Summary statistics
Overlaps: 5 · Conflicts: 2 · Gaps: 2
9 article-level crossrefs catalogued between DORA and GDPR from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| DORA Art 10 | GDPR Art 5 | overlap | medium | [entity affected: Financial entities] Both regulations require entities to implement technical and organizational measures to detect anomalies and ensure security of processing, specifically protectin |
| DORA Art 12 | GDPR Art 32 | overlap | medium | [entity affected: Financial entities] DORA requires backup policies and restoration procedures for ICT assets, which overlaps with GDPR's requirement for the ability to restore availability and access |
| DORA Art 17 | GDPR Art 33 | overlap | medium | [entity affected: Financial entities] Both regulations mandate the recording and classification of incidents; DORA focuses on ICT incidents while GDPR focuses on personal data breaches, but both requi |
| DORA Art 14 | GDPR Art 34 | overlap | medium | [entity affected: Financial entities] Both regulations require communication plans for incidents; DORA mandates crisis communication for ICT incidents to stakeholders, while GDPR requires notification |
| DORA Art 13 | GDPR Art 24 | overlap | low | [entity affected: Financial entities] Both regulations require entities to demonstrate compliance and maintain records of their risk management and security measures, with DORA focusing on ICT resilie |
| DORA Art 18 | GDPR Art 33 | conflict | high | [entity affected: Financial entities] DORA requires reporting of major ICT incidents to competent authorities based on specific criteria, while GDPR requires notification of personal data breaches to supervisory authorities within 72 hours; differing timelines and definitions may create conflicting reporting priorities. |
| DORA Art 11 | GDPR Art 17 | conflict | medium | [entity affected: Financial entities] DORA requires maintaining records and backups for business continuity and audit trails, which may conflict with GDPR's right to erasure if personal data is retained in backups longer than necessary for the original purpose. |
| DORA Art ? | GDPR Art ? | gap | medium | [entity affected: ICT Third-Party Service Providers] While DORA addresses outsourcing and GDPR addresses processors, there is a gap in clear joint liability frameworks for incidents caused by third-pa |
| DORA Art ? | GDPR Art ? | gap | high | [entity affected: Financial entities] Neither regulation clearly defines the protocol for handling incidents that are both major ICT disruptions under DORA and personal data breaches under GDPR, poten |
Conflicts explained
The 2 article-level conflicts between DORA and GDPR mean a control that satisfies one can pull the wrong way on the other:
- DORA Art 18 vs GDPR Art 33 — [entity affected: Financial entities] DORA requires reporting of major ICT incidents to competent authorities based on specific criteria, while GDPR requires notification of personal data breaches to supervisory authorities within 72 hours; differing timelines and definitions may create conflicting reporting priorities.
- DORA Art 11 vs GDPR Art 17 — [entity affected: Financial entities] DORA requires maintaining records and backups for business continuity and audit trails, which may conflict with GDPR's right to erasure if personal data is retained in backups longer than necessary for the original purpose.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between DORA and GDPR. In practice three resolution approaches apply:
- Lex specialis: the more specific provision wins when both purport to govern the same conduct.
- Regulator guidance: EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles; check the most recent applicable opinion.
- Document the choice: when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence.
Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal, not a control-design question.
What this means for your compliance team
Treat the 5 overlaps as design opportunities — one control, two regulatory anchors. Treat the 2 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.