Position paper - Letter for financial services stakeholders on CRA and DORA

The Cyber Resilience Act (CRA) does not delineate between products and services and applies to all elements of a financial institution’s software or digitally accessible services, despite them being covered by existing financial services regulation. This causes duplication in the requirements faced by industry operating in the EU. In order to prevent compliance and risk management inefficiencies, policymakers should further clarify how the CRA applies to services and how this legislation overlaps with the Digital Operational Resilience Act (DORA) to avoid unnecessary duplication.

Read our letter below.