Regulatory Convergence

The DPO function exists at the intersection of multiple evolving regulatory frameworks. GDPR establishes the foundational requirement, but NIS2 (cybersecurity), the AI Act (artificial intelligence governance), and DORA (financial regulation) create overlapping compliance obligations. This page explores regulatory convergence and integrated compliance approaches.

Overview: GDPR, NIS2, AI Act, and DORA

The European regulatory landscape has evolved from GDPR's singular focus on personal data protection to a multi-framework ecosystem addressing data protection, cybersecurity, artificial intelligence ethics, and financial stability simultaneously. These frameworks are distinct but interconnected, creating what we term "regulatory convergence"—the necessity for organisations to align governance structures addressing multiple regulatory objectives through coordinated compliance architecture.

This convergence is neither accidental nor inefficient. Each framework addresses a specific policy objective: GDPR protects data subject rights, NIS2 protects critical infrastructure security, the AI Act ensures algorithmic accountability, and DORA protects financial system resilience. However, these objectives overlap significantly, requiring integrated governance to avoid fragmentation, redundancy, and inconsistency.

GDPR and NIS2: The Data Protection Officer and Chief Information Security Officer

NIS2 (Directive (EU) 2022/2555), effective October 2024, modernises critical infrastructure and network security requirements across the EU. NIS2 mandates that critical infrastructure operators (designated operators in sectors including energy, transport, water, healthcare, digital services, and public administration) implement cybersecurity governance including appointment of a Chief Information Security Officer (CISO) or equivalent role.

Distinct Responsibilities

The DPO and CISO have distinct mandates. The DPO ensures lawful personal data processing; the CISO ensures network and information system resilience against cyber threats. Confusion arises because both roles involve data security, but from different perspectives:

  • DPO focus: Is personal data being processed lawfully, transparently, and securely? Are data subjects' rights respected? Are breaches of personal data notified appropriately?
  • CISO focus: Are network systems protected against unauthorised access? Are critical infrastructure assets resilient to cyber attacks? Are security incidents logged and investigated?

Complementary, Not Duplicative

Effective organisations structure DPO and CISO functions as complementary, not duplicative. The DPO and CISO should collaborate on personal data breach response: the DPO determines whether a security incident constitutes a "breach of personal data" triggering GDPR notification obligations; the CISO provides technical investigation of how the breach occurred and assesses whether the incident reflects systemic security weaknesses requiring NIS2 incident reporting.

Organisations that fail to distinguish DPO and CISO responsibilities often either: (1) underinvest in CISO capability, leaving the DPO to address cybersecurity issues beyond their expertise and mandate; or (2) duplicate governance efforts, creating confusion about who holds which responsibilities.

Best Practice: Organisations should establish a documented collaboration protocol under which the DPO and CISO meet monthly to align on data protection and cybersecurity priorities. When a security incident occurs, the DPO and CISO jointly assess: (a) whether the incident qualifies as a GDPR-notifiable breach; (b) whether the incident triggers NIS2 incident reporting to national authorities; (c) what systemic controls or policies should be strengthened to prevent recurrence. This joint governance prevents gaps and ensures consistent incident response.

DPO and AI Officer: Emerging Convergence Under the AI Act

The EU AI Act (Regulation (EU) 2024/1689), applicable from August 2025, introduces requirements for high-risk AI applications. Organisations deploying high-risk AI systems must implement impact assessments, human oversight mechanisms, and governance controls. Some jurisdictions and organisations are establishing "AI Officers" to manage AI governance alongside DPOs and CISOs.

Overlap in Responsibilities

The overlap between DPO and AI Officer responsibilities is significant: high-risk AI applications frequently process personal data. For example, a biometric identification system processes biometric data (regulated by GDPR) whilst deploying AI algorithms (regulated by the AI Act). A single system requires both DPO involvement (ensuring lawful personal data processing, data subject consent, international transfer safeguards) and AI Officer involvement (ensuring algorithmic transparency, testing for bias, implementing human override mechanisms).

Integrated Governance Approach

Best-practice organisations integrate DPO and AI governance through: (1) shared Data Protection Impact Assessment and AI Impact Assessment processes; (2) collaborative requirements for AI system development teams (both DPO and AI expertise required at design stage); (3) joint oversight of high-risk AI systems involving personal data processing. This prevents siloed approaches and ensures consistency.

Some organisations appoint a single individual (with dual expertise) as DPO/AI Officer for smaller entities, or establish DPO and AI Officer roles with explicit collaboration requirements in job descriptions and governance charters.

DPO and Compliance Officer: Integration Within Finance and Regulated Sectors

DORA (Regulation (EU) 2022/2554), applicable from January 2025, establishes digital operational resilience requirements for financial service providers. DORA requires financial institutions to appoint a Chief Information Security Officer (CISO) and implement governance frameworks addressing operational resilience, third-party vendor risk, and incident reporting.

