DORA for AI providers to financial firms
DORA applies from January 2025 and reaches critical ICT third-party providers to EU financial entities. Here is what it means for AI procurement.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) applies from 17 January 2025. It creates a single, EU-wide framework for the operational resilience of financial entities and, importantly, of the third-party ICT providers those entities depend on. For AI providers serving banks, insurers, investment firms, payment institutions, and other EU financial entities, DORA is the regime that governs the resilience obligations of the AI system in production, from concentration risk and incident reporting through resilience testing and formal contractual requirements. An AI provider that is not familiar with DORA cannot credibly serve EU financial customers.
What DORA is and how it applies to AI providers
DORA applies directly to around twenty categories of financial entities in the EU: credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and central counterparties, among others. It obliges those entities to manage ICT risk, report significant incidents to competent authorities, test digital operational resilience, manage third-party ICT risk, and, in limited cases, participate in threat-led penetration testing.
The regulation reaches AI providers indirectly through the third-party ICT risk-management pillar (Chapter V) and directly through the oversight framework for critical ICT third-party providers (Article 31 onwards). Any AI provider whose service is deemed to support a critical or important function of a financial entity is a third-party ICT service provider under DORA. If the European Supervisory Authorities designate a provider as a critical ICT third-party provider (CTPP), that provider becomes subject to direct oversight by a lead overseer with powers to conduct investigations, on-site inspections, and issue binding recommendations.
Every contract between a financial entity and a third-party ICT provider must include specific provisions defined in Article 30: description of services, service levels, notice periods, exit strategies, access and audit rights for the financial entity and the competent authority, security controls, incident-reporting protocols, subcontracting terms, and applicable law. A generic services agreement is not compliant. Financial entities are also required to maintain a Register of Information listing all their ICT third-party arrangements, submitted annually to competent authorities.
The five pillars of DORA are: ICT risk management (Chapter II), ICT-related incident classification and reporting (Chapter III), digital operational resilience testing (Chapter IV), third-party ICT risk management (Chapter V), and information and intelligence sharing (Chapter VI). For AI providers, Chapters III, IV, and V carry the operational weight.
What it means for buyers commissioning AI builds in financial services
If you are procuring AI as an EU financial entity, DORA determines what your contract with the AI provider must contain. The provisions in Article 30 are non-negotiable, they must be in the contract before the service commences supporting a critical or important function. A provider who cannot accept those provisions, or who has not previously executed a contract compliant with them, is not yet a viable procurement counterparty for regulated financial engagements.
The classification of your engagement as supporting a critical or important function is decided by you as the financial entity, not by the provider. That classification drives the depth of the due diligence, the resilience-testing requirements, and the exit-strategy planning obligations. A provider serving multiple financial entities across the EU can find itself designated a critical ICT third-party provider through cumulative concentration, at which point it becomes subject to direct oversight by the European Supervisory Authorities.
Incident reporting obligations under Article 19 apply to the financial entity, but the provider is the primary source of the information the financial entity must report. Providers must be contractually obliged to notify the financial entity of ICT-related incidents within timeframes that allow the entity to meet its own reporting deadlines to the competent authority. AI providers who cannot produce incident information at the granularity DORA requires cannot support the financial entity's compliance chain.
Questions that separate DORA-ready providers from generalists
The gap between an AI provider generally familiar with DORA and one operating a DORA-ready contracting and operations posture is significant. Familiarity with Article 30 contract clauses, concrete incident-reporting timelines, a documented exit strategy, and evidence of prior audits under DORA-adjacent frameworks (EBA guidelines on outsourcing, DNB or BaFin sector guidance) are the operational markers. The questions below draw the line.
How Trustgent's verification relates
Trustgent's provider profiles include a DORA readiness attribute. At L2 cross-reference level and above, that attribute is checked against evidence outside the provider's marketing: contracts published in redacted form, references in financial-entity procurement documentation, participation in industry-body working groups, or third-party publications describing the provider's DORA posture. We do not act as a DORA compliance auditor (the financial entity, its competent authority, and the European Supervisory Authorities carry that role) but we distinguish, in the index, between a DORA claim and a corroborated posture.
