As digital systems connect hospitals to homes, the European Union has built a three-layer cybersecurity framework that touches nearly every organisation and product. The NIS2 Directive, the Cyber Resilience Act (CRA), and data protection law work in parallel—sometimes overlapping, sometimes distinct. For engineers and compliance teams, understanding where these regimes apply is the first step toward efficient compliance planning. Confusion between them costs time and money. Getting scope right unlocks smart resource allocation.
This guide maps the landscape: what each regime covers, who must comply, when deadlines apply, and how to plan ahead.
What are NIS2, CRA, and GDPR really regulating?
Three separate regulatory pillars define EU cybersecurity. NIS2 governs organisations providing essential or important services (energy, healthcare, banking, digital infrastructure). CRA governs manufacturers and distributors of products with digital elements (software, devices, firmware). GDPR governs how personal data is processed across all sectors.
Together, they establish a “secure-by-design” approach: security embeds at the engineering stage and continues throughout the product or service lifecycle.
Who must comply with NIS2?
NIS2 applies to two categories: essential entities (large enterprises in critical sectors, plus all organisations providing critical infrastructure regardless of size) and important entities (medium-sized and large enterprises in designated sectors).
The directive covers 18 sectors split into two groups. Annex I includes energy, transport, banking, healthcare, digital infrastructure, and public administration. Annex II covers manufacturing, postal services, waste management, chemicals, food, and research.
Many organisations don’t realise they fall in scope. A manufacturer producing industrial controllers may be classified as an important entity. A software company offering cloud services is automatically in scope as a digital infrastructure provider. Small DNS providers are essential entities by default.
NIS2 size thresholds and scope triggers
Essential entities: 500+ employees or €250 million+ turnover, OR any organisation providing critical infrastructure services regardless of size.
Important entities: 50–499 employees or €10 million to €250 million turnover, AND operating in a designated sector (Annex I or II).
Non-compliance carries significant fines. Essential entities face administrative fines up to €10 million or 2% of global annual turnover. Important entities risk up to €7 million or 1.4% of turnover.
What products fall under the Cyber Resilience Act?
The CRA applies to any product with digital elements placed on the EU market. This includes software, firmware, hardware with embedded processors, connected consumer products, industrial control systems, and medical devices with digital components (with special treatment for MDR-regulated devices).
The scope covers both B2C and B2B products. If your product is sold commercially in the EU, CRA likely applies.
CRA timelines and product classification
CRA obligations begin December 12, 2027 for high-risk products and December 11, 2028 for others. All products with digital elements must comply with Annex I (basic requirements) or Annex II (enhanced, for critical products).
Key manufacturer obligations: cybersecurity risk assessment (similar to ISO 14971), vulnerability reporting within 24 hours, security updates throughout product lifetime, Software Bill of Materials documentation, and conformity assessment with CE marking.
Unlike NIS2, the CRA does not exempt small manufacturers. A startup selling IoT devices in the EU falls under CRA immediately upon market entry. For a comprehensive explainer of CRA mechanics, deadlines, and compliance routes, see the full Cyber Resilience Act guide.
How NIS2 and CRA interact in a single organisation
Many organisations face both regimes simultaneously. A manufacturer producing industrial equipment must comply with CRA (as a product maker) and NIS2 (as a potentially essential or important entity). A critical infrastructure operator running software systems must comply with NIS2 (organisational obligations) and CRA if it develops or integrates products.
Understanding the difference clarifies compliance scope: NIS2 is organisational (who you are); CRA is product-specific (what you make).
Three-regime comparison matrix
| Aspect | NIS2 | CRA | GDPR |
|---|---|---|---|
| Regulates | Organisations providing essential/important services | Products with digital elements on EU market | Personal data processing |
| Applies to | Service providers, network operators, infrastructure companies | Manufacturers, importers, distributors | Any organisation handling personal data |
| Scope trigger | Sector + employee/turnover threshold | Product type and intended use | Presence of personal data |
| Core focus | Organisational cybersecurity governance, incident response | Product design, vulnerability handling, security updates | Data subject rights, breach notification |
| Key obligation | Risk assessment, incident reporting (24h/72h/1m), CSIRT coordination | Risk assessment, SBOM, vulnerability reporting (24h), CE marking | Lawful processing, subject consent, breach notification (72h) |
| Penalty regime | €10M or 2% turnover (essential); €7M or 1.4% (important) | €15M or 2.5% turnover (high-risk); €10M or 2% (other) | €20M or 4% turnover (higher of two) |
What happens when a single incident triggers multiple reporting obligations?
Here’s where real complexity emerges. A ransomware attack on a hospital can trigger three parallel but distinct reporting timelines.
Under NIS2, the hospital submits an early warning to its national CSIRT within 24 hours. A detailed incident notification follows within 72 hours. A final report with root cause analysis is due within one month.
Under GDPR, if patient records are compromised, the hospital must notify the Data Protection Authority within 72 hours (measured from the same moment as NIS2, but going to a different authority).
Under CRA, if the attack exploited a vulnerability in medical device software, the manufacturer must report the actively exploited vulnerability within 24 hours.
