
GDPR vs. PSD2: Navigating fintech’s contradictory compliance matrix in the shadow of DORA

The core tension in FinTech is defined by two regulations: the push for data openness (PSD2) and the demand for data protection (GDPR). With billions in fines at stake and a new wave of UK compliance under the Data (Use and Access) Act 2025, we detail how financial institutions must pivot to DORA’s unified standard to achieve true operational resilience.

  • Nikita Alexander
  • October 2, 2025
  • 6 minutes

The financial sector is built on a fundamental paradox: the imperative to innovate and share data to drive competition, and the absolute requirement to protect that data from misuse and breach. For financial institutions and fintechs operating across the US and UK markets, this paradox is codified in two defining European regulations: the Payment Services Directive 2 (PSD2), which mandates data access, and the General Data Protection Regulation (GDPR), which demands that the same data be protected and that individuals retain control over it.

In the face of relentless cyber threats, these two powerful regulatory forces can feel contradictory. However, the introduction of the Digital Operational Resilience Act (DORA) is now forcing a necessary, unified perspective. Firms can no longer treat PSD2 security and GDPR compliance as separate functions; DORA is the new nexus, demanding a singular, resilient governance model for all digital operations.

This is a deep dive into the regulatory tightrope financial firms must walk, and the strategic pivot required to master it.

The Regulatory Friction

PSD2, implemented across the European Economic Area, has driven the Open Banking revolution by requiring Account Servicing Payment Service Providers (ASPSPs), typically banks, to grant authorized Third-Party Providers (TPPs) access to customer account data via secure APIs. This is a massive push toward openness and interoperability in the payment landscape. The subsequent expansion of Open Banking APIs is rapidly facilitating growth in account-to-account (A2A) payments and financial management services across Europe and the UK.

Conversely, GDPR imposes one of the world’s most stringent frameworks for personal data protection. It grants individuals control over their data, requires a valid lawful basis (such as consent) for every processing activity, and imposes massive penalties for breaches, transparency failures, or inadequate security measures.

For a fintech or bank, this creates a severe tension:

  • PSD2 Mandate: You must open your systems securely to TPPs, increasing your attack surface and operational complexity.
  • GDPR Liability: You remain the primary data controller and are accountable for ensuring that any data sharing via PSD2 rails complies with principles like data minimization, purpose limitation, and the implementation of appropriate technical and organizational security measures (Article 32).

A security failure on an Open Banking API is no longer just a payments risk; it immediately becomes a high-stakes GDPR failure.

GDPR Enforcement

The cost of mismanaging this regulatory tension is escalating dramatically. Since 2018, regulators have issued billions in fines, reshaping business practices globally.

By January 2025, the cumulative total of fines under the GDPR reached approximately €5.88 billion, highlighting the ongoing emphasis on data protection. While the largest penalties often target Big Tech, the financial sector is a persistent focus for enforcement.

Regulators have demonstrated a specific focus on:

  • Weak Security: The most common penalties in the finance industry have been for weak security and the mishandling of sensitive data. For instance, a large bank was fined €6.2 million in 2024 by the Spanish DPA for inadequate security measures.
  • Inadequate Measures (Article 32): GDPR fine data illustrates a focus on failure to implement sufficient technical and organizational measures to ensure information security. This means even if a breach is not massive, a firm can be penalized for the lack of a robust security posture, which is directly applicable to securing TPP access under PSD2.
  • Transparency and Consent: Failure to obtain valid consent or issues with transparency are among the most common GDPR violations, directly affecting how Open Banking access is initiated and maintained.

Navigating the UK’s Evolving Data Law

For the UK-based audience, the landscape has been further complicated by domestic legislative changes. The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on June 19, 2025, and amends the UK GDPR.

The DUAA, phased in between June 2025 and June 2026, introduces new operational burdens that directly impact how financial firms handle personal data and complaints:

  • The Complaints Process: All organizations must have a formal process in place to handle data protection complaints by June 2026, so that complaints are addressed before the customer escalates to the regulator. This new obligation introduces greater accountability and may increase the operational burden for organizations receiving high volumes of data-related queries.
  • SARs Scope: The Act clarifies that organizations only have to make “reasonable and proportionate searches” when responding to Subject Access Requests (SARs). This provision came into force immediately upon Royal Assent.
  • The Information Commission (IC): The Information Commissioner’s Office (ICO) is being restructured into a new body, the Information Commission, which will be equipped with increased enforcement powers.

These changes underscore that regulatory compliance is a dynamic, rather than static, challenge, demanding that compliance architecture constantly adapt to new legal standards and stricter regulatory oversight.

The DORA Nexus

The strategic answer to the GDPR/PSD2 tension is to stop viewing them as two separate compliance projects and instead integrate them under a single operational resilience framework. This is the mandate of DORA, and the regulatory environment is already moving to reflect this convergence.

Crucially, on January 17, 2025, the European Banking Authority (EBA) formally repealed its PSD2 Guidelines on major incident reporting.

This administrative change is a seismic shift in regulatory philosophy:

  • Unification: The PSD2 incident reporting requirements have been replaced by the harmonized incident reporting requirements under DORA.
  • Consolidation: DORA now applies to financial entities across banking, securities, insurance, and pensions, covering most Payment Service Providers (PSPs).
  • Holistic View: This move forces financial entities to treat operational incidents, including those related to payment services, Open Banking APIs, and underlying IT infrastructure, through one unified lens of digital operational resilience. The security measures implemented to protect data (GDPR) and to facilitate access (PSD2) are now measured against one cohesive standard (DORA).

The DORA framework essentially acts as the unifying umbrella, making robust, testable, and documented operational resilience the necessary prerequisite for both PSD2 functionality and GDPR legality.

Actionable Strategies for Unified RegTech

For financial services CISOs, Security Executives, and Compliance Officers, the path forward requires a strategic investment in RegTech and a focus on converged governance.

  1. Unified Incident Governance: Implement a single ICT Incident Management framework compliant with DORA. All security incidents, whether triggered by a compromised TPP access path (PSD2) or a personal data breach (GDPR), must follow this single, robust process, including classification and reporting to the relevant Competent Authorities within DORA’s deadlines.
  2. Harmonize Identity and Consent: Deploy a centralized identity and access management (IAM) solution that can simultaneously enforce PSD2’s Strong Customer Authentication (SCA) requirements (MFA, plus dynamic linking, which binds each authentication code to the specific amount and payee the customer approved) and manage GDPR’s granular consent rights and Subject Access Requests (SARs).
  3. Security-by-Design in APIs: Treat Open Banking APIs as a critical, high-risk data egress point. Implement DevSecOps practices to embed security from the start, focusing on API security frameworks, rigorous TPP onboarding and certificate validation, and real-time monitoring to detect data misuse before it becomes a reportable GDPR incident.
  4. Resilience War Gaming: Cybersecurity resilience planning and war gaming must now explicitly include scenarios in which PSD2 access points are compromised and the resulting exposure of personal data is handled as a GDPR incident, not merely a payments incident.
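
Dynamic linking in item 2 above is the one SCA requirement that is simple to show concretely. The following is an added example (not code from the original article, nor from any bank or vendor): an authentication code derived with HMAC from the transaction amount, payee and a nonce, so that the code a TPP presents verifies only for the exact payment the customer saw. The key, the sample order and the account identifiers are constructed for the demo, and the 8-digit truncation is borrowed from HOTP rather than taken from any PSD2 text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed demo key shared between the issuing and verifying components.
# In a real ASPSP this is a per-device/session key kept in an HSM, not a constant.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"


@dataclass(frozen=True)
class PaymentOrder:
    amount_minor: int   # amount in minor units (pence/cents) to avoid float ambiguity
    currency: str
    payee: str          # payee account identifier (a constructed IBAN in the samples)


def canonical(order: PaymentOrder, nonce: bytes) -> bytes:
    """Unambiguous byte encoding of everything the code is linked to.
    Length-prefixing each field prevents two different orders from
    producing the same byte string."""
    parts = [str(order.amount_minor).encode(), order.currency.encode(),
             order.payee.encode(), nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def issue_auth_code(order: PaymentOrder, nonce: Optional[bytes] = None):
    """Return (8-digit code, nonce) bound to this order.
    The payer sees amount and payee on a trusted channel before approving; the
    TPP receives a code that verifies only for exactly that amount and payee."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    mac = hmac.new(SERVER_SECRET, canonical(order, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                              # HOTP-style dynamic truncation
    code_int = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code_int % 10**8:08d}", nonce


def verify_auth_code(order: PaymentOrder, nonce: bytes, code: str) -> bool:
    """Recompute the code for the order the TPP is actually submitting and compare
    in constant time; any change to amount or payee yields a different MAC."""
    expected, _ = issue_auth_code(order, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Run the four cases a verifier must get right. The order is a constructed sample."""
    order = PaymentOrder(amount_minor=12_500, currency="GBP", payee="GB29NWBK60161331926819")
    code, nonce = issue_auth_code(order)
    return {
        "genuine order accepted": verify_auth_code(order, nonce, code),
        "amount tampered rejected": not verify_auth_code(
            PaymentOrder(125_000, "GBP", order.payee), nonce, code),
        "payee tampered rejected": not verify_auth_code(
            PaymentOrder(12_500, "GBP", "GB00XXXX00000000000000"), nonce, code),
        "replay under new nonce rejected": not verify_auth_code(
            order, secrets.token_bytes(16), code),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}: {case}")
```

The point for a unified PSD2/GDPR control is the `canonical` function: whatever the customer approved (amount, payee) is exactly what the MAC covers, so an attacker who intercepts the code cannot redirect or enlarge the payment, and the nonce stops the same approval from being replayed. In production the key would be per device or session and held in an HSM, and the verifier would also enforce a short validity window on the nonce.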

By treating GDPR and PSD2 not as opposing directives, but as integrated parts of a cohesive compliance strategy under DORA, financial institutions can pivot from playing catch-up to leading with robust, future-proof operational resilience.