How does the Cyber Resilience Act differ from NIS2?

Alexis Hirschhorn· CEO, Acuna16 July 2026

Direct answer

NIS2 governs the cybersecurity of essential and important organisations across 18 sectors; the Cyber Resilience Act governs the security of products with digital elements placed on the market. Many organisations are subject to both. The obligations do not duplicate each other — NIS2 covers what your organisation does; the CRA covers what your product is.

Key Facts

  • NIS2 = organisational cybersecurity (18 sectors); CRA = product cybersecurity (supply chain).
  • Both share a 24-hour early warning and 72-hour notification requirement.
  • CRA final report: 14 days after fix (vulnerability) or 1 month (incident). NIS2: 1 month.
  • CRA reports go to ENISA + national CSIRT; NIS2 reports go to the CSIRT / competent authority.
  • Many manufacturers are subject to both; controls overlap but the obligations are additive, not duplicative.
  • CRA penalty ceiling: EUR 15m or 2.5 %; NIS2 ceiling: EUR 10m or 2 % for essential entities.

The two regulations operate at different levels of the supply chain, which is why so many organisations are subject to both (Art. 1 CRA; Art. 1 NIS2): | | Cyber Resilience Act | NIS2 Directive | |---|---|---| | **Instrument** | Regulation (EU) 2024/2847 | Directive (EU) 2022/2555 | | **What it governs** | Security of products with digital elements | Cybersecurity of essential and important entities | | **Who it covers** | Manufacturers, importers, distributors | Entities in 18 critical sectors | | **Core obligation** | Product security across lifecycle | Organisational risk management and incident handling | | **What you report** | Actively exploited vulnerabilities · severe incidents | Significant incidents | | **Early warning** | 24 hours | 24 hours | | **Notification** | 72 hours | 72 hours | | **Final report** | 14 days after fix (vulnerability) · 1 month (incident) | 1 month | | **Report to** | ENISA + national CSIRT (single reporting platform) | CSIRT / competent authority | | **Penalties** | EUR 15m or 2.5 % turnover | EUR 10m or 2 % turnover (essential) | | **Full application** | 11 December 2027 | Already in force | The 24-hour and 72-hour reporting stages rhyme across both regimes, but the recipient, the trigger definition and the final-report window differ -- which is exactly why a single, well-documented incident process that is mapped to both is more robust than two parallel playbooks. For a manufacturer of connected products that also operates as an essential or important entity under NIS2, the CRA adds product-specific duties: classifying each product, maintaining the SBOM, carrying out the conformity assessment and drawing up the EU declaration of conformity. The NIS2 organisational obligations (risk management, supply chain security, incident handling) remain separate but the underlying controls -- vulnerability tracking, access management, evidence documentation -- overlap heavily.

What's next

See how Acuna handles this