Quick Comparison Table

Before diving into the detail, here is a side-by-side summary of DORA and the EU AI Act across the dimensions that matter most for financial institutions deploying AI.

| Dimension | DORA (EU 2022/2554) | EU AI Act (EU 2024/1689) |
|---|---|---|
| Legal form | Regulation (directly applicable) | Regulation (directly applicable) |
| Sector focus | Financial services only | All sectors (horizontal regulation) |
| Primary entities | ~22,000 EU financial entities + critical ICT providers | Providers, deployers, importers, and distributors of AI systems |
| Effective date | 17 January 2025 | Phased: Aug 2024 (entry into force) through Aug 2027 (full application) |
| Core focus | Digital operational resilience (ICT risk, testing, third parties) | Risk-based AI governance (safety, fundamental rights, transparency) |
| Risk classification | ICT risk assessment across all operations | 4-tier AI risk: unacceptable, high, limited, minimal |
| Testing requirements | Annual basic testing + TLPT every 3 years for designated entities | Conformity assessment for high-risk AI before market placement |
| Third-party oversight | Register of Information, mandatory contract clauses, CTPP oversight | Provider obligations flow through value chain; deployer due diligence |
| Incident reporting | 4h initial / 72h intermediate / 1 month final to NCA | Serious incident reporting to market surveillance authorities |
| Penalties | Set by NCAs; CTPP fines up to 1% daily turnover | Up to EUR 35M or 7% turnover (prohibited); EUR 15M or 3% (high-risk) |
| Supervisory model | Financial supervisors (ECB, EBA, ESMA, EIOPA) + Lead Overseers | National market surveillance authorities + EU AI Office |

DORA: Operational Resilience for Financial Services

DORA (Regulation (EU) 2022/2554) is an EU regulation that focuses exclusively on ensuring financial entities can withstand, respond to, and recover from ICT-related disruptions. It addresses the systemic risk that arises when the financial sector depends heavily on technology and a concentrated set of critical technology providers.

DORA applies to around 22,000 financial entities in the EU, including banks, insurers, investment firms, payment institutions, electronic money institutions, crypto-asset service providers, and central counterparties. It also brings critical ICT third-party service providers (CTPPs) under direct EU-level oversight for the first time.

The regulation is organised around five pillars: ICT risk management (Art. 5-16), incident management and reporting (Art. 17-23), digital resilience testing (Art. 24-27), third-party ICT risk management (Art. 28-44), and information sharing (Art. 45). For a complete overview, see our DORA compliance guide.

Critically for the AI discussion, DORA treats all software — including AI systems — as ICT assets. Any AI model or system deployed within a financial entity falls within DORA's scope as part of the ICT environment that must be resilient, tested, and governed.


EU AI Act: Risk-Based AI Governance

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It applies horizontally across all sectors, including financial services, and regulates AI systems based on the level of risk they pose to health, safety, and fundamental rights.

The AI Act classifies AI systems into four risk tiers. Unacceptable risk AI (social scoring, real-time remote biometric identification in public spaces for law enforcement, with narrow exceptions) is prohibited outright. High-risk AI — which includes credit scoring, insurance pricing, and fraud detection in finance — must meet strict requirements for data quality, transparency, human oversight, accuracy, and robustness. Limited-risk AI (chatbots, emotion recognition) requires transparency obligations so users know they are interacting with AI. Minimal-risk AI (spam filters, AI-enabled games) is largely unregulated.

The AI Act assigns obligations along the AI value chain. Providers (those who develop or place AI on the market) bear the heaviest obligations: conformity assessments, technical documentation, quality management systems, and post-market monitoring. Deployers (those who use AI systems) must ensure human oversight, monitor for risks, conduct fundamental rights impact assessments for high-risk AI, and inform individuals when they are subject to AI decisions. Importers and distributors also have specific obligations.

The regulation is enforced by national market surveillance authorities in each member state, coordinated at the EU level by the European AI Office established within the European Commission. The AI Act entered into force on 1 August 2024, with provisions applying in phases through 2 August 2027.


Where DORA and the AI Act Overlap

When a financial institution deploys AI, both regulations apply simultaneously. Several areas of overlap create opportunities for integrated compliance.

1. Risk Management Frameworks

Both regulations require structured risk management. DORA mandates an ICT risk management framework covering identification, protection, detection, response, and recovery. The AI Act requires a risk management system for high-risk AI that runs throughout the AI system's lifecycle. Financial entities can build a single risk framework that addresses both ICT resilience risks (DORA) and AI-specific risks (accuracy, bias, robustness).

