In recent years, the European Union has significantly strengthened its cybersecurity regulatory framework. NIS2, the Cyber Resilience Act (CRA) and DORA are often discussed together, which leads many organisations to treat them as equivalent. 

They are not! Each of these regulations addresses different dimensions of digital risk. Understanding these differences is essential to avoid two common mistakes: investing where it is not required or, more critically, leaving gaps where risk is real. 

What does each regulation cover? This is where the difference begins 

The clearest way to distinguish between NIS2, CRA and DORA is to understand what their main focus is. 

NIS2 regulates public or private organisations that provide critical services for society and the economy in the EU. 

The focus is on essential and important entities operating in critical sectors, such as energy, healthcare, transport, digital infrastructure or public administration. The objective is to ensure that these organisations can manage risk, respond to incidents and build the resilience needed to keep delivering their services with minimal disruption. 

The CRA regulates products that contain digital elements. 

It applies to products with digital elements placed on the EU market. The objective is to ensure that these products are secure from design to the end of the lifecycle. 

DORA regulates digital operational resilience in the financial sector. 

It applies to financial entities and also establishes a supervisory framework for critical third-party ICT service providers. The focus is on the ability to withstand, respond to and recover from operational failures related to technology. 

Risk management is required by all, but with different approaches 

All three regulations require risk management, but not in the same way. 

In NIS2, risk management is organisational. Entities must implement appropriate technical and organisational measures, including security policies, incident management, access control and supply chain security. 

In DORA, risk management is continuous and operational. Financial institutions must implement an ICT risk management framework, with continuous monitoring, resilience testing and structured response capability. 

In the CRA, risk management is integrated into the product. Risk must be considered throughout the entire lifecycle of the product, from design to maintenance, including vulnerability management and security updates. 

Incidents and reporting: clear obligations, different contexts 

Another critical point for companies is incident reporting. 

NIS2 requires the notification of critical incidents to the competent authorities, with defined deadlines and follow-up. DORA establishes a detailed model for reporting ICT incidents, with classification, deadlines and structured communication to the financial regulator. The CRA introduces obligations for reporting vulnerabilities and incidents related to products, including communication to European entities and, in some cases, to users. 

There is, however, a common point: transparency becomes mandatory. 

Supply chain: a risk that all three begin to address 

All three regulations recognise a critical point: risk is not only within the organisation. 

In NIS2, there is a requirement to assess suppliers and partners. In DORA, there is a very strong focus on the management of third parties, especially critical ICT service providers. In the CRA, the supply chain is addressed through the control of components and dependencies, including third-party and open-source software. 

In other words, security ceases to be internal and becomes ecosystem-wide. 

Who is responsible? There is a clear shift in governance 

One of the most relevant points, and often ignored, is accountability.

NIS2 reinforces the responsibility of top management, including possible sanctions. DORA requires direct involvement of management in defining and monitoring risk. The CRA assigns responsibility to manufacturers, importers and distributors for the security of products. 

In all cases, cybersecurity ceases to be a primarily technical topic and becomes a governance topic. 

What really changes for companies? 

For an organisation, the impact of the NIS2 directive and the CRA and DORA regulations depends on its position: 

  • If it operates in critical sectors – NIS2 applies directly 
  • If it develops or sells digital products – CRA applies directly 
  • If it operates in the financial sector – DORA applies directly 

But there is a more relevant point: 

Even when they do not apply directly, these regulations influence the market. Clients, partners and regulators begin to require levels of security aligned with these standards. 

In other words, exposure does not depend only on the law, but on the ecosystem. 

The most common mistake: treating regulations as isolated projects 

One of the most frequent mistakes is to approach NIS2, CRA and DORA as separate initiatives. 

In practice, this generates redundancy, inconsistency and gaps, because despite the differences, there is a common denominator: 

  • risk management
  • continuous processes
  • visibility
  • response capability
  • management involvement 

Organisations must build an integrated model that responds to all three, rather than implementing three separate responses. Understanding what each one requires is the first step to avoiding investment errors and compliance failures. 

If your organisation is still assessing the impact of these regulations in isolation, the risk is not only in compliance, but in how gaps accumulate between areas. 

At Balwurk, we help organisations interpret and operationalise these requirements in an integrated way, ensuring that the response to NIS2, CRA and DORA is not fragmented, but aligned with the real risk of the business.