DigitalXRAID

Understand How NIS2 and CRA EU Cyber Rules Are Reshaping Cyber Compliance

The European Union (EU) has introduced two significant updates to its cyber regulation landscape – the NIS2 Directive and the Cyber Resilience Act.

Together they represent one of the most ambitious attempts to strengthen cyber resilience across Europe.

Both frameworks were developed in direct response to the rapid growth of global cyber threats and the significant rise in supply chain attacks we’ve seen in the media over the last couple of years.

The EU wants to reduce systemic risk and create a more secure environment for digital services, connected devices and software products. But how much understanding do you have about these new regulations, what they mean, and how they affect your business – particularly if you’re based in the UK?

In this guide we’re discussing what these frameworks cover, how they affect UK organisations and what you need to do to prepare. You’ll also get insights into where these frameworks overlap and how existing standards such as ISO 27001 and NIST can support your compliance journey. Read on for clear and practical guidance, so you’re ready for the regulatory changes coming in 2025 and beyond.

Key Takeaways

  • The NIS2 Directive strengthens organisational cyber resilience across the EU and affects many UK businesses that provide digital services or operate in EU markets.
  • The Cyber Resilience Act (CRA) introduces mandatory security requirements for software, hardware and connected products placed on the EU market.
  • NIS2 focuses on governance, risk management, incident reporting and supply chain controls, while the CRA focuses on secure by design product development and vulnerability handling.
  • Many UK organisations will need to comply with both frameworks, especially SaaS vendors, manufacturers and service providers with EU customers.
  • ISO 27001 and NIST CSF provide a strong foundation for NIS2 and CRA alignment but additional legal and product specific requirements still apply.
  • Early preparation is essential because both frameworks introduce new accountability, documentation and reporting expectations that take time to implement.


Why the EU’s NIS2 and Cyber Resilience Act Matter

Even though the UK is no longer part of the EU, many UK organisations still fall within the scope of the EU’s cyber regulations.

If you provide services in the EU, or place digital products on the EU market, you may need to comply. These rules will reshape expectations for UK IT Directors, CISOs and Compliance Leads who want to maintain market access, and meet the growing demands of customers and regulators.

A New Wave of EU Cyber Governance

The EU is strengthening its approach to digital security in response to cyber incidents becoming more disruptive and more widespread. Attacks on critical infrastructure, software supply chains and consumer products have significantly increased, which has implications for the stability of EU countries as well as the wider economy.

Even after Brexit, UK organisations can’t ignore NIS2 or the Cyber Resilience Act. If you operate in the EU, provide digital infrastructure, act as a managed service provider (MSP) or supply connected products, you may still be in scope.

Many UK businesses will fall under one or both sets of rules, depending on their sector and product lines. And these frameworks introduce new obligations and wider accountability that you need to be aware of, including stricter reporting timelines, stronger risk management expectations and new documentation requirements.

What’s Changing for You in 2025 and Beyond

The new rules significantly expand the number of sectors and organisations that must meet EU cyber standards. Expectations for product security are rising and the focus on secure by design development is increasing.

Leadership teams will have clearer responsibilities for oversight and accountability. They will need to demonstrate active involvement in cyber risk decisions.

There’s also more pressure on organisations to detect and report incidents quickly. This creates new operational challenges for IT and security teams that need to prepare for compliance now.

NIS2 and the Cyber Resilience Act Explained

What is NIS2?

NIS2 is the second version of the Network and Information Security Directive (NIS). It replaces the original NIS Directive and introduces more consistent and stricter cyber requirements for essential and important service providers.

NIS2 focuses on organisational cyber resilience. It includes expectations for governance, supply chain security, incident response management and operational monitoring.

Who NIS2 Applies to

NIS2 applies to two categories of entities:

  • Essential entities, which include sectors such as energy, transport, banking, healthcare and digital infrastructure.
  • Important entities, which include a wider group of organisations such as manufacturing, food supply, postal and courier services and a number of digital service providers.

For UK organisations, NIS2 applies if you operate in the EU or provide services that fall under an EU Member State’s version of the directive. This includes managed service providers, cloud providers, SaaS platforms and critical infrastructure operators. Many mid-sized organisations that were not previously regulated will now fall into scope.

What NIS2 Requires

NIS2 expects organisations to demonstrate that they can manage cyber risks effectively and maintain continuity of service. You will need to introduce clear governance structures and show that your leadership team understands and oversees cyber risk.

Core requirements include cyber risk management, asset management, access control, system hardening and operational monitoring. You will need effective incident detection processes and the ability to respond quickly. NIS2 also introduces stricter reporting timelines. You may need to submit an early incident notification within 24 hours and follow up with detailed reports.

Supply chain security is a major focus. You will need stronger checks on your third party suppliers and to ensure they meet appropriate security standards.

Business continuity and incident recovery must be documented and tested regularly. NIS2 also requires you to maintain clear logs and monitoring capabilities so incidents can be identified and contained early.

NIS2 Enforcement and Deadlines

EU Member States were required to transpose NIS2 into national law by autumn 2024. Enforcement will increase throughout 2025, as regulators introduce their national requirements. You should expect more regulator engagement, formal registration steps and the possibility of audits.

