Insight

EU: The interplay between DORA and the GDPR

August 14, 2024
Summary

The Regulation on digital operational resilience for the financial sector (DORA) will apply from January 17, 2025, and aims to enhance digital operational resilience by establishing uniform cybersecurity requirements for financial entities in the EU. DORA complements but does not override the General Data Protection Regulation (GDPR); the two will coexist, with DORA addressing the security of network and information systems and the GDPR focusing on the protection of personal data. Financial entities must manage ICT risks, implement specific security measures, and handle ICT-related incidents and relationships with third-party ICT service providers in compliance with both DORA and the GDPR. The interplay between DORA and the GDPR will require financial entities to reassess, and possibly update, existing policies and procedures to meet the requirements of both regulations.

What is DORA?

DORA aims to achieve a high common level of digital operational resilience in the financial sector; to that end, it establishes uniform requirements concerning the security of the network and information systems supporting the business processes of financial entities. For the financial entities identified as essential or important entities pursuant to national rules transposing the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), DORA will apply as a sector-specific Union legal act as per Article 4 of the NIS2 Directive. This means that the requirements of DORA on cybersecurity risk-management measures and incident notifications will ap