Financial organisations frequently have Compliance Officers separate from DPOs and CISOs. The Compliance Officer typically oversees regulatory reporting, conduct risk, market abuse prevention, and anti-money laundering (AML). The convergence challenge arises because:

  • Data protection (DPO responsibility) intersects with AML (Compliance Officer responsibility): customer personal data processed for AML purposes must still satisfy GDPR lawfulness obligations
  • DORA operational resilience overlaps with CISO cybersecurity responsibilities, but DORA also addresses broader operational resilience beyond cybersecurity
  • Compliance reporting (compliance function) must often incorporate DPO-collected data protection compliance metrics

Integrated financial sector governance establishes regular coordination meetings between DPO, CISO, and Compliance Officer to align on customer data handling, operational risk reporting, and incident response procedures. Some financial institutions create an integrated "Chief Compliance and Risk Officer" role overseeing compliance, data protection, and operational resilience holistically.

Integrated Compliance: The Convergence Framework

Rather than viewing DPO, CISO, AI Officer, and Compliance Officer as separate functions, forward-thinking organisations adopt "Integrated Compliance" frameworks where governance structures deliberately align across regulatory objectives. Key components of integrated compliance include:

1. Unified Governance Committee

Establish a senior governance committee (e.g., Compliance, Risk, and Data Governance Committee) bringing together DPO, CISO, AI Officer (if applicable), Compliance Officer, and relevant business leadership. This committee meets regularly (monthly minimum) to discuss risks, regulatory developments, and cross-functional initiatives. This prevents siloed decision-making and ensures consistency.

2. Shared Impact Assessment Methodology

Rather than separate Data Protection Impact Assessments (GDPR), AI Impact Assessments (AI Act), and Risk Assessments (NIS2/DORA), organisations should develop integrated impact assessment methodologies addressing all regulatory perspectives. A single assessment for a new system should cover: data protection risks, cybersecurity implications, AI algorithmic concerns (if applicable), and operational resilience impacts. This reduces redundancy and improves assessment quality.

3. Coordinated Vendor Management

Third-party vendor risks span data protection (processor agreements under GDPR), cybersecurity (NIS2 vendor resilience), AI governance (AI Act third-party risks), and operational resilience (DORA vendor management). Organisations should establish unified vendor risk assessment and management processes reviewed jointly by DPO, CISO, and procurement teams.

4. Integrated Training and Awareness

Rather than separate data protection training, cybersecurity awareness, and compliance training, organisations should develop integrated governance training covering all regulatory frameworks and explaining interdependencies. This improves employee understanding of how compliance functions interrelate and supports holistic compliance culture.

5. Unified Incident Response Protocol

When a security incident occurs, response should be coordinated across DPO (GDPR breach notification assessment), CISO (incident investigation), Compliance Officer (regulatory reporting), and AI Officer (if applicable). Organisations should establish pre-incident protocols specifying roles, responsibilities, and communication procedures to prevent delays or inconsistencies in incident response.

Example: Integrated Incident Response

A financial organisation suffers a ransomware attack affecting customer data and operational systems. The CISO leads technical investigation and incident containment (NIS2 responsibility). The DPO assesses whether the incident constitutes a notifiable GDPR breach and notifies affected data subjects and the CNPD (GDPR responsibility). The Compliance Officer evaluates whether the incident triggers DORA incident reporting to financial regulators (DORA responsibility). A unified incident response protocol ensures all three functions coordinate timelines, messaging, and remedial actions, preventing conflicting communications to regulators or data subjects.

Organisational Structure and Resource Implications

Regulatory convergence affects how organisations structure governance functions and allocate resources:

Small Organisations (< 250 employees)

Small organisations often appoint a single individual (DPO) with responsibility for data protection, cybersecurity, and compliance. This individual may lack deep expertise in all areas, but can coordinate across functions. Investment in training, external specialist consultation, and clear documentation of governance procedures is critical.

Mid-Size Organisations (250-2,000 employees)

Mid-size organisations typically maintain DPO and CISO roles (if NIS2-applicable) with a separate Compliance Officer and potentially a separate AI Officer. These functions should have explicit coordination requirements in their charters and regular cross-functional meetings. Resource allocation should reflect that these functions overlap rather than duplicate one another.

Large Organisations (> 2,000 employees)

Large organisations often maintain distinct DPO, CISO, AI Officer, and Compliance Officer teams, potentially with sub-specialisms. These organisations should invest heavily in integrated governance structures: shared impact assessment methodologies, unified incident response protocols, and governance committees ensuring consistency across functions.

Regulatory Authorities' Perspective on Convergence

European supervisory authorities increasingly recognise regulatory convergence. The CNPD, for example, acknowledges that data protection governance cannot be isolated from cybersecurity and broader operational resilience. CNPD enforcement actions increasingly consider whether organisations have established adequate governance structures addressing both data protection and security resilience. This reinforces the necessity of integrated compliance frameworks.

Conclusion

The Data Protection Officer function has evolved from a GDPR-specific role to a central node in broader regulatory compliance frameworks. Organisations must structure DPO functions not in isolation, but integrated with CISO (NIS2), AI Officer (AI Act), and Compliance Officer (DORA, sector-specific regulations) roles. This integration reduces duplication, prevents gaps, and ensures organisations respond holistically to evolving regulatory requirements. Investment in integrated compliance governance is increasingly a differentiator between organisations that manage regulatory obligations efficiently and those struggling with fragmented, overlapping compliance structures.