DORA vs GDPR
How the financial sector's digital resilience framework intersects with EU data protection obligations
Quick Comparison
Side-by-side overview of key regulatory dimensions
Objective
DORA: Ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and cyber threats
GDPR: Protect the fundamental right to personal data protection and ensure the free movement of personal data within the EU

Who is covered
DORA: Financial entities (banks, insurers, investment firms, payment institutions, crypto-asset service providers and others) and the ICT third-party service providers they rely on, with direct EU oversight of those designated as critical
GDPR: Any organization, anywhere in the world, that processes personal data of individuals in the EU, across all sectors

What is protected
DORA: The security and resilience of ICT systems, whatever data they process (personal and non-personal), with emphasis on availability, integrity, and continuity of services
GDPR: The processing of personal data specifically, governed by lawful bases and the principles of data minimization, purpose limitation, accuracy, and storage limitation

Incident reporting
DORA: Major ICT-related incidents must be reported to the financial supervisor: initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, intermediate report within 72 hours of the initial notification, final report within 1 month of the intermediate report
GDPR: Personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware (a later notification must be accompanied by reasons for the delay); affected data subjects must be notified without undue delay if the breach is likely to result in a high risk to them

Third-party risk
DORA: Comprehensive ICT third-party risk framework: mandatory register of information on all ICT contractual arrangements, prescribed contractual clauses, concentration risk management, and EU-level oversight of critical ICT providers
GDPR: Controller-processor framework: data processing agreements required under Article 28, controls on sub-processors, restrictions on international data transfers, and joint controllership arrangements

Governance and accountability
DORA: The management body must approve and oversee the ICT risk management framework, allocate budgets, undergo regular ICT training, and bears ultimate responsibility for DORA compliance
GDPR: Data Protection Officer (DPO) mandatory for certain organizations; the controller must be able to demonstrate compliance through records of processing, DPIAs, and privacy by design and by default

Penalties
DORA: Administrative penalties set by Member States; for critical ICT third-party providers, periodic penalty payments of up to 1% of average daily worldwide turnover per day of non-compliance, for a maximum of 6 months
GDPR: Up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious violations; up to EUR 10 million or 2% for less severe infringements
Key Differences
What sets these regulations apart
DORA is sector-specific; GDPR is universal
DORA applies exclusively to financial entities and the ICT providers that serve them, creating tailored requirements for the financial ecosystem. GDPR applies to any organization processing personal data, regardless of industry. A bank must comply with both; a retail company processing customer data is outside DORA's scope and, of the two, needs only GDPR.
GDPR protects personal data; DORA protects ICT systems
GDPR's focus is on the rights of individuals whose data is processed: a lawful basis for processing (such as consent), and the rights of access, erasure, and portability. DORA's focus is on the resilience of the technology systems themselves: uptime, recovery, threat resistance. A DORA incident might not involve personal data at all (an outage of a payment system, for example), and a GDPR breach might not involve any ICT disruption (a misdirected email containing customer records).
DORA requires operational resilience testing
DORA mandates a digital operational resilience testing programme for all financial entities, and threat-led penetration testing (TLPT) at least every three years for the financial entities their competent authority designates for it. GDPR requires appropriate technical and organizational security measures, and a process for regularly testing them, but does not prescribe specific testing methodologies or frequencies.
GDPR grants comprehensive individual rights
GDPR provides data subjects with enforceable rights to access, rectify, erase, and port their data, plus the right to object to processing. DORA does not create equivalent individual rights; it focuses on systemic resilience rather than individual empowerment.
DORA creates an EU-level oversight framework for ICT providers
DORA introduces the Lead Overseer mechanism for critical ICT third-party providers, enabling direct EU-level supervision. GDPR relies on national data protection authorities with cross-border cooperation through the one-stop-shop mechanism and the European Data Protection Board.
Where They Overlap
Areas where both regulations share common ground
Both require incident reporting to authorities within defined timelines: DORA for ICT incidents to financial supervisors, GDPR for data breaches to data protection authorities
Both impose contractual requirements on third-party relationships: DORA for ICT service providers, GDPR for data processors
Both require organizations to implement appropriate technical and organizational security measures to protect the data and systems they manage
Both place responsibility for compliance at the top of the organization: DORA on the management body, which must approve the ICT risk framework and allocate resources for it; GDPR on the controller under the accountability principle, which must be able to demonstrate compliance and must resource the DPO where one is required
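The two reporting clocks described in the comparison table and in the overlap list above, as an added Python example (not code from the original page): it chains the DORA initial, intermediate and final deadlines, applies the 24-hours-from-awareness cap to the 4-hour initial notification, and lays GDPR's 72-hour supervisory-authority deadline beside them so an incident responder sees one merged timeline. The Incident record, the function names and the sample timestamps are constructed for illustration; weekend and public-holiday adjustments and the processor-to-controller step are deliberately left out.

```python
"""Merged DORA / GDPR notification-deadline planner (illustrative example).

Clocks encoded:
  DORA major ICT incident:
    initial notification : 4 h after classification as major, but no later
                           than 24 h after the entity became aware
    intermediate report  : 72 h after the initial notification was submitted
    final report         : 1 month after the intermediate report was submitted
  GDPR personal data breach (controller obligations):
    supervisory authority: 72 h after awareness
    data subjects        : without undue delay, only if high risk to individuals
Simplifications (assumptions of this example): no weekend/holiday rules,
no processor-to-controller notification, calendar-month addition clamps the day.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


def utc(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


@dataclass
class Incident:
    aware_at: datetime                                  # entity became aware
    classified_major_at: Optional[datetime] = None      # None: not a DORA major incident
    personal_data_breach: bool = False                  # GDPR Art. 33 trigger
    high_risk_to_individuals: bool = False              # GDPR Art. 34 trigger
    initial_submitted_at: Optional[datetime] = None     # actual DORA initial submission
    intermediate_submitted_at: Optional[datetime] = None


def add_one_month(dt: datetime) -> datetime:
    """Calendar-month addition, clamping the day (31 Jan -> 28/29 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def dora_deadlines(inc: Incident) -> Dict[str, datetime]:
    """DORA clocks; empty when the incident is not classified as major."""
    if inc.classified_major_at is None:
        return {}
    # 4 h from classification, capped at 24 h from awareness: take the earlier.
    initial = min(inc.classified_major_at + timedelta(hours=4),
                  inc.aware_at + timedelta(hours=24))
    # Later clocks start at *submission*; if not yet submitted, plan against
    # the latest permitted time so the plan is never optimistic.
    initial_sent = inc.initial_submitted_at or initial
    intermediate = initial_sent + timedelta(hours=72)
    intermediate_sent = inc.intermediate_submitted_at or intermediate
    final = add_one_month(intermediate_sent)
    return {"dora_initial": initial,
            "dora_intermediate": intermediate,
            "dora_final": final}


def gdpr_deadlines(inc: Incident) -> Dict[str, datetime]:
    """GDPR clocks; empty when no personal data is involved."""
    if not inc.personal_data_breach:
        return {}
    out = {"gdpr_supervisory_authority": inc.aware_at + timedelta(hours=72)}
    if inc.high_risk_to_individuals:
        # "Without undue delay" has no fixed hour; model it as already due.
        out["gdpr_data_subjects"] = inc.aware_at
    return out


def notification_plan(inc: Incident) -> List[Tuple[datetime, str]]:
    """All applicable deadlines, earliest first."""
    merged = {**dora_deadlines(inc), **gdpr_deadlines(inc)}
    return sorted((when, what) for what, when in merged.items())


if __name__ == "__main__":
    # Constructed scenario: outage noticed Monday 09:00, only classified as
    # major 22 h later, and customer records were exposed in the process.
    example = Incident(aware_at=utc(2025, 3, 10, 9, 0),
                       classified_major_at=utc(2025, 3, 11, 7, 0),
                       personal_data_breach=True,
                       high_risk_to_individuals=True)
    for when, what in notification_plan(example):
        print(f"{when.isoformat()}  {what}")
```

Note how the cap changes the answer in the constructed scenario: classification at 07:00 on day two would give an initial-notification deadline of 11:00, but the 24-hour limit from awareness pulls it back to 09:00, the same moment the GDPR clock has 48 hours left to run.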
Which Applies to You?
Common scenarios and which regulations apply (where both apply, neither takes precedence over the other)
You are a bank operating in the EU that processes customer personal data
Both DORA and GDPR apply fully. DORA governs your ICT risk management, resilience testing, and third-party ICT oversight. GDPR governs your processing of customer personal data, breach notifications to data subjects, and data subject rights. An ICT incident that also involves personal data triggers obligations under both frameworks simultaneously.
You are a cloud provider serving EU financial institutions
DORA reaches you as an ICT third-party service provider: indirectly, because your financial-entity clients must impose DORA's contractual requirements on you, and directly if you are designated a critical ICT third-party provider subject to a Lead Overseer. GDPR applies to you as a data processor handling personal data on behalf of financial clients. You must meet both DORA's contractual and resilience requirements and GDPR's Article 28 data processing agreement obligations.
You are an e-commerce company that does not operate in financial services
DORA does not apply to your organization. Focus on GDPR compliance for your customer data processing activities, including privacy notices, lawful-basis and consent management, data subject rights, and breach notification procedures.
Frequently Asked Questions
Common questions about these regulations