Side-by-side
| Dimension | AI Act | DORA |
|---|---|---|
| Addressee | Provider, deployer, importer, distributor of AI in the EU. | Financial entities and their ICT third-party providers. |
| Trigger | High-risk AI system under Article 6 (Annex I or Annex III) or a GPAI model (Chapter V); Article 5 prohibitions and Article 50 transparency duties apply irrespective of risk class. | Entity is a financial entity listed in DORA Article 2, or an ICT third-party provider serving one. |
| Substantive controls | Articles 9–15 high-risk requirements (risk management, data governance, documentation, logging, transparency, human oversight, accuracy/robustness/cybersecurity); Article 26 deployer duties; Article 27 FRIA for deployers of Annex III point 5(b)/(c) systems (credit scoring; life and health insurance risk assessment and pricing). | Article 6 ICT risk-management framework; Articles 28–30 ICT third-party risk (principles, register of information, key contractual provisions); Articles 24–26 digital operational resilience testing, including TLPT under Article 26. |
| Incident reporting | Serious incident (Art 3(49)) reported by the provider to the market surveillance authority (Art 73): immediately once a causal link is established and no later than 15 days after awareness; 2 days for a widespread infringement or serious disruption of critical infrastructure; 10 days for a death. Deployers must first inform the provider (Art 26(5)). | Major ICT-related incident (Art 19 and the incident-reporting RTS): initial notification within 4 hours of classification as major and no later than 24 hours after awareness; intermediate report within 72 hours of the initial notification; final report within one month of the latest intermediate report. |
| Maximum fine | EUR 35M or 7% of worldwide annual turnover, whichever is higher, for Article 5 violations; EUR 15M or 3% for high-risk and most other obligations (Art 99). | Administrative penalties set and applied by national competent authorities (Art 50); for CTPPs, periodic penalty payments by the Lead Overseer of up to 1% of average daily worldwide turnover, for at most six months (Art 35(6)). |
| Live since | 2 February 2025 (Art 5 prohibitions, AI literacy); 2 August 2025 (GPAI, governance); 2 August 2026 (Annex III high-risk and most other provisions); 2 August 2027 (Annex I high-risk). | 17 January 2025. |
The ICT third-party hinge
In practice almost every financial-services AI deployment is an ICT third-party arrangement: the model is served from the vendor's infrastructure or licensed as software the entity does not control. DORA Article 28 governs the financial entity's relationship with the AI vendor:
- The arrangement must be recorded in the DORA register of information (Article 28(3)), flagged where the AI service supports a critical or important function; that flag is what triggers the enhanced contract terms of Article 30(3) and the exit-strategy duty of Article 28(8).
- The contract must contain the Article 30(2) minima (complete description of functions and services, whether and on what conditions subcontracting is permitted, locations of service provision and data processing, data-protection provisions, access/recovery/return of data on termination or insolvency, service-level descriptions, incident assistance, cooperation with competent authorities, termination rights) and, for critical or important functions, the Article 30(3) additions: quantitative service-level targets, notice periods and reporting duties, participation in TLPT, unrestricted access, inspection and audit rights, and exit strategies.
- The entity's pre-contractual due diligence (Article 28(4)) covers the AI vendor's resilience. The AI Act provider's Article 13 instructions for use and the Annex IV technical documentation are the natural inputs, but Annex IV documentation is drawn up for authorities and is not automatically owed to deployers: write the right to receive it, and its updates, into the Article 30 contract.
- For AI services supporting critical or important functions, the exit strategy (Article 28(8)) must address how the entity would replace the AI provider, including ownership of and access to model artifacts, training and fine-tuning data, evaluation results, and the Article 12 logs the deployer has to retain under Article 26(6).
Critical ICT third-party providers
DORA Article 31 lets the ESAs designate an ICT TPP as critical to the EU financial system. A CTPP is then overseen directly by a Lead Overseer: the one of the EBA, EIOPA or ESMA whose sector's entities hold the largest share of assets among the provider's financial-entity customers. For AI providers, designation triggers:
- Direct oversight of the provider, in addition to the financial entities that consume it.
- Annual oversight plan, on-site inspections, recommendations.
- Periodic penalty payments under Article 35(6) where the provider does not comply with the Lead Overseer's recommendations.
- The AI Act provider obligations remain — DORA does not displace them; it adds a parallel oversight layer for the largest providers.
Where they overlap on operational resilience
- DORA Article 6 ICT risk-management framework ↔ AI Act Article 9 risk-management system: both demand a documented, continuously updated, lifecycle process rather than a point-in-time assessment.
- DORA Articles 24–26 digital operational resilience testing (including TLPT) ↔ AI Act Article 15 accuracy, robustness and cybersecurity: adversarial testing of a deployed model can serve as evidence under both.
- DORA Article 19 major-incident reporting ↔ AI Act Article 73 serious-incident reporting. The DORA classification criteria (Article 18 and its RTS: clients and transactions affected, duration, geographic spread, data losses, criticality of services, economic impact) are different from the AI Act definition in Article 3(49) (death or serious harm to health, serious and irreversible disruption of critical infrastructure, infringement of fundamental-rights obligations, serious harm to property or the environment); one event can satisfy either, both, or neither, so both must be assessed, each on its own clock.
Practical compliance for a bank or insurer
- Build one master AI vendor onboarding pack that covers DORA Article 30 contractual minima and AI Act Article 13/Annex IV documentation in one file.
- Align the DORA register of information with your inventory of high-risk AI systems and their providers: the same vendor appears in both, with cross-references, so that the Article 28(4) due-diligence file and the Article 26 deployer file cite the same evidence.
- Pre-incident: decide which of the three reporting channels (DORA Article 19, AI Act Article 73, GDPR Article 33) each likely event would trigger, noting that each has its own clock start (DORA: classification as major, capped at 24 hours from awareness; AI Act: awareness, once a causal link is established; GDPR: awareness), and pre-write the incident classifications and report templates.
- For Article 27 FRIAs on Annex III point 5(b) and (c) systems (credit scoring; life and health insurance risk assessment and pricing), reuse the DORA Articles 24–26 testing evidence for the technical-soundness section.
- Watch for CTPP designations of the AI providers you depend on. Designation does not change your own Article 28 duties, but it adds a supervisory lever over you: under Article 42(6) your competent authority can require you to suspend or terminate use of a CTPP that ignores the Lead Overseer's recommendations, so the Article 28(8) exit strategy has to be executable, not just written.
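As an added example (not from the original page, nor any regulator's tooling) of the "pre-write the incident classifications" step, the Python below turns the three reporting clocks from the side-by-side table into a deadline schedule for one incident. The deadlines follow the table, AI Act Article 73(2)–(4) and GDPR Article 33; the DORA 24-hour-from-awareness cap on the initial notification and the "one month from the intermediate report" rule come from DORA's incident-reporting RTS. The `Incident` fields, the scenario timestamps, the single-intermediate-report assumption and the calendar-month reading of "one month" are constructed for this example and should be checked against your own compliance team's counting conventions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
import calendar


@dataclass
class Incident:
    """Facts the incident handler records; field names are constructed for this example."""
    aware_at: datetime                              # when the financial entity became aware
    dora_major: bool = False                        # classified as major under DORA Art 18
    dora_classified_at: Optional[datetime] = None   # when that classification was made
    ai_serious: bool = False                        # meets AI Act Art 3(49) 'serious incident'
    ai_death: bool = False                          # Art 73(4): death of a person
    ai_widespread_or_critical_infra: bool = False   # Art 73(3): widespread infringement / CI
    personal_data_breach: bool = False              # GDPR Art 33 applies


def add_one_month(t: datetime) -> datetime:
    """Calendar-month addition with day clamping (31 Jan -> 28/29 Feb).
    Assumption: DORA's 'one month' is read as a calendar month."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def notification_deadlines(inc: Incident) -> Dict[str, datetime]:
    """Latest permissible submission time per reporting channel that the incident triggers."""
    due: Dict[str, datetime] = {}

    if inc.dora_major:
        classified = inc.dora_classified_at or inc.aware_at
        # 4 h from classification as major, but never later than 24 h from awareness
        # (DORA incident-reporting RTS); late classification does not buy time.
        initial = min(classified + timedelta(hours=4), inc.aware_at + timedelta(hours=24))
        intermediate = initial + timedelta(hours=72)   # 72 h from the initial notification
        due["DORA Art 19 initial notification"] = initial
        due["DORA Art 19 intermediate report"] = intermediate
        # One month from the latest intermediate report; one intermediate report is assumed.
        due["DORA Art 19 final report"] = add_one_month(intermediate)

    if inc.ai_serious:
        days = 15                                   # Art 73(2) default
        if inc.ai_death:
            days = min(days, 10)                    # Art 73(4)
        if inc.ai_widespread_or_critical_infra:
            days = min(days, 2)                     # Art 73(3); strictest limb wins
        due["AI Act Art 73 serious-incident report"] = inc.aware_at + timedelta(days=days)

    if inc.personal_data_breach:
        due["GDPR Art 33 supervisory-authority notification"] = inc.aware_at + timedelta(hours=72)

    return due


def next_due(due: Dict[str, datetime]) -> Optional[Tuple[str, datetime]]:
    """The channel whose clock runs out first; None if nothing is reportable."""
    if not due:
        return None
    channel = min(due, key=due.__getitem__)
    return channel, due[channel]


# Constructed scenario: a vendor-hosted credit-scoring model degrades; the bank becomes
# aware on 3 March, classifies the incident as major 21 hours later, and the event also
# involves a personal-data breach.
EXAMPLE = Incident(
    aware_at=datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc),
    dora_major=True,
    dora_classified_at=datetime(2025, 3, 4, 6, 0, tzinfo=timezone.utc),
    ai_serious=True,
    personal_data_breach=True,
)

if __name__ == "__main__":
    for channel, when in sorted(notification_deadlines(EXAMPLE).items(), key=lambda kv: kv[1]):
        print(f"{when:%Y-%m-%d %H:%M} UTC  {channel}")
```

In the constructed scenario the 24-hour cap, not the 4-hour limb, fixes the DORA initial notification, which is the point of recording the classification time as evidence: the time you spent deciding whether the incident was major is counted against you. The AI Act clock, by contrast, runs from awareness and only becomes reportable once a causal link to the AI system is established, so the two assessments have to be run in parallel rather than in sequence.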