The rapid digital transformation of the past few decades led to huge benefits for businesses, among them the ability to collect, track and analyze consumer behavior. At the same time, however, malicious actors took advantage of this opportunity to launch more sophisticated and frequent cybersecurity attacks. Consumers started demanding stronger privacy rights over their personal data. In addition, the financial crisis of 2008 revealed the vulnerability of the financial sector with its interconnectedness and reliance on third parties for critical operations such as data storage, payment processing and cloud services.
Both the DORA regulation (the Digital Operational Resilience Act) and the GDPR (General Data Protection Regulation) are European regulatory responses to these developments in the digital landscape, and both aim to create an environment that is better equipped to respond to the evolving threat landscape in the future. These regulations set in motion a snowball effect, with countries all over the world subsequently reviewing their data protection and financial regulation policies and implementing their own regulations.
DORA Regulation vs. GDPR Regulation
Neither the DORA regulation nor the GDPR came out of thin air; both have foundations in previous regulations. The GDPR was developed to replace the 1995 Data Protection Directive, while the DORA is based on the NIS2 directive. Due to its relative complexity, scope, and goal of standardizing compliance across the industry, DORA had a longer implementation period than its GDPR counterpart.
Other differences include their goals, scope, enforcement, incident management, and focus with regard to risk management, which you can see in the table below:
| | GDPR | DORA |
|---|---|---|
| Goal | Data protection and privacy | Stronger operational resilience, with a focus on third-party management, including data security |
| Enforcement | May 25, 2018 | January 17, 2025 |
| Geographic focus | EU, and global organizations processing data of EU consumers | EU and organizations with third-party ICT providers servicing consumers in the EU |
| Industry focus | All | Financial services organizations and ICT providers |
| Notification of security incidents | Report data breaches within 72 hours | Report third-party ICT-related security incidents within 24 hours (initial report) |
| Risk management | Risk-based data protection measures (e.g., encryption, security controls) | Focus on continuous operational resilience testing (e.g., penetration testing, scenario-based tests) |
What is DORA?
The DORA regulation focuses on operational resilience in financial services organizations of the EU. It does this by requiring third-party risk management of ICT (information and communication technologies), as ICT has become essential for automating financial processes, digital payments, data management and analytics.
While the DORA regulation requires “comprehensive third-party risk management” and does not itself specify the technical and operational measures required, it does stipulate its own requirements for ICT risk management.
These include:
- reporting of ICT-related security incidents
- documentation and classification of security incidents
- implementation of technologies that can detect anomalies in network behavior
- monitoring of critical ICT services
- resilience testing
- regular risk assessments after changes in IT infrastructure
In addition, the financial services organization is also required to assess ICT providers before entering into a business relationship with them and to stipulate minimum security requirements in its service agreements with these third parties. It must also maintain a Register of Information that records all of its ICT services, including which services are critical and which are not. The governing authority must be notified of any changes in the use of these ICT services, their categories, new contracts, and the type of service provided.
Who is Impacted by DORA Regulation?
DORA is applicable to 21 different types of financial service organizations within the EU and to their ICT providers, even if those providers are not located in the EU.
Here are examples of the types of EU-based financial services and their ICT third-party service providers that must comply with DORA:
Types of Organizations Required to Meet DORA Compliance

Financial service entities:
- banks
- insurance companies
- credit institutions
- payment institutions
- electronic money institutions
- investment firms
- credit rating agencies
- crypto-asset service providers
- central securities depositories
- trading venues

ICT third-party service providers:
- cloud services
- data centers
- telecom systems
- information systems
- risk management and compliance systems
- mobile banking applications
- CMS systems
- operational and incident management systems
- cybersecurity systems
- trading platforms
The organization must categorize and classify its ICT third-party services, designating those that meet the proper criteria as critical. These ICT providers are subject to additional regulations, testing and increased scrutiny from European regulators.
Critical ICT services are defined as:
‘a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.’
– DORA, Article 3(22)
The DORA regulation requires that the respective European Supervisory Authority designate these critical services and that the designated providers have EU subsidiaries. Once designated, they are much easier to supervise under EU authorities and to hold to the regular reporting, auditing and inspections required of them.
