Summary statistics
Overlaps: 3 · Conflicts: 0 · Gaps: 2
5 article-level crossrefs catalogued between DORA and ePrivacy Directive from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| DORA Art 10 | ePrivacy Directive Art 4 | overlap | medium | [entity affected: Financial entities providing electronic communications services] Both regulations require entities to implement technical and organizational measures to detect anomalies and safeguar |
| DORA Art 17 | ePrivacy Directive Art 4 | overlap | medium | [entity affected: Financial entities providing electronic communications services] Both regulations mandate the establishment of processes to manage, record, and respond to security incidents or breac |
| DORA Art 14 | ePrivacy Directive Art 4 | overlap | medium | [entity affected: Financial entities providing electronic communications services] Both regulations require entities to inform users or subscribers about security risks, breaches, or incidents that ma |
| DORA Art ? | ePrivacy Directive Art ? | gap | medium | [entity affected: Financial entities using third-party cloud providers for communications] Neither regulation clearly defines the liability split for security incidents occurring within the infrastruc |
| DORA Art ? | ePrivacy Directive Art ? | gap | high | [entity affected: Financial entities processing metadata for AI-driven fraud detection] There is a gap in guidance on how to reconcile DORA's requirement for comprehensive incident detection and loggi |
Overlaps explained
No conflict-type crossrefs were catalogued for this pair, but the 3 overlaps below mean a single control can be designed to satisfy both regulations at once. Plan the controls jointly to avoid duplicate effort:
- DORA Art 10 vs ePrivacy Directive Art 4 (medium severity) — [entity affected: Financial entities providing electronic communications services] Both regulations require entities to implement technical and organizational measures to detect anomalies and safeguard network security against risks.
- DORA Art 17 vs ePrivacy Directive Art 4 (medium severity) — [entity affected: Financial entities providing electronic communications services] Both regulations mandate the establishment of processes to manage, record, and respond to security incidents or breaches of network security.
- DORA Art 14 vs ePrivacy Directive Art 4 (medium severity) — [entity affected: Financial entities providing electronic communications services] Both regulations require entities to inform users or subscribers about security risks, breaches, or incidents that may affect them.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between DORA and ePrivacy Directive. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 3 overlaps as design opportunities — one control, two regulatory anchors. Treat the 0 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- dora article 9 financial entities
- dora obligations central securities depositories
- dora obligations financial services
- dora obligations ict services
Check your full compliance exposure with the 5-minute Fontvera diagnostic →