
NIS2 vs DORA vs CRA: Which One Applies to Your Company?

Metrica.uno Team
#NIS2 #DORA #CRA #compliance #EU #cybersecurity

The European Union has introduced three major cybersecurity and digital resilience regulations in rapid succession: NIS2, DORA, and CRA. For companies trying to understand their obligations, the overlap between these frameworks creates real confusion. Which one applies to you? Do you need to comply with more than one? And where does IT asset management fit into all of them?

This article breaks down each regulation, explains who is affected, compares key dates and requirements, and identifies the common thread that runs through all three: you need to know what IT assets you have, who is responsible for them, and what has happened to them.

NIS2: The Network and Information Security Directive

What it is

NIS2 (Directive (EU) 2022/2555) is the EU’s updated framework for cybersecurity across essential and important sectors. It replaces the original NIS Directive from 2016, significantly expanding its scope and strengthening enforcement. NIS2 establishes minimum cybersecurity risk management measures and incident reporting obligations for covered entities.

Who it applies to

NIS2 applies to organizations in 18 sectors, divided into “essential” and “important” entities:

  • Essential entities: Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.
  • Important entities: Postal and courier services, waste management, manufacturing of certain products (chemicals, medical devices, electronics, machinery, motor vehicles), food production and distribution, digital providers (online marketplaces, search engines, social networking).

The size threshold is generally companies with 50 or more employees or annual revenue exceeding 10 million euros. However, some entities are in scope regardless of size (e.g., providers of DNS services, TLD registries, qualified trust services).

Key dates

  • October 17, 2024: Transposition deadline. Member states were required to adopt national implementing legislation.
  • 2025-2026: National competent authorities are establishing audit and enforcement programs. Audits are actively underway in multiple member states.

IT asset management requirements

Article 21(2)(i) explicitly lists “asset management” among the required risk management measures. Article 21(2)(e) covers security in network and information systems acquisition, development, and maintenance — which requires lifecycle tracking. Incident reporting under Article 23 requires the ability to identify affected assets during security events.

DORA: The Digital Operational Resilience Act

What it is

DORA (Regulation (EU) 2022/2554) is a sector-specific regulation focused exclusively on the financial sector. It establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities. Unlike NIS2 (which is a directive requiring national transposition), DORA is a regulation — it applies directly in all member states without the need for national implementing legislation.

Who it applies to

DORA covers a broad range of financial entities:

  • Credit institutions (banks)
  • Payment institutions and electronic money institutions
  • Investment firms
  • Insurance and reinsurance undertakings
  • Pension funds
  • Crypto-asset service providers
  • Central securities depositories
  • Trading venues
  • Trade repositories
  • Crowdfunding service providers
  • ICT third-party service providers to financial entities (critical designation)

The last point is significant: if you are a technology company providing services to financial institutions, DORA may apply to you even if you are not a financial entity yourself.

Key dates

  • January 17, 2025: DORA became applicable. Financial entities must be compliant from this date.
  • 2025-2026: Supervisory authorities (EBA, ESMA, EIOPA) are monitoring compliance. The European Supervisory Authorities are also designating critical ICT third-party service providers for direct oversight.

IT asset management requirements

DORA Article 8 requires financial entities to “identify, classify, and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions.” Article 8(4) specifically mandates that entities “identify all sources of ICT risk” and requires maintaining an up-to-date inventory of ICT assets. Article 9 covers protection and prevention measures, requiring asset management processes that ensure hardware and software are maintained and updated.

CRA: The Cyber Resilience Act

What it is

The CRA (Regulation (EU) 2024/2847) takes a fundamentally different approach from NIS2 and DORA. Instead of regulating the organizations that use technology, the CRA regulates the products themselves. It establishes cybersecurity requirements for products with digital elements — both hardware and software — placed on the EU market. The CRA aims to ensure that manufacturers, importers, and distributors take security seriously throughout a product’s lifecycle.

Who it applies to

  • Manufacturers of hardware and software products with digital elements sold in the EU (including IoT devices, networking equipment, operating systems, and applications).
  • Importers who bring products with digital elements into the EU market.
  • Distributors who make products available on the EU market.

The CRA does not apply to end-user organizations consuming these products (that is covered by NIS2 and DORA). It applies to the companies that make, import, or distribute the products. However, if your company manufactures hardware devices, develops commercial software, or imports technology products for sale in the EU, the CRA is directly relevant.

Key dates

  • December 2024: The CRA entered into force.
  • September 11, 2026: Reporting obligations for actively exploited vulnerabilities begin.
  • December 11, 2027: Full application date. All essential requirements must be met for products placed on the market.

IT asset management requirements

The CRA’s requirements are product-focused rather than organizational. Manufacturers must maintain a software bill of materials (SBOM), ensure products are designed with security by default, provide security updates for the expected product lifetime, and report actively exploited vulnerabilities. For companies that both manufacture products and operate IT infrastructure, the CRA’s SBOM and vulnerability management requirements overlap with NIS2’s asset management obligations.

Comparison: NIS2 vs DORA vs CRA at a Glance

  • Scope: NIS2 covers 18 sectors broadly. DORA covers the financial sector specifically. CRA covers product manufacturers, importers, and distributors.
  • Type: NIS2 is a directive (requires national transposition). DORA and CRA are regulations (directly applicable).
  • Focus: NIS2 focuses on organizational cybersecurity. DORA focuses on digital operational resilience for finance. CRA focuses on product security.
  • Application dates: NIS2 from October 2024. DORA from January 2025. CRA reporting from September 2026, full application from December 2027.
  • IT asset management: Required by all three, though from different angles — NIS2 and DORA require organizational asset inventories; CRA requires product-level documentation (SBOM).

Can Multiple Regulations Apply to You?

Yes, and this is common. Consider these scenarios:

  • A bank: Subject to both NIS2 (as an essential entity in the banking sector) and DORA (as a financial entity). DORA takes precedence as lex specialis for the financial sector, but NIS2 obligations still apply for aspects not covered by DORA.
  • A company manufacturing medical devices: Subject to NIS2 (important entity in manufacturing) and potentially CRA (as a manufacturer of products with digital elements).
  • A fintech providing SaaS to banks: Potentially subject to NIS2 (as a digital service provider), DORA (as an ICT third-party service provider to financial entities), and CRA (as a software manufacturer).

The Common Thread: Know Your Assets

Regardless of which regulation applies to your company, one requirement appears in every framework: you must maintain a comprehensive, up-to-date inventory of your IT assets. You must know what you have, who is responsible for it, and what has happened to it over time.

This is not a coincidence. Asset management is the foundation of cybersecurity. You cannot protect what you cannot see. You cannot respond to incidents if you do not know which devices are affected. You cannot report to authorities if you cannot identify the scope of a breach.

For companies subject to multiple regulations, investing in proper IT asset management is the highest-leverage compliance activity. A single, well-maintained asset inventory with full lifecycle tracking, custody management, and incident linking satisfies requirements across NIS2, DORA, and CRA simultaneously.

The regulations are different. The deadlines are different. The supervisory authorities are different. But the foundation is the same: know your assets.