What is GDPR?
The GDPR, or the General Data Protection Regulation, directs organizations on exactly how they can collect, store, generate, process and transfer personal data. In a nutshell, it demands both implicit and explicit consent of consumers in order to share personal information or data. This consent includes understanding how data is processed, the type of data being processed, and the purpose of processing the data. The regulation requires both data controllers and data processors to obey a set of principles:
- lawfulness, fairness and transparency: respecting the right of consumers to lawful, fair and transparent handling of their data
- purpose limitation: data should only be collected for the purpose intended
- data minimization: only the data necessary for the intended purpose should be collected (not more “just in case”)
- accuracy: data must be maintained to be as accurate as possible
- storage limitation: storage of data should be limited
- integrity and confidentiality: data gathered must be kept accurate (integrity) and be available only to those with the proper permissions (confidentiality)
- accountability: organizations must be held accountable for regulatory compliance with all of the above principles
Who is Impacted by GDPR Regulation?
The GDPR focuses on the data protection and privacy of consumers in the European Union and European Economic Area (EEA) countries. It is also applicable to organizations that target EU customers even if they are not located in the EU. The regulation also applies to third-party services with which the primary organization shares data, such as a data processor, payment processor, or cloud provider. To ensure third-party GDPR compliance, organizations must map their supply chain and ensure that the proper data protection requirements are clearly stated in vendor contracts.
Key Differences Between DORA Regulation and GDPR Regulation
Although the GDPR came into effect in 2018, it has not had major legislative updates since then. Due to the rapidly evolving digital landscape and technological innovations such as AI and cross-border payments, many businesses, privacy advocates, regulators, and legal experts have called for reviewing the regulation and updating it accordingly. DORA, by contrast, was first proposed in 2020 and, according to the final revisions to the regulatory text, is set to be enforced in 2025.
Scope and Coverage of DORA Regulation and GDPR Regulation
While both the GDPR regulation and the DORA regulation are focused on EU consumers and businesses, the key difference lies in their scope and coverage. DORA focuses on third-party cyber risk management, while GDPR relates to data privacy and protection for all organizations, regardless of industry or size. In terms of scope, DORA specifically targets financial service providers and their critical third-party ICT providers that do business with EU customers. In contrast, the GDPR applies to any organization that processes the personal data of EU citizens, regardless of its industry or where it is geographically located. It also demands that organizations ensure their third parties abide by the same data privacy and protection requirements imposed by the GDPR regulation.
Core Focus of DORA Regulation and GDPR Regulation
DORA’s main goal is to improve the operational resilience of the financial sector through third-party risk management of ICT providers, while the GDPR focuses on data protection and privacy of EU consumers.
DORA requires financial service organizations and their critical third-party ICT providers to maintain specific cybersecurity practices that strengthen their resilience in the event that critical operations are disrupted. Data privacy rights granted to consumers under the GDPR include the right to be informed, the right of access, the rights to rectification, erasure, and restriction of processing, the right to data portability, the right to object, and additional rights related to automated decision-making and profiling.
Incident Reporting Requirements
Both the DORA regulation and the GDPR require the organization to report data breaches or security incidents to the proper regulatory authorities in a timely manner. For DORA, an initial report should be filed within 24 hours; for GDPR, within 72 hours.
DORA and GDPR Enforcement and Penalties
Penalties for DORA non-compliance could include fines of up to 1% of the company’s average daily global revenue, with individual fines of up to €500,000. However, penalties will ultimately be determined by the European regulatory authorities according to the severity of the violation.
GDPR violations carry greater penalties, with fines of either 4% of the organization’s global turnover or a maximum of $20 million. In addition, the data subjects (i.e. the consumers whose data are being collected) can also demand compensation. To date, we have seen massive penalties for GDPR violations, with Meta being fined €1.2 billion in 2023.
A critical aspect of the enforcement for both DORA and GDPR is that in many cases, a third-party violation results in penalties imposed on the primary organization rather than the third party.
Key Similarities Between DORA Regulation and GDPR Regulation
While these two regulations have key differences between them, they also share a number of similarities. Both of them regulate data, infrastructure and relationships with third-party service providers. They also both have detailed requirements for incident response and reporting.