UK businesses that operate in the EU will also need to assess which national versions of NIS2 apply to them and adjust their compliance programmes accordingly.


What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act introduces mandatory security requirements for products with digital elements. These include software, connected devices, embedded systems and many types of consumer and industrial equipment. The aim is to ensure all products entering the EU market follow secure by design principles and include transparent vulnerability disclosure and update processes.

Who the CRA Applies to

The CRA applies to manufacturers, developers, importers and distributors of products with digital elements. If you produce software or hardware that is sold in the EU, you must comply. This affects UK manufacturers and SaaS providers who ship products into EU markets.

This includes consumer devices, enterprise software, IoT equipment, medical technology, industrial systems and other connected products. Even if your organisation is based in the UK, the moment you place your digital product on the EU market you must meet CRA requirements.

Core CRA Requirements

The CRA requires secure by design and secure by default development. This means embedding security into the product lifecycle from initial design through to release and support. You must identify vulnerabilities, address them quickly and communicate transparently with users.

Manufacturers must provide security updates and document the expected support period. Technical documentation must be produced for each product so regulators can assess compliance. Some types of software and hardware are classified as high criticality products and must follow more rigorous assessment routes.

The CRA significantly raises expectations for vulnerability management. You must monitor for issues, accept coordinated vulnerability disclosures and respond within reasonable timelines.

CRA Timeline and Enforcement

The CRA entered into force in late 2024 but the main requirements will apply from 2027 onwards, with some elements applying earlier. This gives you time to update your development processes and documentation. However, given the scale of required changes, preparation needs to begin now.


NIS2 vs CRA: How the Two Frameworks Overlap and Where They Diverge

NIS2 and the CRA work together to strengthen cyber resilience across Europe. Although they focus on different parts of the digital ecosystem, they share common principles and often rely on similar controls.

Both frameworks require improved governance, stronger risk management and transparent processes. They also support coordinated incident and vulnerability reporting. For many UK organisations that provide services and digital products, the two frameworks will apply at the same time.

Organisation vs Product Security

NIS2 focuses on organisational resilience. It targets how you manage cyber risks, monitor systems, respond to incidents and govern your security programme. It applies to how you operate.

The Cyber Resilience Act focuses on product security. It applies to what you build and sell. It requires secure by design development, lifecycle documentation and clear vulnerability handling.

Shared Themes and Obligations

Both frameworks require formal risk management. You must demonstrate that you identify and assess risks, prioritise mitigation measures, and maintain clear oversight.

Both frameworks expect mature vulnerability management. You need to identify issues quickly, remediate them, and notify users or regulators where necessary.

Both frameworks introduce reporting requirements. NIS2 expects rapid incident reporting to authorities. The CRA expects reporting of exploited vulnerabilities or security incidents that affect your products.

Supply chain security is another shared focus. Both frameworks expect organisations to evaluate and manage supplier risks.

State of the art requirements appear in both frameworks. This means you must apply modern security practices that reflect the current threat environment.

Where the Two Create Tension for IT and Engineering Teams

Security and engineering teams will need to collaborate more closely under these new regulations. NIS2 pushes for stronger detection and organisational risk management. The CRA pushes for secure product development and vulnerability handling.

This creates shared responsibilities where evidence for both frameworks needs to be aligned. If you need to adhere to both framework rules, you must start to create governance structures that support collaboration between your product teams, IT teams and compliance functions now.

How NIS2 and CRA Map to ISO 27001, NIST CSF and Other Frameworks

Many organisations already follow established standards and frameworks to manage cyber security risk. ISO 27001, NIST CSF, SOC 2 and IEC 62443 provide strong foundations that can support NIS2 and CRA compliance.

If You Are ISO 27001 Certified, How Much Are You Already Covered?

ISO 27001 aligns closely with many NIS2 requirements. It supports risk management, asset management, access controls, incident management and business continuity. Organisations with a mature ISMS will already have many of the controls NIS2 expects.

ISO 27001 certification also supports CRA compliance through its secure development, vulnerability management and supplier oversight controls. However, it does not cover product level documentation, CE marking or legal reporting requirements. These will need to be added to your compliance programme.

How NIST CSF, SOC 2 and IEC 62443 Fit into the Picture

NIST CSF is widely used by technology and managed service providers. It aligns well with organisational requirements under NIS2 and provides a flexible framework for improving cyber resilience.

SOC 2 focuses on service provider controls and can support some NIS2 obligations. It is useful for demonstrating trust in digital services but does not replace the legal components of NIS2.

IEC 62443 is highly relevant to industrial product manufacturers. It provides detailed technical guidance for securing industrial control systems and software. It can support CRA product security requirements for industrial equipment.

Opportunities for Streamlined Compliance

If your organisation already follows one or more frameworks, you can combine them to meet NIS2 and CRA obligations. Many controls overlap, particularly in the areas of risk management, vulnerability handling and incident response.

Evidence reuse is a major opportunity. Risk assessments, supplier reviews, secure development records and incident logs can be used across multiple frameworks. A unified compliance approach will reduce your costs, speed up audits and simplify documentation.


