Navigating the CRA alongside NIS2, AI Act, RED and other EU rules

The CRA is just one piece of a broader EU regulatory puzzle. Depending on your product and sector, you might also need to comply with:

  • NIS2, if you’re considered an essential or important entity
  • AI Act, for products with high-risk AI functionality
  • RED Delegated Act, for wireless devices
  • Other horizontal rules like the General Product Safety Regulation or Machinery Regulation

The CRA allows for some exclusions or adaptations when sector-specific legislation already covers cybersecurity risks, but this depends on equivalence and how the Commission defines it via delegated acts.

This category is for topics about how the CRA interacts with other EU laws relevant to your field.
Are you seeing overlaps, gaps, or conflicting requirements? What guidance are you using to navigate it?

Share your sector and experience. This is where we can help each other get clarity.