Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

European financial institutions have been grappling with a common sentiment in recent years: after investing heavily in EU General Data Protection Regulation compliance programs, many wondered if they would need to start from scratch with each new European regulation. This concern became particularly acute when the Digital Operational Resilience Act emerged as the next major regulatory challenge, perfectly capturing the complexity facing the European financial sector today.

The reality is that compliance professionals can no longer afford to think about regulations in isolation. The GDPR, which transformed the data protection landscape when it came into force 25 May 2018, established a foundation that many organizations are still building upon. Now, with the DORA applicable as of 17 Jan. 2025, financial institutions are discovering their GDPR investments weren't just about privacy compliance; they were inadvertently preparing for operational resilience, too.

The convergence isn't immediately obvious. The GDPR fundamentally changed how organizations handle personal data, establishing individual rights and imposing strict obligations on data controllers and processors. Maximum penalties can reach 20 million euros or 4% of annual global turnover, whichever is higher, making compliance a board-level concern from day one. The regulation's emphasis on accountability, transparency and security by design forced organizations to rethink their entire approach to data handling.


The DORA takes a different, but complementary, approach. Rather than focusing on individual privacy rights, it addresses the collective stability of the European financial system by mandating operational resilience standards. The regulation targets five key areas: information and communication technology risk management, incident reporting, operational resilience testing, third-party risk management, and information sharing mechanisms. 

The DORA implements a two-part system for penalties. Critical third-party information and communication technology providers face direct oversight from EU regulators, who can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for a maximum period of six months until compliance is achieved. 

In contrast, financial entities are subject to administrative penalties and remedial measures laid down by their individual EU member states under Article 50. The DORA requires only that these be effective, proportionate and dissuasive; the actual ceilings are set by national law and, depending on the member state, may reach 10% of annual turnover or a high absolute monetary cap.

What makes the DORA particularly interesting is how it builds upon existing risk management concepts that many organizations developed for GDPR compliance.

Consider what happens when a cybersecurity incident affects both personal data and operational systems. Under the GDPR, organizations must notify the supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. The DORA introduces its own timeline requirements for major ICT-related incidents: an initial notification within four hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware of it, followed by an intermediate report within 72 hours of the initial notification and a final report within one month of the intermediate report.

Smart organizations aren't treating these as separate reporting obligations. They're developing integrated incident response procedures that address both regulatory frameworks simultaneously. This approach reduces administrative burden while ensuring consistent messaging across different regulatory authorities. The European Union Agency for Cybersecurity has published guidance supporting this integrated approach, recognizing that cyber incidents rarely affect just one regulatory domain.

Third-party risk management represents another area where the GDPR and DORA naturally align. The GDPR's requirements for data processing agreements and controller-processor relationships established a foundation for vendor oversight that many organizations are now expanding to cover the DORA's operational resilience requirements. The key insight is that a vendor's ability to protect personal data often correlates strongly with their overall operational resilience capabilities.

Several institutions have transformed their vendor management programs from compliance exercises into genuine competitive advantages. Rather than conducting separate privacy assessments and operational resilience evaluations, they've developed unified frameworks that evaluate both domains simultaneously. This not only reduces vendor fatigue but often produces better risk intelligence than either assessment would generate independently.

The European Banking Authority, European Securities and Markets Authority and European Insurance and Occupational Pensions Authority have recognized these synergies in their guidance development. Rather than creating conflicting requirements, they're actively coordinating to ensure the DORA complements existing privacy frameworks.

This regulatory coordination reflects a broader evolution in European regulatory philosophy. The European Systemic Risk Board now facilitates regular dialogue between financial supervisors and data protection authorities, helping ensure consistent interpretation of overlapping requirements. This coordination is particularly valuable for cross-border institutions that must navigate multiple national implementations of both frameworks.

The practical implications extend beyond incident management and vendor oversight. Organizations that have invested in privacy-by-design principles often find that these investments directly support the DORA's resilience-by-design expectations. The data minimization practices that many institutions adopted for GDPR compliance, for example, often reduce the attack surface that adversaries can exploit during cyber incidents. Similarly, the access controls and audit trails the GDPR requires frequently prove invaluable during operational resilience testing and incident investigation.

Looking ahead, the most successful institutions are those that view the GDPR and DORA as complementary components of a comprehensive risk management strategy rather than separate compliance obligations. They're investing in integrated governance structures that break down traditional silos between privacy, security and operational risk teams. These cross-functional approaches not only improve compliance efficiency but often produce better business outcomes by fostering more holistic risk discussions at senior management levels.

The technology solutions supporting this integration are rapidly evolving. Modern compliance platforms can monitor both GDPR and DORA requirements through unified dashboards, providing real-time visibility into regulatory risks while reducing the complexity of managing multiple frameworks. These tools enable organizations to identify emerging risks earlier and respond more effectively when incidents occur.

Now that the DORA is in effect, the institutions that are thriving are those that recognize this convergence opportunity rather than treating it as an additional burden. The investment required to build integrated compliance capabilities is significant, but the payoff extends far beyond regulatory compliance. Organizations that master this integration are building more resilient operations, stronger vendor relationships and more robust risk management capabilities that serve them well in an increasingly complex regulatory environment.

The future belongs to institutions that can turn regulatory complexity into competitive advantage, and the GDPR-DORA convergence represents exactly that kind of opportunity for forward-thinking compliance professionals.

Raveendra Swarna, CIPT, is information security manager at McKinsey & Company.