Article

Should banks really be subject to the same regulations as robot vacuum cleaners?

Jörg Bernhauer
Tanja Beller

The Cyber Resilience Act, which will take effect at the end of 2027, expands EU requirements for security, health and safety and environmental protection for networked devices. Those who manufacture and distribute networked hardware and software must, in the future, meet comprehensive cybersecurity requirements in order to receive their CE marking. The goal is to improve cybersecurity awareness in an increasingly networked world.

The European Commission intends to include bank cards and card reading terminals in the catalogue of products subject to this regulation. As such, these rules would also apply to banks. However, banks are already subject to DORA, the Digital Operational Resilience Act, which requires that financial enterprises strengthen their digital operational resilience. Including them under the Cyber Resilience Act would result in duplicate regulatory provisions. The German Banking Industry Committee is thus highly critical of this plan, which introduces redundant requirements.

Electronic device manufacturers – such as those making household appliances – must fulfil security, health, safety and environmental requirements in order to sell their products in the EU. This is confirmed with the CE marking that you see on all electronic products. However, up until now, these requirements have not applied to devices that are networked over the internet. The Cyber Resilience Act will change that.

The new law means that manufacturers and those that introduce networked hardware or software to the market for the first time are now more liable for the cybersecurity of their products. They must meet a long list of cybersecurity requirements in order to receive the CE label. The goal of the new EU requirements is to draw more attention to potential cybersecurity risks in an increasingly networked world.

The European Commission has now proposed that bank cards and card reading terminals be included in the catalogue of products subject to this regulation, in order to improve cybersecurity. Banks, of course, are not the manufacturers of these products – payment cards are made by card manufacturers and card reading terminals are made by specialised companies – however, banks do distribute these items to their clients.

Beginning in December 2027, robot vacuums and baby monitors that connect to the internet must meet the same cybersecurity requirements, listed in the Cyber Resilience Act, as payment cards and digital bank products.

But do bank products need to be subject to this regulation? Obviously not. The significance of the financial sector means that it is already subject to special rules designed to guarantee cybersecurity and resilience, such as the Digital Operational Resilience Act, also known as DORA. This Act already requires that financial enterprises strengthen their digital operational resilience.

That means that in the future, banks will be required to meet cybersecurity provisions from both DORA and the Cyber Resilience Act for products such as bank cards. The result is duplicate cybersecurity regulations for bank products with digital features – all the requirements listed in the Cyber Resilience Act are already addressed via DORA. Just look at the names of both laws: they are practically identical. A sure sign that they cover almost entirely the same ground.

This is the core of the German Banking Industry Committee’s critique of the Cyber Resilience Act. The top banking associations in Germany work together in the German Banking Industry Committee (GBIC) to represent the interests of German banks. GBIC is calling for digital financial products within the financial sector, such as mobile payment solutions and ATMs, to be removed from the remit of the Cyber Resilience Act: DORA already ensures that these products are subject to comprehensive cybersecurity requirements. This is the only way to avoid the creation of additional bureaucratic challenges – a goal that the European Commission has recently claimed is a top priority.

Contact

Jörg Bernhauer

Banking Technology and Security

Contact

Tanja Beller

Press spokeswoman