Impetora
Regulation

DORA

The Digital Operational Resilience Act (DORA) is an EU regulation that sets uniform requirements for the digital operational resilience of financial entities, including their use of AI and ICT third-party service providers.

What is DORA?

DORA applies from January 2025 to banks, insurers, investment firms, payment institutions, and many of their critical ICT providers. Requirements cover ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing. AI systems supplied to financial entities must support DORA's testing, monitoring, and exit-strategy obligations.

How does DORA apply to enterprise AI?

Any AI vendor selling into EU financial services must be ready for DORA-aligned diligence: documented incident processes, testing evidence, contractual sub-contracting controls, and exit plans.

Related terms

  • EU AI Act - The EU AI Act (Regulation (EU) 2024/1689) is the European Union's horizontal regulation for AI, classifying systems by risk and imposing obligations on providers, deployers, importers, and distributors.
  • GDPR - The General Data Protection Regulation (GDPR) is the EU's data-protection regulation, governing the processing of personal data of people in the EU and EEA.
  • Sub-processor - A sub-processor is a third party that processes personal data on behalf of a processor, typically an infrastructure or software vendor sitting beneath the primary service provider.
  • AI Risk Management - AI risk management is the discipline of identifying, assessing, mitigating, and monitoring the harms an AI system can cause across its lifecycle.

