DORA and AI Governance
DORA, the EU's Digital Operational Resilience Act (Regulation (EU) 2022/2554), has applied in full since 17 January 2025. It requires financial entities, and the critical ICT third-party providers that serve them, to demonstrate ICT risk management, incident reporting, resilience testing, and third-party risk management.
AI workloads operated by financial institutions are ICT systems under DORA's definitions and so fall under its resilience requirements. That means AI governance in EU-regulated financial services is not just an EU AI Act obligation: it is also a DORA obligation, supervised by the same financial authorities.
What DORA Requires
DORA covers five operational domains and applies to financial institutions and critical ICT service providers:
- ICT risk management — documented, continuously maintained programs
- ICT-related incident reporting — tiered notification on strict timelines
- Digital operational resilience testing — regular, evidence-backed exercises
- ICT third-party risk management — including cloud and AI vendors
- Information-sharing arrangements — across institutions and authorities
Major Incident Reporting Timelines
DORA's tiered reporting of major ICT-related incidents is demanding for organizations without mature SOC operations, because each deadline is measured from an event the SOC itself has to record (detection, classification, and submission of the previous report):
- Initial notification: within four hours of classifying the incident as major, and no later than 24 hours after the entity became aware of it (whichever comes first)
- Intermediate report: within 72 hours of submitting the initial notification
- Final report: within one month of submitting the intermediate report (or its latest update)
Where AI Workloads Intersect DORA
AI workloads are ICT systems. A model failure that disrupts a business process is an ICT-related incident that must be classified and, if major, reported on the timelines above. Model and inference providers are ICT third parties that belong in the register of information and under contractual controls. AI services sit inside the scope of resilience testing. An AI governance architecture that produces runtime evidence (inventories, audit trails, monitoring, and enforced controls) is therefore the same architecture DORA requires for those workloads.
Treating DORA and EU AI Act compliance as separate programs is expensive. The institutions that recognize the shared evidence-architecture pattern build once and produce evidence across both.