European financial services sector associations ask for clarity on CRA-DORA overlap. In the context of the European Commission's objective to simplify the European regulatory framework, six leading associations representing the European financial services sector – European Banking Federation, European Association of Co-operative Banks, WSBI-ESBG, EFAMA, AFME and Insurance Europe reiterate the overlap between DORA and CRA. More specifically: 🔷 Financial services offered through digital channels risk falling under both DORA and CRA, despite already being comprehensively regulated under DORA. 🔷 Applying the CRA on top of DORA would introduce unnecessary complexity and compliance costs, whilst not enhancing security due to the duplication of cybersecurity requirements between the two frameworks. 🔷 DORA covers the entire lifecycle of these systems, from development to decommissioning, and includes risk-based management, incident handling, vulnerability management, and customer communication strategies. At a time when the financial industry is expected to finance and facilitate Europe's strategic priorities (competitiveness, defense, green and digital transitions), it is very important that the Commission provides, as soon as possible, a clear exemption from CRA for financial entities subject to DORA (via a delegated act under Article 2(5) of the CRA). This would provide much-needed certainty to the industry as it plans for cyber resilience investments and compliance efforts.
