If I comply with NIS2, am I automatically compliant with the CRA?

No. NIS2 regulates your organisation's cybersecurity risk management and incident reporting. The CRA regulates the cybersecurity of the products you place on the market. NIS2 organisational policies do not produce the technical documentation per Annex VII, the risk assessment per Article 13(2)–(3), or the declaration per Article 28 that the CRA requires. They are separate compliance obligations.

Can a single incident trigger both CRA and NIS2 notifications?

Yes. If a vulnerability in your product (CRA scope) also causes an incident affecting your organisation's services (NIS2 scope), you may need to notify under both: CRA Article 14 to ENISA and NIS2 Article 23 to your competent authority. The recipients, channels, and content requirements differ.

Does the CRA reference NIS2?

Yes. CRA Recital 20 acknowledges complementarity. CRA Article 14(9) references NIS2 in the context of notification coordination. These references establish coordination, not substitution.

Is my company subject to NIS2?

NIS2 applies to entities in sectors listed in Annexes I and II of Directive (EU) 2022/2555 (energy, transport, health, digital infrastructure, ICT service management, etc.). Check your Member State's transposition law for the specific thresholds.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

You manufacture a product with digital elements and your company also operates essential or important services under Directive (EU) 2022/2555. The CRA and NIS2 are not alternatives — they regulate different things. The CRA targets your product. NIS2 targets your organisation. You may need to comply with both, through separate compliance paths. CRACheck generates the documentation that the CRA requires.

Regulation (EU) 2024/2847 (Cyber Resilience Act) imposes cybersecurity requirements on products with digital elements before they are placed on the EU market. Directive (EU) 2022/2555 (NIS2) imposes cybersecurity risk management and incident reporting obligations on essential and important entities that operate network and information systems. The CRA is a product regulation. NIS2 is an operator regulation. They share a common objective — cybersecurity — but they regulate different subjects, through different mechanisms, with different enforcement structures. If you are a manufacturer of connected products and also an essential or important entity under NIS2, both apply in parallel. CRACheck covers the CRA documentation layer: eight documents per Article 31 and Annex VII, in 15–25 minutes, for €149.

Generate CRA product documentation — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Products

CRA regulates products with digital elements placed on the EU market — Art. 2(1) of Reg. (EU) 2024/2847

Operators

NIS2 regulates essential and important entities operating network and information systems — Art. 2 of Dir. (EU) 2022/2555

Both

may apply simultaneously to a company that manufactures products and operates digital services

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Determine CRA scope

Article 2(1) of Regulation (EU) 2024/2847: does your company place products with digital elements on the EU market? If yes, the CRA applies to those products.

Determine NIS2 scope

Article 2 of Directive (EU) 2022/2555: is your company an essential or important entity as defined in Articles 3 and 4? NIS2 had a transposition deadline of 17 October 2024.

Map the CRA product obligations

Article 13 (22 manufacturer obligations), Article 14 (ENISA notification), Article 31 (technical documentation), Article 32 (conformity assessment), Article 28 (declaration of conformity).

Map the NIS2 organisational obligations

Article 21 of NIS2 (cybersecurity risk management for your network and information systems), Article 23 of NIS2 (incident notification to your competent authority/CSIRT within 24 hours).

Identify the overlap zone

Article 14(9) of the CRA references NIS2. Where a manufacturer is also a NIS2 entity, incident notification may trigger both Article 14 of the CRA and Article 23 of NIS2.

Generate the CRA documentation

CRACheck covers the CRA product layer: technical documentation, risk assessment, declaration of conformity, CVD policy, ENISA notification template.

Maintain parallel compliance tracks

CRA enforcement from 11 December 2027 (Art. 14 from 11 September 2026). NIS2 obligations are already applicable in transposing Member States.

Common mistakes

❌

SCOPE CONFUSION

"Believing NIS2 compliance covers CRA obligations"

NIS2 Article 21 requires cybersecurity risk management measures for your organisation's network and information systems. CRA Article 13 requires cybersecurity risk assessment, technical documentation, conformity assessment, and vulnerability handling for each product you place on the market. NIS2 organisational measures do not produce the Annex VII documentation or the Article 28 declaration that the CRA requires. They are separate compliance tracks.

❌

NOTIFICATION

"Assuming a single incident report satisfies both CRA and NIS2"

CRA Article 14 requires notification of actively exploited product vulnerabilities to ENISA via the single reporting platform. NIS2 Article 23 requires notification of significant incidents affecting your organisation's service to the competent authority or CSIRT. The recipients, thresholds, and content requirements differ. A single report to one channel does not discharge the obligation to the other.

❌

TIMELINE

"Waiting for CRA enforcement to start cybersecurity measures"

NIS2 transposition was due by 17 October 2024. If your Member State has transposed the directive, NIS2 obligations already apply. CRA Article 14 reporting applies from 11 September 2026. If you are subject to both, the NIS2 timeline is already running.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Classifies your product under the CRA (default / Important / Critical). NIS2 does not classify products. The Product Classifier addresses only the CRA layer.

Technical Documentation

Per CRA Article 31 and Annex VII. This is a product-level obligation that NIS2 does not impose. NIS2 requires organisational policies, not product technical files.

Risk Assessment

Per CRA Article 13(2)–(3). This assesses the cybersecurity risks of your product. NIS2 Article 21(2) requires a separate organisational risk assessment. Different scope, different output.

User Information

Per CRA Annex II. Product-level user documentation. NIS2 has no equivalent product-level requirement.

Declaration of Conformity

Per CRA Article 28 and Annex V. Product conformity declaration. NIS2 has no declaration mechanism.

CVD Policy

Per CRA Part II, point (5) of Annex I. Product vulnerability handling. NIS2 Article 21(2)(e) requires a separate organisational vulnerability disclosure policy.

Notification Template

CRA Article 14 ENISA notification for product vulnerabilities. NIS2 Article 23 requires a separate notification to the NIS2 competent authority.

Obligations Calendar

Maps CRA dates: Art. 14 from 11 September 2026, full enforcement from 11 December 2027. NIS2 dates depend on Member State transposition. The calendar covers the CRA layer.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 INTEGRATED CRA + NIS2 COMPLIANCE PROJECT

€30,000–€80,000

6–18 months. Covers both regulatory layers but at enterprise-scale cost. Requires dedicated project manager. Suitable for large companies with complex organisational structures.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history