Between 2016 and 2024, the European Union enacted five major digital regulations – GDPR, DORA, NIS2, the AI Act, and the Cyber Resilience Act. Individually, each is substantial. Collectively, they create an interlocking compliance burden that no organisation can manage in silos.
A 2025 McKinsey analysis estimated that organisations subject to four or more overlapping EU digital regulations dedicate between 3,000 and 5,000 hours per year to compliance activities – a figure that rises sharply when each regulation is managed by a separate team using separate tools. This article maps the overlaps and makes the case for unified EU compliance software.
Which Regulations Apply to Which Organisations?
Not every organisation faces all five frameworks. But the overlap is far wider than most compliance teams initially expect.
GDPR (Regulation (EU) 2016/679) applies to any organisation processing personal data of individuals in the EEA – effectively universal. See our GDPR compliance checklist.
DORA (Regulation (EU) 2022/2554) targets 21 categories of financial entities plus their ICT service providers – over 22,000 entities directly. Our DORA compliance guide covers the full scope.
NIS2 (Directive (EU) 2022/2555) captures approximately 160,000 entities across 18 sectors. Our NIS2 compliance guide details the entity categories.
AI Act (Regulation (EU) 2024/1689) applies to providers and deployers of AI systems on the EU market, with obligations scaling by risk category. See our EU AI Act compliance guide.
CRA (Regulation (EU) 2024/2847) applies to manufacturers and distributors of products with digital elements. Obligations phase in through 2027.
How many regulations does a typical organisation face?
A bank or insurer: GDPR + DORA + NIS2 + AI Act (if using AI in credit or fraud detection) + CRA (if distributing digital products). Five simultaneous frameworks.
A mid-size SaaS provider serving financial clients: GDPR + NIS2 + DORA (as ICT third-party service provider) + AI Act + CRA. Again, potentially five.
A hospital network: GDPR + NIS2 (health sector) + AI Act (AI-assisted diagnostics) + CRA (connected medical devices).
According to the European Commission’s regulatory fitness assessment, 73% of large enterprises in scope for NIS2 are simultaneously subject to at least two other EU digital regulations.
Where Do the Regulations Overlap?
Four domains produce the most friction: incident reporting, third-party management, risk assessment, and documentation.
Incident Reporting: Three Timelines for the Same Event
| Framework | Trigger | Initial Report | Follow-up |
|---|---|---|---|
| GDPR (Art. 33) | Personal data breach posing risk | 72 hours to DPA | Notify data subjects if high risk |
| DORA (Art. 19-20) | Major ICT-related incident | 4 hours (classification), 24 hours (initial) | 72-hour intermediate, 1-month final |
| NIS2 (Art. 23) | Significant incident | 24-hour early warning | 72-hour incident notification, 1-month final |
According to the ESAs’ December 2024 joint report, 62% of ICT incidents at financial institutions involve personal data – activating both DORA and GDPR tracks simultaneously. Add NIS2 for entities in dual scope, and a single ransomware attack generates three parallel workstreams to different authorities. Our incident reporting analysis across DORA, NIS2, and GDPR maps the specific requirements.
How Do Third-Party Management Obligations Stack Up?
GDPR Article 28 requires data processing agreements with every processor, covering specific mandatory clauses.
DORA Articles 28-44 impose a register of information on all ICT third-party arrangements, contractual requirements beyond GDPR Article 28 (audit rights, exit strategies, subcontracting chains, data location), and concentration risk assessment. The DORA vs GDPR overlap analysis details the differences.
NIS2 Article 21(2)(d) requires supply chain security measures for relationships with direct suppliers and service providers.
AI Act Articles 25-27 require due diligence on components and third-party models in high-risk AI systems.
What does this mean in practice?
A single cloud provider relationship requires: a GDPR data processing agreement, a DORA ICT service contract with audit rights and exit plans, a NIS2 supplier security assessment, and AI Act due diligence if AI components are involved. Four layers of obligations for the same vendor. A 2025 Gartner survey found that multi-regulation organisations maintain an average of 2.7 separate vendor assessment processes for the same suppliers.
What Overlaps Exist in Risk Assessment?
Each regulation mandates its own risk assessment, producing four parallel processes over substantially the same infrastructure.
GDPR DPIAs: Required under Article 35 for high-risk processing. Evaluates necessity, proportionality, and data subject risks.
DORA ICT Risk Framework (Art. 5-16): Identification, protection, detection, response, recovery, and learning functions with annual reviews and board oversight.
NIS2 Risk Management (Art. 21): All-hazards risk analysis covering at minimum ten specified security areas.
AI Act Conformity Assessments: High-risk AI providers must demonstrate compliance on risk management, data governance, documentation, and human oversight.