2. Governance and Accountability

DORA requires the management body to approve and oversee the ICT risk management framework, with personal accountability. The AI Act requires deployers of high-risk AI to assign human oversight roles and ensure staff competence. Both demand board-level awareness of the risks posed by the technologies the entity uses. A unified governance structure can satisfy both sets of requirements.

3. Documentation and Record-Keeping

DORA requires an ICT asset register, a Register of Information on ICT third-party arrangements, and detailed incident records. The AI Act requires technical documentation, logging of AI system operations, and records of conformity assessments. AI systems that are also ICT assets will need documentation that satisfies both frameworks — a combined documentation approach avoids duplication.

4. Third-Party and Supply Chain Risk

DORA imposes detailed third-party oversight for ICT providers: mandatory contract clauses, pre-contract risk assessments, concentration risk monitoring, and exit strategies. The AI Act requires that obligations flow through the AI value chain, with deployers conducting due diligence on AI providers. When an AI system is procured from an external vendor, both DORA's ICT third-party requirements and the AI Act's value chain obligations apply simultaneously.


Where DORA and the AI Act Diverge

Despite the overlap, the two regulations address fundamentally different concerns and impose distinct obligations that cannot be satisfied by a single compliance activity.

Incident reporting vs serious incident reporting. DORA requires financial entities to report ICT-related incidents to their national competent authority within 4 hours of classification, with intermediate and final reports to follow. The AI Act requires providers and deployers to report serious incidents — those involving death, serious damage to health, property, or the environment, or serious fundamental rights violations — to market surveillance authorities. The triggers, timelines, recipients, and formats are different. An AI system outage that disrupts banking services may trigger DORA incident reporting (ICT disruption) without triggering AI Act serious incident reporting, and vice versa.

Resilience testing vs conformity assessment. DORA requires ongoing resilience testing: vulnerability assessments, penetration testing, scenario testing, and for designated entities, threat-led penetration testing (TLPT) every three years. The AI Act requires a conformity assessment before a high-risk AI system is placed on the market or put into service. DORA testing is continuous and operationally focused; AI Act conformity assessment is a pre-market gate that verifies the system meets essential requirements. Both are needed, but they serve different purposes and follow different procedures.

CE marking and prohibited practices. The AI Act introduces concepts with no DORA equivalent: CE marking for high-risk AI systems, an EU database of high-risk AI, outright prohibition of certain AI practices (e.g., social scoring, manipulative AI, untargeted facial recognition databases), and requirements for general-purpose AI models. These are AI-specific governance mechanisms that exist outside DORA's operational resilience scope.

Fundamental rights impact assessments. The AI Act requires deployers of high-risk AI to conduct fundamental rights impact assessments before putting those systems into use. DORA does not address fundamental rights directly — its risk assessments focus on operational resilience, business continuity, and financial stability. A bank deploying AI for credit scoring must conduct both a DORA ICT risk assessment (operational resilience of the AI system) and an AI Act fundamental rights impact assessment (discriminatory effects on loan applicants).

Transparency and explainability. The AI Act requires that high-risk AI systems be sufficiently transparent for deployers to interpret outputs, and that individuals be informed when they are subject to AI-based decisions. DORA does not impose AI-specific transparency requirements. Financial entities must address transparency under the AI Act even if their DORA compliance programme is fully mature.


Financial Services AI: Where Both Regulations Bite

Several AI use cases in financial services are classified as high-risk under AI Act Annex III and simultaneously fall within DORA's scope as ICT services. These dual-regulated use cases demand careful compliance planning.

Credit scoring and creditworthiness assessment. AI Act Annex III, point 5(b) classifies AI systems used to evaluate creditworthiness or establish credit scores as high-risk. Under DORA, the same system is an ICT asset supporting a critical or important function (lending). The bank must ensure the AI model meets AI Act requirements for data quality, bias testing, human oversight, and transparency, while also ensuring the underlying ICT infrastructure is resilient, tested, and covered by the ICT risk management framework under DORA.

Insurance risk assessment and pricing. AI Act Annex III, point 5(c) classifies AI used for risk assessment and pricing in life and health insurance as high-risk. Insurers using AI for underwriting must comply with AI Act conformity assessment requirements and DORA operational resilience requirements simultaneously. The AI model's accuracy and fairness are governed by the AI Act; the system's availability, recoverability, and third-party risk are governed by DORA.

Fraud detection and anti-money laundering. AI systems used in transaction monitoring, fraud detection, and AML screening are ICT assets under DORA and may fall under the AI Act's provisions depending on how they affect individuals. Where such systems make or materially influence decisions about individuals (e.g., blocking transactions, flagging accounts), they may be classified as high-risk and subject to human oversight and transparency requirements.

