GDPR and DORA: How They Overlap and Where They Don't
For financial entities and ICT third-party service providers in scope of both GDPR and DORA, the two frameworks impose related but distinct obligations. This page covers what each framework requires, where they overlap, and how to coordinate compliance.
What each framework is
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is EU privacy law applicable from 2018. It regulates the processing of personal data of EU residents and is enforced by member state supervisory authorities.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) entered into application on January 17, 2025. DORA regulates the operational resilience of financial entities and the ICT third-party service providers they rely on. DORA is enforced by financial sector supervisory authorities (typically the national central bank, financial markets authority, or equivalent).
GDPR and DORA are both regulations directly applicable across EU member states.
What each framework covers
GDPR covers lawful processing of personal data. Obligations include lawful basis, transparency, data subject rights, records of processing activities (RoPA), data protection impact assessments (DPIAs), data protection officer (DPO) appointment, security of processing, breach notification, and international transfers.
DORA covers operational resilience of financial entities including ICT risk management, incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.
Where they overlap
The overlap is in security and risk management for personal data processing in financial services:
Risk management. Both require comprehensive risk management frameworks. DORA's ICT risk management framework covers cybersecurity, business continuity, and operational risk. GDPR's risk management focuses on risks to data subjects.
Security measures. Both require appropriate security measures. DORA has more prescriptive cybersecurity measures including specific testing requirements. GDPR Article 32 has principles-based security requirements.
Incident response capability. Both require incident detection, response, and reporting capability.
Third-party risk management. DORA requires comprehensive ICT third-party risk management. GDPR Article 28 requires processor relationship management. The two overlap substantially for ICT services involving personal data.
Documentation. Both require documented evidence of compliance.
Accountability. Both place specific accountability on senior leadership.
Where they do not overlap
GDPR-specific obligations not covered by DORA:
Lawful basis for processing personal data.
Privacy notices and transparency to data subjects.
Data subject rights operational capability.
DPO appointment.
International data transfers.
DPIA for high-risk processing.
Cookie and tracking compliance under ePrivacy.
DORA-specific obligations not covered by GDPR:
Digital operational resilience testing. DORA requires regular testing of ICT systems including advanced threat-led penetration testing for designated entities.
Specific contractual requirements for ICT services. DORA Article 30 requires specific terms in ICT services contracts that are broader than GDPR Article 28 processor terms.
ICT third-party register. DORA Article 28 requires a register of all ICT third-party service providers.
Incident reporting on ICT incidents. DORA has specific timelines for ICT incident reporting (4 hours initial, 72 hours intermediate, 1 month final) that apply to all major ICT incidents, whether or not personal data is involved.
Critical ICT third-party provider oversight. DORA establishes oversight by European Supervisory Authorities for critical ICT third-party providers.
Information and intelligence sharing arrangements on cyber threats.
Coordinated incident reporting
For incidents that affect both ICT services and personal data, both DORA and GDPR notification obligations apply:
DORA timeline: initial notification within 4 hours of incident classification as major, intermediate report within 72 hours, final report within 1 month.
GDPR timeline: notification to supervisory authority without undue delay and not later than 72 hours, communication to affected data subjects without undue delay where the breach is likely to result in a high risk.
For coordinated incidents, financial entities must report to the relevant financial supervisory authority (under DORA) and to the data protection supervisory authority (under GDPR). The two authorities are typically different entities with different priorities and engagement styles.
Initial DORA notification at 4 hours is significantly faster than GDPR's 72-hour notification window. Companies need an incident classification capability that triggers the DORA notification quickly and then prepares the GDPR notification within the longer GDPR window.
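As an added example (not code from the original page), the parallel notification tracks described above as a small deadline planner in Python. It uses the timelines the page gives (DORA 4 hours / 72 hours / 1 month from classification as major; GDPR 72 hours to the supervisory authority, which runs from awareness of the breach), models "1 month" as 30 days, and treats the Incident and Deadline structures and the field names as illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Timelines as stated on the page; "1 month" modelled as 30 days (assumption).
DORA_STAGES = (("initial", timedelta(hours=4)),
               ("intermediate", timedelta(hours=72)),
               ("final", timedelta(days=30)))
GDPR_AUTHORITY_WINDOW = timedelta(hours=72)   # GDPR Art. 33: from awareness of the breach


@dataclass(frozen=True)
class Incident:                      # illustrative structure, not a DORA/GDPR-defined one
    aware_at: datetime               # when the entity became aware of the incident
    classified_major_at: Optional[datetime]  # when classified as a major ICT incident (DORA)
    personal_data_affected: bool     # triggers the GDPR breach notification track
    high_risk_to_data_subjects: bool  # triggers communication to affected data subjects


@dataclass(frozen=True)
class Deadline:
    regime: str                      # "DORA" or "GDPR"
    step: str
    recipient: str
    due: Optional[datetime]          # None means "without undue delay" (no fixed clock)


def notification_plan(inc: Incident) -> List[Deadline]:
    """Build both notification tracks; fixed deadlines first, earliest to latest."""
    plan: List[Deadline] = []
    if inc.classified_major_at is not None:          # DORA clock starts at classification
        for step, delta in DORA_STAGES:
            plan.append(Deadline("DORA", step, "financial supervisory authority",
                                 inc.classified_major_at + delta))
    if inc.personal_data_affected:                   # GDPR clock starts at awareness
        plan.append(Deadline("GDPR", "breach notification",
                             "data protection supervisory authority",
                             inc.aware_at + GDPR_AUTHORITY_WINDOW))
        if inc.high_risk_to_data_subjects:
            plan.append(Deadline("GDPR", "data subject communication",
                                 "affected data subjects", None))
    # "Without undue delay" items have no clock, so they sort after fixed deadlines.
    plan.sort(key=lambda d: (d.due is None, d.due or inc.aware_at))
    return plan


def overdue(plan: List[Deadline], now: datetime) -> List[Deadline]:
    """Fixed deadlines already missed at time `now`; drives escalation in the IR runbook."""
    return [d for d in plan if d.due is not None and now > d.due]
```

Running the planner against an incident classified two hours after awareness shows why a single process needs two clocks: the DORA initial notification falls due before the GDPR 72-hour window has even reached its halfway point.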
Contractual requirements coordination
DORA Article 30 imposes specific contractual requirements on ICT services agreements. GDPR Article 28 requires specific terms in processor agreements. For ICT services involving personal data, both apply.
Practical approach: a single ICT services agreement that addresses both DORA and GDPR requirements, with specific sections covering:
Services description, locations, and quality (DORA)
Security measures and incident reporting (both)
Sub-contracting (both, with DORA having broader scope)
Audit and inspection rights (DORA broader, GDPR more privacy-focused)
Termination and exit (DORA has specific exit strategy requirements)
Processing of personal data (GDPR Article 28 terms)
International transfers if applicable (GDPR Chapter V)
Data return and deletion (GDPR plus DORA exit considerations)
How to integrate the two
For fintech companies and ICT providers in scope of both frameworks, integration approaches include:
Combined risk management. A single risk management function covering operational resilience (DORA) and personal data risks (GDPR).
Coordinated incident response. Single incident response process with parallel notification tracks for DORA and GDPR.
Integrated vendor management. Single vendor lifecycle management covering DORA ICT third-party register requirements and GDPR processor obligations.
Combined contractual templates. Single ICT services agreement template addressing both DORA and GDPR requirements.
Coordinated supervisory authority engagement. Documented strategy for engaging financial supervisory authority (DORA) and data protection supervisory authority (GDPR), with clear escalation paths.
Combined documentation. Shared documentation infrastructure for policies, risk assessments, asset inventory, and incident logs.
How Engage Compliance helps
For fintech clients in scope of DORA, we provide GDPR fractional DPO services and coordinate with DORA compliance work. Specific support includes:
GDPR compliance for fintech-specific processing including payments, KYC, AML, credit scoring, transaction monitoring, fraud detection.
Coordinated incident response covering DORA ICT incident reporting and GDPR breach notification.
ICT third-party register coordination with vendor management for personal data processing.
Contractual template coordination addressing both DORA and GDPR requirements.
EU AI Act compliance for AI use in fintech (credit scoring, fraud detection, recommendation systems).
For specialist DORA work including operational resilience testing and financial services-specific compliance, we coordinate with financial services compliance specialists.
Get started
If you are a fintech company evaluating combined GDPR and DORA compliance, book a consultation.