Regulation (EU) 2024/2847 (Cyber Resilience Act) imposes cybersecurity requirements on products with digital elements before they are placed on the EU market. Directive (EU) 2022/2555 (NIS2) imposes cybersecurity risk management and incident reporting obligations on essential and important entities that operate network and information systems. The CRA is a product regulation. NIS2 is an operator regulation. They share a common objective — cybersecurity — but they regulate different subjects, through different mechanisms, with different enforcement structures. If you are a manufacturer of connected products and also an essential or important entity under NIS2, both apply in parallel. CRACheck covers the CRA documentation layer: eight documents per Article 31 and Annex VII, in 15–25 minutes, for €149.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
NIS2 Article 21 requires cybersecurity risk management measures for your organisation's network and information systems. CRA Article 13 requires cybersecurity risk assessment, technical documentation, conformity assessment, and vulnerability handling for each product you place on the market. NIS2 organisational measures do not produce the Annex VII documentation or the Article 28 declaration that the CRA requires. They are separate compliance tracks.
CRA Article 14 requires notification of actively exploited product vulnerabilities to ENISA via the single reporting platform. NIS2 Article 23 requires notification of significant incidents affecting your organisation's service to the competent authority or CSIRT. The recipients, thresholds, and content requirements differ. A single report to one channel does not discharge the obligation to the other.
NIS2 transposition was due by 17 October 2024. If your Member State has transposed the directive, NIS2 obligations already apply. CRA Article 14 reporting applies from 11 September 2026. If you are subject to both, the NIS2 timeline is already running.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Classifies your product under the CRA (default / Important / Critical). NIS2 does not classify products. The Product Classifier addresses only the CRA layer.
Per CRA Article 31 and Annex VII. This is a product-level obligation that NIS2 does not impose. NIS2 requires organisational policies, not product technical files.
Per CRA Article 13(2)–(3). This assesses the cybersecurity risks of your product. NIS2 Article 21(2) requires a separate organisational risk assessment. Different scope, different output.
Per CRA Annex II. Product-level user documentation. NIS2 has no equivalent product-level requirement.
Per CRA Article 28 and Annex V. Product conformity declaration. NIS2 has no declaration mechanism.
Per CRA Part II, point (5) of Annex I. Product vulnerability handling. NIS2 Article 21(2)(e) requires a separate organisational vulnerability disclosure policy.
CRA Article 14 ENISA notification for product vulnerabilities. NIS2 Article 23 requires a separate notification to the NIS2 competent authority.
Maps CRA dates: Art. 14 from 11 September 2026, full enforcement from 11 December 2027. NIS2 dates depend on Member State transposition. The calendar covers the CRA layer.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the documentation required by Articles 13, 28, 31, and Annex VII of Regulation (EU) 2024/2847. This is the product layer: what your product must document before it enters the market. NIS2 does not produce this documentation. If you comply with NIS2 but not the CRA, your product is still non-compliant.
CRACheck does not generate NIS2 organisational risk management policies (Art. 21 of NIS2), NIS2 incident notification reports (Art. 23 of NIS2), or NIS2 governance documentation (Art. 20 of NIS2). These are entity-level obligations that require a separate compliance process.
The CRA product layer and the NIS2 organisational layer are complementary. CRACheck resolves the CRA layer. The NIS2 layer requires a separate approach appropriate to your organisational profile.
Article 64 of Regulation (EU) 2024/2847.
Breach of Annex I or Articles 13/14.
Breach of Art. 31, 28, 32.
NIS2 organisational obligations. Up to €7M/1.4% for important entities (Art. 34(5)).
| Criterion | CRA (Regulation (EU) 2024/2847) | NIS2 (Directive (EU) 2022/2555) |
|---|---|---|
| Regulates | Products with digital elements | Essential and important entities |
| Legal instrument | Regulation (directly applicable) | Directive (requires transposition) |
| Core obligation | Product cybersecurity + documentation + conformity | Organisational risk management + incident reporting |
| Notification target | ENISA (product vulnerabilities) — Art. 14 | Competent authority/CSIRT (incidents) — Art. 23 |
| Max penalty | €15M or 2.5% turnover | €10M or 2% turnover (essential entities) |
CRACheck handles the CRA documentation layer for each product. Free your compliance team to focus on the NIS2 organisational layer. Pack of 10: €99 per product. Pack of 30: €79 per product.
Request Volume PricingCRACheck generates a structured document based on Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. CRACheck does not generate NIS2 compliance documentation.
We guarantee that the CRA document structure follows Article 31 and Annex VII and that all cited CRA legal references are correct. We do not guarantee that the documentation satisfies NIS2 requirements.
CRACheck is not legal advice. For questions about the interplay between CRA and NIS2 for your specific organisation, consult a qualified regulatory professional.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.