
Cyber Regulation: CRA and NIS

What Exactly Do I Have to Do? What Are the Standards? What Do I Have to Bear in Mind?


Since the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) entered into force, practically no electronic product with a direct or indirect data connection to a network can be developed without addressing cybersecurity. Many obligations that previously applied only to critical infrastructure (NIS-2, the Network and Information Systems Directive (EU) 2022/2555) now affect most electronic products.

What does this mean for you? We have compiled information here on various aspects of CRA and NIS-2:

  • Questions concerning both CRA and NIS-2 can be found at the bottom of this page
  • General questions about CRA can be found on the general CRA page
  • Questions that are mainly of interest to developers can be found on the developer CRA page

Please feel free to contact Alois Cavelti if you have any further questions!

What are the Differences between CRA and NIS-2?

Legal differences

The fundamental difference is the scope: the CRA applies to products with digital elements placed on the EU market, while NIS-2 applies to organizations (the "essential" and "important" entities in the sectors listed in the directive) and the services they operate. The CRA is therefore mainly a technical, product-level regulation, while NIS-2 is mainly an organizational one: it requires risk management, incident reporting and supply-chain measures from the operator, not a particular design of the products it buys.

Legal enforcement also differs: the CRA is a regulation and therefore directly applicable in every member state, whereas NIS-2 is a directive that has been, or still has to be, transposed into national law by each member state. The concrete obligations and the supervising authority under NIS-2 can therefore differ from country to country.

Differences in implementation for product development

Products intended for operators regulated under NIS-2 can in principle be developed in the same way as products that have to meet the CRA, since NIS-2 itself contains no product-specific technical requirements; NIS-2 operators pass their security needs on to suppliers through procurement requirements, and a CRA-conformant product with its vulnerability handling process and security documentation is what such a customer will normally ask for. This holds all the more while harmonized standards for the CRA are still missing.

How do CRA and GDPR Work Together?

The CRA focuses on the security of the product itself in order to reduce the risk of cyberattacks. The GDPR (General Data Protection Regulation) focuses on the protection of personal data processed by these products, regardless of whether the product itself is secure.

The two are complementary: the GDPR requires "appropriate technical and organisational measures" for the security of processing (Art. 32) and data protection by design and by default (Art. 25), but does not say which measures. A product developed to the CRA's essential requirements (secure defaults, protection of data in transit and at rest, access control, security updates) therefore supplies much of the technical groundwork for GDPR compliance. It does not replace the organizational side of the GDPR, such as the legal basis for processing, data minimization and the handling of data subject rights.

How do CRA and EN 303 645 Work Together?

ETSI EN 303 645 ("Cyber Security for Consumer Internet of Things: Baseline Requirements") is a technical standard that sets out concrete technical and procedural requirements for consumer IoT devices: no universal default passwords, a vulnerability disclosure policy, software updates, secure storage of credentials, and so on. It is often cited in connection with the cybersecurity requirements of the RED (Radio Equipment Directive) and the CSA (Cybersecurity Act), and it could in principle play a similar role for the CRA.

However, ETSI EN 303 645 has not been harmonized under any of these regulations (for the RED cybersecurity requirements, the harmonized standards are the EN 18031 series), so compliance with the standard gives no presumption of conformity. It is useful as a checklist for the state of the art, but the conformity assessment still has to be argued against the essential requirements of the regulation itself.

What is "Presumption of Conformity"?

The EU Commission can publish references to standards in the Official Journal of the EU, making them "harmonized" standards for a particular regulation. If a product meets the requirements of such a harmonized standard, it is legally presumed that the corresponding legal requirements ("essential requirements") of the regulation are also met; this is the presumption of conformity. Market surveillance authorities must accept it unless they can show that the product does not, in fact, meet the essential requirements. Clear harmonized standards thus make CE marking considerably easier. Where no harmonized standard exists yet, as is currently the case for the CRA, the manufacturer has to demonstrate conformity with the essential requirements directly, for example by documenting which measures address which requirement, and, depending on the product class, may need a third-party conformity assessment.


Author: Alois Cavelti

Do you have additional questions? Do you have a different opinion? If so, email me or comment your thoughts below!
