{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"The AI Governance Brief","title":"CRA COUNTDOWN: Episode 6: Healthcare and Finance: Your Sector-Specific Compliance Maze","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/0b5dbf57\"></iframe>","width":"100%","height":180,"duration":1712,"description":"A healthcare technology CEO told me last quarter that she wasn't worried about CRA because her products were medical devices regulated under MDR. She was half right. Her Class IIa infusion management system is indeed exempt from CRA product requirements. But the cloud platform that aggregates patient data from those devices? Not exempt. The mobile application clinicians use to monitor alerts? Not exempt. The integration APIs that connect to hospital EHR systems? Not exempt.\nHer MDR exemption protected one product. Her ecosystem has seventeen products in CRA scope that nobody was tracking.\nIn This Episode:\nHealthcare: Why Your MDR Exemption Is Narrower Than You Think\nMDR exempts medical devices with medical purpose—not the digital ecosystem surrounding them\nCloud platforms, clinician dashboards, mobile alert apps, integration APIs: likely in CRA scope\nThe proposed MDR revision (COM(2025)1023): enhanced cybersecurity requirements coming for certified devices\nRadio Equipment Directive (RED) overlay for WiFi/Bluetooth-enabled products\nFinance: Why DORA Doesn't Satisfy CRA\nDORA is entity-level regulation (your organization's ICT risk management)\nCRA is product-level regulation (products placed on the market)\nYour mobile banking app needs DORA compliance AND CRA compliance—separately\nFinancial industry exemption requests have not prevailed\nThe Silo Problem in Both Sectors\nHealthcare: MDR teams lack DevSecOps velocity; IT Security lacks regulatory documentation expertise\nFinance: DORA teams don't address product-level compliance; product teams operate outside regulatory structure\nResult: competent functional performance producing collective compliance failure\nThe Integration Opportunity\nISO 27001 implementations provide ~60% CRA requirement coverage\nHealthcare: Extend MDR QMS to cover CRA requirements\nFinance: Map DORA ICT controls to CRA essential requirements\nOrganizations aren't starting from zero—they're closing specific gaps from established foundations\nSector-Specific Implementation...","thumbnail_url":"https://img.transistorcdn.com/rDqBMJXwlhb2bvZjH0V1qAuqxHAFqIADttstgmIyldM/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8wNzgz/MjhlNjg0NjRjYThi/MGI3YWEzMzkyNzVm/ZTdiYy5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}