Financial institutions must navigate AI Act, DORA, and NIS2 with overlapping obligations and timelines. This guide maps the intersections: where obligations overlap, where they conflict, and how to dual-map documentation to reduce compliance burden.
Three regulations, one compliance programme
Financial organisations in the EU face AI Act, DORA, and NIS2 — three regulations that were designed independently but overlap substantially in the context of AI systems used in financial services. Managing them separately creates duplicative documentation, inconsistent governance, and unnecessary cost.
This guide maps the overlaps and shows where a single compliance effort can satisfy multiple regulations simultaneously.
Timeline comparison
| Regulation | Key deadline | Status |
|---|---|---|
| NIS2 | October 2024 | In force |
| DORA | 17 January 2025 | In force |
| AI Act — Prohibited practices | 2 February 2025 | In force |
| AI Act — GPAI rules | 2 August 2025 | In force |
| AI Act — Annex III standalone | 2 December 2027 | Upcoming |
| AI Act — Annex I embedded | 2 August 2028 | Upcoming |
Where AI Act and DORA overlap
Risk management
AI Act Art. 9 requires a risk management system for high-risk AI covering identification, estimation, evaluation, and mitigation of risks throughout the lifecycle.
DORA Art. 5–16 requires an ICT risk management framework covering identification, protection, detection, response, and recovery from ICT risks.
Overlap: Both apply to AI systems used in financial services. A single risk register and governance process can satisfy both, provided it covers the AI-specific risks required by Art. 9 (accuracy, robustness, bias, fundamental rights) in addition to DORA's ICT risk categories (availability, confidentiality, integrity, authentication).
Dual-mapping approach: Extend your DORA ICT risk register to include AI-specific risk dimensions. Document the combined assessment as meeting both Art. 9 and DORA Art. 5–16 requirements.
Incident reporting
AI Act Art. 73 requires providers of high-risk AI to report serious incidents to market surveillance authorities without undue delay.
DORA Art. 19–23 requires financial entities to report major ICT-related incidents to competent authorities within strict timelines (initial: 4 hours; intermediate: 72 hours; final: 1 month).
Overlap: An ICT incident caused by or involving a high-risk AI system may trigger both reporting obligations simultaneously. Build a single incident response procedure that assesses both thresholds and routes to both regulators where required.
Third-party and supply chain
AI Act imposes obligations on providers who develop AI. Deployers who procure high-risk AI systems from providers must verify provider compliance.
DORA Art. 28–44 requires financial entities to manage ICT third-party risk, including for AI providers and cloud services running AI systems.
Overlap: Procurement due diligence for AI systems used by financial entities must satisfy both: DORA's ICT third-party risk assessment and contractual requirements, AND verification of AI Act conformity assessment and CE marking.
Practical tip: Add AI Act compliance verification to your DORA ICT third-party due diligence checklist. Require AI providers to supply their conformity assessment documentation and EU database registration number.
Where AI Act and NIS2 overlap
NIS2 applies broadly to essential and important entities including financial institutions, energy providers, health organisations, and digital infrastructure operators.
NIS2 Art. 21 security measures apply to all ICT — including AI systems. Risk-based security measures, supply chain security, and business continuity planning all apply to AI as ICT components.
NIS2 Art. 23 incident reporting (24-hour early warning, 72-hour notification, 1-month final report) applies to significant incidents, including those involving AI systems.
Integration opportunity: NIS2 security measures and AI Act Art. 15 (accuracy, robustness, cybersecurity) for high-risk AI can be addressed through the same information security management system (ISMS) and cybersecurity programme.
Recommended dual-mapping framework
- Single AI inventory — catalogue all AI systems, mapping each to AI Act risk tier AND DORA/NIS2 applicability
- Combined risk register — extend ICT risk register to include AI-specific dimensions (bias, opacity, fundamental rights impact)
- Unified incident response — single procedure with dual-threshold assessment for AI Act + DORA/NIS2 reporting
- Shared third-party template — DORA ICT due diligence + AI Act conformity verification in one supplier questionnaire
- Joint QMS — design the AI Act quality management system (Art. 17) as an extension of the DORA governance framework, not a separate silo
For DORA-specific guidance, see our sister site regulation-dora.eu — covering DORA's full ICT risk management, incident reporting, and third-party frameworks in depth.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Status | Legal basis |
|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | active | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | active | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | active | AI Act Art. 57 |
Frequently Asked Questions
Does the AI Act overlap with DORA?
Yes — significantly. The AI Act's risk management system (Art. 9) for high-risk AI overlaps with DORA's ICT risk management framework (Art. 5–16) for ICT systems. AI systems used in financial services that qualify as high-risk under Annex III are subject to both. Dual-mapping is possible: a single QMS can satisfy both regulations' risk management requirements.
Does DORA apply to AI systems?
DORA does not exempt AI. Any ICT system — including AI — that is part of a financial entity's ICT infrastructure is subject to DORA's operational resilience requirements. DORA's incident reporting (Art. 19–23), ICT third-party risk management (Art. 28–44), and resilience testing (Art. 25–27) all apply to AI-driven ICT systems.
Which takes precedence, the AI Act or DORA?
Neither takes precedence; both apply simultaneously. The AI Act is a product regulation (governing the AI system); DORA is an operational resilience regulation (governing the financial entity's ICT environment). A credit scoring AI used by a bank must comply with both: AI Act Annex III obligations as a high-risk AI system, and DORA as an ICT system.
Does NIS2 apply to AI systems?
NIS2 applies to essential and important entities in sectors including finance, energy, health, and digital infrastructure. AI systems used in operations of these entities fall under NIS2's security measures (Art. 21) and incident reporting (Art. 23). NIS2 does not specifically address AI, but its risk-based security framework covers AI systems as ICT components.