§ Data Act · DORA COMPARISON

Data Act vs DORA: Where They Overlap and Conflict

3 overlaps, 1 conflicts and 1 gaps mapped between Data Act and DORA in the Fontvera regulatory corpus.

Summary

Data Act and DORA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in the Fontvera corpus.

3 overlaps mean the same conduct triggers obligations in both regimes — design controls once, document twice. 1 conflicts mean the two regulations push in opposite directions on a specific question. 1 gaps mean one regulation leaves something on a topic the other addresses.

Who this applies to
Compliance teams who need to map a single control framework onto both Data Act and DORA.
Compliance deadline
§ Detail

In depth

Summary statistics

Overlaps: 3 · Conflicts: 1 · Gaps: 1

5 article-level crossrefs catalogued between Data Act and DORA from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.

All crossrefs between these regulations

Article (A)Article (B)TypeSeverityDescription
DORA Art 10Data Act Art 11overlapmedium[entity affected: Financial entities acting as data holders or recipients] Both regulations require entities to implement technical and organizational measures to detect anomalies or unauthorized acce
DORA Art 14Data Act Art 11overlapmedium[entity affected: Financial entities acting as data holders] Both regulations mandate communication obligations in the event of an incident, with DORA focusing on crisis communication for ICT incident
DORA Art 12Data Act Art 19overlaplow[entity affected: Financial entities acting as data holders] Both regulations require the implementation of measures to ensure data integrity and confidentiality, including backup policies in DORA and
DORA Art 18Data Act Art 18conflicthigh[entity affected: Financial entities acting as data holders] DORA requires classification and reporting of ICT incidents based on specific criteria, while the Data Act requires anonymization or pseudo
DORA Art ?Data Act Art ?gapmedium[entity affected: Financial entities using third-party data processing services] Neither regulation clearly defines the liability split for data loss during a switching process between data processing

Conflicts explained

The 1 article-level conflicts between Data Act and DORA mean a control that satisfies one can pull the wrong way on the other:

Which regulation takes precedence

EU law does not lay down a universal precedence rule between Data Act and DORA. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.

What this means for your compliance team

Treat the 3 overlaps as design opportunities — one control, two regulatory anchors. Treat the 1 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 1 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.

Related Fontvera pages

Check your full compliance exposure with the 5-minute Fontvera diagnostic →

§ What Fontvera found

Documents in our corpus

edpb EU Fetched 2026-05
EDPB-EDPS Joint Opinion 02/2023 on the Proposal for a Regulation of the European Parliament and of the Council on the establishment of the digital euro
edpb EU Fetched 2026-05
EDPB-EDPS Joint opinion 2/2026 on the Proposal for a Regulation as regards the simplification of the digital legislative framework (Digital Omnibus)
eurlex EU Fetched 2026-04
Commission Delegated Regulation (EU) 2025/420 of 16 December 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks and working arrangements
eurlex EU Fetched 2026-04
Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
eurlex EU Fetched 2026-04
Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats
eurlex EU Fetched 2026-04
Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities
eurlex EU Fetched 2026-04
Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information
eurlex EU Fetched 2026-04
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
§ Cross-references

Related Fontvera intelligence

COMPARISON
AI Act vs Data Act comparison
COMPARISON
AI Act vs DORA: Financial Services AI
COMPARISON
Data Act vs Data Governance Act comparison
COMPARISON
Data Act vs DMA comparison
COMPARISON
Data Act vs DSA comparison
Need a cross-border briefing on this?
Search Fontvera ↵ Run the AI Act diagnostic
AI Act enforcement
63 days
until 2026-08-02, when most AI Act provisions begin to apply.
Intelligence · About · Pricing · Privacy · Terms
100% European infrastructure