Three regulations, one business process
On June 9, 2026, the German digital industry association Bitkom e. V. published the guide “DORA, GDPR and the AI Act as a unified compliance framework for insurance companies”. The document addresses a situation that has been visible among German insurers since DORA took effect on January 17, 2025: three extensive EU regulations apply simultaneously to the same business processes, data sets, ICT systems and service providers – with different terminologies, risk categories and reporting obligations.
According to the Bitkom publication, this multi-regulation environment forces insurers to abandon siloed compliance thinking. The guide advocates an integrated approach structured along shared process, data, system and risk logics. Three guiding principles form the foundation: business processes as a common anchor, better alignment of terms and reporting obligations, and an implementation guided by proportionality, human oversight and auditable governance.
DORA (Regulation (EU) 2022/2554) has applied directly to insurance and reinsurance undertakings since January 17, 2025 (Art. 2(1) DORA). The GDPR (Regulation (EU) 2016/679) has been in force since May 2018; the AI Act (Regulation (EU) 2024/1689) takes effect in a staged model – the high-risk obligations most relevant to insurers apply from August 2026.
The overlap is concrete, not abstract: anyone calculating life or health insurance premiums with AI-supported risk assessment in underwriting simultaneously touches Annex III of the AI Act (high-risk application), Art. 22 GDPR (automated individual decision) and Chapter II of DORA (ICT risk management of the processing system).
The three guiding principles of the Bitkom guide
- Business processes as the anchor: Instead of implementing one regulation after another, an end-to-end process (e.g. "life-insurance application handling") serves as a shared control point for all three frameworks.
- Harmonized terminology: Risk, incident and third-party categories from DORA, GDPR and the AI Act are merged into an internal glossary – including a mapping to reporting obligations.
- Proportional governance: Depth and pace of measures depend on risk and complexity. Human oversight and auditable documentation remain binding.
- Integrated risk approach: ICT risks (DORA), data protection risks (GDPR) and AI risks live in one common risk register – with consistent assessment criteria.

Don’t start from the regulatory texts – start from your process map. Identify the ten most revenue-relevant business processes and check, for each, where which of the three regulations applies. That heatmap reveals where multi-regulation exposure is highest.
Areas of overlap between the three regimes
The Bitkom guide addresses five concrete real-world scenarios where all three regulations intersect. The following table sketches the regulatory anchors per scenario.
| Scenario | DORA | GDPR | AI Act |
|---|---|---|---|
| AI underwriting | ICT risk management (Art. 5–16) | Art. 22 (automated decisions), Art. 35 (DPIA) | Annex III No. 5 (high-risk) |
| Automated claims handling | Operational resilience for core process | § 37 BDSG (PHI exception, DE) | Transparency & oversight duties |
| Digital customer communication | ICT availability of frontends | Art. 13/14 (information duties) | Art. 50 (chatbot labelling) |
| Third-party management | Art. 28–30 (TPP risk management) | Art. 28 (processors) | Provider & deployer duties |
| Incident management | Art. 17–23 (major ICT incidents) | Art. 33/34 (data-breach notification) | Serious incidents for high-risk AI |
A single security incident in an AI underwriting system can simultaneously trigger three reporting obligations: to BaFin (DORA), to the competent data protection authority within 72 hours (Art. 33 GDPR), and possibly to the market-surveillance authority under the AI Act. Without a harmonized incident-response plan, delayed reports and contradictory factual statements become likely.

Implementation path: from status quo to integrated framework
Anyone setting up DORA, the GDPR and the AI Act as a joint compliance programme moves along a pragmatic path. The following sequence follows the guiding principles of the Bitkom document and the parallel deadlines, in particular the application date of the AI Act’s high-risk obligations from August 2026.
Six-step rollout
1. Process inventory: identify the top-10 business processes and map them against data flows, ICT systems and AI components.
2. Regulation mapping: for each process, determine which DORA, GDPR and AI Act obligations are triggered – including high-risk classification under Annex III of the AI Act.
3. Consolidate glossary & risk register: merge terms (incident, risk, third party) and risk categories from the three regimes.
4. Harmonize governance: assign responsibilities (CISO, DPO, AI Officer, Risk Owner) per process via RACI.
5. Unify incident response: one reporting process that can trigger DORA major incidents, Art. 33 GDPR and AI Act incidents in parallel.
6. Third-party audit: review contracts and suppliers against all three regulations – processor agreements, ICT third parties and AI providers frequently overlap.
Operationally, a consolidated view of asset and incident inventories helps. Anyone running an ITIL- or ServiceNow-based CMDB can simply add fields for GDPR processing activities and AI Act system IDs instead of building a fourth data store.
```yaml
# Entry in the integrated risk register
asset_id: UW-LIFE-CORE-01
asset_type: AI underwriting (life insurance)
business_process: Application intake & pricing
classification:
  dora_ict_tier: critical                    # DORA Art. 8 ICT asset register
  gdpr_data_categories: [health, financial]  # GDPR Art. 9
  ai_act_risk: high                          # AI Act Annex III No. 5
controls:
  human_oversight: required                  # AI Act Art. 14
  art_22_safeguards: yes                     # GDPR Art. 22(3)
  resilience_tier: T1                        # DORA Ch. IV testing
incident_routing:
  - bafin_dora_major_incident
  - dpa_art_33_breach_notification
  - market_surveillance_ai_act
review_cycle_days: 90
```
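One way to implement the parallel assessment that the routing list above and step 5 of the rollout imply, as an added example that is not Bitkom's or any insurer's code: a small Python triage function takes a register entry shaped like the YAML and a few incident facts and returns which of the three reporting channels fire. The register entries (the second asset is hypothetical) and all incident values are constructed; only the 72-hour GDPR window comes from the text, other deadlines are deliberately not hard-coded.

```python
from dataclasses import dataclass

# Constructed register entries mirroring the YAML example (plain dicts so the script
# runs offline without a YAML parser); CRM-PORTAL-02 is a hypothetical second asset.
REGISTER = {
    "UW-LIFE-CORE-01": {
        "dora_ict_tier": "critical",
        "gdpr_data_categories": ["health", "financial"],
        "ai_act_risk": "high",            # AI Act Annex III No. 5
    },
    "CRM-PORTAL-02": {
        "dora_ict_tier": "important",
        "gdpr_data_categories": ["contact"],
        "ai_act_risk": "limited",         # chatbot: transparency duties only, no Annex III
    },
}

@dataclass
class Incident:
    asset_id: str
    dora_major: bool                   # classified as a major ICT incident (DORA Art. 18)
    personal_data_affected: bool
    risk_unlikely: bool = False        # GDPR Art. 33 notification is waived only in this case
    ai_serious_incident: bool = False  # meets the AI Act "serious incident" definition

def assess_reporting(incident: Incident, register: dict = REGISTER) -> dict:
    """Return {reporting channel: rationale} for every channel this incident triggers."""
    entry = register[incident.asset_id]
    triggered = {}
    # Channel 1: DORA major ICT incident -> BaFin as the insurer's competent authority
    if incident.dora_major:
        triggered["bafin_dora_major_incident"] = (
            f"major ICT incident on {entry['dora_ict_tier']} asset; report to BaFin under DORA")
    # Channel 2: GDPR Art. 33 -> data protection authority within 72 hours, unless risk unlikely
    if incident.personal_data_affected and not incident.risk_unlikely:
        cats = ", ".join(entry["gdpr_data_categories"])
        triggered["dpa_art_33_breach_notification"] = (
            f"breach affecting {cats} data; notify the DPA within 72 hours (GDPR Art. 33)")
    # Channel 3: serious incident in a high-risk AI system -> market-surveillance authority
    if incident.ai_serious_incident and entry["ai_act_risk"] == "high":
        triggered["market_surveillance_ai_act"] = (
            "serious incident in high-risk AI system; report under the AI Act")
    return triggered

def triage(incidents, register: dict = REGISTER) -> dict:
    """Assess a batch of incidents; returns {asset_id: sorted list of triggered channels}."""
    return {i.asset_id: sorted(assess_reporting(i, register)) for i in incidents}
```

Feeding the same event through all three checks at once is what prevents the "reported to BaFin, forgot the DPA" split the text warns about; the rationale strings give the incident manager a consistent factual basis for each report.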
Common pitfalls and risks
The Bitkom guide explicitly warns against building compliance side-by-side instead of together. In practice we observe the same recurring patterns – patterns that can become expensive for insurers.
- Siloed projects: three separate programme streams (DORA, GDPR, AI Act) with their own sponsors, risk registers and tooling produce contradictory classifications for the same system.
- Terminology drift: “incident” means different things in different teams – a DORA major ICT incident under Art. 18 is not recognised as a GDPR Art. 33 breach even though personal data is affected.
- Forgotten AI inventory: insurers know their processors and ICT third parties but lack a complete list of all AI systems. The duty to register high-risk AI under Art. 49 AI Act catches them off guard.
There’s also the third-party dimension: a single cloud provider can be a critical ICT third party under DORA, a processor under Art. 28 GDPR and an AI system provider under the AI Act – all at once. Without integrated contract clauses and harmonized audit rights, fragmented governance results, and forensic findings won’t hold up in a crisis.
Assessment and next steps
The Bitkom guide is not a normative minimum standard – it is a structuring proposal. Its practical value lies in consistent process orientation: instead of running three compliance programmes in parallel, you build one governance line that covers all three regulations. For insurers with tight compliance budgets, that’s the lever that reduces duplication and controls audit risk.
Time is short. The AI Act’s high-risk obligations apply from August 2026, adding mandatory conformity assessments, technical documentation duties and the EU-wide high-risk database. Anyone consolidating their risk register, third-party inventory and incident-reporting chains now will be able to act in Q4 2026 – rather than being squeezed between three supervisors.
1. Build a heatmap of the top-10 processes and make multi-regulation exposure visible.
2. Consolidate the glossary and risk categories of DORA, GDPR and the AI Act in a single internal mapping.
3. Extend the incident-response playbook so that every security event is automatically assessed against all three reporting channels.
Anyone aiming for a durable governance line is well advised to start from the information security management system as the anchor – most DORA and AI Act requirements dock cleanly onto it. Our ISMS consulting guides you from gap analysis to audit-ready documentation.
