
Directive (EU) 2022/2555 (NIS2) imposes cybersecurity obligations on the entity — risk management, incident reporting, supply chain security. Regulation (EU) 2024/2847 (CRA) imposes cybersecurity obligations on the product with digital elements — secure design, vulnerability handling, technical documentation. If your organisation is both a NIS2 essential or important entity and a manufacturer of products with digital elements, both frameworks apply simultaneously. NIS2 does not exempt you from the CRA. The CRA does not exempt you from NIS2. CRACheck generates the product-level documentation under the CRA.

The confusion is understandable: both laws address cybersecurity, both reference similar risk management concepts, and both mention ENISA. But the legal objects are different. NIS2 (Directive 2022/2555) regulates entities — operators of essential services, digital infrastructure providers, ICT service managers. The CRA (Regulation 2024/2847) regulates products — any software or hardware with a data connection placed on the EU market. NIS2 requires the entity to implement cybersecurity risk management measures under its Article 21. The CRA requires the manufacturer to ensure the product meets the essential cybersecurity requirements of Annex I and to prepare technical documentation under Article 31. Article 14 of the CRA specifically references Article 22 of Directive (EU) 2022/2555 for coordinating vulnerability notifications. CRACheck covers the product documentation layer. €149. 15–25 minutes. 8 PDFs.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key figures

Entity vs Product: NIS2 regulates the entity. CRA regulates the product.
Art. 14 CRA: CRA vulnerability notifications coordinate with NIS2 via Directive 2022/2555 Art. 22.
€15M: Maximum CRA fine under Art. 64(2). NIS2 fines are separate under Directive 2022/2555 Art. 34.

How to determine which framework applies to what

1. Identify the entity
Is your organisation an essential or important entity under NIS2 Article 3? If yes, NIS2 entity-level obligations apply (risk management, incident reporting, governance).

2. Identify the products
Does your organisation manufacture or place on the EU market products with digital elements as defined in CRA Article 3(1)? If yes, CRA product-level obligations apply for each product.

3. Map the obligations
NIS2 Article 21 covers the entity's cybersecurity risk management. CRA Article 13 covers the product's design, development, and production. CRA Article 14 covers product vulnerability notifications — Article 14(8) of the CRA states that notifications shall be carried out in accordance with Article 22 of Directive (EU) 2022/2555.

4. Document each product
For each product with digital elements, CRACheck generates the Article 31 + Annex VII technical documentation, the risk assessment, the Declaration of Conformity, and the vulnerability handling documentation.

5. Coordinate incident reporting
Under NIS2, entity-level incidents are reported to the national CSIRT. Under the CRA, product-level vulnerabilities and incidents are reported to the CSIRT and ENISA via the single reporting platform (Article 16). The CRA Notification Template from CRACheck is structured for the CRA reporting channel.

Common mistakes

SCOPE

Assuming NIS2 compliance covers CRA obligations

NIS2 governs the entity's cybersecurity posture. The CRA governs the product's cybersecurity properties and documentation. An entity fully compliant with NIS2 Article 21 still needs to produce technical documentation under CRA Article 31 for each product it places on the EU market.

ART. 14 CRA

Reporting product vulnerabilities only through NIS2 channels

CRA Article 14 establishes a separate reporting obligation for product vulnerabilities — 24h early warning, 72h notification, 14-day final report — via the single reporting platform under Article 16. NIS2 incident reporting under Directive 2022/2555 Article 23 covers entity-level incidents. Both channels may apply simultaneously but they are distinct.

ART. 13 CRA

Treating CRA as a subset of NIS2 supply chain requirements

NIS2 Article 21(2)(d) requires entities to address supply chain security. The CRA imposes direct obligations on the manufacturer, not as a supply chain requirement of the buyer. Article 13 of the CRA is a standalone product-level obligation, not a delegation from NIS2.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Identifies the CRA category for each product. NIS2 entity status does not affect CRA product classification.

2. Technical Documentation
Art. 31 and Annex VII file — the product documentation that NIS2 does not produce.

3. Risk Assessment
CRA cybersecurity risk assessment per Article 13. Separate from NIS2 entity risk assessment under Article 21.

4. User Information
Annex II information sheet for the product.

5. Declaration of Conformity
EU Declaration per Article 28 and Annex V.

6. CVD Policy
Coordinated vulnerability disclosure policy per Annex I Part II point (5).

7. Notification Template
ENISA notification template per CRA Article 14. Structured for the CRA reporting channel, coordinated with NIS2 per Art. 14(8).

8. Obligations Calendar
CRA dates alongside NIS2 entity obligations for cross-reference.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE
Combined CRA + NIS2 compliance consultancy
€30,000–80,000 for entity + product assessment
6–12 months
Covers both frameworks but charges for both
Last regulatory check: 1 May 2026 · No substantive changes detected