19.05.2026

CyberSec Update #20 – CRA and NIS2 in Cybersecurity

CRA and NIS2: Two Pillars of Cyber Resilience That Will Reshape Relationships with Technology Suppliers

Cybersecurity is no longer solely a matter of internal procedures. The EU Cyber Resilience Act (CRA) and the NIS2 Directive shift responsibility towards digital products and the technology suppliers on which organisations rely.

NIS2 and CRA – Different Focus Areas, a Shared Objective

NIS2 focuses on the resilience of essential and important entities, covering risk management, supply chain security and incident reporting. CRA goes one step earlier, addressing products with digital elements, including software, devices, network components and IoT solutions.

In practice, this means that organisations covered by NIS2 should not treat CRA as a regulation applicable only to manufacturers. CRA will have a direct impact on IT procurement, supplier assessments and the content of technology contracts.

Why Does CRA Matter for Organisations?

CRA is intended to enforce product design in line with the principle of security by design. This includes secure default configurations, security updates, technical documentation, vulnerability handling and – in certain cases – conformity assessment and CE marking.

In the context of CRA and NIS2, the “Trojan horse” in the supply chain is no longer a metaphor. It may take the form of a vulnerable component, an outdated library or a device introduced into the organisation without adequate cybersecurity controls. CRA transfers this logic to technology itself: cyber resilience must be built in before a product is placed on the market.

CRA and Relationships with Technology Suppliers

For organisations using technology, CRA will become a key reference point when assessing supplier risk. Technology contracts will increasingly focus on, among others:

  • EU declaration of conformity and CE marking,
  • the duration of support and security update policies,
  • obligations to inform about vulnerabilities and incidents,
  • coordinated vulnerability disclosure procedures,
  • availability of SBOMs and technical documentation,
  • supplier responsibility for maintaining the cybersecurity of the product.

CRA Implementation Timeline

CRA entered into force on 10 December 2024. From 11 September 2026, requirements related to reporting actively exploited vulnerabilities and serious incidents will apply. Full application of CRA will follow on 11 December 2027.

This means that the coming months should be used to prepare relevant processes – both by manufacturers and distributors, as well as by organisations purchasing technology.

What Should Be Done Now?

Technology suppliers should begin mapping their products, determine their role in the supply chain and prepare processes related to updates, vulnerability handling, technical documentation and conformity assessment.

Organisations covered by NIS2 should translate CRA requirements into procurement policies, supplier due diligence processes and contractual standards. The biggest mistake would be to run these projects separately. NIS2 concerns the cyber resilience of organisations, while CRA addresses the cyber resilience of the products they use. In practice, these two regimes will operate together.

