From baby monitors to smartwatches – products and software with digital components are omnipresent.
What many users are less aware of: these devices pose significant security risks, especially when manufacturers delay or fail to provide security updates.
To address this gap, the EU Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements – the Cyber Resilience Act (CRA) – entered into force on 10 December 2024. It complements the European legal framework with a clear objective: to integrate cybersecurity into products right from the start.
But what does the CRA mean for the financial sector?
What is the CRA about?
The CRA imposes direct and binding cybersecurity requirements on manufacturers, importers and distributors of hardware and software. It applies to virtually all “products with digital elements” – from routers and operating systems to complex enterprise software.
Key provisions include:
- Security by design and by default: Cybersecurity must be built into products from the outset.
- Obligations throughout the product lifecycle: including planning, design, development and maintenance.
- Mandatory provision of security updates.
- CE marking for products that meet CRA requirements.
- Third-party assessments (conformity assessments) for particularly critical products.
This shifts the responsibility significantly towards manufacturers. Buyers will be better able to identify whether products meet EU security standards.
The application of the CRA will be phased in:
- From June 2026: Conformity Assessment Bodies (CABs) will be authorised to assess products’ compliance with CRA requirements.
- From 11 September 2026: Mandatory reporting of vulnerabilities and security incidents comes into force for manufacturers of connected products.
- From 11 December 2027: All CRA requirements become fully binding, including the need to meet core cybersecurity obligations before a product is placed on the market, to manage vulnerabilities throughout the product lifecycle, and to ensure transparency towards users.
Who is affected?
The CRA targets manufacturers, importers and distributors of products with digital elements. The regulation deliberately goes deep into the supply chain to ensure cybersecurity is embedded “by design and by default”.
Specifically, the following are obliged:
- Manufacturers of hardware and software: must implement cybersecurity from the planning and development stages and provide security updates throughout the lifecycle.
- Importers: may only place products on the EU market that meet CRA requirements.
- Distributors: must ensure that the products they sell are CRA-compliant (e.g. via CE marking).
Exemptions apply to:
- Certain open-source software, provided it is not supplied as part of a commercial activity.
- Products already regulated by sector-specific laws (e.g. medical devices, aviation, automotive).
- Services that are not classed as products with digital elements.
Critical products that are highly relevant for cybersecurity face stricter rules, including mandatory third-party conformity assessments (via Notified Bodies) before they can enter the market. Examples include operating systems, firewalls, password managers, smart cards and widely used network components.
How does the CRA interact with DORA?
Even though banks, insurers, payment institutions or investment firms are not directly subject to the CRA, they are indirectly affected – because nearly all IT systems and products they rely on are produced by manufacturers subject to CRA obligations.
This has two implications:
- Increased security in the supply chain: The CRA ensures that standard software, security solutions and infrastructure products reach a consistently higher level of security.
- New obligations in third-party and outsourcing management: Under DORA, financial firms must actively manage risks arising from third-party products. In future, CRA compliance will become a central aspect of due diligence, contracting, and ongoing monitoring.
For banks, payment and e-money institutions, insurers, investment firms and all other DORA-regulated entities, the CRA provides an indirect but important supplement:
- DORA mandates robust ICT risk management, continuous monitoring of ICT resilience, and strict outsourcing controls.
- The CRA strengthens the product-level security of digital components relied upon by financial institutions – from core banking software to cloud services and network infrastructure.
The result is a dual protection system:
While DORA (Digital Operational Resilience Act) directly regulates ICT risk and resilience management in the financial sector, the CRA reinforces product security at the supply level.
DORA-regulated entities must ensure that third-party ICT vendors develop and operate their products in compliance with the CRA.
Practical impact for DORA-regulated entities
Even though the CRA does not create direct obligations for banks or financial institutions, it will have tangible consequences:
- Procurement & vendor management: CRA requirements should be integrated into due diligence and contract processes.
- Outsourcing & third-party control: Critical ICT providers (e.g. cloud or core banking suppliers) should be assessed for CRA compliance.
- ICT risk management: CRA-related information (e.g. vulnerability disclosures) must be integrated into DORA-compliant risk processes.
- Compliance synergies: Manufacturer reporting obligations provide additional data points for internal DORA incident reporting.
Conclusion: One regulation strengthens the other
The CRA is not a financial markets regulation – but it reshapes the environment in which DORA-regulated firms operate their IT.
In future, only products with a CE marking for cybersecurity will enter the market.
For banks, payment service providers, investment firms, insurers and other DORA-regulated entities, this means:
- More secure products in the supply chain
- New demands on outsourcing management
- Additional interfaces for ICT risk management
Those who think DORA and CRA together gain a real competitive edge: more resilience, less risk – and greater trust in their digital infrastructure.