The fintech compliance landscape has a new horizontal layer. DORA (Regulation (EU) 2022/2554) imposes ICT risk management on financial entities. NIS2 (Directive (EU) 2022/2555) covers the entities as essential or important infrastructure. The CRA (Regulation (EU) 2024/2847) covers the products those entities buy — and imposes obligations on the manufacturer. If your company develops payment terminals, banking APIs, fraud detection modules or any software with digital elements deployed by EU financial institutions, you are the manufacturer under Art. 3(13). Art. 12 governs the relationship with other Union law: where other acts address the same cybersecurity risks, the Commission may limit CRA scope by delegated act under Art. 2(5). Until then, the CRA applies in full. CRACheck generates the 8-document Art. 31 technical file. €149 per product. 15-25 minutes. Client data and banking architecture stay in your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
DORA (Regulation (EU) 2022/2554) regulates financial entities, not software vendors. The CRA (Regulation (EU) 2024/2847) regulates products with digital elements, including banking software. Your client's DORA programme covers their entity risk. Your CRA obligation covers your product's cybersecurity. These are separate, additive obligations on different parties.
Annex III Class I of Regulation (EU) 2024/2847 lists identity management systems (item 1), password managers (item 3), and PKI software (item 9). If your banking product includes authentication, access control, or certificate issuance functionality, it may be Important Class I — requiring conformity assessment beyond internal control.
A vulnerability in your banking product may trigger your 24h CRA Art. 14 notification to ENISA and your client's NIS2 or DORA incident report simultaneously. If you are not prepared for both channels, the lag in one notification delays the other — compounding regulatory exposure for both parties.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines whether your banking software falls under Default, Important Class I (if it includes identity management, PKI, VPN, network management per Annex III) or Important Class II (if it includes firewall/IDS/IPS per Annex III).
Art. 31 and Annex VII file structured for banking software: system architecture, API security, data encryption, authentication mechanisms, component inventory.
Cybersecurity risk assessment per Art. 13(2)-(3) scoped to financial infrastructure deployment: transaction integrity, data confidentiality, authentication bypass risks, API exposure.
Annex II information adapted for financial institution deployment: secure configuration, integration guidelines, support period, vulnerability reporting channel.
EU Declaration per Art. 28 and Annex V for the banking software product.
Coordinated vulnerability disclosure policy aligned with financial sector responsible disclosure expectations.
ENISA notification template per Art. 14. Structured to enable parallel submission with DORA/NIS2 incident channels.
Key CRA dates with DORA alignment: Art. 14 from September 2026, full CRA enforcement December 2027, DORA ICT third-party review cycles.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the Art. 31 and Annex VII technical documentation for your banking software product. The output serves two purposes: CRA compliance for you as manufacturer and evidence for your financial institution clients' DORA ICT third-party risk assessments. Eight documents per product.
CRACheck does not produce DORA compliance documentation for your clients. It does not conduct penetration testing on your banking APIs. It does not certify your product against PCI-DSS, ISO 27001 or EBA guidelines. It does not perform the conformity assessment if your product requires a notified body under Art. 32 (Important Class II or Critical). It does not submit ENISA or DORA incident notifications on your behalf.
The CRA adds a product layer to financial sector regulation. CRACheck structures that product layer.
Your ENISA notification obligation is separate from your clients' NIS2/DORA reporting. Both channels must be operational.
Banking software placed on the EU market must carry CE marking and Art. 31 documentation. Financial institution procurement will require this as standard.
Independent of any DORA or NIS2 penalty your client may face. The CRA fine applies to you as the product manufacturer.
| Criterion | Financial compliance consultancy | Internal legal team | DORA-only approach | CRACheck |
|---|---|---|---|---|
| Price | €15K-40K | Staff time | Incomplete | €149 per product |
| Covers CRA product obligations | Partially | Depends on expertise | No — DORA covers entities | Yes — 8 Art. 31 documents |
| Feeds DORA Art. 28 assessment | Report only | Possibly | N/A | Structured technical file |
| Data privacy | Shared with consultant | Internal | N/A | 100% browser-side |
Pack 10: €99 per product. Pack 30: €79 per product. For fintech companies with multiple EU-deployed products, contact us for enterprise pricing.
CRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide about your banking software product. The accuracy of the data — including system architecture, security mechanisms and component inventories — is your responsibility as manufacturer.
We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not guarantee acceptance by a market surveillance authority, a financial regulator, or a financial institution's procurement process.
CRACheck is not legal advice. For the interaction between CRA, DORA, NIS2 and sector-specific financial regulation, consult a qualified fintech regulatory lawyer.
If you build the software, Art. 13 applies to you. Product classifier, technical documentation, risk assessment, declaration of conformity, CVD policy, ENISA template. Eight documents. €149 per product.