ESBG warns of duplication in the Cyber Resilience Act through a joint industry statement

In recent years, European legislators have published various initiatives to regulate organizations’ cyber resilience. One of ESBG’s concerns is the possible overlap between the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA), which could lead to a duplication of requirements and general inefficiencies. Therefore, on 21 November 2023, a joint industry statement was issued by ESBG, Afore Consulting, the Association for Financial Markets in Europe (AFME), the European Association for Co-operative Banks (EACB), the European Banking Federation (EBF) and the European Payment Institutions Federation (EPIF).

Both DORA and the CRA serve to increase the cybersecurity and resilience of the European economy, the CRA through the lens of digital products and DORA via the ICT systems of financial entities. With their statement, the stakeholders want to draw attention to the possible duplication between the two initiatives, which could result in a highly complex regulatory landscape for financial services.

All of the objectives outlined in the CRA have not only been successfully accomplished but, in many cases, surpassed within the framework of DORA. Further elaboration on the elevated standards to which the financial sector is held will be provided in the upcoming months as the finalization of the DORA Regulatory Technical Standards unfolds.

The statement stresses the importance of recognizing other sector-specific rules that impose requirements similar to those of the CRA, and underlines that the Commission should have the freedom to set guidance on the sector-specific application of its rules.
