DORA Meets the AI Act: Dual Compliance for Financial Institutions Using AI

Two of the European Union's most significant regulatory initiatives are converging on the financial sector simultaneously. DORA (Regulation (EU) 2022/2554) governs the operational resilience of financial institutions' ICT infrastructure. The AI Act (Regulation (EU) 2024/1689) governs the development and deployment of artificial intelligence systems. Financial institutions that deploy AI — which is to say, virtually all of them — must comply with both.
Jones Day's analysis of BaFin's January 2026 guidance on AI in financial services, combined with FinTech Global's assessment of AI compliance trends across European finance, reveals that the intersection is more nuanced than regulators initially anticipated. The same AI system can be simultaneously an "ICT service" under DORA and a "high-risk AI system" under the AI Act, creating overlapping — and sometimes conflicting — regulatory requirements.
The Overlap: Where DORA and the AI Act Intersect
The intersection occurs wherever a financial institution deploys AI for functions that are both operationally critical (DORA scope) and high-risk under the AI Act's classification system.
| AI Application | DORA Classification | AI Act Classification | Dual Compliance Required |
|---|---|---|---|
| Credit scoring / creditworthiness | Critical ICT service (affects lending decisions) | High-risk (Annex III, 5(b)) | Yes — full scope |
| Fraud detection | Critical ICT service (payment security) | Not high-risk (unless biometric) | Partial — DORA dominant |
| AML/KYC screening | Critical ICT service (regulatory function) | High-risk (Annex III, 5(b)) | Yes — full scope |
| Algorithmic trading | Critical ICT service (market function) | Not explicitly classified | Partial — DORA dominant |
| Customer chatbots | Non-critical ICT service | Limited risk (transparency) | Minimal overlap |
| Internal risk models | Critical ICT service (risk management) | Not high-risk (internal tools) | Partial — DORA dominant |
| Cyber threat detection | Critical ICT service (security function) | Not classified | Partial — DORA dominant |
The highest-impact intersection is in credit scoring and AML/KYC screening, where both regulations apply at full strength. These AI systems make decisions that affect individuals' access to financial services (AI Act concern) while simultaneously performing critical ICT functions whose failure would disrupt the institution's operations (DORA concern).
BaFin's AI Guidance: The German Supervisory View
BaFin's January 2026 guidance on AI in financial services is the most detailed national supervisory guidance published to date on the DORA-AI Act intersection. Jones Day's analysis highlights several key positions:
AI as ICT Under DORA
BaFin explicitly classifies AI systems as ICT systems under DORA. This means that AI systems are subject to:
- Articles 5-6 ICT risk management framework requirements
- Article 7 ICT systems management and lifecycle requirements
- Article 9 ICT security policies and procedures
- Article 11 business continuity requirements (the AI system must have a BCP)
- Articles 24-25 resilience testing requirements
This classification has a practical consequence that many institutions have not considered: your AI models must be tested for resilience, not just accuracy. A credit scoring model that achieves 99% accuracy but crashes under load is a DORA compliance failure, even if it meets the AI Act's accuracy and fairness requirements.
The Governance Overlap
Both DORA and the AI Act require governance structures, but they look at governance from different angles:
BaFin recommends an integrated governance approach: rather than creating separate DORA ICT governance and AI Act AI governance structures, financial institutions should establish a unified governance framework that addresses both sets of requirements.
Testing Requirements: The Double Standard
DORA requires resilience testing of ICT systems. The AI Act requires conformity assessment of high-risk AI systems. For a credit scoring AI system, both requirements apply, but they test different things:
| Testing Dimension | DORA Requirement | AI Act Requirement | Integrated Approach |
|---|---|---|---|
| Availability | System must recover within RTO | Not explicitly addressed | Include in DORA testing |
| Accuracy | Not explicitly addressed | Model accuracy validation (Art. 9) | Include in AI Act conformity |
| Fairness/bias | Not addressed | Non-discrimination (Art. 10) | Include in AI Act conformity |
| Robustness | Resilience under stress (Art. 24) | Robustness and cybersecurity (Art. 15) | Combined resilience + robustness testing |
| Explainability | Not addressed | Transparency (Art. 13) | Include in AI Act conformity |
| Failover | Backup/recovery testing (Art. 12) | Not explicitly addressed | Include in DORA testing |
The testing overlap creates an opportunity for efficiency: a single test programme can address both DORA resilience requirements and AI Act conformity requirements, provided it covers all dimensions from both regulations.
The Incident Reporting Complexity
When an AI system fails in a financial institution, the incident potentially triggers reporting obligations under both DORA and the AI Act.
DORA Incident Reporting
Under DORA Article 19, a failure of a critical AI system (e.g., credit scoring going offline, fraud detection producing false results at scale) triggers the major incident reporting process. The 4-hour initial notification, 72-hour intermediate report, and 1-month final report apply.
AI Act Incident Reporting
The AI Act requires providers and deployers of high-risk AI systems to report "serious incidents" — defined as incidents that result in death, serious damage to health, serious and irreversible disruption of public services, or harm to fundamental rights. For financial services, a credit scoring system that systematically denies credit to a protected group could constitute a "serious incident" under the AI Act.
The Timing Problem
The two reporting regimes have different timelines and different authorities:
Financial institutions need a unified incident response process that triggers all applicable notifications from a single incident classification decision. Managing three separate reporting workflows (DORA, the AI Act and, where personal data is involved, GDPR) in the chaos of an AI system failure is operationally unrealistic.
Practical Dual-Compliance Framework
Based on BaFin's guidance and FinTech Global's industry analysis, the following framework addresses the DORA-AI Act intersection:
Step 1: AI System Inventory with Dual Classification
Create a comprehensive inventory of all AI systems, classifying each under both DORA (critical/non-critical ICT) and the AI Act (high-risk/limited-risk/minimal-risk). The systems that fall into both "critical ICT" under DORA and "high-risk" under the AI Act are the priority for dual compliance efforts.
Step 2: Integrated Governance Structure
Establish a governance structure that satisfies both DORA's Article 5 management body oversight requirement and the AI Act's risk management and quality management requirements. A single AI-ICT governance committee with terms of reference covering both regulations is more effective than separate structures.
Step 3: Combined Testing Programme
Design a testing programme that covers both DORA resilience testing (Articles 24-25) and AI Act conformity assessment. For high-risk AI systems that are also critical ICT:
- Test resilience: availability, failover, recovery
- Test accuracy: model performance validation
- Test fairness: bias detection and mitigation
- Test robustness: adversarial input testing, data poisoning scenarios
- Test explainability: output interpretation validation
Step 4: Unified Incident Response
Build a single incident classification and reporting process that evaluates each AI system incident against DORA's major incident criteria, the AI Act's serious incident criteria, and GDPR's personal data breach criteria. A single classification triggers all applicable notifications.
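To make Step 4 concrete, and to show how the dual classification from Step 1 feeds it, the following Python example is added here; it is not code from the original article, from BaFin's guidance or from Jones Day. It takes one incident record carrying the system's DORA and AI Act classification plus the observed impact, makes a single classification decision against DORA major incident, AI Act serious incident and GDPR personal data breach criteria as the article describes them, and fans that decision out into a deadline schedule. The record fields, the criteria thresholds and the reading of "1 month" as 30 days are assumptions; the DORA 4-hour/72-hour/1-month deadlines come from the article, the AI Act "without delay" from the article's summary, and the GDPR 72-hour figure from GDPR Article 33, which the article does not itself state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class AIIncident:
    """Hypothetical incident record (field names are assumptions, not from the article)."""
    system_name: str
    dora_critical: bool            # Step 1 inventory: critical ICT service under DORA
    ai_act_high_risk: bool         # Step 1 inventory: high-risk AI system under the AI Act
    service_disrupted: bool        # system offline or producing wrong results at scale
    fundamental_rights_harm: bool  # e.g. systematic denial of credit to a protected group
    personal_data_breached: bool   # personal data confidentiality/integrity/availability affected
    classified_at: datetime        # the single classification decision that starts every clock


def classify(incident: AIIncident) -> Dict[str, bool]:
    """One classification decision evaluated against all three regimes.

    The criteria are simplified assumptions that mirror the article's examples:
    DORA cares about disruption of a critical ICT service, the AI Act about harm to
    fundamental rights from a high-risk system, GDPR about personal data breaches.
    """
    return {
        "DORA_major_incident": incident.dora_critical and incident.service_disrupted,
        "AI_Act_serious_incident": incident.ai_act_high_risk and incident.fundamental_rights_harm,
        "GDPR_personal_data_breach": incident.personal_data_breached,
    }


def notification_schedule(incident: AIIncident) -> List[Tuple[str, str, datetime]]:
    """Fan the classification out into (regime, report, deadline) entries, earliest first."""
    regimes = classify(incident)
    t0 = incident.classified_at
    schedule: List[Tuple[str, str, datetime]] = []
    if regimes["DORA_major_incident"]:
        schedule += [
            ("DORA", "initial notification", t0 + timedelta(hours=4)),
            ("DORA", "intermediate report", t0 + timedelta(hours=72)),
            # "1 month" is approximated as 30 days here (assumption)
            ("DORA", "final report", t0 + timedelta(days=30)),
        ]
    if regimes["AI_Act_serious_incident"]:
        # the article's summary gives the AI Act timeline as "without delay": no slack added
        schedule.append(("AI Act", "serious incident report (without delay)", t0))
    if regimes["GDPR_personal_data_breach"]:
        # 72 hours from awareness is GDPR Art. 33(1); not stated in the article
        schedule.append(("GDPR", "supervisory authority notification", t0 + timedelta(hours=72)))
    return sorted(schedule, key=lambda entry: entry[2])


# Constructed sample incidents (not real events): a credit scoring model that went
# offline and, on recovery, systematically rejected a protected group; and a
# customer chatbot outage that touches no critical service and no personal data.
SAMPLE_TIME = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
CREDIT_SCORING_INCIDENT = AIIncident(
    system_name="credit-scoring-model (constructed)",
    dora_critical=True, ai_act_high_risk=True,
    service_disrupted=True, fundamental_rights_harm=True,
    personal_data_breached=False, classified_at=SAMPLE_TIME,
)
CHATBOT_INCIDENT = AIIncident(
    system_name="customer-chatbot (constructed)",
    dora_critical=False, ai_act_high_risk=False,
    service_disrupted=True, fundamental_rights_harm=False,
    personal_data_breached=False, classified_at=SAMPLE_TIME,
)

if __name__ == "__main__":
    for inc in (CREDIT_SCORING_INCIDENT, CHATBOT_INCIDENT):
        print(inc.system_name, classify(inc))
        for regime, report, deadline in notification_schedule(inc):
            print(f"  {deadline.isoformat()}  {regime}: {report}")
```

The point of keeping `classify` and `notification_schedule` separate is that the classification is made once and recorded once; every downstream notification is derived from that record, so the DORA, AI Act and GDPR clocks cannot drift apart because three teams read the same incident differently.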
Step 5: Third-Party AI Provider Governance
Many financial institutions use third-party AI services (vendor credit scoring models, cloud-based fraud detection, external AML screening). These providers are simultaneously ICT third parties under DORA Article 28 and AI providers under the AI Act. Due diligence must cover both dimensions.
| Third-Party Assessment Area | DORA Requirement | AI Act Requirement | Integrated Assessment |
|---|---|---|---|
| Service availability | SLA, BCP, exit strategy | Not explicit | DORA assessment covers |
| Model performance | Not explicit | Accuracy, bias, drift monitoring | AI Act assessment covers |
| Data governance | Data protection, security | Training data quality, representativeness | Combined data governance review |
| Transparency | Contractual provisions (Art. 30) | Technical documentation (Art. 11) | Joint documentation request |
| Change management | Notification of material changes | Model update procedures | Combined change notification |
The Road Ahead: Regulatory Coordination
The European Commission has acknowledged the overlap between DORA and the AI Act and has committed to issuing guidance on the interplay. The EBA and the AI Office are expected to publish joint FAQ documents addressing the most common intersection points.
Until that guidance is published, financial institutions must navigate the intersection using the principles of regulatory coherence: where both regulations address the same risk, comply with the stricter requirement. Where they address different risks, comply with both.
ESMA has included AI risk in its supervisory priorities, signalling that the dual compliance burden will not be ignored by supervisors. Financial institutions that proactively build integrated compliance frameworks will be better positioned than those that wait for formal guidance.
The intersection of DORA and the AI Act is not a bureaucratic inconvenience — it is the regulatory expression of a real risk: AI systems that are both operationally critical and ethically consequential. Financial institutions that treat this intersection seriously will build AI capabilities that are not just innovative but trustworthy, resilient, and compliant.
See also: DORA Article 5: Management Body Obligations | DORA Resilience Testing Roadmap | ESMA Cyber Risk Union Priority
Summary in French (translated)
Financial institutions deploying AI systems face a dual compliance challenge: DORA for operational resilience and the AI Act for managing AI-related risks. BaFin's January 2026 guidance, analysed by Jones Day, explicitly classifies AI systems as ICT systems under DORA. Credit scoring and AML/KYC screening are simultaneously critical ICT services (DORA) and high-risk AI systems (AI Act). The key overlaps concern governance (DORA board of directors vs AI Act quality management system), testing (DORA resilience vs AI Act conformity assessment), and incident reporting (4h under DORA vs without delay under the AI Act, to different authorities). The practical framework recommends a dual-classification inventory, integrated governance, a combined testing programme, unified incident response, and third-party governance covering both dimensions. The most affected systems are those that are simultaneously critical ICT and high-risk AI.