How to Prepare for NIS2 and the CRA: A Practical Readiness Checklist

Many of the changes introduced by NIS2 and the CRA require new processes or updates to existing ones. This section provides a practical checklist to help you prepare.

Step 1: Confirm Whether You’re in Scope

Start by determining whether NIS2 applies to your organisation. Review your sector, services and operational footprint in the EU. You may need legal support to understand Member State requirements.

For the CRA, review which of your software or hardware products enter the EU market. This includes both commercial and consumer products.

Step 2: Gap Assess Your Existing Controls

Compare your current risk management and operational processes against NIS2 expectations. If you are ISO 27001 aligned, you can use your ISMS as a reference.

For the CRA, assess your secure development processes. Review your secure coding practices, vulnerability management and lifecycle documentation. Identify gaps against CRA product requirements.

Step 3: Strengthen Governance and Accountability

Assign clear responsibility for NIS2 and CRA compliance. Your leadership team must demonstrate active oversight for full compliance.

Update your policies to reflect new expectations and ensure that governance structures are documented.

Step 4: Build or Enhance Your Incident and Vulnerability Processes

Review your incident management processes and introduce more formal reporting pathways. Ensure that you can identify, escalate and report incidents within the required timelines.

Strengthen your vulnerability handling processes. This includes monitoring, triage, remediation and communication. Consider improvements to your Security Operations Centre (SOC) or Security Information and Event Management (SIEM) monitoring capabilities.

Understand the difference between a SOC and a SIEM: the SOC is the team and process that monitors, triages and responds, while the SIEM is the tooling that collects and correlates the logs they work from.

Step 5: Get Ahead on Product Specific CRA Documentation

Start preparing documentation for each product. Develop lifecycle security documentation, maintain a software bill of materials and ensure that design decisions are transparent. Build evidence of threat modelling and secure development practices.

Step 6: Review Your Supply Chain Risks

Update your supplier due diligence processes. Review contracts and add security expectations where required. Ensure that your third party products and services meet appropriate standards.

Step 7: Establish a Unified Compliance Roadmap

Create a rolling 12-24 month plan. Align your organisational and product teams so that documentation and evidence collection are coordinated. This will help you to meet NIS2 and CRA deadlines efficiently.


Choosing a Partner to Support NIS2 and CRA Compliance

The regulatory landscape is becoming more complex. Many organisations will need specialist support to meet these new requirements.

What You Should Look for in a Partner

Choose a partner with experience in ISO 27001, NIS2, the Cyber Resilience Act and product security. They should offer CREST and CHECK accredited penetration testing to comply with regulation requirements, and offer CREST and NCSC accredited SOC services for 24/7 monitoring.

How DigitalXRAID Can Help

DigitalXRAID provides compliance consultancy and NIS2 readiness assessments, secure development testing and product and coding security reviews.

Our managed SOC service provides state of the art 24/7/365 monitoring and detection.

We also support framework gap analysis, swift time to compliance, and provide compliance roadmaps that will help you to align with both NIS2 and CRA expectations.

Speak to our compliance specialists to assess your position under NIS2 and the Cyber Resilience Act.

Final Thoughts: NIS2 and CRA Compliance

The NIS2 Directive and the Cyber Resilience Act represent a major shift in how organisations and products are assessed for cyber security. Early preparation will reduce your risk, costs and operational disruption.

These frameworks signal a wider global movement towards higher standards for organisational resilience and secure by design products. Aligning IT, engineering and compliance teams now will put your organisation in a strong position for the future.

If you would like help preparing for NIS2 or the Cyber Resilience Act, contact the DigitalXRAID team.


FAQs About NIS2 and the CRA

Are UK companies affected by NIS2?

Yes. UK companies that operate in the EU or provide services covered by NIS2 may fall into scope.

What products fall under the Cyber Resilience Act?

Any product with digital elements that is placed on the EU market. This includes software, connected devices and embedded systems.

What does secure by design mean under the CRA?

It means security must be built into the product from the start, including controls, testing and vulnerability handling.

Do ISO 27001 controls satisfy NIS2 requirements?

ISO 27001 covers many technical and organisational controls but does not replace the legal and reporting requirements of NIS2.

What is the difference between NIS2 incident reporting and CRA reporting?

NIS2 focuses on significant incidents affecting services. The CRA focuses on vulnerabilities and incidents involving products placed on the EU market.

Who needs to comply with both NIS2 and the Cyber Resilience Act?

You may need to comply with both frameworks if you provide essential or important digital services and also sell products with digital elements in the EU. This applies to many SaaS vendors, manufacturers and technology service providers.

When do NIS2 and the Cyber Resilience Act come into force?

NIS2 is being enforced through national laws from 2024 and 2025. The Cyber Resilience Act is already in force, with most product requirements applying from 2027.

Does NIS2 apply to managed service providers?

Yes. Managed service providers and managed security service providers fall into scope under NIS2 if they operate in the EU or support EU customers.

How does the CRA affect software only companies?

The CRA applies to software, not just physical devices. If you sell or supply software into the EU, you must meet secure development, vulnerability handling and lifecycle documentation requirements.
