Compliance · 7 min read

When CRA Meets NIS 2: Navigating the Overlap Between Product Security and Network Security

ShieldBase Team

Compliance Research · 7 March 2026

On 3 March 2026, the European Commission published draft guidance to help companies apply the Cyber Resilience Act (CRA) — the EU regulation that mandates cybersecurity requirements for products with digital elements. If you've been focused exclusively on NIS 2 compliance, it's time to understand where these two frameworks intersect.

CRA vs. NIS 2: Different Scope, Same Direction

NIS 2 and the CRA address cybersecurity from different angles:

  • NIS 2 regulates organizations — their risk management, incident reporting, and governance across 18 critical sectors.
  • The CRA regulates products — hardware and software with digital elements must meet security requirements before being placed on the EU market.

For many SMBs, the scope is clear: you're a NIS 2 entity using digital products. But if your organization develops software, manufactures IoT devices, or sells digital services, you may fall under both frameworks simultaneously.

Where the Overlap Occurs

Three areas create practical overlap:

  1. Vulnerability management. NIS 2 requires organizations to handle vulnerabilities in their network and information systems. The CRA requires manufacturers to provide security updates for the supported lifetime of their products. If you build and deploy your own software, both obligations apply.
  2. Supply chain security. NIS 2 Article 21(2)(d) requires supply chain risk management. The CRA requires manufacturers to assess the security of third-party components (including open-source libraries). If you procure software from a CRA-regulated vendor, their compliance strengthens your NIS 2 supply chain posture.
  3. Incident reporting. NIS 2 mandates incident reporting to your national competent authority (NCA). The CRA mandates that manufacturers report actively exploited vulnerabilities and severe incidents to ENISA. These are different reporting channels, but the same event can trigger both.

The January 2026 Simplification Push

The Commission's January 2026 cybersecurity package explicitly acknowledges the overlap problem. The targeted NIS 2 amendments aim to align risk-management measures so that compliance with one framework contributes to the other. ENISA — which became a Root in the CVE Program in November 2025 — is also positioning itself as a central coordination point for vulnerability reporting across both NIS 2 and CRA channels.

What This Means for Your Compliance Program

If you're an SMB that primarily uses digital products (rather than manufacturing them), the CRA mostly works in your favor:

  • Better products. The CRA pushes manufacturers to ship more secure products and provide ongoing updates. This reduces your exposure as a NIS 2 entity.
  • Supplier due diligence gets easier. CRA compliance by your vendors is a strong signal for your NIS 2 supply chain assessments. Ask vendors whether they're CRA-ready.
  • SBOMs become standard. ENISA's December 2025 call for feedback on Software Bill of Materials (SBOM) analysis signals that transparency about software components will become expected practice. This helps you assess what's in the products you depend on.

If You Also Build Products

For organizations that develop software or connected products alongside their NIS 2 obligations:

  • Map your obligations side by side. Identify where NIS 2 risk management and CRA product security requirements overlap. Use a single evidence base where possible.
  • Coordinate vulnerability management. Establish one process for identifying, patching, and disclosing vulnerabilities — then route notifications appropriately (NCA for NIS 2, ENISA for CRA).
  • Design for compliance from the start. The CRA requires "security by design." If you're already building internal software, applying this principle now avoids retrofitting later.

Looking Ahead

The convergence of NIS 2 and the CRA is intentional. The Commission's vision is a coherent cybersecurity framework where organizational security (NIS 2), product security (CRA), and institutional capacity (revised Cybersecurity Act) reinforce each other. For SMBs, the practical implication is straightforward: start with NIS 2 risk management, use the CRA to strengthen your procurement requirements, and keep an eye on the simplification package for further alignment.