EU Digital Operational Resilience Act (DORA): AI Compliance Requirements
EU DORA (Regulation 2022/2554, in application January 17, 2025) applies to 20 categories of EU-regulated financial entities and their ICT service providers. It mandates a harmonized ICT risk management framework covering AI tools, mandatory third-party ICT risk assessment contracts (including AI vendors), regular resilience testing, and major ICT incident reporting. Financial entities using AI tools must include them in their ICT risk management and third-party oversight programs.
Key Facts
Application date: January 17, 2025
Penalties: DORA sets no EU-wide fine for financial entities; administrative penalties and remedial measures are left to Member States and their national competent authorities (Article 50). Critical ICT third-party service providers can be subjected by the Lead Overseer to periodic penalty payments of up to 1% of average daily worldwide turnover in the preceding business year, for up to six months (Article 35).
What Your Business Must Do
4 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.
ICT Risk Management Framework
Critical: Implement a documented ICT risk management framework covering all ICT assets, including AI tools and services. It must include risk identification, protection measures, detection capabilities, response protocols, and recovery procedures. The management body is responsible for overseeing ICT risk.
Third-Party ICT Risk Assessment (AI Vendors)
Critical: Assess and document ICT risks from all third-party ICT service providers, including AI tool vendors (OpenAI, Microsoft Copilot, etc.). Contracts with ICT service providers must include the mandatory clauses of Article 30: security requirements, audit and access rights, exit strategies and termination rights, and incident notification obligations.
Major ICT Incident Reporting
High Priority: Establish incident management processes to detect, classify, and report major ICT-related incidents to the relevant national competent authority (Article 19). This includes incidents caused by or involving AI systems. Under the DORA incident-reporting technical standards, the initial notification is due within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it; an intermediate report follows within 72 hours of the initial notification; the final report is due within one month.
Digital Operational Resilience Testing
Medium Priority: Test the resilience of ICT systems and applications supporting critical or important functions, including AI tools, at least yearly (vulnerability assessments, penetration testing). Financial entities designated by their competent authority under Article 26 must also conduct Threat-Led Penetration Testing (TLPT) at least every 3 years.
Frequently Asked Questions
Does EU Digital Operational Resilience Act (DORA) apply to my business?
EU DORA (Regulation 2022/2554, in application January 17, 2025) applies to 20 categories of EU-regulated financial entities (credit institutions, payment institutions, investment firms, insurers, crypto-asset service providers, and others listed in Article 2) and to their ICT third-party service providers. If your organization is one of these entities, or supplies ICT services to one, DORA applies to you. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.
What is the penalty for non-compliance?
DORA does not fix a maximum fine for financial entities: Article 50 leaves administrative penalties and remedial measures to Member States, so the ceiling depends on your national competent authority. For critical ICT third-party service providers, the Lead Overseer may impose periodic penalty payments of up to 1% of average daily worldwide turnover in the preceding business year, for up to six months (Article 35). National penalties are typically scaled by the size of the entity, the severity and duration of the breach, and whether it was willful or negligent.
How do I comply with EU Digital Operational Resilience Act (DORA)?
The 4 requirements above cover the core obligations. The fastest path to compliance is: (1) inventory all ICT assets and third-party ICT providers, including AI tools and their vendors, and assess their risk; (2) document your ICT risk management framework and bring vendor contracts in line with the Article 30 clauses; (3) set up incident classification and reporting procedures and an annual resilience testing programme. ComplianceIQ generates all required documents automatically.
Official Source
https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora
Last updated: 2026-04-12 — verify at source before relying on this information.
Don't leave compliance to chance
ComplianceIQ scans your AI tools, tells you exactly which regulations apply, and generates all required documents — in 30 minutes.
Start your free compliance scan