
The Impact of European Union Regulations on using technology in the commercial collections industry
Written by David Bevan – Compliance & Data Protection Manager, CCI Credit Management and Liam Worthington – ICE Administrator, CCI Credit Management
Adopting innovative technologies is not just advantageous, it’s essential!
In today’s fast-paced business landscape, it is widely accepted that adopting innovative technologies is not just advantageous, it is essential. Many organizations are leveraging technological advances to gain a competitive edge. Adoption also brings additional responsibilities, such as ensuring that technology is maintained and kept up to date. Recent history has shown that technology develops at a rapid pace and that current tools can become obsolete quickly, which poses significant risk to an organization: outdated or unmaintained systems are more susceptible to cyber threats, and bad actors take advantage of the vulnerabilities they leave exposed.
DIGITAL OPERATIONAL RESILIENCE ACT (DORA)
The Digital Operational Resilience Act is an EU regulation designed to enhance the operational resilience of financial entities operating within the EU. In force since January 2023 and applicable from 17 January 2025, it serves as a cornerstone of the European Commission’s Digital Finance Strategy. Like many EU regulations, DORA aims to create a harmonized regulatory framework across member states, as well as to protect the financial system from operational disruptions.
DORA was introduced in response to the financial sector’s increasing reliance on information and communications technology (ICT) and the ever-growing prevalence of cyber threats. The regulation addresses critical challenges, including the rising sophistication and frequency of cyberattacks, the necessity to maintain operational continuity during disruptions, and the imperative to enhance trust and stability within the EU financial system. Its scope is extensive, applying to a broad spectrum of entities within the financial ecosystem, including financial entities, financial market infrastructures, and ICT third-party service providers, with those designated as critical subject to direct EU-level oversight. These organizations must meet stringent requirements to ensure they are prepared to face digital challenges effectively.
DORA Objectives
To achieve these objectives, DORA imposes several obligations on financial entities and their ICT service providers. These include implementing a robust ICT risk management framework so that an organization can appropriately identify, manage and mitigate risks. Incident reporting is a key aspect of the regulation: organizations must classify ICT-related incidents and promptly report major ones to their competent authority, following the initial notification, intermediate report and final report sequence the regulation sets out. DORA also places an emphasis on digital operational resilience testing, for example conducting penetration testing of an organization’s critical systems so that vulnerabilities are identified and addressed; entities designated by their supervisor must additionally carry out threat-led penetration testing (TLPT) against live production systems at least every three years. Supply chain management has long been an essential part of an organization’s security framework, and DORA is no exception: it expects organizations to carry out appropriate due diligence to mitigate risks associated with ICT third-party providers, including maintaining a register of contractual arrangements, having appropriate oversight mechanisms in place, and ensuring contracts contain the provisions the regulation requires, such as audit and access rights and exit strategies. The regulation also promotes information sharing between organizations about cyber threats and vulnerabilities so that a collective defense can be established. Furthermore, digital operational resilience must be embedded in governance structures, with the management body bearing ultimate responsibility.
As digital innovation continues in the financial sector, DORA aims to stand as a guardrail, ensuring that digital advances do not come at the expense of security and stability. In the coming years DORA is expected to play a pivotal role in safeguarding the EU’s financial sector, building operational resilience and confidence.
ARTIFICIAL INTELLIGENCE ACT (AI ACT)
The EU Artificial Intelligence Act, which entered into force on 1 August 2024, is the world’s first comprehensive artificial intelligence legislation. Its primary goal is to ensure the safe and ethical development and use of AI within the EU, safeguarding the fundamental rights of people in the EU, while addressing public concerns about misuse and building trust in AI technology. The AI Act takes a proactive approach to the associated risks and puts clear rules in place for developers and business users. The legal framework provides the enforcement powers needed to prevent misuse while fostering innovation in this emerging technology.
The legislation addresses significant public concerns surrounding AI, such as privacy violations, discrimination, manipulation, and unethical uses. It prohibits certain practices outright, such as social scoring, real-time biometric surveillance in public spaces in all but narrowly defined circumstances, and the exploitation of vulnerable groups, for example children. Like many EU regulations, the AI Act has a wide scope, applying to providers and distributors of AI systems, organizations that deploy AI systems within the EU, and non-EU entities that place AI systems on the EU market or whose systems produce output that is used within the EU.
A defining feature of the act is its risk-based classification approach, meaning different regulatory requirements apply to AI systems at different risk levels. The act treats as high-risk both AI systems that are safety components of products covered by EU product safety legislation and systems used in listed sensitive areas, one of which, directly relevant to the collections industry, is evaluating the creditworthiness of natural persons or establishing their credit score. AI systems classified at this level must meet stringent requirements, including a risk management framework; robust data governance so that training data is of high quality and free from bias; transparency, providing clear information about a system’s functionality and limitations; accountability, ensuring human oversight of AI decisions; and a conformity assessment demonstrating compliance before the system is placed on the market or put into service. A further classification level is limited risk: these systems carry far fewer obligations, but transparency remains the core focus, for example labelling AI-generated content or informing an individual that they are interacting with an AI chatbot. Where AI systems are classified as minimal risk, there are no specific obligations under the AI Act. The EU’s AI Act is a pioneering regulatory effort to balance the benefits of AI with safeguards for fundamental rights.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), adopted in 2016 and applicable since 25 May 2018, is arguably one of the most well-known EU regulations worldwide. It has had a rippling effect on how personal data relating to individuals in the EU is processed. It placed obligations not only on EU-based organizations but also on non-EU organizations that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of their citizenship. It requires that organizations identify how the regulation applies to them, establish the lawful basis under which they process personal data, enable data subject rights, comply with international data transfer requirements, ensure adequate staff training and awareness, and put in place a robust security framework to protect data. Where a non-EU organization is subject to the regulation without an establishment in the EU, it must additionally appoint an EU-based representative. GDPR also gave data protection authorities the power to impose severe financial penalties on organizations found in breach, up to €20 million or 4% of annual global turnover, whichever is higher. For the collections industry, as for many other sectors, GDPR required organizations to make significant adjustments to their processes and technological safeguards to ensure the security and proper handling of personal data.
Conclusion
As the commercial collections industry, like many others, continues to embrace technological advances, the influence of EU regulations such as DORA, the AI Act, and GDPR cannot be overstated. These regulations not only impose legal obligations but also establish a framework that gives organizations the opportunity to enhance operational resilience, build customer trust, and gain a competitive advantage over those that fail to comply or are not required to. By adopting and integrating compliant technologies, organizations can reduce risk while positioning themselves as leaders in their industry. Regulations are often perceived as obstacles to business, and concerns are often raised that overregulation could hamper industries and even national economies, yet well-balanced frameworks can drive growth, resilience, and long-term sustainability. Ultimately, those who successfully navigate the complexities of EU regulation while leveraging technology effectively have the opportunity to set new benchmarks of excellence and lead the commercial collections industry toward a more sustainable and innovative future.