Regulation (EU) 2024/1689

The EU AI Act, for firms that already do DORA

Your ICT risk framework, your incident playbook, your third-party register — none of it disappears, and none of it is enough. The AI Act attaches to what your models do, and it asks for four things DORA never asked for. Here is exactly where the gap is.

Check your exposure — free See the cross-obligation table

Start from what you already have

A DORA programme is not a blank slate for the AI Act. Four of its pillars produce artefacts you can reuse directly — and knowing which ones stops you rebuilding what you already own.

ICT risk framework

DORA Art. 5-16. Governance, asset inventory, risk appetite. The AI system is already in your ICT estate — it is already on this register.

What DORA requires →

Incident reporting

DORA Art. 17-23. Detection, classification, the 4h / 72h / one-month clock. The machinery exists; the AI Act simply points it at a second regulator.

Incident reporting →

Third-party risk

DORA Art. 28-30 and the Register of Information. If you bought the model, the vendor is already in your register with contractual and audit rights.

Third-party risk →

Resilience testing

DORA Art. 24-27, up to TLPT. A testing culture and evidence trail the AI Act's conformity work can lean on.

TLPT →

What the AI Act adds, line by line

This is the table that matters. On the left, the DORA artefact you already produce. In the middle, what the AI Act wants that your artefact does not deliver. On the right, the article that says so — on our sister site, in full.

Domain What DORA already gives you What the AI Act adds on top Read it
Risk management ICT risk framework across the estate (Art. 5-16) A risk system for the model itself: accuracy, robustness, bias and fundamental-rights risk, maintained across the whole lifecycle. Your ICT framework does not look at any of these. Art. 9 ↗
Data governance Data classification and integrity controls Governance of the training, validation and test sets: relevance, representativeness, and an examination for bias. There is no DORA equivalent at all. Art. 10 ↗
Documentation ICT policies, Register of Information Technical documentation to Annex IV, plus automatic logging over the system's lifetime. Closer to a product file than to a policy. Art. 11-12 ↗
Human oversight RACI, management body accountability Oversight built into the system by design, with a named, competent human who can actually interrupt or override an output. An org chart does not satisfy this. Art. 14 ↗
Incidents Major ICT incident → competent financial authority, 4h / 72h / 1 month (Art. 19) A serious incident involving a high-risk system also goes to the market surveillance authority. Different regulator, different trigger, different clock. One event, two filings. Art. 73 ↗
Third party Due diligence, contractual clauses, audit rights (Art. 28-30) You must verify the provider actually did the conformity assessment and affixed the CE marking — and know that modifying their model can make you the provider. Art. 25-26 ↗
Transparency — nothing comparable Tell people they are dealing with an AI; mark synthetic content machine-readably. Applies whatever the risk tier — and it is the first deadline to land. Art. 50 ↗
Registration Register of Information, filed with your supervisor High-risk systems must additionally be registered in the EU database. A different register, a different authority, a different purpose. Art. 49, 71 ↗

Read the table as a gap list, not a mapping exercise. Rows one, two, four and seven have no DORA counterpart at all — that is where the real work is.

Are you a provider or a deployer?

This single question decides how heavy your obligations are, and most financial institutions answer it wrongly on their first pass. It does not turn on who you are. It turns on what you did to the model.

Deployer · Art. 26

You bought it and use it as delivered

The default position for most banks. Use the system per its instructions, assign competent human oversight, monitor it, keep the logs, inform the people it decides about — and verify that your provider did their part.

Provider · Art. 16

You built it in-house

The full compliance file lands on you: quality management system, conformity assessment before the system goes live, CE marking, registration in the EU database, post-market monitoring.

The trapdoor · Art. 25

You bought it — then changed it

Put your name on it, modify it substantially, or repurpose it, and you become the provider. All of Article 16 follows. This is not a technicality; it is the most expensive mistake available here.

The one that catches banks

Fine-tuning a purchased credit-scoring model on your own loan book is a substantial modification. You bought a system and you procured a vendor — but under Article 25 you are now its provider, and you owe the conformity assessment, the CE marking and the EU database entry that you assumed the vendor had already handled. Teams discover this after the model is in production.

When each obligation actually bites

The Digital Omnibus on AI moved these dates. The Council gave its green light on 29 June 2026, deferring the high-risk obligations by over a year — but leaving the transparency duties exactly where they were. Plan against the new calendar, not the one in older guidance.

2 February 2025 In force
Prohibited practices (Art. 5) and AI literacy (Art. 4). Already binding. If you run a banned practice, no plan makes it lawful.
2 August 2025 In force
General-purpose AI obligations (Art. 53-55) and the governance architecture. Live already — relevant to you only if you train or fine-tune a general-purpose model, not if you consume an API.
2 December 2026 New
Two things the Omnibus added rather than delayed: the new Article 5 ban on AI generating non-consensual intimate imagery, and the end of the grace period for machine-readable marking of AI-generated content.
2 December 2027 Deferred
Stand-alone Annex III high-risk systems. Credit scoring, insurance pricing, HR screening. Was 2 August 2026; pushed back by the Digital Omnibus. This is where most financial AI lands.
2 August 2028 Deferred
AI embedded in products already regulated under Annex I legislation. Was 2 August 2027.

A deferral is not a reprieve. Conformity assessment on a high-risk system is a year of work, not a quarter — and the transparency deadline does not move.

