Financial institutions in the EU are subject to the Digital Operational Resilience Act (DORA), which requires them to manage ICT third-party risk. When a bank evaluates your fintech product, its vendor review now cross-references the Cyber Resilience Act (CRA) obligations for products with digital elements. Article 13 of Regulation (EU) 2024/2847 places the documentation burden on you as the manufacturer. CRACheck generates 8 documents structured around Article 31 and Annex VII (technical documentation) in 15-25 minutes for €149. The dossier shows your bank customer that your product's cybersecurity posture is documented, structured, and traceable to the specific provisions of the regulation.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
DORA (Regulation (EU) 2022/2554) requires financial entities to manage ICT third-party risk. This means your EU bank customer must evaluate your cybersecurity posture, including CRA compliance for products you supply. If you cannot demonstrate CRA documentation, the bank may classify you as a high-risk vendor under DORA Article 28 and reduce or terminate the relationship.
PCI DSS addresses cardholder data protection. CRA addresses product cybersecurity requirements under Annex I of Regulation (EU) 2024/2847, including secure-by-default configuration, update mechanisms, vulnerability handling, and product-specific risk assessment. Different regulation, different scope, different documentation. PCI DSS does not produce an Article 31 dossier.
If you developed the software and it is placed on the market under your name or trademark, you are the manufacturer under Article 3(13) regardless of the commercial arrangement. Your European partner may be an importer (Article 19) or distributor (Article 20), but the technical documentation obligation under Article 13 stays with you. White-labeling changes this: under Article 22, an importer or distributor that places the product on the market under its own name or trademark, or that carries out a substantial modification, is treated as the manufacturer and takes on the Article 13 and Article 14 obligations itself. In practice that partner will still need your technical documentation to meet them, so the dossier is required either way.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Classification of your fintech product under Annex III. Payment-related software or authentication systems may classify as Important Class I, requiring harmonised standards or third-party assessment.
Art. 31 + Annex VII dossier adapted for financial software: security architecture, encryption implementation, access control design, audit logging, and compliance with financial-sector security standards.
Fintech-specific analysis: transaction fraud vectors, API injection attacks, credential stuffing, session hijacking, data residency risks, and third-party payment gateway dependencies.
Annex II for bank users: security properties of the product, data handling procedures, update mechanism, incident notification channels, and known limitations.
Article 28 + Annex V declaration for your fintech product.
Vulnerability disclosure policy adapted for financial software: responsible disclosure, bug bounty integration, financial-specific severity triage.
Article 14 notification template for fintech incidents: actively exploited vulnerabilities in payment processing, authentication bypass, and data breach scenarios. Art. 14(2) deadlines for an actively exploited vulnerability: early warning within 24 hours of becoming aware, vulnerability notification within 72 hours, and a final report within 14 days after a corrective or mitigating measure is available.
Timeline including CRA milestones, DORA vendor review cycles, and your support period obligations.
Look before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.
Generated from your data, in your browser. No data leaves your device.
Generates the CRA product documentation your EU bank customer's vendor management team requests. Covers Article 31, Annex VII, Annex V, Annex II, and Article 14 obligations in structured format.
Does not audit your PCI DSS controls. Does not perform transaction security testing. Does not assess your DORA compliance as a service provider. Does not serve as a notified body. Does not produce DORA contractual provisions. Those are separate activities.
CRACheck fills the CRA documentation gap in your bank customer's vendor assessment. Your PCI DSS, SOC 2, and ISO 27001 certifications cover the operational layer; the CRA dossier covers the product layer. Both layers are needed.
Article 64 of Regulation (EU) 2024/2847 provides for administrative fines for:

- Non-compliance with the essential requirements in Annex I or the manufacturer obligations in Articles 13 and 14.
- Missing technical documentation or conformity assessment.
- Supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities.
| Criteria | Financial regulatory consultant | Generic compliance firm | Internal legal team | CRACheck |
|---|---|---|---|---|
| Time | 12-20 weeks | 6-12 weeks | 4-8 weeks | 15-25 minutes |
| Cost | €20,000-€40,000 | €10,000-€20,000 | Staff hours ($40K+) | €149 |
| Understands fintech architecture | Yes | Partially | Depends | Architecture-agnostic input |
| Deliverable for bank vendor review | Custom report | Custom report | Internal doc | 8 standardized PDFs |
If your bank customer uses your payment module, your risk analytics module, and your KYC module as separately identifiable products, each needs its own CRA documentation. Volume pricing: 10 products at €99 each, 30 products at €79 each.
CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee the document structure follows Article 31 + Annex VII and that legal references cited are correct. We do not guarantee acceptance by a specific bank's vendor management process.
CRACheck is not legal advice. For DORA-specific vendor obligations or fintech regulatory questions, consult a qualified financial regulatory attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.