The entry into force of the Cyber Resilience Act (CRA) means that almost no electronic product can be developed without taking cybersecurity into account, even if it has no direct connection to the internet. Many requirements that previously applied only to critical infrastructures (NIS-2: Network and Information Systems Directive 2022/2555) now affect most electronic products.
What does this mean for you? We have compiled information here on various aspects of CRA and NIS-2:
Please feel free to contact Alois Cavelti if you have any further questions!
The fundamental difference is the scope: CRA applies to products with digital elements, while NIS-2 applies to organizations that operate critical infrastructure and their services. Therefore, CRA is more of a technical regulation, while NIS-2 is more of an organizational one.
Legal enforcement also differs: while the CRA is directly applicable throughout the EU, NIS-2 has been, or will be, transposed into national law by each member state.
In principle, devices for markets regulated by NIS-2 can be developed in a similar or identical manner as for the CRA. This is particularly true given the continuing lack of harmonized standards.
The CRA focuses on the security of the product itself in order to minimize the risk of cyberattacks. The GDPR (General Data Protection Regulation) focuses on the protection of personal data processed by these products.
A product secured by the CRA is a powerful technical lever for meeting the requirements of the GDPR.
The DIN EN 40000 series is a set of technical standards developed to be harmonized with the CRA. They are intended to serve as "horizontal" standards, i.e., to provide general requirements for various products to meet the CRA. This is in contrast to "vertical" standards, which apply to specific product groups (e.g. toys, routers).
Currently, the following standards exist as drafts (prEN):
The standards are structured in a very practical manner, listing the required input information, the requirements for the process, its output, and the criteria for evaluating these results.
ETSI EN 303 645 is a technical standard that is intended to translate the cybersecurity component of the RED (Radio Equipment Directive) and/or the CSA (Cybersecurity Act) into clear technical and procedural requirements. The same could also apply to the CRA.
However, since ETSI EN 303 645 is not harmonized with any of these regulations, compliance with the standard does not imply a "presumption of conformity".
IEC 62443 is a series of standards for the cybersecurity of industrial automation and control systems. Within this product category, at least some of the standards are also "horizontal" in nature, meaning they are applicable to many or all products. These include, in particular:
For each of these, CENELEC (European Committee for Electrotechnical Standardization) has written a supplementary standard (EN IEC 62443-4-1:2018/prAA:2026 and EN IEC 62443-4-2:2019/prAA:2026, respectively) intended to make the IEC standards harmonizable with the CRA. This makes them very tedious to read, as the original standard must always be consulted alongside the supplement.
The EU Commission can designate standards in the Official Journal as "harmonized" with certain regulations. If a product meets the requirements of the (harmonized) standard, the regulatory authority assumes that the corresponding legal requirements ("essential requirements") of the relevant regulation are also met; this is the presumption of conformity. Clear standards thus make CE marking considerably easier.

is Dipl. Elektroingenieur FH, co-founder, deputy managing director and software developer. He is a specialist for architectures and software in C, C++ and C#. He is committed to maintainable architecture, security and clean code. For this he likes to look beyond the "embedded" edge of his nose into other areas of software development. He is interested in overall systems of any kind and their interrelationships. Alois manages a 5'000 m² biodiversity island and brings nature, horses and humans into harmony. He loves good (movie) stories and good food.

is Dipl. Ing./BSc ZFH in Informatik and develops software ranging from sensors to the cloud. His professional career is characterized by a deep curiosity for innovation and everything new in the digital world. To balance his everyday work with technology, he keeps fit and active by participating in a wide range of sports.