CRA COUNTDOWN: Episode 6: Healthcare and Finance: Your Sector-Specific Compliance Maze
A healthcare technology CEO told me last quarter that she wasn't worried about CRA because her products were medical devices regulated under MDR. She was half right. Her Class IIa infusion management system is indeed exempt from CRA product requirements. But the cloud platform that aggregates patient data from those devices? Not exempt. The mobile application clinicians use to monitor alerts? Not exempt. The integration APIs that connect to hospital EHR systems? Not exempt.
Her MDR exemption protected one product. Her ecosystem has seventeen products in CRA scope that nobody was tracking.
In This Episode:
- Healthcare: Why Your MDR Exemption Is Narrower Than You Think
  - MDR exempts medical devices with medical purpose—not the digital ecosystem surrounding them
  - Cloud platforms, clinician dashboards, mobile alert apps, integration APIs: likely in CRA scope
  - The proposed MDR revision (COM(2025)1023): enhanced cybersecurity requirements coming for certified devices
  - Radio Equipment Directive (RED) overlay for WiFi/Bluetooth-enabled products
- Finance: Why DORA Doesn't Satisfy CRA
  - DORA is entity-level regulation (your organization's ICT risk management)
  - CRA is product-level regulation (products placed on the market)
  - Your mobile banking app needs DORA compliance AND CRA compliance—separately
  - Financial industry exemption requests have not prevailed
- The Silo Problem in Both Sectors
  - Healthcare: MDR teams lack DevSecOps velocity; IT Security lacks regulatory documentation expertise
  - Finance: DORA teams don't address product-level compliance; product teams operate outside regulatory structure
  - Result: competent functional performance producing collective compliance failure
- The Integration Opportunity
  - ISO 27001 implementations provide ~60% CRA requirement coverage
  - Healthcare: Extend MDR QMS to cover CRA requirements
  - Finance: Map DORA ICT controls to CRA essential requirements
  - Organizations aren't starting from zero—they're closing specific gaps from established foundations
- Sector-Specific Implementation Paths
  - Healthcare: Ecosystem inventory → QMS extension → Notified body harmonization → RED overlay
  - Finance: Product-vs-entity analysis → DORA-CRA mapping → Evidence integration → Dual reporting
Your Fourteen-Day Action Plan:
- Days 1-3: Exemption analysis with documented regulatory rationale
- Days 4-7: Existing framework inventory (MDR QMS, DORA ICT, ISO 27001, NIST CSF)
- Days 8-11: Control mapping—CRA requirements vs. existing controls
- Days 12-13: Gap prioritization by examination risk and implementation effort
- Day 14: Integration strategy documentation for executive approval
Deliverables:
- Exemption analysis with documented rationale
- Existing framework inventory
- Control mapping showing CRA coverage percentage
- Gap prioritization with preliminary roadmap
Ready to map your regulatory overlaps?
The First Witness Stress Test includes sector-specific analysis—mapping your existing MDR, DORA, or ISO 27001 controls against CRA requirements to reveal how much coverage you already have and where genuine gaps remain. Stop duplicating compliance effort. Start integrating it.