
DORA and the AI Act: Strengthening Europe’s Financial Resilience in the Digital Era

  • rozemarijn.de.neve
  • Oct 29
  • 3 min read

1. Introduction to DORA


By Pierre E. Berger, Guus Elsbeek, Delphine Goens - DLA Piper


The increasing digitalization of the financial sector has led to a significant reliance on ICT systems, which in turn introduces new risks to the resilience, performance and stability of the European financial system. This development prompted the introduction of the Digital Operational Resilience Act (DORA) in 2020, which entered into application on January 17, 2025.[1]


As technology and (fin)tech companies play an ever-increasing role in delivering and supporting financial services, the sector becomes increasingly vulnerable to technological disruptions, such as cyberattacks. Such incidents can severely undermine the transparency and reliability of European financial and capital markets.


In Belgium alone, more than 100,000 cyberattacks were recorded in 2022, underscoring the urgency of a harmonized legal framework like DORA to safeguard the operational resilience of financial entities across the European Union (EU).[2]


DORA has a broad scope of application within the financial sector, covering a wide range of entities such as banks, investment firms, pension funds, insurance and reinsurance companies, electronic money institutions and payment institutions. This scope also includes fintech companies, meaning they will need to allocate resources to ensure compliance with the introduced obligations. Additionally, DORA extends beyond the financial entities themselves to also include their ICT third-party service providers, such as cloud providers and software vendors.


2. Interplay between DORA & the AI Act


The AI Act, which entered into force on 1 August 2024 and will be fully applicable in August 2026, aims to establish a uniform legal framework for the use of AI systems within the European Union.[3] The Act takes the form of a Regulation and is directly applicable in all EU member states. The AI Act and DORA do not operate in isolation. On the contrary, they overlap and reinforce one another.


In practice, this means that financial institutions will frequently encounter the parallel application of both the AI Act and DORA to the same product or service provider. AI systems may be considered so-called “ICT assets” within the meaning of DORA. Additionally, DORA also concerns “ICT services” meaning digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis. Therefore, AI applications, both as ICT assets and as ICT services, must be assessed under DORA to ensure robust risk management and operational resilience.


The EU's AI Act applies to all providers and deployers of AI systems within the EU, irrespective of whether they are based in the EU or in a third country. This has significant implications for financial institutions, which are increasingly integrating AI technologies into their operations. Financial institutions that develop AI systems are classified as “providers” under the AI Act. Conversely, institutions that implement AI systems developed by external vendors are considered “deployers”.


This overlapping applicability underscores the need for financial institutions to carefully assess the nature of their AI systems and determine which regulations apply to which specific systems. Moreover, there are interactions and synergies that can be leveraged for AI & DORA compliance.


Firstly, ICT risk management: both DORA and the AI Act underscore the importance of robust ICT risk management, albeit with their own distinct scopes and objectives.


Secondly, both the AI Act and DORA introduce mandatory incident reporting obligations. DORA mandates financial entities to report major ICT-related incidents to their competent authorities, whereas the AI Act focuses on incidents involving high-risk AI systems.


Finally, when it comes to the oversight of third-party providers, both sets of regulations apply. On the one hand, DORA establishes a framework regarding the oversight of ICT third-party service providers (especially those that are critical, such as cloud service providers), whereas, on the other hand, the AI Act addresses third-party involvement in the AI value chain.


3. Time for action


Mapping your AI applications and understanding your obligations under the EU AI Act is essential, and navigating the intersection with DORA adds another layer of complexity. That’s where DLA Piper comes in.


Our Financial Services & FinTech team is part of a top-tier global law firm, trusted by leading financial institutions, tech giants, and disruptive FinTech innovators. We provide strategic, regulatory, and legal guidance on cutting-edge projects across the globe.



[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

[2] Van den Brande, B. (2024) DORA: Cyber Resilience voor de financiële sector, maar ook voor toeleveranciers. Available at: https://legalnews.be/it-ip/dora-cyber-resilience-voor-de-financiele-sector-maar-ook-voor-toeleveranciers-sirius-legal/.

[3] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act)

