What the CRA regulates
The CRA is a horizontal EU legal act for products with digital elements. It applies to hardware and software products made available on the Union market where their intended purpose or reasonably foreseeable use includes a direct or indirect connection to a device or network.
For banks and insurers, role allocation is decisive: an institution is not automatically a manufacturer because it uses software. A manufacturer is typically the party that develops, or has developed, a product and markets it under its own name or trademark. Mobile banking apps, insurance apps and white-label arrangements should therefore be assessed early.
| System | CRA assessment question |
|---|---|
| Mobile banking app | Is the app made available under the institution's own brand and responsibility? |
| Insurance app | Is the institution manufacturer, importer, distributor or merely user of a third-party solution? |
| Online banking portal | Is it a product with digital elements made available on the market or primarily an individual online service? |
| Credit calculator with backend connection | Is a separate software component made available on the market? |
| Purchased core software | Does the manufacturer duty primarily sit with the provider while DORA and contractual controls remain with the institution? |
Three key dates
| Date | What applies | Practical consequence |
|---|---|---|
| 10 December 2024 | CRA entered into force | Role allocation, product inventory and development processes should be prepared. |
| 11 September 2026 | Reporting under Art. 14 CRA | Actively exploited vulnerabilities and severe security incidents must be reported through the CRA Single Reporting Platform. |
| 11 December 2027 | Main obligations fully apply | Essential cybersecurity requirements, technical documentation, conformity assessment and CE marking become relevant. |
What the CRA requires in practice
- cybersecurity by design and secure default configurations
- vulnerability handling throughout the product support period
- technical documentation and EU declaration of conformity
- CE marking before placing a product on the market, where the product is in scope
- reporting processes for actively exploited vulnerabilities and severe security incidents
Distinction from DORA
DORA regulates the financial entity as a supervised institution and its ICT risk management. The CRA regulates the digital product and the economic operators in the product chain. Both regimes can be relevant side by side: a security incident in an app may trigger DORA reporting to the FMA and CRA reporting via the CRA Single Reporting Platform.
CRA reporting starts with a 24-hour early warning and a 72-hour notification. For major ICT-related incidents, DORA timelines are specified in particular by Delegated Regulation (EU) 2025/301: initial notification within four hours from classification and no later than 24 hours from detection, intermediate report within 72 hours from the initial notification, final report within one month from the latest intermediate report.
What should be done now
- Product inventory: which apps, portals and components are made available under the institution's own brand?
- Role allocation: manufacturer, importer, distributor, deployer/user or DORA-relevant third-party provider?
- Gap analysis against Annex I CRA and existing secure-development processes
- Prepare CRA and DORA reporting routes as separate organisational processes
Connection to other topics
EU AI Act, vendor AI and audit readiness belong in the same governance map: roles, duties, evidence and reporting channels must be documented for each system.