Scope: which systems fall under both
DORA applies to 20 categories of financial entity listed in Article 2 — credit institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers under MiCA, payment institutions, e-money institutions, central counterparties, central securities depositories, trade repositories, securitisation repositories, account information service providers, crowdfunding service providers, and ICT third-party service providers serving any of the above. Source: Regulation (EU) 2022/2554 (DORA).
The AI Act applies to any AI system placed on the EU market regardless of sector. Financial entities are not exempt. High-risk classification is triggered under Annex III, point 5(b) (creditworthiness assessment and credit scoring) and Annex III, point 5(c) (life and health insurance risk assessment and pricing). Source: Regulation (EU) 2024/1689 (AI Act).
An AI system used for credit decisions inside a bank is therefore inside both. The bank is a DORA financial entity and an AI Act deployer. The AI vendor is an AI Act provider and, under DORA, an ICT third-party service provider.
The three article-level overlaps Fontvera has mapped
Both regulations require the same general control to be implemented under different legal bases. Clearing an audit under one does not clear it under the other — the documentation has to satisfy both.
| AI Act | DORA | What is duplicated | Severity |
|---|---|---|---|
| Article 15 | Article 10 | Robustness, cybersecurity and the ability to detect anomalies. AI Act demands accuracy/robustness on the AI system; DORA demands detection of ICT incidents at the infrastructure layer. | Medium |
| Article 18 | Article 12 | Technical documentation and backup/recovery. AI Act requires 10-year retention of technical docs (Annex IV); DORA requires backup/restore policies tested annually. | Low |
| Article 19 | Article 17 | Event logging and incident records. AI Act mandates automatically generated logs retained ≥6 months; DORA requires structured ICT incident records and notification to competent authorities. | Low |
Treating these as redundant is the failure mode. The AI Act log retention floor (six months) does not satisfy DORA where national rules demand longer; DORA backup obligations do not satisfy AI Act technical documentation rules under Annex IV.
The two structural gaps neither regulation closes
Fontvera flags these as gaps because neither text resolves the boundary on its own:
- AI-specific model risk management for financial entities (severity: high). Neither regulation explicitly defines the integration of AI-specific model risk management — model drift detection, ongoing bias monitoring, performance degradation thresholds — into DORA's ICT risk framework. The AI Act stops at provider obligations under Article 9; DORA addresses ICT risk generically. A bank using a high-risk AI for credit scoring has no harmonised standard for what "ongoing model monitoring" looks like.
- Third-party AI providers serving financial entities (severity: medium). DORA Article 28 governs ICT third-party risk and requires contractual arrangements with key clauses. The AI Act puts conformity assessment, technical documentation and post-market monitoring on the provider. There is no clear mapping between the two — DORA contractual clauses can require things the AI Act does not address (e.g., right of audit on the model itself), and the AI Act provider duties extend beyond DORA's contractual minimum.
Penalty mismatch — and why the higher number wins
DORA does not set EU-wide fine ceilings. Member States set administrative penalties, and DORA Article 35 adds periodic penalty payments on ICT third-party providers up to 1% of average daily worldwide turnover per day of non-compliance, capped at six months. Source: DORA Article 35.
The AI Act sets fixed EU-wide ceilings under Article 99:
- Up to €35,000,000 or 7% of total worldwide annual turnover, whichever is higher, for prohibited practices under Article 5.
- Up to €15,000,000 or 3% of worldwide turnover for breach of provider, deployer, importer, distributor, authorised representative, notified body, or transparency obligations.
- Up to €7,500,000 or 1% for supplying incorrect information to authorities.
For an AI Act high-risk credit scoring system that fails conformity assessment, the AI Act ceiling is the binding number. DORA penalties stack on top under national law.
Real numbers Fontvera tracks
- 743 AI Act obligations across 42 sectors in the structured corpus.
- 430 DORA obligations across the financial sector.
- 5 AI Act ↔ DORA cross-references: 3 overlaps (low and medium severity) and 2 gaps (high and medium severity).
- 312,758 current regulatory documents from 130 sources — including ESMA, EBA, EIOPA, the AI Office, ENISA, and national supervisors — feed the cross-reference graph.
Which obligations come first when both apply
- AI Act conformity assessment under Article 43 — must be complete before the system is placed on the market or put into service. Fixed gate. No DORA equivalent.
- DORA ICT risk framework under Article 5 — must be in place before deploying any ICT system, including AI. Continuous obligation, not a one-time gate.
- DORA threat-led penetration testing under Article 26 — required at least every three years for significant entities. Where it covers a high-risk AI system, the test outcomes also feed AI Act Article 9 risk management.
