EU regulation

DORA (financial sector)

DORA (Regulation (EU) 2022/2554) requires financial entities to manage ICT risk, report major ICT-related incidents and oversee their ICT third-party providers; critical ICT third-party providers additionally fall under a Union-level oversight framework. The regulation has applied since 17 January 2025.

Key obligations

ICT risk management framework
DORA requires an ICT risk management framework covering identification, protection and prevention, detection, response and recovery, and learning. DORA does not single out AI: an AI system used in operations is an ICT system and is subject to the same framework as any other ICT asset.
Management of third-party ICT providers
For externally sourced ICT services, AI services included, DORA requires contractual minimum provisions in the agreement with the provider, a register of information on all contractual arrangements, an assessment of ICT concentration risk and documented exit strategies.
Reporting duty for major ICT incidents
DORA has its own duty to report major ICT-related incidents to the competent financial supervisory authority. An incident involving an AI system may also trigger the separate serious-incident reporting duty of the AI Act (Art. 73) for providers of high-risk AI systems; the two duties have different addressees and deadlines and must be handled in parallel.
Digital resilience testing
DORA resilience testing assesses the availability, continuity and security of ICT systems, including AI systems used in operations; it does not replace the data-quality, bias and other requirements the AI Act imposes on the AI system itself.
