
You develop banking software or fintech infrastructure deployed by financial institutions across the EU. DORA regulates the institution. The Cyber Resilience Act regulates the product you sell to the institution. Article 13 of Regulation (EU) 2024/2847 applies to you as the manufacturer of a product with digital elements — regardless of what your client's DORA compliance programme covers.

The fintech compliance landscape has a new horizontal layer. DORA (Regulation (EU) 2022/2554) imposes ICT risk management on financial entities. NIS2 (Directive (EU) 2022/2555) covers the entities as essential or important infrastructure. The CRA (Regulation (EU) 2024/2847) covers the products those entities buy — and imposes obligations on the manufacturer. If your company develops payment terminals, banking APIs, fraud detection modules or any software with digital elements deployed by EU financial institutions, you are the manufacturer under Art. 3(13).

Art. 12 governs the relationship with other Union law: where other acts address the same cybersecurity risks, the Commission may limit CRA scope by delegated act under Art. 2(5). Until then, the CRA applies in full.

CRACheck generates the 8-document Art. 31 technical file. €149 per product. 15-25 minutes. Client data and banking architecture stay in your browser.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Built on Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 PDF documents · 100% browser-side

Key figures

Art. 12: CRA relationship with DORA and NIS2 — product obligations are additive
Annex III: Banking software may qualify as Important if it includes identity management, PKI or network management
€15M: Maximum fine under Art. 64(2) — separate from any DORA or NIS2 penalty

How to proceed

1. Distinguish entity regulation from product regulation
DORA and NIS2 regulate the financial institution (the entity). The CRA regulates the software product you sell to the institution. You are the manufacturer, not the regulated entity under DORA. Both regulatory layers coexist.

2. Classify your product under CRA categories
Identity management systems (Annex III Class I item 1), password managers (item 3), PKI software (item 9), network management systems (item 6), and VPN products (item 5) are Important Class I. Firewalls and IDS/IPS (Annex III Class II items 1-2) are Important Class II. Standard banking applications fall under Default.

3. Conduct the CRA cybersecurity risk assessment
Art. 13(2)-(3): the assessment must cover the product's intended purpose in financial infrastructure, foreseeable use in regulated environments, and the operational context of banking deployments.

4. Compile Art. 31 technical documentation
Annex VII applies. Your financial institution clients will request this documentation as part of their DORA ICT third-party risk management under DORA Art. 28.

5. Align vulnerability handling with DORA expectations
Art. 13(6)-(8): your vulnerability handling and security update delivery must match the SLA expectations of financial institutions. DORA Art. 28 requires financial entities to assess ICT third-party providers — your CRA documentation feeds into their assessment.

6. Prepare ENISA reporting
Art. 14 applies from September 2026. A vulnerability in your banking software may simultaneously trigger CRA Art. 14 notification (your obligation as manufacturer) and your client's NIS2/DORA incident reporting (their obligation as entity).

Common mistakes

REGULATORY CONFLATION

Assuming DORA compliance by your clients covers your CRA obligations

DORA (Regulation (EU) 2022/2554) regulates financial entities, not software vendors. The CRA (Regulation (EU) 2024/2847) regulates products with digital elements, including banking software. Your client's DORA programme covers their entity risk. Your CRA obligation covers your product's cybersecurity. These are separate, additive obligations on different parties.

CLASSIFICATION UNDERESTIMATION

Treating your banking software as Default category when it includes identity management

Annex III Class I of Regulation (EU) 2024/2847 lists identity management systems (item 1), password managers (item 3), and PKI software (item 9). If your banking product includes authentication, access control, or certificate issuance functionality, it may be Important Class I — requiring conformity assessment beyond internal control.

DUAL REPORTING GAP

Not preparing for parallel CRA and DORA/NIS2 incident reporting

A vulnerability in your banking product may trigger your 24h CRA Art. 14 notification to ENISA and your client's NIS2 or DORA incident report simultaneously. If you are not prepared for both channels, the lag in one notification delays the other — compounding regulatory exposure for both parties.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier

Determines whether your banking software falls under Default, Important Class I (if it includes identity management, PKI, VPN, network management per Annex III) or Important Class II (if it includes firewall/IDS/IPS per Annex III).

2. Technical Documentation

Art. 31 and Annex VII file structured for banking software: system architecture, API security, data encryption, authentication mechanisms, component inventory.

3. Risk Assessment

Cybersecurity risk assessment per Art. 13(2)-(3) scoped to financial infrastructure deployment: transaction integrity, data confidentiality, authentication bypass risks, API exposure.

4. User Information

Annex II information adapted for financial institution deployment: secure configuration, integration guidelines, support period, vulnerability reporting channel.

5. Declaration of Conformity

EU Declaration per Art. 28 and Annex V for the banking software product.

6. CVD Policy

Coordinated vulnerability disclosure policy aligned with financial sector responsible disclosure expectations.

7. Notification Template

ENISA notification template per Art. 14. Structured to enable parallel submission with DORA/NIS2 incident channels.

8. Obligations Calendar

Key CRA dates with DORA alignment: Art. 14 from September 2026, full CRA enforcement December 2027, DORA ICT third-party review cycles.


Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 FINANCIAL SECTOR COMPLIANCE CONSULTANCY
CRA + DORA gap analysis for banking software
€15,000-40,000 per product
12-24 weeks
Requires sharing source architecture with consultant
Report-based — does not produce Art. 31 file
Re-engagement per product version
Last regulatory check: 1 May 2026 · No substantive changes detected