Key obligations
ICT risk management framework
DORA requires an ICT risk management framework that treats AI systems in operation the same as classic ICT (identify, protect, detect, recover, learn).
Management of third-party ICT providers
For externally sourced ICT/AI, minimum contractual provisions, a register of information, a concentration-risk analysis and exit strategies apply.
Reporting duty for major ICT incidents
DORA has its own duty to report major ICT incidents to the financial supervisory authority; an AI incident may simultaneously trigger the AI Act reporting duty (Art. 73).
Digital resilience testing
DORA resilience testing checks the continuity and security of ICT and AI systems; it does not replace the data-quality and bias requirements of the AI Act.