Financial entities subject to DORA face simultaneous EU AI Act obligations. This tool identifies where DORA ICT requirements and AI Act obligations overlap for your sector and AI use cases: credit scoring, fraud detection, algorithmic trading, AML.
DORA (Digital Operational Resilience Act) has applied since 17 January 2025. The EU AI Act applies from various dates in 2025–2028. Banks, insurers, investment firms, payment institutions, and other financial entities must satisfy both simultaneously.
The two regulations share significant conceptual ground — both target ICT risk management, third-party dependencies, and operational resilience — but with different scopes and obligations.
| AI Use Case | DORA obligations | EU AI Act obligations |
|---|---|---|
| Credit scoring / loan decisions | ICT risk management (Art. 5-10); third-party risk if vendor-supplied | Annex III high-risk (Art. 6); full Chapter III obligations; deadline Dec 2027 |
| Fraud detection | ICT incident classification (Art. 17-23); ICT third-party service provider (TPSP) management | Annex III high-risk (law enforcement adjacent — check scope); Art. 13 transparency to deployers |
| Algorithmic trading | ICT change management (Art. 14-16); operational risk | Likely minimal risk or transparency-only; check if GPAI models underpin it |
| AML / transaction monitoring | ICT resilience testing (TLPT for significant entities) | Potentially Annex III (law enforcement nexus); legal analysis required |
| Customer service chatbots | ICT operational risk | Art. 50 transparency — must disclose AI nature to users |
| Insurance risk pricing | ICT third-party risk for model vendors | Annex III high-risk (essential services — insurance risk assessment) |
ICT third-party risk + AI Act provider obligations: DORA Art. 28-44 requires contractual clauses with ICT service providers covering audit rights, exit strategies, and performance standards. When that ICT provider is also an AI Act provider, the AI Act requires the provider to supply technical documentation, instructions for use, and post-market monitoring support. A single well-drafted vendor contract can satisfy both.
Incident reporting: DORA mandates major ICT-related incident reporting to supervisors. The AI Act requires reporting of serious incidents involving high-risk AI to national market surveillance authorities. For financial entities, a single AI failure (e.g., a credit-scoring model outage causing systemic risk) may trigger both reporting chains simultaneously.
Resilience testing: DORA's Threat-Led Penetration Testing (TLPT) for significant entities overlaps with AI Act Art. 15's robustness and cybersecurity requirements. Combining both testing regimes reduces duplication.
For a detailed analysis of the regulatory convergence, see the companion piece "AI Act vs. DORA vs. NIS2".
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Yes. DORA applies to credit institutions, insurance companies, investment firms, payment service providers, and other financial entities — and has been in effect since January 2025. These same entities are also subject to the EU AI Act for any AI systems they develop or deploy. The two regulations have overlapping requirements around ICT risk management, incident reporting, and third-party service provider management.
DORA requires financial entities to manage their ICT service providers — including AI vendors — under contractual arrangements with specific requirements (Art. 28-44). The AI Act independently requires deployers to implement AI governance measures. When an AI vendor is both a DORA ICT third-party and an AI Act provider, contracts must satisfy both regulatory frameworks.