Procurement checklist
Before signing a contract with an AI provider to support a critical or important function of an EU financial entity, confirm:
Article 30 contract provisions
The contract must include the specific provisions listed in Article 30: services description, service levels, notice periods, exit strategy, access and audit rights for the entity and the competent authority, security controls, incident-reporting protocols, subcontracting terms, and applicable law. Ask the provider to walk through their standard contract against Article 30 clause by clause.
Incident-reporting capability
Under Article 19, the financial entity must report significant ICT-related incidents to the competent authority within tight deadlines. Ask the provider what incident information they can produce and within what timeframe. If the provider cannot produce the granularity the financial entity needs to meet its reporting deadlines, the compliance chain does not close.
Exit strategy
DORA requires the financial entity to have a documented, tested exit strategy for critical ICT third-party arrangements. Ask the provider what artefacts they produce to support the exit strategy: data export formats, transition-support terms, standing runbooks. A provider unwilling to engage on exit planning cannot be a DORA-ready critical provider.
Resilience testing participation
Financial entities are required to conduct regular digital operational resilience testing; larger entities designated for threat-led penetration testing (TLPT) may require the AI provider to participate. Ask whether the provider has participated in TLPT-style exercises for other financial customers and what their standard participation terms are.
Subcontracting chain visibility
Article 30 requires the contract to specify conditions on subcontracting of critical or important functions. Ask for the current subcontractor list, the process for changes, and the notice periods. Concentration risk from a shared subcontractor (a single foundation-model provider or cloud region behind multiple financial-sector AI providers) is a DORA-relevant concern.
How Trustgent's verification relates
Trustgent does not certify DORA readiness. Competent authorities and the European Supervisory Authorities carry the regulatory role. What we do is distinguish, in the provider index, between a claimed DORA readiness and one corroborated by evidence outside the provider's marketing, at L2 verification level and above.
Buyer questions
- What is DORA?
- The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is the EU regulation that establishes a single framework for the operational resilience of financial entities and their ICT third-party providers. It applies from 17 January 2025.
- Which AI providers are affected by DORA?
- Any AI provider whose service supports a critical or important function of an EU financial entity is a third-party ICT service provider under DORA. Providers that reach significant scale across the EU financial sector may be designated critical ICT third-party providers, becoming subject to direct oversight by the European Supervisory Authorities.
- What is a critical ICT third-party provider (CTPP)?
- A CTPP is a third-party ICT provider designated by the European Supervisory Authorities under Article 31 of DORA as sufficiently systemic that direct oversight is warranted. Designated providers are supervised by a lead overseer with powers of investigation, on-site inspection, and binding recommendation.
- Does DORA require ISO/IEC 27001 or SOC 2?
- No, DORA does not require any specific certification. It requires the financial entity to manage ICT risk according to the regulation's provisions and to place contracts with third-party providers that meet Article 30. Certifications like ISO/IEC 27001 or SOC 2 are useful due-diligence evidence but do not replace the specific obligations DORA imposes.
- What is the Register of Information?
- Under Article 28(3), every financial entity must maintain a register listing all its ICT third-party arrangements, with details defined in the regulatory technical standards. The register is submitted annually to the competent authority and is a primary tool for concentration-risk monitoring across the EU financial sector.
- How does DORA interact with the EU AI Act?
- The two regulations apply in parallel. The EU AI Act governs the risk tier and obligations of the AI system itself. DORA governs the operational resilience of the ICT services (including AI services) that financial entities rely on. A high-risk AI system deployed at a bank is subject to EU AI Act obligations for the system and DORA obligations for the services chain around it.
Editorial guidance, not legal advice. Trustgent is a verified reference index, not a legal adviser. Consult a qualified practitioner for advice specific to your circumstances. Official source: Regulation (EU) 2022/2554 (EUR-Lex).
Regulatory readiness