compliant manufacturers find that satisfying NIS2 entities' procurement requirements is easier because CRA artefacts directly address the supply chain ask.

Do CRA and NIS2 have the same incident reporting timeline?

Similar but not identical. CRA Article 14 requires a 24-hour early warning and a 72-hour notification to the coordinating CSIRT and ENISA via the single reporting platform for actively exploited vulnerabilities and severe incidents; the final report is due 14 days after a corrective or mitigating measure is available (exploited vulnerability) or one month after the notification (severe incident). Article 14 applies from 11 September 2026. NIS2 Article 23 requires a 24-hour early warning, a 72-hour notification and a final report one month after the notification, to the member-state CSIRT or competent authority, for significant incidents; it has applied since 17 October 2024. The reporting channels, triggers and final-report clocks differ; a single incident at a NIS2-covered manufacturer with a CRA product can trigger both reports.

Do CRA and NIS2 fines stack?

Yes. CRA Article 64 fines (up to €15 million or 2.5% of global turnover for Annex I breaches) and NIS2 Article 34 fines (up to €10 million or 2% for essential entities; €7 million or 1.4% for important entities) apply independently. A single incident that constitutes both a CRA Annex I non-conformity and a NIS2 Article 21 failure can trigger both penalty regimes. National implementing law in each member state defines how the fines are imposed in practice; some member states apply the higher of the two, others stack them.

When did NIS2 take effect?

NIS2 Directive (EU) 2022/2555 entered into force on 16 January 2023. Member states had until 17 October 2024 to transpose it into national law. From that date onwards, essential and important entities in each member state are subject to NIS2 obligations under their member state's transposition. Some member states (Belgium, Italy) transposed on or before the deadline; others (Germany, Spain) saw delays into 2025. Coverage and enforcement intensity vary by member state.

Related from the Library

  • CRA Annex I explained — the cybersecurity requirements that overlap with NIS2 supply chain expectations
  • CRA timeline and reporting obligations — CRA Article 14 reporting in detail
  • SBOM CycloneDX vs SPDX — the artefact both regimes care about

Further reading

  • NIS2 Directive — full text
  • Cyber Resilience Act — full text
  • ENISA NIS2 implementation guidance
  • NIS2 national transposition tracker

Last reviewed: 25 June 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.


Written by

Vladimír Vician

Founder, Cenitia · Founder & Managing Director, Inovasense s.r.o.

Founded Inovasense in Bratislava in 2016. Specialises in EU-sovereign hardware — FPGA and embedded systems design, embedded security, and regulatory compliance under the CRA, RED (EN 18031), and the harmonised standards each cites. Named signatory on every Declaration of Conformity Inovasense ships.

Best reached on LinkedIn. For longer enquiries, the Inovasense contact form.

Inovasense profile · More about Cenitia
