EU AI Act vs DORA

The EU AI Act and DORA (the Digital Operational Resilience Act — Regulation (EU) 2022/2554) are the two binding EU regulations most relevant to AI programs in EU financial services. They are separate Regulations of equal legal status, operating on different objects: DORA addresses ICT risk management for in-scope financial entities; the EU AI Act addresses AI systems placed on the market, put into service, or used in the Union.

This page compares the two and shows how to run one integrated compliance program for AI in EU financial services.

Quick decision

  • In-scope EU financial entity (per DORA Art 2 — credit institutions, payment institutions, investment firms, insurers, etc.) using AI → manage ICT risk under DORA. EU AI Act obligations apply separately if the AI system and the entity's role fall within AI Act scope (provider / deployer of high-risk AI / GPAI / limited-risk; placing on market / putting into service / using in the Union).
  • ICT service provider to in-scope EU financial entities → expect contractual flow-down requirements under DORA Arts 28–30. Direct EU-level oversight under DORA Arts 31–44 applies only if designated as a critical ICT TPP by the European Supervisory Authorities under Art 31.
  • Non-financial-entity firm deploying AI in the EU for its own use → EU AI Act applies if AI Act scope criteria are met (Art 2). DORA does not apply to your own deployment. But: if you provide AI or ICT services to in-scope financial entities, you may be an ICT third-party service provider under DORA Art 2(1)(u) and face DORA flow-down obligations via Arts 28–30 — and direct ESA oversight under Arts 31–44 if designated critical.
  • Building AI for in-scope financial-entity clients → DORA flow-through via Arts 28–30 contractual clauses. This is not a direct DORA obligation on you unless you are designated as a critical ICT TPP under Art 31.

TL;DR

  • EU AI Act (Regulation (EU) 2024/1689) is a horizontal (sector-agnostic) product regulation for AI systems placed on or used in the EU market. Entered into force 1 August 2024; staggered application per Art 113.
  • DORA (Regulation (EU) 2022/2554) is a vertical (financial-services-specific) regulation for ICT risk management. Adopted 14 December 2022; published in the OJ on 27 December 2022; entered into force 16 January 2023; applies from 17 January 2025 (per DORA Art 64).
  • The two are not equivalent and not substitutes. They operate in parallel for AI used by in-scope financial entities and share operational themes (ICT risk, third-party risk, incident reporting) without sharing legal triggers, competent authorities, or timelines.
  • DORA's scope is gated by Art 2 (specific financial entities + ICT third-party service providers that contract with them); the EU AI Act's scope is gated by Art 2 (AI systems placed on market / put into service / used in the Union, regardless of sector).
  • Consequence: in-scope financial entities deploying AI face two regimes at the same time. Build one integrated program — but track each regime's obligations separately, because the legal triggers, authorities, and remedies do not merge.

Side-by-side comparison

Dimension | EU AI Act | DORA
Publisher | European Parliament and Council | European Parliament and Council
Regulation | (EU) 2024/1689 | (EU) 2022/2554
Entered into force | 1 August 2024 | 16 January 2023
Applies from | Staggered per Art 113 (Art 5 from 2 February 2025; most other provisions later in 2025–2027) | 17 January 2025
Type | Horizontal product regulation (AI systems) | Vertical sectoral regulation (ICT risk for financial entities)
Scope | Art 2 — AI placed on the market, put into service, or output used in the Union; extraterritorial | Art 2 — listed financial entities + ICT third-party service providers contracting with them; extraterritorial via TPP designation
Regulated subject | AI systems + GPAI models | ICT risk in financial-entity operations + ICT third-party arrangements
Primary roles | Provider, deployer, importer, distributor; GPAI model provider | Financial entity (Art 2 list); ICT third-party service provider; "critical ICT TPP" (designated under Art 31)
Risk approach | Risk-tiered (prohibited under Art 5 / high-risk under Art 6 / GPAI under Arts 51–56 / limited-risk transparency under Art 50 / minimal-risk default) | Continuous ICT risk management framework (Chapter II, Arts 5–16)
Documentation | Technical documentation (Art 11 + Annex IV), QMS (Art 17) | ICT risk management framework documentation (within Art 6); register of information for ICT third-party contractual arrangements (Art 28(3), supported by Implementing Regulation 2024/2956)
Incident reporting | Art 73 — serious-incident reporting for high-risk AI to market surveillance authorities | Arts 17–23 — major ICT-related incident reporting to financial-sector competent authorities
Third-party risk | Art 25 — value-chain responsibilities for AI providers | Arts 28–30 — contractual flow-down requirements for financial entities; Arts 31–44 — direct EU-level oversight of designated critical ICT TPPs
Penalties | Art 99 — up to 7% of worldwide annual turnover or €35M (whichever higher) for Art 5 infringements; smaller tiers for other infringements | National competent authorities set penalties; severe administrative measures including periodic penalty payments for ICT TPP oversight non-compliance
Enforcement authority | National competent authorities + European AI Office (GPAI) | National financial-sector authorities; European Supervisory Authorities (EBA, ESMA, EIOPA) for critical ICT TPP oversight

