Lex Specialis
The legal principle by which a more specific regulation takes precedence over a more general one, critically relevant for resolving overlaps between EU frameworks such as DORA, NIS2, and the GDPR.
Full Definition
Lex specialis derogat legi generali ("the special law derogates from the general law") is a fundamental principle of legal interpretation that plays a crucial role in the EU's multi-layered regulatory framework. When two regulations address the same subject matter, the more specific regulation takes precedence over the more general one for the areas it specifically covers.
This principle is explicitly invoked in the relationship between DORA and NIS2. DORA is considered lex specialis to NIS2 for the financial sector, as stated in both DORA's recitals and NIS2's Article 4. This means that where DORA provides specific rules on ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management for financial entities, those rules prevail over the corresponding general provisions of NIS2. However, NIS2 provisions may still apply to financial entities in areas not specifically covered by DORA.
The principle is equally relevant in the interaction between the GDPR and sector-specific regulations. For example, the ePrivacy Directive is lex specialis to the GDPR for electronic communications data. Similarly, the EU AI Act recognises the GDPR's primacy for personal data protection matters while establishing specific rules for AI systems. When the AI Act's conformity assessment overlaps with the GDPR's data protection impact assessment, both must be conducted, but the GDPR's requirements for personal data protection are not diminished.
Understanding lex specialis is essential for compliance teams working across multiple regulatory frameworks. It determines which obligations apply, resolves apparent conflicts between regulations, and helps organisations prioritise their compliance efforts. However, the principle does not create exemptions: the general law continues to apply for all matters not specifically addressed by the special law. Organisations must therefore maintain compliance with all applicable frameworks, using lex specialis only to resolve genuine conflicts, not to avoid obligations.