DORA & AI Act

DORA requires financial entities to establish a comprehensive ICT risk management framework: policies, procedures, protocols and tools to identify, classify and manage ICT risk. Article 6 establishes that the management body bears ultimate responsibility. Article 8 requires continuous monitoring of ICT vulnerabilities. Article 16 requires smaller entities to maintain a simplified but demonstrable risk management framework.

AI Act Article 9 requires providers of high-risk AI systems to maintain a risk management process throughout the entire lifecycle of the system. This risk management covers identification, analysis and mitigation of risks to health, safety and fundamental rights. For financial institutions deploying AI systems for credit, fraud detection or asset management, both frameworks apply to the same system. The risk management process of Art. 9 AI Act and the ICT risk management framework of DORA must be aligned — or better yet, integrated into a single coherent framework.

DORA Article 19 requires financial entities to classify and report major ICT-related incidents. Classification is based on criteria such as duration of the disruption, number of affected clients, financial impact and reputational damage. Major incidents must be reported to the competent supervisor — DNB in the Netherlands for banks and insurers — with an initial notification within 4 hours, an intermediate report within 72 hours, and a final report within one month.

AI Act Article 62 introduces a comparable but broader notification obligation: providers of high-risk AI systems must report serious incidents — where the AI system poses a risk to life, safety or fundamental rights — to the market supervisory authority. For financial AI systems classified as high-risk, an AI incident can simultaneously be an ICT incident. Consider a defective fraud detection system blocking legitimate customer payments, or a credit scoring model making incorrect decisions due to a data anomaly. Such incidents trigger notification obligations under both regulations simultaneously, with different time windows and different recipients.

DORA pays particular attention to outsourcing and the use of third-party ICT service providers. Article 28 requires financial entities to maintain a strategy for managing ICT third-party risks. Article 29 sets requirements for the due diligence process. Article 30 contains an extensive list of mandatory contract provisions: the right to audit access, processing locations, service levels, data availability, exit strategies and — crucially — availability of information on the provider's ICT security.

When a financial institution obtains an AI system from an external provider — a cloud-based credit scoring model, a SaaS fraud detection platform, an AI-driven asset management module — that provider is simultaneously an ICT third party under DORA and a provider of high-risk AI under the AI Act. The AI Act imposes obligations on providers regarding technical documentation, EU conformity assessment, CE marking and post-market monitoring. Financial institutions acting as deployers must verify that their AI suppliers comply with these AI Act requirements — in addition to DORA contract requirements. This means in practice: extending the DORA due diligence checklist for ICT suppliers with AI Act-specific questions about the technical file, declaration of conformity and incident reporting.

DORA prescribes extensive testing programmes. Article 24 requires financial entities to conduct annual basic resilience tests (vulnerability assessments, open-source-based penetration tests). Article 26 requires the most systemically important institutions to conduct Threat-Led Penetration Tests (TLPT) every three years. TLPT are standardised, supervisor-validated cyber attack simulations on live production systems, executed under the TIBER-EU framework.

AI Act Article 9 requires providers of high-risk AI systems to conduct structured testing throughout the entire development and deployment lifecycle: testing to confirm the system functions as designed, that risks have been adequately mitigated, and that the system performs consistently for all relevant user populations. This includes testing for unintended outcomes, systematic errors and bias. For financial AI systems — credit scoring models, fraud detection algorithms — both DORA tests (technical resilience against attacks) and AI Act tests (functional reliability and fairness) are mandatory on the same system. They do not address the same risks, but both test programmes should be coordinated to leverage overlap in test environments, test data and test timing.

DORA Article 5 places ultimate responsibility for ICT risk management explicitly with the management body of the financial entity. The board of directors or supervisory board must approve the ICT risk management framework, allocate sufficient resources, define specific roles, and foster a culture of digital resilience. This is not a delegatable responsibility: supervisors look at board level in the event of an incident.

AI Act Article 26 defines the obligations of deployers — the organisations that put high-risk AI systems into use. Deployers must organise human oversight, assess the suitability of the system for the intended application, monitor the system for anomalies, and — for public bodies — conduct a Fundamental Rights Impact Assessment (FRIA). The governance requirements of both regulations target the same board level. In practice, this means financial institutions must integrate responsibility for DORA compliance and AI Act compliance at board level. A separate DORA governance committee without an AI Act mandate, or vice versa, creates blind spots.