Each regulation prescribes a different methodology, different documentation format, and different review cycle – for substantially the same infrastructure and threat landscape. ENISA’s 2025 guidance on NIS2 risk management recommends “building once, reporting to many” – a principle that remains easier to state than to implement without integrated tooling.
How Heavy Is the Documentation Burden?
Every regulation creates its own register or record-keeping obligation.
| Regulation | Required Documentation |
|---|---|
| GDPR (Art. 30) | Records of Processing Activities (ROPA) documenting all personal data processing |
| DORA (Art. 28(3)) | Register of Information on all ICT third-party service arrangements |
| NIS2 (Art. 21, 23) | Records of cybersecurity risk management measures, incident logs, supply chain assessments |
| AI Act (Art. 11, 12) | Technical documentation and automatic logging for high-risk AI systems |
| CRA (Art. 23-24) | Vulnerability handling records, software bills of materials, incident documentation |
A single vendor may appear in the ROPA (as data processor), the DORA register (as ICT provider), NIS2 supply chain records (as critical supplier), and AI Act documentation (as component provider). Four registers, one vendor. A 2025 PwC survey found compliance teams at mid-size financial institutions spend 40% of their time on documentation maintenance across overlapping registers – roughly 1,200-2,000 hours per year.
What Is the Total Compliance Cost?
For a mid-size financial services firm (500-2,000 employees) subject to GDPR, DORA, NIS2, and the AI Act, the estimated annual compliance effort:
- Risk assessments: 400-700 hours
- Third-party management: 500-900 hours
- Incident reporting preparedness: 200-400 hours
- Documentation maintenance: 800-1,400 hours
- Governance and training: 300-500 hours
- Audit and assurance: 400-700 hours
Total: 2,600-4,600 hours per year, with organisations at the higher end routinely exceeding 5,000 hours. At average European compliance professional labour costs, that represents EUR 400,000-750,000 annually before external advisory fees. Deloitte’s 2025 European regulatory outlook found a 35% increase in compliance costs between 2023 and 2025 at firms subject to four or more EU digital regulations.
The Case for a Single-Platform Approach
The numbers reflect a structural problem, not a staffing problem. When each regulation lives in a separate tool with separate workflows, duplication is inevitable: the same vendor in four registers, the same risk assessment written four times, the same incident triggering three disconnected processes.
A unified EU compliance software platform maintains a single source of truth. One risk assessment populates the DPIA, ICT risk framework, NIS2 risk analysis, and AI conformity assessment. One vendor record maps to all applicable obligations. One incident triage triggers all reporting workflows.
Legiscope was built for exactly this multi-regulation reality – a single platform where GDPR, DORA, NIS2, and AI Act obligations are mapped, tracked, and documented together rather than in parallel silos.
The Commission’s 2025 omnibus simplification proposal includes provisions for harmonised reporting templates across frameworks. Until those simplifications materialise in law – a process that will take years – organisations need tooling that bridges the gaps now.
Frequently Asked Questions
What is the EU compliance stack?
The set of overlapping EU digital regulations that organisations must comply with simultaneously: GDPR, DORA, NIS2, the AI Act, and the Cyber Resilience Act. Depending on sector and activities, an organisation may face three, four, or all five.
Which EU regulations overlap the most?
GDPR and DORA share the most direct overlaps in incident reporting, third-party management, and risk assessment. NIS2 adds a third cybersecurity layer. Our DORA vs GDPR overlap analysis provides a detailed comparison.
How many hours does multi-regulation EU compliance require?
Estimates for a mid-size financial services firm subject to GDPR, DORA, NIS2, and the AI Act range from 3,000 to 5,000 hours per year, covering risk assessments, third-party management, incident reporting, documentation, governance, and audit activities. Firms using siloed compliance tools or manual processes tend toward the higher end.
Can GDPR and DORA compliance be managed together?
Yes. GDPR and DORA share structural similarities in third-party management (Article 28 in each regulation), incident reporting, and risk assessment. A unified approach that maps GDPR data processing activities to DORA ICT service arrangements can reduce duplication by 30-40% according to industry estimates.
What is the penalty exposure across all EU digital regulations?
GDPR fines reach EUR 20 million or 4% of global turnover. NIS2 fines reach EUR 10 million or 2% of turnover. AI Act fines reach EUR 35 million or 7% of turnover. DORA penalties are set by national competent authorities. Cumulative exposure for a firm violating all four frameworks is theoretically uncapped. Organisations subject to three or more of these regulations should evaluate integrated EU compliance software now – the cost of maintaining separate programmes exceeds a unified platform within the first year for most mid-size organisations.