Cross-regulatory comparison

DORA vs AI Act: What Companies Subject to Both Regulations Must Know

Side-by-side comparison of scope, obligations, penalties, and timelines. Based on 306,000+ regulatory documents.

Side-by-side comparison

| Dimension | DORA | AI Act |
| --- | --- | --- |
| Scope | Financial entities and ICT third-party providers | AI systems in the EU market |
| Penalties | Administrative penalties per national law + periodic penalty payments | Up to EUR 35M or 7% global turnover |
| Timeline | In force since January 17, 2025 | Full enforcement August 2, 2026 |

Where they overlap

AI systems in financial services must comply with both. DORA's ICT risk management applies to AI infrastructure. Algorithmic trading AI falls under both. Third-party AI providers to banks need to comply with both DORA and the AI Act.

Which takes priority

DORA takes priority for operational resilience and ICT risk. The AI Act takes priority for AI-specific obligations (conformity, transparency, human oversight). Both apply to AI-powered financial services.

Practical advice

Companies subject to both DORA and the AI Act should:

  • Map which AI systems fall under each regulation's scope
  • Identify where requirements overlap and can be fulfilled jointly (e.g., risk assessments, documentation)
  • Designate a single compliance lead who understands both frameworks
  • Use the stricter standard where both apply to the same obligation
  • Build a unified compliance timeline working backward from August 2, 2026