- AI Act post-market monitoring under Article 72 — runs in parallel with DORA Article 17 incident reporting. Reports go to different authorities (market surveillance vs financial supervisor) on different timelines.
Authorities and reporting lines
DORA reporting goes to the financial entity's competent authority — typically the national central bank, securities regulator, or prudential authority — and to the European Supervisory Authorities (ESMA, EBA, EIOPA) where applicable. AI Act reporting goes to market surveillance authorities designated under Article 70 of the AI Act, plus the European AI Office for cross-border coordination. These are different bodies with different reporting templates and different deadlines (DORA: tight initial notification within hours; AI Act Article 73: serious incidents within 15 days).
What to do before 2 August 2026
If the same AI system is in production now and you are inside DORA scope, the work is mostly mapping, not new build:
- Reconcile your DORA Article 5 ICT risk framework against AI Act Article 9 risk management. They are not the same shape — model drift, bias and performance metrics need explicit owners that DORA does not name.
- Lock the log retention rule in writing. Where ePrivacy, GDPR Article 5 (storage limitation), AI Act Article 19 (≥6 months), and national DORA implementing rules pull in different directions, the longest justified retention wins.
- Draft your AI Act technical documentation under Annex IV with DORA Article 28 third-party clauses already mapped. The vendor will not deliver this twice for free.
- Run incident reporting drills under both regimes simultaneously. The window between AI Act Article 73 (15 days) and DORA Article 19 (initial within hours, intermediate, final) is where most teams currently fail audit walkthroughs.
Run your free AI Act compliance diagnostic
Five minutes. No login. Returns the exact AI Act classification (Prohibited / High-Risk Annex III / High-Risk Annex I / Limited-Risk / Minimal-Risk) plus the article list that applies.
Cross-regulatory data update
Auto-merged from the Fontvera archetype dataset on 2026-05-12. The sections below are extracted verbatim from the `obligations` and `obligation_crossrefs` tables; the page itself was last reviewed manually before this update.
Summary statistics
Overlaps: 3 · Conflicts: 0 · Gaps: 2
5 article-level crossrefs catalogued between AI Act and DORA from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| AI Act Art 19 | DORA Art 17 | overlap | low | [entity affected: Financial institutions providing high-risk AI systems] Both regulations require financial institutions to maintain and record logs of system events and incidents, with DORA specifying incident classification and AI Act specifying retention periods. |
| AI Act Art 15 | DORA Art 10 | overlap | medium | [entity affected: Financial institutions deploying high-risk AI systems] Both regulations mandate that systems (AI or ICT) be designed for robustness, cybersecurity, and the ability to detect anomalies or errors to ensure operational resilience. |
| AI Act Art 18 | DORA Art 12 | overlap | low | [entity affected: Financial institutions] Both regulations require financial institutions to maintain technical documentation and backup/recovery procedures as part of their compliance and risk management frameworks. |
| AI Act Art ? | DORA Art ? | gap | high | [entity affected: Financial entities using AI for critical functions] Neither regulation explicitly defines the integration of AI-specific model risk management (e.g., model drift, bias monitoring) into DORA's ICT risk framework. |
| AI Act Art ? | DORA Art ? | gap | medium | [entity affected: Third-party AI providers serving financial entities] DORA focuses on financial entities' resilience, while AI Act focuses on providers; there is a gap in clear contractual obligation |
Overlaps explained
No conflict-type crossrefs were catalogued for this pair, but the 3 overlaps below mean a single control can be designed to satisfy both regulations at once. Plan the controls jointly to avoid duplicate effort:
- AI Act Art 15 vs DORA Art 10 (medium severity) — [entity affected: Financial institutions deploying high-risk AI systems] Both regulations mandate that systems (AI or ICT) be designed for robustness, cybersecurity, and the ability to detect anomalies or errors to ensure operational resilience.
- AI Act Art 19 vs DORA Art 17 (low severity) — [entity affected: Financial institutions providing high-risk AI systems] Both regulations require financial institutions to maintain and record logs of system events and incidents, with DORA specifying incident classification and AI Act specifying retention periods.
- AI Act Art 18 vs DORA Art 12 (low severity) — [entity affected: Financial institutions] Both regulations require financial institutions to maintain technical documentation and backup/recovery procedures as part of their compliance and risk management frameworks.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between the AI Act and DORA. In practice three resolution approaches apply:
- Lex specialis: the more specific provision wins when both purport to govern the same conduct.
- Regulator guidance: EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles; check the most recent applicable opinion.
- Document the choice: when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence.
Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.