CRA vs. NIS2 vs. DORA: different subjects of regulation, sometimes the same companies
Three EU legal acts are routinely mentioned in the same breath in the cybersecurity context — and routinely confused: the Cyber Resilience Act (CRA), the NIS2 Directive and the DORA Regulation. They overlap thematically but pursue different subjects of regulation. The key sentence first: the CRA regulates products, while NIS2 and DORA regulate organisations. Keeping these levels apart makes it much easier to place your own exposure correctly.
In short: the CRA (Regulation (EU) 2024/2847) applies to whoever places products with digital elements on the market. NIS2 (Directive (EU) 2022/2555) applies to whoever operates an essential or important entity. DORA (Regulation (EU) 2022/2554) applies to financial entities and their ICT third-party providers. A single company can be caught by more than one at the same time.
The CRA: product regulation with CE marking
The Cyber Resilience Act — Regulation (EU) 2024/2847 — is a horizontal product regulation. It sets cybersecurity requirements for products with digital elements (software and hardware with a direct or indirect data connection to a device or network). The addressees are the economic operators along the supply chain: manufacturers, importers and distributors.
The manufacturer must meet the essential requirements of Annex I, run a conformity assessment procedure, draw up technical documentation, issue an EU declaration of conformity and affix the CE marking. Across the entire support period — at least five years or the shorter expected use — vulnerability handling is required, including an SBOM (software bill of materials) and a mandatory coordinated vulnerability disclosure (CVD) policy.
The CRA applies on a staggered basis: entry into force on 10 December 2024, the reporting obligations under Art. 14 from 11 September 2026, and general application with conformity assessment and CE marking from 11 December 2027. No 2024 or 2025 date is a compliance deadline for the substantive product duties. More on our page about the Cyber Resilience Act.
NIS2: organisational rather than product regulation
The NIS2 Directive — Directive (EU) 2022/2555 — does not regulate the product but the organisation that operates critical services. It distinguishes essential and important entities in sectors such as energy, transport, health, drinking water, digital infrastructure, ICT service management, public administration and others. As a directive, NIS2 must be transposed into national law; the transposition deadline expired on 17 October 2024, and in Germany full national transposition is still pending at the time of writing.
The focus is on organisational duties: risk management, technical and organisational measures, supply-chain security, management-level governance responsibility and reporting obligations for significant incidents. NIS2 requires no CE marking and does not assess individual products for conformity — it is about the security level of the operation.
Important for the boundary: standalone SaaS or pure cloud services tend to fall under NIS2, not under the CRA. The CRA captures cloud/back-end only where it forms integral remote data processing as part of a product with digital elements. That boundary is deliberately fuzzy at the edges and awaits Commission guidance.
DORA: sector-specific for the financial sector
The DORA Regulation — Regulation (EU) 2022/2554, the "Digital Operational Resilience Act" — is sector-specific. It addresses financial entities (banks, insurers, investment firms, payment institutions, crypto-asset service providers and further categories) and their ICT third-party providers. The aim is digital operational resilience: the ability to withstand, respond to and recover from ICT disruptions.
As a directly applicable regulation, DORA has applied since 17 January 2025 — without national transposition. It requires an ICT risk-management framework, incident reporting, resilience testing, third-party risk management (including a register of information) and establishes an EU oversight framework for critical ICT third-party providers.
The comparison table
| Criterion | CRA | NIS2 | DORA |
|---|---|---|---|
| Legal act | Regulation (EU) 2024/2847 | Directive (EU) 2022/2555 | Regulation (EU) 2022/2554 |
| Subject of regulation | Products with digital elements | Organisations / operators | Financial sector + ICT providers |
| Who is subject? | Manufacturers, importers, distributors | Essential & important entities | Financial entities & their ICT providers |
| Focus | Product security, CE marking | Organisational risk management | Operational resilience |
| Legal form | Regulation (direct) | Directive (national transposition) | Regulation (direct) |
| Application | staggered to 11 Dec 2027 | from national transposition | since 17 Jan 2025 |
One company, several regimes
The legal acts do not exclude one another — they overlap. Typical constellations:
- A manufacturer of connected devices that is at the same time a medium or large important entity under NIS2 must have its products conformity-assessed under the CRA and secure its operation under NIS2.
- A bank is subject to DORA for its operational resilience; if it places its own software or hardware products on the market, the CRA may apply in addition.
- An ICT service provider can carry DORA duties (as a third-party provider to financial entities), NIS2 duties (as an entity in its own right) and CRA duties (for products it ships) all at once.
The most common mistake: confusing product regulation (CRA) with organisational regulation (NIS2/DORA). The CRA asks: "Is my product secure and CE-compliant?" NIS2 and DORA ask: "Is my organisation sufficiently resilient?" Both can apply at once — the duties do not replace one another.
Whether and in which combination you are affected is best clarified through a structured exposure assessment. Our page on CRA exposure is a starting point. For smaller companies specifically, we have compiled the reliefs and particularities on our SME page. This information is general technical and organisational in nature and does not replace legal advice in an individual case.
Frequently asked questions
What is the main difference between CRA, NIS2 and DORA?
Can a company be subject to several of these acts at once?
Does a pure SaaS or cloud service fall under the CRA or under NIS2?
When do the three acts each apply?
Why does it matter to separate product and organisational regulation?
Let's talk about your CRA readiness
Unsure which of these regimes apply to your company? A structured exposure assessment places CRA, NIS2 and DORA in your specific context. Clarify your exposure now.
Request a first call Check eligibility