The Cyber Resilience Act (CRA) is the first regulation of its kind globally, making product cyber security mandatory. Unlike the NIS2 Directive, which needs to be translated into national law at the member state level (a lengthy process currently delayed in most states), the CRA is EU legislation and directly applicable in all member states.
On 10 October 2024, the EU adopted a new law, the Cyber Resilience Act (CRA). The CRA entered into force in 2024 and will apply in 2027 to all products with digital elements - meaning lots of products.
As with many other regulations, the CRA focuses on systematic and risk-based cyber security — in other words, a more proactive approach to avoiding incidents.
Here are some of the CRA's requirements:
Secure product design and development
- Security by design
Organizations must ensure that security is integrated into the entire product lifecycle — from design to development, deployment, and beyond. This includes identifying potential security threats during the design phase and building mitigation strategies.
- Risk-based security
The security measures implemented should be proportionate to the risk posed by the product. Organizations should assess the impact of vulnerabilities based on potential harm to users, businesses, or critical infrastructures.
- Minimal exposure to vulnerabilities
Manufacturers must reduce unnecessary data exposure and ensure that products are not unnecessarily open to security flaws. The CRA encourages limiting the attack surface of connected products.
Security patching and maintenance
- Vulnerability management
Organizations are required to have mechanisms for identifying, assessing, and fixing vulnerabilities in their products. This includes releasing security patches and updates.
- Timely updates
Manufacturers must provide security updates for a specific duration after the product’s release, and these updates should be deployed promptly to address critical vulnerabilities.
- Notification of vulnerabilities
If a critical vulnerability is discovered, organizations must notify their users and provide guidance or updates to fix the issue. They may also need to inform the European Union Agency for Cybersecurity (ENISA) of critical vulnerabilities.
Read more on the European Council web page:
Council adopts new law on security requirements for digital products
What is the difference between the CRA and NIS/NIS2?
In brief, the Cyber Resilience Act (CRA) and the NIS2 Directive differ primarily in their focus and scope:
- CRA
The CRA focuses on the cyber security of products with digital components, such as software and hardware. It ensures that products sold in the EU are secure throughout their lifecycle, with requirements for secure design, regular updates, and vulnerability management. It primarily targets manufacturers, developers, and distributors of digital products.
- NIS/NIS2
NIS and NIS2 focus on the cyber security of critical infrastructure and essential services, such as energy, healthcare, and transportation. They mandate stronger security practices, incident reporting, and risk management for organizations providing essential services.
In short, the CRA deals with product security, while NIS2 concerns the security of critical sectors and services.
We support CRA compliance
Does CRA compliance sound challenging? Contact us and we'll help you take steps toward CRA compliance with Next-Gen Vulnerability Management.
Stefan Thelberg
Founder and CEO of Holm Security. Stefan is one of Sweden's most prominent cyber security entrepreneurs. With nearly 25 years of experience, he is a seasoned professional.