The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied since 17 January 2025. It requires financial entities to manage ICT risk comprehensively. AI systems are ICT systems. DORA doesn't carve them out.
Article 2(1) covers credit institutions, payment and e-money institutions, investment firms, insurers, CCPs, CSDs, trading venues, fund managers, credit rating agencies, crypto-asset service providers, and others. Critical ICT third-party providers designated under Article 31 face direct ESA oversight.
How DORA Applies to AI Systems
ICT Risk Management (Articles 5-16)
AI systems must be included in the entity's ICT risk assessment. This covers model risk, data drift, adversarial attack vectors, inference failures, access controls, change management for model updates, anomaly detection, and business continuity planning for AI system failure.
Incident Reporting (Articles 17-23)
An AI system failure that disrupts a critical function is reportable if it meets materiality thresholds (clients affected, duration, geographical spread, data losses, economic impact). A credit scoring model producing incorrect outputs at scale or a fraud detection system going offline would qualify.
Resilience Testing (Articles 24-27)
AI systems supporting critical functions should be in scope for vulnerability assessments, scenario-based testing, performance testing under stress, and source code reviews. Significant entities must conduct threat-led penetration testing at least every three years.
ICT Third-Party Risk (Articles 28-44)
Every AI vendor, model provider, and cloud AI service must be in your ICT third-party register (Article 28(3)). Contracts must include service levels, data location, audit rights, and exit strategies (Article 30). Over-reliance on a single AI provider is a concentration risk DORA requires you to assess.
DORA + EU AI Act Overlap
Financial entities deploying AI face both regulations. Key overlaps:
- Risk management: DORA Article 5 and EU AI Act Article 9 both require systematic risk identification, scoped differently.
- Incident reporting: DORA Article 19 and EU AI Act Article 73 have different thresholds, authorities, and timelines. A single AI failure may trigger both.
- Documentation: DORA ICT documentation and EU AI Act Annex IV technical documentation overlap in content with different formats.
- Testing: DORA resilience testing and EU AI Act accuracy/robustness requirements (Article 15) both require testing for different purposes.
A single assessment mapping controls across both regulations identifies where one piece of evidence satisfies both.
Penalties
Financial entities: up to 2% of total annual worldwide turnover (Article 50(4)). Critical ICT providers: up to €5,000,000 (Article 35(8)). Natural persons: up to €1,000,000 (Article 50(5)).
Assess both frameworks
HEX 165 evaluates AI systems against DORA (131 criteria) and the EU AI Act (348 criteria) in a single scan, mapping overlapping controls.