The EU is responding to increasing cyber threats with two new laws that make companies and manufacturers more responsible. However, while they both have the same goal – a more secure digital world – they are aimed at different areas.

NIS-2 (Network and Information Security Directive 2)

The revised NIS-2 directive is aimed at companies and organisations that provide critical or important services. These include energy suppliers, banks, transport and healthcare companies, as well as manufacturers of goods (e.g. chemicals, mechanical engineering) and their suppliers.

As an EU directive, NIS-2 must be transposed into national law. For Germany, this is not expected before November 2025.

➡️ Companies must actively manage cyber risks and implement robust security measures. The focus is on infrastructure and services (including SaaS).

➡️ Obligation to report cyber incidents: Affected organisations must report security incidents to the authorities in a timely manner.

➡️ Extended scope: Significantly more sectors and companies are covered by the directive than before.

➡️ High penalties: Companies that do not comply with the requirements (which are graded according to the importance and size of the organisation) can expect to face severe fines.

Cyber Resilience Act (CRA)

While NIS-2 focuses on the security of companies, the Cyber Resilience Act goes one step further: It starts with the products themselves.

As an EU Act, the CRA applies directly and does not need to be transposed into national law. Reporting of vulnerabilities and security incidents will be mandatory from September 2026, and compliance with all requirements will be mandatory from December 2027.

➡️ Applies to manufacturers of hardware and software products with digital elements – from IoT devices to operating systems and cloud services.

➡️ Cybersecurity by design: products must be equipped with security measures from the outset.

➡️ Clear requirements for updates & support: Manufacturers must fix security vulnerabilities throughout the entire product life cycle.

➡️ Mandatory CE marking for digital products that fulfil EU security standards.

Why are both regulations so important?

While NIS-2 tightens cyber security measures in companies and organisations, the Cyber Resilience Act ensures that digital products meet the highest security standards from the development stage onwards.

To summarize:

📌 NIS-2 = Stronger cyber security for companies & critical infrastructures

📌 Cyber Resilience Act = Secure digital products right from the start

We will be happy to show you what this means for your company and how you can navigate safely through the new EU requirements.

Hildegard von Waldenfels, Cyber Security Expert and Senior Sales Manager at citema, will be happy to advise you!