Summary statistics
Overlaps: 3 · Conflicts: 0 · Gaps: 1
4 article-level crossrefs catalogued between Data Act and DORA from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| DORA Art 10 | Data Act Art 11 | overlap | medium | [entity affected: Financial entities acting as data holders or recipients] Both regulations require entities to implement technical and organizational measures to detect anomalies or unauthorized acce |
| DORA Art 14 | Data Act Art 11 | overlap | medium | [entity affected: Financial entities acting as data holders] Both regulations mandate communication obligations in the event of an incident, with DORA focusing on crisis communication for ICT incident |
| DORA Art 12 | Data Act Art 19 | overlap | low | [entity affected: Financial entities acting as data holders] Both regulations require the implementation of measures to ensure data integrity and confidentiality, including backup policies in DORA and |
| DORA Art ? | Data Act Art ? | gap | medium | [entity affected: Financial entities using third-party data processing services] Neither regulation clearly defines the liability split for data loss during a switching process between data processing |
Overlaps explained
No conflict-type crossrefs were catalogued for this pair, but the 3 overlaps below mean a single control can be designed to satisfy both regulations at once. Plan the controls jointly to avoid duplicate effort:
- DORA Art 10 vs Data Act Art 11 (medium severity) — [entity affected: Financial entities acting as data holders or recipients] Both regulations require entities to implement technical and organizational measures to detect anomalies or unauthorized access and to respond to incidents involving data or ICT systems.
- DORA Art 14 vs Data Act Art 11 (medium severity) — [entity affected: Financial entities acting as data holders] Both regulations mandate communication obligations in the event of an incident, with DORA focusing on crisis communication for ICT incidents and the Data Act requiring notification of unauthorized data use or disclosure.
- DORA Art 12 vs Data Act Art 19 (low severity) — [entity affected: Financial entities acting as data holders] Both regulations require the implementation of measures to ensure data integrity and confidentiality, including backup policies in DORA and security/confidentiality measures for received data in the Data Act.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between Data Act and DORA. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 3 overlaps as design opportunities — one control, two regulatory anchors. Treat the 0 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 1 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- data act vs gdpr comparison
- data act vs nis2 comparison
- ai act art 17 provider obligations
- ai act art 70 commission obligations
Check your full compliance exposure with the 5-minute Fontvera diagnostic →