Understanding Your Role in the EU AI Act and DORA Compliance

The European Union’s ambitious Digital Strategy aims to address some of the most pressing business challenges today, including digital sovereignty, data privacy and cybersecurity, fair competition, as well as addressing the digital divide. The strategy is designed to raise the bar globally on how to regulate digital markets, ensuring fundamental rights of individuals are at the center. This has a significant impact on companies operating in Europe, especially cloud-based service providers.

A key component of the strategy was introduced in May 2018 in the form of the EU General Data Protection Regulation (GDPR), which required many organizations to overhaul their compliance strategies, investing considerable resources to develop robust privacy programs. Now, with both the EU Artificial Intelligence Act (AI Act) and the EU Digital Operational Resilience Act (DORA) on the horizon, we can recall some valuable lessons learned from our GDPR experience to guide us through this new regulatory landscape.

While some aspects of these new regulations are specific to the financial sector, they will indirectly impact any businesses that interact with banks, including insurance companies, investment groups and pension funds, among others. These financial companies will mainly bear the burden of overhauling their approach to risk management, incident reporting, third-party assessment and audit, as well as data governance and business continuity.

To better understand what this means for a cloud-based services company like Genesys and its customers, let’s look at some key lessons learned from the GDPR implementation and how these lessons help companies comply with the AI Act and DORA.

Defining GDPR, the EU AI Act and DORA


The GDPR is the world’s most renowned data protection regulation. It sets the rules for how organizations that conduct business in Europe or process EU data should handle this information to ensure that the rights and freedoms of individuals are respected.


The AI Act is designed to govern the development, use and market placement of AI systems in the EU. It aims to ensure AI systems are safe, transparent and respectful of fundamental rights, setting rules for data governance, oversight and high-risk AI systems and applications, such as those used for remote biometric identification; emotion recognition; determining access to education, employment and the receipt of essential public services; and migration-related tasks. It also applies to applications used by or on behalf of law enforcement agencies.


DORA aims to enhance the operational resilience of the EU’s financial sector against cyberthreats and security incidents. It establishes a comprehensive risk and security framework to ensure that banks, insurers, investment firms and other similar organizations can safely rely on digital service providers to maintain market stability. DORA’s obligations apply to both financial companies and Information and Communication Technologies (ICT) providers like Genesys.

4 Key Lessons for Compliance

1. Know, Map and Protect Your Data

Compliance begins with understanding the types of data you collect and process. The GDPR taught organizations key principles for collecting and processing data, including transparency, lawfulness of processing, data minimization, purpose limitation, and data security measures. These principles help us identify what data an organization has, why it’s gathering that data, how that data will be used and how to ensure it remains secure.

By following these principles, organizations gain knowledge of their data assets and understand the scope of their duties toward clients: how and in which instances this data may be used, the parameters for deleting it, and how clients can access or prevent the use of their data.

The Genesys Cloud™ platform was built with flexibility that enables our customers to determine how they want to use the platform and adapt the data input accordingly.

Transparent data practices powered by the GDPR allow Genesys to provide customers, partners and vendors with the tools to meet the obligations established in the EU AI Act regarding data mapping, data sources and training data requirements. In regard to DORA, financial services companies need to know the type of customer data processed by their ICT providers, as well as when those providers rely on third parties for data-processing activities. They also must know through which applications or platforms the providers are accessing the data.

2. Assess and Amend Your Contracts

Contractual management is a critical component of security, data processing and risk management. Following GDPR compliance requirements, Genesys set up and re-engineered contract clauses to ensure security, confidentiality and transparency. Along the same lines, both DORA and the AI Act require clear data processing instructions, proper risk assessments, proportional security measures and diligent incident reporting within agreements, particularly between financial entities and technology vendors.

3. Test and Level Your Security

Security is paramount in cloud services. GDPR emphasized the need to assess and ensure the proper level of security for data processing activities according to their scope and means.

Genesys Cloud meets these requirements by design and by default. DORA and the EU AI Act also prioritize security, requiring rigorous testing and balancing of technical measures against potential risks to user rights.

4. Raise Awareness

It’s vital for organizations and their employees to know to what extent a regulation applies to them and to understand their role in adhering to it. Genesys employees have completed training on security and compliance topics, including data protection and privacy. This training, initiated under GDPR, ensures employees are equipped to handle personal information and data correctly.

As DORA and the AI Act take full effect, our workforce will be trained on these regulations to maintain compliance and integrate them into our holistic compliance strategy.

Maintaining Compliance with EU Regulations

Leveraging our experience with GDPR compliance positions Genesys to effectively meet EU AI Act and DORA requirements. By understanding the amounts of data we handle, updating our contracts, rigorously testing security measures, properly assessing third parties and raising awareness among our employees, we can ensure that our operations remain compliant and that our clients’ interests and legal duties are duly met.

While the immediate impact of these regulations predominantly stays in Europe, our worldwide operations will allow us to scale this effort globally across our organization and provide services under this gold standard of conformity. Our teams will keep customers and partners updated on adapting to these regulations. Genesys experts can address any specific questions you have. Learn more about Genesys Cloud security measures today.