How does the Cyber Resilience Act differ from DORA?
Direct answer
DORA governs the ICT risk of financial entities — banks, insurers, investment firms — and their critical third-party providers. The Cyber Resilience Act governs the security of products with digital elements placed on the market. A financial entity that also manufactures a connected product is subject to both. The reporting clocks share the same 24-hour and 72-hour stages but the recipient, trigger and final window differ.
Key Facts
- DORA = ICT risk of financial entities; CRA = product security for manufacturers.
- DORA early warning: classification as major must occur without undue delay (within ~24h of awareness); the 4-hour clock for the initial notification then starts at that classification — not at detection (RTS (EU) 2025/301, Art. 5). Confirmed 16 Jul 2026.
- CRA early warning: flat 24 hours from awareness — no classification step, and the clock is absolute: no weekend or bank-holiday deferral.
- DORA contrast: standard financial entities may defer weekend and bank-holiday reporting to the next working day (RTS (EU) 2025/301, Art. 5). The CRA has no equivalent deferral.
- Both: 72-hour intermediate notification; 1-month final report.
- CRA reports to ENISA + national CSIRT (single reporting platform); DORA reports to the competent financial authority.
- A financial entity that also manufactures connected products may be subject to both — obligations are additive, not duplicative.
DORA and the CRA sit at different levels of the regulatory stack (Art. 1 CRA; Art. 1 DORA): | | Cyber Resilience Act | DORA | |---|---|---| | **Instrument** | Regulation (EU) 2024/2847 | Regulation (EU) 2022/2554 | | **What it governs** | Security of products with digital elements | ICT risk of financial entities | | **Who it covers** | Manufacturers, importers, distributors | Financial entities and critical ICT third-party providers | | **Core obligation** | Product security across lifecycle | ICT risk management, third-party oversight, incident reporting | | **What you report** | Actively exploited vulnerabilities · severe incidents | Major ICT-related incidents | | **Early warning** | 24 hours from awareness (absolute, no weekend deferral) | Classification as major must occur without undue delay (within ~24h of awareness); initial notification then due within 4 hours of that classification | | **Intermediate / notification** | 72 hours | 72 hours | | **Final report** | 14 days after fix (vulnerability) · 1 month (incident) | 1 month | | **Report to** | ENISA + national CSIRT (single reporting platform) | Competent financial authority | | **Full application** | 11 December 2027 (reporting from 11 Sep 2026) | Already in force | The key operational differences in the early-warning stage come down to two points: **The DORA clock starts at classification, not detection.** The 4-hour clock for the initial notification begins at the moment the entity classifies the incident as major — not when it first detects a problem. But that classification must occur "without undue delay" (typically within 24 hours of becoming aware), so teams cannot slow-walk classification to buy time. **DORA allows weekend deferrals; the CRA does not.** Standard financial entities may defer weekend and bank-holiday reporting to the next working day under Commission Delegated Regulation (EU) 2025/301, Article 5. The CRA has no equivalent: the 24-hour clock runs from the moment of awareness, seven days a week, 365 days a year. A financial institution that also manufactures connected products — a trading-terminal vendor, an InsurTech building IoT devices — is subject to both. The reporting destinations, triggers, incident definitions and clock mechanics are different enough that the incident process must be explicitly mapped to each regime rather than treated as interchangeable.
Regulatory References