Trusq

factual analysis · traceable to primary sources

Analysis

The interplay of the AI Act and DORA: one AI system, two supervisory frameworks

Adopted 2026-06-11 · ≈ 3 min read · Dirk Baaijen

Financial institutions deploying AI fall under DORA (since January 2025) and the AI Act at the same time. This analysis maps where the frameworks meet, where the AI Act explicitly defers to financial services law, and where duplicate work looms.

Since 17 January 2025, DORA (Regulation (EU) 2022/2554) applies to banks, insurers, investment firms, payment institutions and their critical ICT service providers. The AI Act adds a second layer for the same institutions. The two frameworks pursue different goals: DORA protects the operational continuity of the financial system, the AI Act protects the safety and fundamental rights of individuals. In practice, however, they bite on the same systems, the same suppliers and the same internal processes.

[Figure: DORA (since 17-01-2025): ICT risk management; third-party ICT providers; resilience testing; incident reporting (ICT). AI Act (high-risk layer): high-risk Annex III; data quality + bias; human oversight; incident reporting (Art. 73). Bridging provisions: Art. 17(4), Art. 26(5), Art. 26(6).]
Two frameworks, three statutory bridges: the bridging provisions let AI Act duties ride on DORA governance.

Where the AI Act touches the financial sector directly

Annex III of the AI Act designates two typically financial applications as high-risk: AI systems for assessing the creditworthiness or establishing the credit score of natural persons (point 5b, with an exception for systems used to detect financial fraud), and AI systems for risk assessment and pricing in life and health insurance (point 5c). A bank supporting credit acceptance with AI, or an insurer differentiating premiums with AI, is therefore a deployer (and sometimes a provider) of a high-risk system.

The bridging provisions: the AI Act deliberately leans on financial services law

The legislator sought to avoid duplicate governance through three explicit bridging provisions:

  • Article 17(4): providers that are financial institutions subject to internal governance requirements under Union financial services law are deemed to fulfil most quality management system requirements by complying with those existing governance rules; a few elements of Article 17(1) remain excepted.

  • Article 26(5): for deployers that are financial institutions, the monitoring obligation is deemed fulfilled by complying with the internal governance rules under financial services law.

  • Article 26(6): those same institutions retain the logs of high-risk systems as part of the documentation they already keep under financial services law.

For institutions whose DORA and governance house is in order, this is good news: AI Act quality management need not become a parallel structure but can be embedded in the existing framework.

Where DORA already covers the AI question

DORA treats externally sourced AI (a model API, a SaaS scoring service, a cloud-based fraud detection system) as an ICT service from a third-party provider. The DORA requirements therefore apply in full: contractual minimum provisions, inclusion in the information register, concentration risk analysis and exit strategies. DORA's ICT risk management framework (identify, protect, detect, recover, learn) covers AI systems embedded in operations just as much as classic ICT.

Where the frameworks chafe

Three points demand deliberate design. First, incident reporting: DORA has its own duty to report major ICT incidents to the financial supervisor, while the AI Act (Article 73) requires reporting serious incidents involving high-risk systems to the market surveillance authority. A single failure in an AI system can trigger both duties at once, with different deadlines and different receiving authorities. Second, testing obligations: DORA resilience testing addresses continuity and security, not the data quality and bias requirements of the AI Act; one does not replace the other. Third, timing: DORA applies now, while the AI Act's high-risk obligations are expected, under the Digital Omnibus agreement of 7 May 2026, to apply only from 2 December 2027. That makes the DORA framework the natural place to house AI Act preparation already; the bridging provisions of Articles 17 and 26 exist precisely for that purpose.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
    Regulation (EU) 2022/2554 (DORA), authentic text; applicable since 17 January 2025.
  2. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act); see Annex III point 5 and Articles 17, 26 and 73.
  3. https://artificialintelligenceact.eu/article/17/
    Article 17 AI Act with paragraph 4 on quality management at financial institutions (unofficial rendering).
  4. https://artificialintelligenceact.eu/article/26/
    Article 26 AI Act with paragraphs 5 and 6 on monitoring and log retention at financial institutions (unofficial rendering).
  5. https://www.dnb.nl/dora
    DNB theme page on DORA and its supervision in the Netherlands.

About this knowledge base

Compiled and maintained by YRproject, programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.