Blackfort TechnologyBlackfort Technology

CRA vs. NIS2 vs. DORA: different subjects of regulation, sometimes the same companies

Blackfort Technology · Cyber Resilience Act knowledge

Note: This article provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and is not legal advice. The applicable text of the Regulation always prevails; this article does not replace a binding assessment of your individual case. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services within the meaning of the German RDG.

Three EU legal acts are routinely mentioned in the same breath in the cybersecurity context — and routinely confused: the Cyber Resilience Act (CRA), the NIS2 Directive and the DORA Regulation. They overlap thematically but pursue different subjects of regulation. The key sentence first: the CRA regulates products, while NIS2 and DORA regulate organisations. Keeping these levels apart makes it much easier to place your own exposure correctly.

In short: the CRA (Regulation (EU) 2024/2847) applies to whoever places products with digital elements on the market. NIS2 (Directive (EU) 2022/2555) applies to whoever operates an essential or important entity. DORA (Regulation (EU) 2022/2554) applies to financial entities and their ICT third-party providers. A single company can be caught by more than one at the same time.

The CRA: product regulation with CE marking

The Cyber Resilience ActRegulation (EU) 2024/2847 — is a horizontal product regulation. It sets cybersecurity requirements for products with digital elements (software and hardware with a direct or indirect data connection to a device or network). The addressees are the economic operators along the supply chain: manufacturers, importers and distributors.

The manufacturer must meet the essential requirements of Annex I, run a conformity assessment procedure, draw up technical documentation, issue an EU declaration of conformity and affix the CE marking. Across the entire support period — at least five years or the shorter expected use — vulnerability handling is required, including an SBOM (software bill of materials) and a mandatory coordinated vulnerability disclosure (CVD) policy.

The CRA applies on a staggered basis: entry into force on 10 December 2024, the reporting obligations under Art. 14 from 11 September 2026, and general application with conformity assessment and CE marking from 11 December 2027. No 2024 or 2025 date is a compliance deadline for the substantive product duties. More on our page about the Cyber Resilience Act.

NIS2: organisational rather than product regulation

The NIS2 DirectiveDirective (EU) 2022/2555 — does not regulate the product but the organisation that operates critical services. It distinguishes essential and important entities in sectors such as energy, transport, health, drinking water, digital infrastructure, ICT service management, public administration and others. As a directive, NIS2 must be transposed into national law; the transposition deadline expired on 17 October 2024, and in Germany full national transposition is still pending at the time of writing.

The focus is on organisational duties: risk management, technical and organisational measures, supply-chain security, management-level governance responsibility and reporting obligations for significant incidents. NIS2 requires no CE marking and does not assess individual products for conformity — it is about the security level of the operation.

Important for the boundary: standalone SaaS or pure cloud services tend to fall under NIS2, not under the CRA. The CRA captures cloud/back-end only where it forms integral remote data processing as part of a product with digital elements. That boundary is deliberately fuzzy at the edges and awaits Commission guidance.

DORA: sector-specific for the financial sector

The DORA RegulationRegulation (EU) 2022/2554, the "Digital Operational Resilience Act" — is sector-specific. It addresses financial entities (banks, insurers, investment firms, payment institutions, crypto-asset service providers and further categories) and their ICT third-party providers. The aim is digital operational resilience: the ability to withstand, respond to and recover from ICT disruptions.

As a directly applicable regulation, DORA has applied since 17 January 2025 — without national transposition. It requires an ICT risk-management framework, incident reporting, resilience testing, third-party risk management (including a register of information) and establishes an EU oversight framework for critical ICT third-party providers.

The comparison table

CriterionCRANIS2DORA
Legal actRegulation (EU) 2024/2847Directive (EU) 2022/2555Regulation (EU) 2022/2554
Subject of regulationProducts with digital elementsOrganisations / operatorsFinancial sector + ICT providers
Who is subject?Manufacturers, importers, distributorsEssential & important entitiesFinancial entities & their ICT providers
FocusProduct security, CE markingOrganisational risk managementOperational resilience
Legal formRegulation (direct)Directive (national transposition)Regulation (direct)
Applicationstaggered to 11 Dec 2027from national transpositionsince 17 Jan 2025

One company, several regimes

The legal acts do not exclude one another — they overlap. Typical constellations:

  • A manufacturer of connected devices that is at the same time a medium or large important entity under NIS2 must have its products conformity-assessed under the CRA and secure its operation under NIS2.
  • A bank is subject to DORA for its operational resilience; if it places its own software or hardware products on the market, the CRA may apply in addition.
  • An ICT service provider can carry DORA duties (as a third-party provider to financial entities), NIS2 duties (as an entity in its own right) and CRA duties (for products it ships) all at once.

The most common mistake: confusing product regulation (CRA) with organisational regulation (NIS2/DORA). The CRA asks: "Is my product secure and CE-compliant?" NIS2 and DORA ask: "Is my organisation sufficiently resilient?" Both can apply at once — the duties do not replace one another.

Whether and in which combination you are affected is best clarified through a structured exposure assessment. Our page on CRA exposure is a starting point. For smaller companies specifically, we have compiled the reliefs and particularities on our SME page. This information is general technical and organisational in nature and does not replace legal advice in an individual case.

Frequently asked questions

What is the main difference between CRA, NIS2 and DORA?
The CRA (Regulation (EU) 2024/2847) regulates products with digital elements (product level, CE marking). NIS2 (Directive (EU) 2022/2555) regulates organisations — essential and important entities — at the operational level. DORA (Regulation (EU) 2022/2554) is sector-specific for the financial sector and its ICT third-party providers.
Can a company be subject to several of these acts at once?
Yes. The regimes overlap. A manufacturer of connected devices that is also an important entity is subject to the CRA for its products and to NIS2 for its operation. An ICT provider to financial entities can even be caught by all three.
Does a pure SaaS or cloud service fall under the CRA or under NIS2?
Standalone SaaS and pure cloud services tend to fall under NIS2, not under the CRA. The CRA captures cloud/back-end only where it forms integral remote data processing as part of a product with digital elements. The boundary is fuzzy at the edges and awaits Commission guidance.
When do the three acts each apply?
DORA has applied directly since 17 January 2025. NIS2 had to be transposed into national law by 17 October 2024 and applies from the respective national transposition. The CRA applies on a staggered basis: reporting obligations from 11 September 2026, general application with CE marking from 11 December 2027.
Why does it matter to separate product and organisational regulation?
Because otherwise exposure and duties get confused. The CRA asks whether a product is secure and CE-compliant; NIS2 and DORA ask whether an organisation is sufficiently resilient. The duties do not replace one another but can exist in parallel.

Let's talk about your CRA readiness

Unsure which of these regimes apply to your company? A structured exposure assessment places CRA, NIS2 and DORA in your specific context. Clarify your exposure now.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.