DORA + EU AI Act: The Double Compliance Obligation for Financial Institutions
If your institution is DORA-compliant — or working toward it — you likely already have AI systems in scope for the EU AI Act. Credit scoring models, fraud detection engines, algorithmic trading systems, and customer-facing chatbots all qualify as high-risk AI under Annex III of the AI Act. Managing these two regulatory obligations as separate workstreams is a costly mistake.
This article maps where DORA and the AI Act converge, and shows how a single compliance programme can satisfy both.
Who faces both obligations?
Any EU financial entity that:
- Develops or deploys AI systems (provider or deployer role under AI Act Art. 3)
- Uses those AI systems as part of ICT infrastructure subject to DORA
This covers credit institutions, payment institutions, investment firms, insurance undertakings, and crypto-asset service providers — the full DORA scope — whenever they use AI in regulated activities.
Where DORA and AI Act requirements overlap
Risk management
DORA Art. 5–16 requires an ICT risk management framework: identification, protection, detection, response, recovery. AI Act Art. 9 requires a risk management system for high-risk AI: identification, estimation, evaluation, and mitigation of risks throughout the AI lifecycle.
Dual-mapping approach: Extend your existing DORA ICT risk register to include AI-specific risk dimensions (accuracy, robustness, bias, fundamental rights). A single risk governance process can satisfy both requirements.
Incident reporting
DORA Art. 19–23: major ICT-related incidents must be reported to the competent authority within 4h (initial notification), 72h (intermediate report), and 1 month (final report). AI Act Art. 73: providers of high-risk AI systems must report serious incidents to the market surveillance authorities without undue delay.
Dual-mapping approach: A single incident classification decision tree can determine whether an incident triggers DORA reporting, AI Act reporting, or both simultaneously. Build this into your existing DORA incident management workflow.
Third-party and supply chain
DORA Art. 28–44: comprehensive third-party ICT risk management, contractual requirements, concentration risk monitoring. AI Act: deployers must verify that AI systems they procure have completed conformity assessment (CE marking) and are accompanied by the required technical documentation.
Dual-mapping approach: Add AI Act conformity verification to your existing DORA third-party ICT due diligence questionnaire. One vendor questionnaire, two compliance requirements satisfied.
The 2027 deadline you cannot miss
DORA has applied since 17 January 2025. The AI Act's prohibited-practices provisions have applied since 2 February 2025. But the critical deadline for financial AI systems is 2 December 2027 — when Annex III high-risk AI systems (including credit scoring, fraud detection, and biometric verification) must be fully compliant: conformity assessment complete, quality management system (QMS) in place, technical documentation filed, and registration in the EU database done.
A realistic compliance programme for a single high-risk AI system takes 12–24 months. Institutions that have not started their AI Act gap analysis in 2026 will not be ready by 2027.
Practical starting point
- AI inventory — catalogue every AI system touching regulated activities. Map each to Annex III categories.
- Risk register extension — add AI Act risk dimensions to your existing DORA ICT risk register.
- Incident procedure update — add dual-threshold assessment (DORA + AI Act Art. 73) to your incident classification tree.
- Third-party questionnaire update — add AI Act conformity verification to your DORA vendor questionnaire.
- Gap analysis — assess each high-risk AI system against Art. 9–17 AI Act requirements.
For detailed AI Act compliance guidance — deadlines, obligations by system type, GPAI rules — see our sister site regulation-ai.eu, including the dedicated AI Act × DORA convergence guide.
This article is analytical guidance for compliance and legal teams, not legal advice. References: EU AI Act (Regulation 2024/1689), DORA (Regulation 2022/2554), Digital Omnibus 2026.