← All posts

EU CRA, NIS2, DORA, EU AI Act: Which Regulation Applies to You?

DORA: Digital Operational Resilience Act

DORA is specifically aimed at the financial sector. If you are a bank, insurance company, investment firm, payment provider, crypto asset service provider, or any other type of financial entity as defined under EU law, DORA applies to you. It also pulls in the ICT third party providers that these financial entities rely on, which means cloud providers, SaaS vendors, and managed service providers serving finance are in scope too.

The regulation focuses on ICT risk management, incident reporting, resilience testing, and third party oversight. It has been enforceable since January 2025.

Key question to ask yourself: Are you a financial entity, or do you provide ICT services to one? If yes, DORA is on your plate.

NIS2: Network and Information Security Directive

NIS2 casts a much wider net than DORA. It applies across 18 sectors, including energy, transport, healthcare, water, digital infrastructure, public administration, and more. The directive splits organisations into two groups: essential entities and important entities. The distinction mostly affects supervision intensity and penalty levels, but the core obligations are similar.

If your organisation operates in one of the listed sectors and meets the size thresholds (generally 50+ employees or EUR 10M+ turnover), NIS2 likely applies. Member states are transposing NIS2 into national law, so the exact requirements can vary slightly by country.

The obligations cover risk management measures, incident reporting (24 hour early warning, 72 hour full notification), supply chain security, and governance accountability at management level.

Key question to ask yourself: Do you operate in one of the 18 NIS2 sectors, and do you meet the size thresholds? Check your national transposition for specifics.

EU CRA: Cyber Resilience Act

The CRA takes a different angle entirely. Instead of targeting organisations by sector, it targets products. Specifically, it applies to manufacturers, importers, and distributors of products with digital elements sold in the EU market. That includes hardware and software, from IoT devices to desktop applications to cloud based SaaS products.

The CRA requires that products are designed with security in mind from the start, that known vulnerabilities are handled and patched throughout the support period, and that manufacturers report actively exploited vulnerabilities to ENISA within 24 hours. It also introduces conformity assessment requirements, meaning some product categories will need third party certification.

Most obligations start applying from September 2027, though vulnerability reporting requirements kick in earlier in September 2026.

Key question to ask yourself: Do you make, import, or distribute a product that has digital elements and is available on the EU market? Then the CRA will apply.

EU AI Act

The EU AI Act regulates artificial intelligence systems based on risk. It applies to providers who develop or place AI systems on the EU market, deployers who use AI systems in a professional context, and importers and distributors of AI systems.

The regulation creates a tiered system. Unacceptable risk AI (such as social scoring or real time biometric surveillance in public spaces) is banned outright. High risk AI systems, which include things like AI used in recruitment, credit scoring, law enforcement, and critical infrastructure, face the heaviest requirements: risk assessments, data governance, human oversight, transparency, and conformity assessments. Limited risk systems have transparency obligations, and minimal risk systems are largely unregulated.

The prohibitions on unacceptable risk AI apply from February 2025. High risk system obligations phase in through August 2026 and August 2027 depending on the category.

Key question to ask yourself: Do you develop, deploy, or distribute an AI system in the EU? What risk tier does it fall into?

Where They Overlap

Here is where things get interesting. These regulations were not designed in isolation, and many organisations will fall under more than one.

A bank using AI for credit decisions could be subject to DORA (financial entity), NIS2 (depending on national transposition), and the EU AI Act (high risk AI deployer). A SaaS company selling security monitoring tools to European hospitals might need to think about the CRA (product with digital elements), NIS2 (digital infrastructure provider), and potentially the AI Act if the tool uses machine learning.

A few patterns worth noting:

DORA and NIS2 have significant overlap for financial entities. The EU addressed this by making DORA a lex specialis, meaning it takes precedence over NIS2 for organisations in its scope. If DORA applies to you, you generally do not need to separately comply with NIS2 for the same obligations, though NIS2 may still apply to parts of your business outside financial services. The CRA and NIS2 complement each other. NIS2 targets the organisation, CRA targets the product. A software vendor could be subject to NIS2 as a digital service provider and to the CRA for the products it ships. The AI Act and DORA can stack. A financial institution deploying high risk AI needs to meet both DORA's ICT risk management requirements and the AI Act's specific requirements for high risk systems, including fundamental rights impact assessments.

What Should You Do Next?

Start by mapping out which regulations apply to your organisation. For most companies it will not be just one. Then look at where the requirements overlap, because a lot of the foundational work (risk management frameworks, incident response procedures, supply chain due diligence) can serve multiple regulations at once.

Building one integrated compliance programme is far more efficient than trying to run four separate ones. The regulations have different specifics, but the principles are shared: know your risks, manage your suppliers, report incidents quickly, and keep records that prove you are doing all of the above.

If you are looking for a platform that brings DORA, EU CRA, and EU AI Act compliance into a single workflow, that is exactly what we built DORA GRC to do. You can explore the features or start a free trial to see how it fits your situation.

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.

Get Started →