§ DORA · ePrivacy Directive COMPARISON

DORA vs ePrivacy Directive: Where They Overlap and Conflict

3 overlaps, 2 conflicts and 2 gaps mapped between DORA and ePrivacy Directive in the Fontvera regulatory corpus.

Summary

DORA and ePrivacy Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in the Fontvera corpus.

3 overlaps mean the same conduct triggers obligations in both regimes — design controls once, document twice. 2 conflicts mean the two regulations push in opposite directions on a specific question. 2 gaps mean one regulation leaves something on a topic the other addresses.

Who this applies to
Compliance teams who need to map a single control framework onto both DORA and ePrivacy Directive.
Compliance deadline
§ Detail

In depth

Summary statistics

Overlaps: 3 · Conflicts: 2 · Gaps: 2

7 article-level crossrefs catalogued between DORA and ePrivacy Directive from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.

All crossrefs between these regulations

Article (A)Article (B)TypeSeverityDescription
DORA Art 10ePrivacy Directive Art 4overlapmedium[entity affected: Financial entities providing electronic communications services] Both regulations require entities to implement technical and organizational measures to detect anomalies and safeguar
DORA Art 17ePrivacy Directive Art 4overlapmedium[entity affected: Financial entities providing electronic communications services] Both regulations mandate the establishment of processes to manage, record, and respond to security incidents or breac
DORA Art 14ePrivacy Directive Art 4overlapmedium[entity affected: Financial entities providing electronic communications services] Both regulations require entities to inform users or subscribers about security risks, breaches, or incidents that ma
DORA Art 10ePrivacy Directive Art 5conflicthigh[entity affected: Financial entities providing electronic communications services] DORA requires monitoring of user activity and ICT anomalies, which may conflict with ePrivacy's strict prohibition on
DORA Art 12ePrivacy Directive Art 6conflicthigh[entity affected: Financial entities providing electronic communications services] DORA mandates backup and retention of data for business continuity, while ePrivacy requires traffic data to be erased
DORA Art ?ePrivacy Directive Art ?gapmedium[entity affected: Financial entities using third-party cloud providers for communications] Neither regulation clearly defines the liability split for security incidents occurring within the infrastruc
DORA Art ?ePrivacy Directive Art ?gaphigh[entity affected: Financial entities processing metadata for AI-driven fraud detection] There is a gap in guidance on how to reconcile DORA's requirement for comprehensive incident detection and loggi

Conflicts explained

The 2 article-level conflicts between DORA and ePrivacy Directive mean a control that satisfies one can pull the wrong way on the other:

Which regulation takes precedence

EU law does not lay down a universal precedence rule between DORA and ePrivacy Directive. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.

What this means for your compliance team

Treat the 3 overlaps as design opportunities — one control, two regulatory anchors. Treat the 2 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.

Related Fontvera pages

Check your full compliance exposure with the 5-minute Fontvera diagnostic →

§ What Fontvera found

Documents in our corpus

edpb EU Fetched 2026-05
EDPB-EDPS Joint Opinion 02/2023 on the Proposal for a Regulation of the European Parliament and of the Council on the establishment of the digital euro
edpb EU Fetched 2026-05
EDPB-EDPS Joint opinion 2/2026 on the Proposal for a Regulation as regards the simplification of the digital legislative framework (Digital Omnibus)
eurlex EU Fetched 2026-04
Commission Delegated Regulation (EU) 2025/420 of 16 December 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks and working arrangements
eurlex EU Fetched 2026-04
Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
eurlex EU Fetched 2026-04
Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats
eurlex EU Fetched 2026-04
Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities
eurlex EU Fetched 2026-04
Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information
eurlex EU Fetched 2026-04
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
§ Cross-references

Related Fontvera intelligence

COMPARISON
AI Act vs DORA: Financial Services AI
COMPARISON
AI Act vs ePrivacy Directive comparison
COMPARISON
Data Act vs DORA comparison
COMPARISON
Data Act vs ePrivacy Directive comparison
COMPARISON
Data Governance Act vs DORA comparison
Need a cross-border briefing on this?
Search Fontvera ↵ Run the AI Act diagnostic
AI Act enforcement
63 days
until 2026-08-02, when most AI Act provisions begin to apply.
Intelligence · About · Pricing · Privacy · Terms
100% European infrastructure