Which tier is your system in?

Six questions. Prohibited, high-risk under Annex III, GPAI, transparency-only or minimal — plus whether you are the provider or the deployer, which is the part people get wrong. Free, no signup, instant.

Run the exposure check
Sister site · regulation-ai.eu

Read the article, not a summary of it

This page maps the AI Act onto your existing DORA programme. For the text of each obligation — scope, wording, guidance — go straight to the article on our AI Act site.

Art. 5
Prohibited AI practices

Social scoring, emotion inference at work, untargeted face scraping. Already in force since February 2025.

Read Article 5
Art. 6
Classification of high-risk AI

The test that decides whether your system is high-risk at all. Start here before anything else.

Read Article 6
Art. 9
Risk management system

Your DORA ICT risk framework does not cover accuracy, bias or fundamental-rights risk across the model lifecycle.

Read Article 9
Art. 10
Data and data governance

Training, validation and test sets: representativeness, bias examination. No DORA equivalent.

Read Article 10
Art. 14
Human oversight

Oversight by design, with a real ability to override the model. Goes beyond a RACI matrix.

Read Article 14
Art. 26
Obligations of deployers

What you owe when you buy a high-risk model rather than build it — the default position for most banks.

Read Article 26
Art. 73
Reporting of serious incidents

A second reporting channel, to the market surveillance authority. It does not replace DORA Art. 19.

Read Article 73

All 113 articles on regulation-ai.eu

Questions we actually get asked

Does the EU AI Act apply to banks and insurers?
It applies to what your AI systems do, not to what kind of firm you are. Being a DORA entity neither puts you in scope nor keeps you out. Two financial use cases are named as high-risk in Annex III: creditworthiness evaluation and credit scoring of natural persons (point 5(b)) and risk assessment and pricing in life and health insurance (point 5(c)). A bank whose AI only drafts internal documents faces AI literacy duties and nothing more.
Is fraud detection or AML high-risk?
No — not by nature, and this is the most commonly mis-scoped point in the whole Act. Annex III point 5(b) covers credit scoring but carries an explicit exception for AI systems used to detect financial fraud. The exemption is narrow, though: if the same model also feeds a creditworthiness decision, or profiles individuals in a way that reaches another Annex III point, it comes straight back into scope. Classify by intended purpose, system by system.
We buy our models. Are we a provider or a deployer?
Buying and using a system as delivered makes you a deployer (Art. 26). But Article 25 flips you into a provider — with the full Article 16 file, conformity assessment and CE marking — if you put your name or trademark on it, substantially modify it, or change its intended purpose. Fine-tuning a purchased scoring model on your own book is exactly that.
Does our DORA incident reporting cover AI Act incident reporting?
No. Separate channels to separate regulators. DORA Article 19 sends major ICT incidents to your competent financial authority on the 4h / 72h / one-month clock. AI Act Article 73 sends serious incidents involving a high-risk system to the market surveillance authority, on its own trigger and timeline. One event can require both. Neither filing discharges the other.
When do the obligations actually apply?
Prohibited practices and AI literacy: since 2 February 2025. GPAI: since 2 August 2025. Transparency (Art. 50): 2 August 2026. The Digital Omnibus on AI, approved by the Council on 29 June 2026, deferred the high-risk regime: stand-alone Annex III systems from 2 December 2027, and Annex I embedded AI from 2 August 2028. Note that the Omnibus also added obligations: a new Article 5 ban on AI generating non-consensual intimate imagery, and the end of the grace period for marking AI-generated content — both from 2 December 2026. It was a rebalancing, not a blanket reprieve.
What does the AI Act require that DORA does not?
Four things with no real DORA counterpart. Data governance over training, validation and test sets, including bias examination (Art. 10). Human oversight designed into the system, with a genuine ability to override (Art. 14). Accuracy, robustness and fundamental-rights risk across the model lifecycle, which an ICT risk framework does not address (Art. 9). And registration in the EU database for high-risk systems (Art. 49, 71). Your DORA artefacts are a head start on documentation and third-party control — not a substitute.

Go further — premium resources

Turn this into action

Flagship

Complete DORA Implementation Guide

59-page manual — all five pillars, six-phase roadmap, 34 worked examples.

Free · Certification

DORA Fundamentals Certification

Free self-paced course + a verifiable certificate you can add to LinkedIn. Start here.

Pillar 4

Third-Party Risk Playbook

Article 30 clause library, Register of Information build guide, exit playbooks, CTPP oversight.

Which Option Fits Your Institution?

Consulting delivers momentum. Resiplan keeps it running. Many clients combine both.

Consulting

Expert-led engagements: gap analysis, implementation, TLPT preparation.

Best for: one-off projects, deep expertise, urgent deadlines.
From 149 EUR
RECOMMENDED

Resiplan SaaS

Continuous DORA/GRC automation: register, incidents, vendor risk, dashboards.

Best for: day-to-day compliance, audit-readiness, scaling across subsidiaries.
Try free 14 days →

Hybrid (Best Value)

Consulting to kick-off + Resiplan to sustain. Our most popular combo.

Best for: institutions wanting expert setup then autonomy.
Discuss your needs →

How Compliant Is Your Institution?

Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.

Get Your Free DORA Score Join Free Monthly Webinar