How EU AI Act and DORA map onto each other

The two Regulations overlap operationally on ICT risk, third-party risk, and incident reporting. The overlap is operational, not legal substitution — each Regulation maintains its own legal trigger, authority, and remedy. The mapping below shows where an in-scope financial entity's compliance work touches both Regulations:

Topic | EU AI Act | DORA | Notes
Risk management | Art 9 (risk management system, high-risk AI) | Chapter II Arts 5–16 (ICT risk management framework; Art 16 is the simplified framework for smaller in-scope entities) | Different objects (AI-system risk vs ICT risk); methodologies can share infrastructure
Third-party risk (contractual) | Art 25 (value-chain responsibilities — role-neutral, covering providers and other actors in the AI value chain) | Arts 28–30 (financial-entity contractual requirements for ICT third-party arrangements) | DORA imposes specific contractual clauses; AI Act flows responsibilities along the AI value chain
Third-party risk (direct EU-level) | (no direct equivalent) | Arts 31–44 — direct ESA oversight of designated critical ICT TPPs (designation by ESAs under Art 31) | Applies only to TPPs that receive a critical designation; not automatic for all ICT providers
Incident reporting | Art 73 — serious incidents for high-risk AI to market surveillance authorities | Arts 17–23 — major ICT-related incidents to financial-sector competent authorities | Separate regimes: different thresholds, different authorities, different timelines — coordinate but do not equate
Technical documentation | Art 11 + Annex IV (high-risk AI) | Register of information for ICT third-party contractual arrangements (Art 28(3), supported by Implementing Regulation 2024/2956) + digital operational resilience strategy within Art 6 | Different artefacts addressing different audiences
Resilience testing | (no direct equivalent) | Arts 24–27 — digital operational resilience testing (including TLPT for identified financial entities) | DORA-specific; no AI Act equivalent

When to choose which

For in-scope financial entities, both Regulations apply concurrently — there is no "choose one." The question is which obligations sit closer to your team's effort:

Where EU AI Act is your dominant focus

  • You are a provider placing a high-risk AI system on the EU market.
  • You are doing AI-Act conformity assessment, CE marking, or scoping GPAI obligations.
  • You are running AI literacy training under Art 4.

Where DORA is your dominant focus

  • You are running an ICT risk management framework under DORA Chapter II.
  • You are reviewing or executing ICT third-party contracts under Arts 28–30.
  • You are preparing for digital operational resilience testing under Arts 24–27 (including TLPT for identified financial entities).

When you need both in lockstep

  • High-risk AI systems used by in-scope financial entities — both regimes apply.
  • AI-related incident response — separate notification regimes under DORA Arts 17–23 and EU AI Act Art 73, often triggered by the same underlying event.
  • AI-vendor onboarding for in-scope financial-entity clients — DORA contractual flow-down clauses (Arts 28–30) plus AI Act value-chain considerations (Art 25).

Where they overlap

Both Regulations expect operational resilience as an outcome, third-party risk management as a discipline, and incident reporting as an obligation — but the operational overlap masks legal divergence:

  • Risk frameworks coexist. DORA's ICT risk framework (Chapter II, Arts 5–16) and the EU AI Act's high-risk AI RMS (Art 9) can share underlying risk-identification and risk-treatment infrastructure inside an organisation. The legal scope of each remains separate: DORA scopes to ICT systems supporting financial-entity operations; the AI Act scopes to the AI system.
  • Third-party governance is shared but stratified. DORA Arts 28–30 set the contractual baseline for financial entities engaging ICT providers. Arts 31–44 add direct EU-level oversight only if the TPP is designated critical. EU AI Act Art 25 (value-chain responsibilities, role-neutral) sits on top for the AI value chain.
  • Incident reporting is the most consequential non-overlap. Both regimes require reporting, but to different authorities on different timelines with different thresholds. A serious incident under EU AI Act Art 73 and a major ICT-related incident under DORA Art 19 may both be triggered by the same event — but neither filing extinguishes the other. Build one incident-detection pipeline; route two notifications.
  • Documentation is parallel. AI Act Art 11 + Annex IV technical documentation, DORA Art 6 ICT risk management framework documentation, and DORA Art 28(3) register of information for ICT TPP contractual arrangements all need to exist; they describe different things and serve different audiences.

What this looks like in Modulos

Most in-scope financial entities build one integrated compliance pipeline that satisfies both regimes — with separate evidence anchors per Regulation.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. References to the EU AI Act (Regulation (EU) 2024/1689) and DORA (Regulation (EU) 2022/2554) reflect publicly available text at the time of writing; consult official EUR-Lex sources and qualified legal counsel for binding interpretation in your jurisdiction.