Two new EU regulations are currently keeping companies busy: the Digital Operational Resilience Act (DORA), which came into force in January 2024 and regulates the areas of cyber security, IT risks and resilience in the financial sector, and the Artificial Intelligence Act (AI Act), which was passed in March.
However, companies in Germany are actually well prepared to implement the regulations – if they learn from the past.
Do you remember the year 2018? That was when the EU General Data Protection Regulation (GDPR) came into force. Many German companies had to fundamentally revise their data protection and compliance strategies in order to meet the strict requirements. Now, with the EU AI Act and DORA, two further regulations of a similar scope are in the starting blocks. The goal of the European Union’s ambitious digital strategy remains the same here: to address the most urgent challenges in the digital market while preserving the fundamental rights of the individual in the digital age.
The legal basis of the AI Act offers the opportunity for the development and use of AI. DORA provides financial companies with guidelines regarding cyber security. Nevertheless, for many managers, implementation may be more of a chore. However, they can use their experience from the GDPR implementation to prepare proactively. Lessons learned from past implementations can help them to meet the new compliance requirements while protecting the interests of consumers in the best possible way. These four key lessons from the GDPR implementation can also help today:
1. Develop a deep understanding of the company data
A key aspect of the GDPR was that companies had to thoroughly analyze their internal data pools. They had to identify what personal information they collect. Where does it come from? How is it processed and stored? Only those who were able to comprehensively clarify and subsequently resolve these questions were able to comply with the requirements of the regulation. The AI Act and DORA have similar requirements. To ensure that AI systems are transparent, secure and ethical, companies must document the origin and use of the underlying data in detail. In the financial sector in particular, a precise understanding of the information processed is necessary if companies want to remain resilient in terms of IT security. If organizations have already established comprehensive data management as part of GDPR implementation, they can now transfer these structures and processes specifically to the requirements of the AI Act and DORA. This enables them to manage compliance requirements much more efficiently and cost-effectively.
2. Check your contractual relationships
In order to comply with data protection requirements, companies had to adapt their cooperation agreements to the regulations of the GDPR. Similar obligations now also arise from the AI Act and DORA. Here, organizations are required to carefully review and update their contractual relationships – for example, to establish clear instructions on how to handle sensitive data and what appropriate risk analyses look like, as well as to ensure transparent reporting. Those who have already gone through this process as part of the GDPR can now benefit from the experience gained. These companies are familiar with the necessary contractual clauses and test steps and can apply them specifically to the requirements of the AI Act and DORA. This saves them valuable time and resources.
3. Rely on robust security measures
The GDPR also obliged companies to thoroughly review the security level of their data processing operations and upgrade them if necessary. For cloud-based solutions in particular, many organizations have had to significantly tighten their security measures. The AI Act and DORA also place great emphasis on IT security. Organizations in the financial sector must therefore ensure that their AI systems and critical infrastructure are protected as well as possible against cyberattacks and other threats. This requires extensive security tests, risk analyses and technical protective measures. Those who have already developed robust security concepts as part of the GDPR implementation can now adapt them specifically to the new compliance requirements. This allows them to exploit synergies and significantly reduce implementation costs.
4. Consistently train your staff
A decisive factor for the success of the GDPR was the data protection awareness and competence of employees. Companies could only meet the strict requirements if all employees understood the compliance requirements and applied them in their day-to-day work. This also applies to the AI Act and DORA today. Organizations must also provide their employees with targeted training. In this way, they can ensure that AI systems are used ethically and that they remain resilient to the new cyber risks. Those who have already set up extensive training programs as part of the GDPR introduction can now align these with the new compliance requirements.
Conclusion: Use your GDPR experience for the AI Act and DORA
Companies that have learned from the implementation of the GDPR can now benefit from their knowledge to successfully overcome the new compliance challenges. Under the AI Act and DORA, too, it is essential to fully understand the data being processed, review contractual relationships, maintain a strong infrastructure and continuously train employees. This allows managers to save time, effort and resources. At the same time, they protect the interests of their customers. This strategic foresight transforms compliance from a mandatory exercise into a clear competitive advantage.