
Your European bank customer operates under DORA and PSD2. Now they are extending cybersecurity requirements to their ICT vendors under the Cyber Resilience Act. If your fintech app includes a downloadable component — a mobile banking SDK, an API client, a desktop terminal — Article 13 of Regulation (EU) 2024/2847 classifies you as the manufacturer. The bank's vendor management team needs your Article 31 documentation. CRACheck generates it.

Financial institutions in the EU are subject to the Digital Operational Resilience Act (DORA), which requires them to manage ICT third-party risk. When a bank evaluates your fintech product, it now cross-references CRA obligations for products with digital elements. Article 13 of Regulation (EU) 2024/2847 places the documentation burden on you as the manufacturer. CRACheck generates the 8 documents under Article 31 + Annex VII in 15-25 minutes for €149. The dossier demonstrates to your bank customer that your product's cybersecurity posture is documented, structured, and traceable to the regulation.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Art. 13 + DORA: CRA manufacturer obligations intersect with your EU bank customer's ICT third-party risk management under DORA
€15M: Maximum CRA fine under Art. 64(2), independent of any DORA penalties your client faces
€149: One-time cost to generate the CRA dossier your bank customer's vendor management team requires

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Profile your fintech product: Enter product name, type (payment processing, risk analytics, lending platform, KYC tool), platform (mobile, desktop, web+API), and the legal entity behind it.
2. Classify under Annex III: Fintech apps that process payment data or handle authentication may fall under Important Class I or Class II per Annex III. CRACheck's classifier makes this determination explicit.
3. Describe financial-grade architecture: Encryption standards, authentication mechanisms (including multi-factor), API security, data segregation, PCI DSS controls if applicable. CRACheck structures this into CRA-compatible documentation.
4. Map third-party components: Financial software relies on payment gateways, fraud detection engines, and compliance APIs. Document these per Article 13(5) supply chain due diligence requirements.
5. Generate risk assessment: Fintech-specific threat analysis: transaction manipulation, credential theft, API abuse, insider threats, and supply chain compromise through third-party financial APIs.
6. Produce 8 documents: Technical documentation, risk assessment, declaration of conformity, user information, CVD policy, ENISA notification template, obligations calendar, product classifier.
7. Deliver to your bank customer: The vendor management team reviews structured documentation alongside your SOC 2, PCI DSS, and ISO 27001 certifications. CRA documentation fills the new regulatory gap they are tracking.

Common mistakes

SUPPLY CHAIN IMPACT

"DORA is the bank's problem, not ours"

DORA (Regulation (EU) 2022/2554) requires financial entities to manage ICT third-party risk. This means your EU bank customer must evaluate your cybersecurity posture, including CRA compliance for products you supply. If you cannot demonstrate CRA documentation, the bank may classify you as a high-risk vendor under DORA Article 28 and reduce or terminate the relationship.

STANDARD MISMATCH

"Our PCI DSS Level 1 certification covers cybersecurity requirements"

PCI DSS addresses cardholder data protection. CRA addresses product cybersecurity requirements under Annex I of Regulation (EU) 2024/2847, including secure-by-default configuration, update mechanisms, vulnerability handling, and product-specific risk assessment. Different regulation, different scope, different documentation. PCI DSS does not produce an Article 31 dossier.

MANUFACTURER IDENTITY

"We sell through a European fintech partner, so they are the manufacturer"

If you developed the software, you are the manufacturer under Article 3(13) regardless of commercial arrangement. Your European partner may be an importer (Article 19) or distributor (Article 20), but the technical documentation obligation under Article 13 stays with the entity that designed and developed the product. White-labeling does not transfer manufacturer status unless the rebrand constitutes a substantial modification per Article 22.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier: Classification of your fintech product under Annex III. Payment-related software or authentication systems may classify as Important Class I, requiring harmonised standards or third-party assessment.
2. Technical Documentation: Art. 31 + Annex VII dossier adapted for financial software: security architecture, encryption implementation, access control design, audit logging, and compliance with financial-sector security standards.
3. Risk Assessment: Fintech-specific analysis: transaction fraud vectors, API injection attacks, credential stuffing, session hijacking, data residency risks, and third-party payment gateway dependencies.
4. User Information: Annex II for bank users: security properties of the product, data handling procedures, update mechanism, incident notification channels, and known limitations.
5. Declaration of Conformity: Article 28 + Annex V declaration for your fintech product.
6. CVD Policy: Vulnerability disclosure policy adapted for financial software: responsible disclosure, bug bounty integration, financial-specific severity triage.
7. Notification Template: ENISA template per Article 14 for fintech incidents: exploited vulnerabilities in payment processing, authentication bypass, data breach scenarios. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
8. Obligations Calendar: Timeline including CRA milestones, DORA vendor review cycles, and your support period obligations.

Look before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 FINANCIAL REGULATORY CONSULTANT
€20,000–€40,000
12-20 weeks. Requires deep briefing on your payment architecture, encryption standards, and regulatory environment. Multiple review cycles with your compliance team.
Last regulatory check: 1 May 2026 · No substantive changes detected