Focus on Risk Management
Both the DORA regulation and the GDPR are concerned with sensitive and personal data and how it is processed through third-party vendors and ICT providers and their contractual obligations. However, while GDPR is concerned with mostly personal data, DORA is concerned with any data related to a financial services organization.
In addition, the DORA regulation is more detailed and has stricter demands with regard to testing for operational resilience against IT disruptions. This is a direct result of its focus on the financial services industry, one that is increasingly reliant on third parties for critical resources, making its supply chain complex. As a result, risk management under the DORA regulation must be continuous and regularly enforced.
Third-Party Vendor Requirements
Both DORA and GDPR demand that an organization’s third parties adhere to the same standard that the regulation requires of the organization itself. For example, while DORA requires regular testing of third-party critical services to assess risk and operational resilience, the GDPR demands both operational and technical controls on the data centers, networks and cloud services in the organization’s infrastructure. Third parties are also subject to the requirements for incident response and reporting.
Incident Response and Reporting
While both the DORA regulation and the GDPR emphasize timely reporting of data breaches and cybersecurity incidents, DORA focuses on those that have the potential to disrupt critical financial services. The GDPR, on the other hand, focuses on incident response and reporting of incidents involving the compromise of personal data that infringes on the privacy rights of consumers. DORA’s requirements for incident response are more detailed, including business continuity and disaster recovery protocols. Its reporting requirements are also stricter, requiring initial reports within 24 hours as opposed to 72 hours for the GDPR.
Practical Implications for Businesses
To streamline the regulatory process and save time and resources, organizations will need to integrate compliance with both the DORA regulation and the GDPR.
Here are a few practical suggestions for how to achieve this:
- Data protection impact assessments (DPIAs) should be included in the ICT risk assessments required by DORA
- A single incident reporting system that covers both ICT-related security incidents (DORA) and personal data breaches (GDPR)
- Technical controls (e.g., encryption, backups, access control) that address the requirements of both regulations
- Standardized vendor contracts that set out the third party’s obligations with regard to both operational resilience and data protection
- Data mapping that covers both ICT providers and the data flow mapping requirements of the GDPR
Integrating DORA and GDPR Compliance
For example, a European banking institution suffering a third-party breach of its CRM platform would be required to adhere to both the GDPR and the DORA regulation. Under DORA, it would be required to have the proper systems in place for real-time threat detection, as well as a business continuity plan to minimize any possible downtime. Under the GDPR, it would be required to assess the scope of the cyberattack and determine the extent of any data privacy violations. The results would be reported to a Data Protection Officer in the relevant region within 72 hours. For DORA compliance, an initial report of the attack would also need to be communicated within 24 hours to the relevant authority (since the CRM is considered a critical ICT provider). For the future mitigation required by DORA, the bank would need to review its ICT systems (including third-party risk assessments) and the origin of the attack, and decide how to improve its resilience going forward. It would make similar reviews for the GDPR, including regular data protection impact assessments (DPIAs), ensuring that its third parties comply with the GDPR regulation and making subsequent improvements to its technical controls as well.
DORA Regulation and GDPR Regulation Solutions
Though the DORA regulation and the GDPR share a commitment to stronger risk management and third-party management, they differ in coverage and scope. Because each regulation has a different focus and scope, organizations often struggle to achieve continuous compliance with multiple regulations, and look to solutions such as Panoray’s contextual third-party cyber management solution to help them.
With its supply chain discovery and mapping of third parties, and contextualized third-party risk assessments that can be tailored to the needs of different organizations, it facilitates accurate and continuous compliance with multiple regulations simultaneously.
It also offers:
- A central repository of third parties that can be checked for compliance
- A quick GDPR readiness rating that ranges from full to zero compliance
- An automated DORA Register of Information with one click
- Categorization of third-party ICTs based on the level of reliance on critical functions
- A Risk DNA score that calculates an evolving and contextual risk for each vendor, taking into account both GDPR and DORA compliance requirements
Want to ensure continuous compliance for your organization? Get a demo of our risk management platform today.