EPIF is delighted to share with you the joint statement, co-signed by EPIF together with the associations AFME, EBF, EPIF, ESBG and EACB, regarding the duplication between the Cyber Resilience Act (CRA) and DORA.

With this statement, the co-signatories aim to draw your attention to the overlap between the CRA and DORA, which could result in a highly complex regulatory landscape for financial services.

Therefore, the associations co-signing this statement support the amendments by the European Parliament (Recitals 4(a) and 14(b)) that emphasize the necessity for CRA’s compatibility with other Union rules, notably DORA:

  • 4a: The horizontal nature of this Regulation means that it will have an impact on very different segments of the Union’s economy. It is therefore important that the specificities of each sector are taken into account and that the cybersecurity requirements laid down in this Regulation are proportional to the risks. The Commission should therefore issue guidelines which explain in a clear and detailed manner how to apply this Regulation.
  • 14b: Regulation (EU) 2022/2554 of the European Parliament and of the Council establishes a number of requirements to ensure the security of network and information systems supporting the business processes of financial entities. The Commission should monitor the implementation of this Regulation in the financial sector, to ensure compatibility and to avoid overlaps for products with digital elements that may also be covered by Regulation.

You can find below the Joint Statement on duplication on the CRA.