The practical reporting collision
None of these deadlines is optional. The 24-hour NIS2 early warning may be preliminary; the 72-hour notification must be substantive. GDPR’s 72-hour window runs from the same start point but goes to a different body, so the two deadlines overlap.
Organisations caught in this bind often undercommunicate early because they lack complete information. NIS2 and GDPR permit supplementary reports after initial filing. Silence is not an option; incomplete reporting beats no reporting. Many compliance failures stem from teams waiting for certainty instead of escalating what they know.
How supply chain security flows through both regimes
Both NIS2 and CRA demand supply chain oversight, but approach it differently.
NIS2 requires essential and important entities to assess suppliers’ cybersecurity and incident reporting capabilities. You inherit responsibility for supplier security posture.
CRA requires manufacturers to document all components, open-source libraries, and third-party services. You must know what you ship.
In practice, a company manufacturing industrial equipment faces both obligations. It must verify that microcontroller suppliers don’t introduce vulnerable firmware and document that firmware in its SBOM. If the microcontroller vendor ships a patch, the equipment manufacturer must evaluate, test, and deliver an update to customers.
This creates pressure downstream. Vendors report that customers increasingly demand CRA evidence or NIS2-ready supply chain documentation before contracts are signed. Compliance becomes a procurement requirement.
Where data protection law fits into the cybersecurity picture
GDPR and ePrivacy Directive requirements don’t disappear under NIS2 and CRA. They operate in parallel.
GDPR requires Data Protection Impact Assessments for high-risk processing, documentation of security measures, notification to authorities within 72 hours of a personal data breach, and notification to affected individuals if the breach poses high risk.
CRA and GDPR interact at product design: if a product processes personal data, its cybersecurity risk assessment must integrate data protection considerations. Manufacturers cannot ignore privacy in security design.
NIS2 and GDPR interact at incident response: organisations subject to both must maintain parallel incident reporting. A significant NIS2 incident that also breaches personal data requires two distinct notifications within overlapping timelines.
The result: compliance teams think in layers. GDPR baseline applies everywhere. NIS2 adds organisational obligations. CRA adds product design obligations. Together, they form a comprehensive framework touching design, operations, and incident response.
How should manufacturers and operators prepare for 2026–2027?
For manufacturers:
- Classify products under CRA Annex I or Annex II
- Perform cybersecurity risk assessment for each product family
- Compile or generate a Software Bill of Materials
- Define vulnerability handling and update procedures
- Plan CE marking and notified body engagement (high-risk products)
- Document technical file evidence for conformity assessment
For service providers and infrastructure operators:
- Determine whether you are an essential or important entity under NIS2
- Perform organisational-level cybersecurity risk assessment
- Document incident response procedures and CSIRT reporting contacts
- Audit supply chains and map critical suppliers’ security posture
- Designate senior management accountability for cybersecurity
- Design incident reporting workflow to handle NIS2 and GDPR timelines in parallel
For both:
- Integrate data protection considerations into cybersecurity planning
- Engage notified bodies early if products or services are high-risk
- Build incident response teams with security, legal, and communications members
- Test incident reporting procedures before a real breach occurs
Frequently Asked Questions
Does the Cyber Resilience Act apply to industrial machinery?
Yes, if the machinery includes digital elements (embedded processors, firmware, network connectivity). Non-networked machinery under the Machinery Directive may escape CRA, but connected systems fall under CRA from December 2027. Industrial machinery manufacturers should assess their product portfolio now.
Can a company comply with both NIS2 and CRA at the same time?
Yes, and many must. A manufacturer that also operates critical infrastructure, or a cloud provider that ships hardened operating systems, falls under both. Regulations complement each other: NIS2 governs the organisation, CRA governs the product. Shared processes (risk assessment, vulnerability handling) reduce duplication.
What’s the difference between NIS2 incident reporting and GDPR breach notification?
NIS2 triggers on a “significant incident” affecting network and information systems; GDPR triggers on a “personal data breach.” The same incident can trigger both. NIS2 reporting goes to your national CSIRT; GDPR goes to your Data Protection Authority. Both must occur within 72 hours (NIS2 early warning is 24 hours).
Do medical device manufacturers have to comply with the Cyber Resilience Act?
Medical devices regulated under MDR and IVDR are explicitly exempt from CRA product requirements. However, if you operate an essential or important service using those devices, NIS2 applies. Additionally, future updates to medical device standards will likely incorporate CRA-equivalent cybersecurity requirements.
What happens if we miss an incident reporting deadline?
Missing NIS2 early warnings or GDPR breach notifications is a serious breach. Authorities investigate and may impose significant fines. Board members can face personal liability. Report what you know within the deadline, even if incomplete, and supplement with additional findings afterward.
Conclusion
The EU’s three-pillar framework—NIS2, CRA, and GDPR—creates a comprehensive but complex landscape. NIS2 and CRA don’t compete; they complete each other. NIS2 ensures organisations managing critical services prioritise cybersecurity governance. CRA ensures products are designed and maintained securely. GDPR ensures personal data remains protected throughout.
For engineers and compliance managers, design early, document thoroughly, and integrate incident response across all three regimes. CRA deadlines begin December 2027. NIS2 enforcement is underway. Start planning now. For curated CRA articles and compliance resources, visit the Cyber Resilience Act Compliance Hub.