
Cyber Regulation: CRA and NIS

What Exactly Do I Have to Do? What Are the Standards? What Do I Have to Bear in Mind?


The entry into force of the Cyber Resilience Act (CRA) means that almost no electronic product can be developed without taking cybersecurity into account, that is, without a dam against the internet. Many requirements that previously applied only to critical infrastructure (NIS-2: Network and Information Systems Directive 2022/2555) now affect most electronic products.

What does this mean for you? We have compiled information here on various aspects of CRA and NIS-2:

  • Questions concerning both CRA and NIS-2 can be found at the bottom of this page
  • General questions about CRA can be found on the general CRA page
  • Questions that are mainly of interest to developers can be found on the developer CRA page

Please feel free to contact me if you have any further questions!

What are the Differences between CRA and NIS-2?

Legal differences

The fundamental difference is the scope: CRA applies to products with digital elements, while NIS-2 applies to organizations that operate critical infrastructure and their services. Therefore, CRA is more of a technical regulation, while NIS-2 is more of an organizational one.

Legal enforcement also differs: while CRA is directly applicable throughout the EU, NIS-2 has been or will be transposed into national law by all member states.

Differences in implementation for product development

In principle, devices for markets regulated by NIS-2 can be developed in a manner similar or identical to that used for CRA. This is particularly true given the continuing lack of harmonized standards.

 

Author: Alois Cavelti

Do you have additional questions? Do you have a different opinion? If so, email me or comment your thoughts below!