Dual compliance in practice

For financial entities deploying high-risk AI, dual compliance means maintaining two parallel but interconnected governance tracks. The DORA track covers operational resilience: is the AI system in your asset register, is it tested for resilience, is the third-party provider governed by appropriate contracts, do you have an exit strategy? The AI Act track covers AI governance: has the system passed conformity assessment, is human oversight in place, are individuals informed, is the system monitored for accuracy and bias? Both tracks feed into the same management body reporting, but they address different risks and require different expertise.


Supervisory Expectations: AI as ICT Under DORA

European financial supervisors have begun to address the intersection of AI and operational resilience. The European Banking Authority (EBA) and national competent authorities have signalled that AI systems deployed by financial entities are squarely within DORA's scope as ICT assets and services.

In December 2025, the EBA published guidance clarifying that AI and machine learning models used in decision-making processes constitute ICT services under DORA and must be included in the ICT risk management framework, the asset register, third-party risk assessments (where externally provided), and resilience testing programmes. The guidance emphasises that the opacity of AI models does not exempt financial entities from DORA's requirements for understanding, testing, and documenting their ICT environment.

BaFin (Germany's Federal Financial Supervisory Authority) has similarly indicated that AI systems fall within the scope of DORA's ICT risk management and third-party oversight requirements. BaFin's supervisory practice treats AI vendors as ICT third-party service providers subject to the same contractual, risk assessment, and exit planning requirements as any other technology provider.

The practical implication is clear: financial entities cannot treat DORA compliance and AI Act compliance as separate workstreams that never intersect. Supervisors expect AI to be governed as part of the ICT environment under DORA, and as a regulated technology under the AI Act. The DORA GRC platform supports both dimensions, with integrated ICT asset management, AI system tracking, and risk assessment capabilities.


Compliance Timeline Comparison

Understanding the phased timeline of both regulations is essential for planning. DORA is already fully in force; the AI Act is applying in stages.

| Date | DORA | EU AI Act |
|---|---|---|
| Jan 2023 | Entered into force (16 Jan 2023) | |
| Aug 2024 | | Entered into force (1 Aug 2024) |
| Jan 2025 | Full application (17 Jan 2025) | |
| Feb 2025 | | Prohibited AI practices apply (2 Feb 2025) |
| Aug 2025 | | GPAI model obligations apply (2 Aug 2025) |
| Aug 2026 | Ongoing (first CTPP designations expected) | High-risk AI obligations apply (2 Aug 2026) |
| Aug 2027 | | Full application for all AI systems, including Annex I high-risk (2 Aug 2027) |

Key takeaway: Financial entities are already subject to DORA. High-risk AI obligations under the AI Act apply from August 2026. Entities using AI for credit scoring, insurance underwriting, or other Annex III use cases should be building their AI Act compliance programme now, integrated with their existing DORA framework.

Frequently Asked Questions

Does the EU AI Act apply to financial services?

Yes. The EU AI Act (Regulation 2024/1689) applies across all sectors, including financial services. Financial institutions that develop, deploy, or use AI systems are subject to the AI Act's requirements. Annex III specifically lists creditworthiness assessment and credit scoring as high-risk AI use cases, along with AI used for risk assessment and pricing in life and health insurance. Banks, insurers, and other financial entities using AI in these areas must comply with both DORA and the AI Act simultaneously.

Is an AI system an ICT asset under DORA?

Yes. DORA defines ICT assets broadly to include software, hardware, and services that support business operations. An AI system deployed within a financial entity — whether built in-house or procured from a third party — qualifies as an ICT asset under DORA. This means it must be included in the entity's ICT asset register, covered by the ICT risk management framework, subject to resilience testing, and if provided by a third party, governed by the third-party risk management requirements including the Register of Information.

When do the AI Act's requirements apply?

The AI Act entered into force on 1 August 2024 with a phased compliance timeline. Prohibited AI practices applied from 2 February 2025. Requirements for general-purpose AI (GPAI) models apply from 2 August 2025. High-risk AI system obligations — most relevant to financial services — apply from 2 August 2026. Financial entities should be preparing now, as high-risk AI systems used in creditworthiness assessment, insurance pricing, and fraud detection will need to meet conformity assessment, transparency, and human oversight requirements by August 2026.

Can a single compliance framework satisfy both DORA and the AI Act?

Partially. Both regulations require risk management, governance accountability, documentation, and incident-related processes. A financial entity can build an integrated compliance framework that addresses both. However, they have distinct requirements: DORA focuses on operational resilience, incident reporting to financial supervisors, third-party oversight, and resilience testing. The AI Act focuses on conformity assessment, CE marking, fundamental rights impact assessments, transparency obligations, and human oversight of AI decisions. The overlap is strongest in risk management and governance; the divergence is greatest in testing and certification.