DORA AI Compliance: Digital Operational Resilience Act Requirements for AI-Power

The Digital Operational Resilience Act — Regulation (EU) 2022/2554, known as DORA — became fully applicable on 17 January 2025. It is now the governing framework for ICT risk management, third-party technology oversight, and operational resilience at banks, insurance firms, investment firms, payment institutions, and a range of other financial entities regulated in the European Union.

DORA does not mention artificial intelligence or large language models anywhere in its text. The regulation was negotiated before the generative AI wave that reshaped enterprise technology in 2023 and 2024. This has led a significant number of financial institutions to treat AI governance as a separate compliance track from DORA, a siloing that creates real supervisory risk. AI systems used in financial services workflows are ICT assets, and the inference services behind them are ICT services, under DORA's Article 3 definitions. The ICT risk management, third-party oversight, incident classification, and resilience testing requirements of DORA apply to them in full.

This article analyzes how DORA's five pillars apply to AI and LLM deployments in financial services, examines where the regulatory technical standards adopted under DORA in 2024 and 2025 create specific obligations for AI infrastructure, and explains how a pre-execution governance layer can be used to satisfy DORA's ICT risk control requirements for AI systems.

DORA Scope and AI System Coverage

DORA applies to entities regulated under EU financial services law: credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers, central counterparties, trading venues, data reporting service providers, insurance undertakings, pension funds, and a broader set of financial market infrastructure providers. The regulation covers these entities' ICT risk across all operational functions, not merely their technology-specific teams.

DORA does not define 'ICT system' as a standalone term. Article 3 instead defines 'ICT asset' (a software or hardware asset in the network and information systems used by the financial entity) and 'ICT services' (digital and data services provided through ICT systems to internal or external users on an ongoing basis). Together these definitions are broad enough to encompass:

  • Cloud-hosted inference infrastructure for LLM models
  • Third-party LLM APIs (OpenAI, Anthropic, Google, Azure AI, Mistral)
  • Internal fine-tuned models and their serving infrastructure
  • The pipeline software that connects LLM outputs to business processes
  • Vector databases, embedding infrastructure, and retrieval-augmented generation systems
  • Monitoring and observability tooling for AI model behavior

ESA Clarification: AI Tools in Financial Services

The Joint Committee of the European Supervisory Authorities published Q&A guidance in 2025 confirming that AI-based decision tools used in credit assessment, risk management, fraud detection, customer service, and compliance monitoring constitute ICT systems under DORA and must be managed within the ICT risk management framework. Competent authorities reviewing DORA compliance should expect to see AI systems in ICT asset inventories with appropriate risk classifications.

The practical implication: DORA compliance programs that maintain separate AI governance tracks disconnected from their ICT risk management framework are structurally incomplete. The ICT risk framework must cover AI systems; AI governance programs must satisfy DORA's specific requirements for documentation, controls, testing, and third-party management.

DORA Articles 8 and 9: Identification, Protection and Prevention Applied to AI

Articles 8 and 9 are the operational core of DORA's ICT risk management requirements. Article 8 (identification) mandates that financial entities identify, classify and document their ICT-supported business functions, the information assets and ICT assets supporting them, and the dependencies between them, and that they assess ICT risk on a continuous basis. Article 9 (protection and prevention) requires the policies, procedures and controls that keep those assets secure and resilient, including ICT change management. Each requirement has direct application to AI systems.

Asset Identification and Classification

Article 8(1) requires financial entities to identify, classify and adequately document all ICT-supported business functions and the information assets and ICT assets supporting them, together with their roles and dependencies; Article 8(4) requires that the assets considered critical be mapped, and Article 8(6) requires documentation of all processes that depend on ICT third-party service providers. For AI systems, this requires:

  • A complete inventory of AI models in production, including version identifiers and deployment dates
  • Mapping of each AI system to the business functions it supports or influences
  • Criticality classification based on the function's importance to operational continuity and regulatory obligations
  • Documentation of third-party dependencies for each AI system, including API providers, cloud hosting, and supporting data feeds

Most financial institutions with mature ICT asset management programs will need to extend their Configuration Management Database (CMDB) or equivalent to include AI-specific attributes: model type, training data provenance, inference provider, policy configuration, and governance layer status. An AI system supporting credit decisioning is a critical ICT asset; one supporting internal knowledge search may be non-critical — but the classification must be documented and defensible.

Risk Assessment and Treatment

Article 8(2) requires financial entities to identify, on a continuous basis, all sources of ICT risk and to assess the cyber threats and vulnerabilities relevant to their ICT-supported business functions and assets; Article 8(3) requires a fresh risk assessment upon each major change to the infrastructure or processes supporting those functions, which for AI systems includes a provider-side model version change. The risk taxonomy must extend beyond traditional ICT risks (availability, integrity, confidentiality) to include AI-specific failure modes:

Category 1: Behavioral Failure Risks
Model drift producing systematically biased outputs; prompt injection causing policy violations; adversarial manipulation of classification systems; hallucination in compliance-relevant contexts; inconsistent outputs under semantically equivalent inputs.

Category 2: Availability and Dependency Risks
Third-party LLM API outages affecting critical functions; latency degradation under load; model version changes by providers altering behavior; rate limiting by providers during high-demand periods; cascading failures from AI dependency chains.

Category 3: Governance and Compliance Risks
AI outputs that violate regulatory obligations (fair treatment, adverse action requirements); failure to detect systematic bias in AI-influenced decisions; audit trail gaps that prevent regulatory examination; undocumented model changes affecting regulatory compliance determinations.

Risk treatment must be documented. Where risks are accepted, the acceptance must be approved at the appropriate governance level. Where risks are mitigated, the mitigation controls must be specific, testable, and monitored. Article 9(1) and 9(2) require financial entities to continuously monitor and control the security and functioning of ICT systems and to minimise the impact of ICT risk through appropriate ICT security tools, policies and procedures. For AI systems whose outputs feed regulated decisions, a deterministic enforcement layer in front of the business process is the natural form of that control; an entity that chooses not to deploy one must be able to show, in its risk treatment record, which other control covers the same failure modes.

Logging Requirements and AI Decision Records

DORA Article 10 (detection) requires mechanisms to promptly detect anomalous activities, and the RTS on the ICT risk management framework adopted under Article 15 (Commission Delegated Regulation (EU) 2024/1774) spells out the logging that supports it in its Article 12. Note that Article 12 of DORA itself concerns backup, restoration and recovery, so citations of "DORA Article 12" for audit trails point at the wrong instrument. For AI systems, the logging requirement is specific enough that traditional application logging typically does not satisfy it.

RTS Article 12 (Logging), summarised:
Financial entities must develop, document and implement logging procedures, protocols and tools that define which events are logged (including ICT change management and access control events), the level of detail and retention period of the logs, and the measures that protect log data against tampering and unauthorised access, so that anomalous activity can be identified and incidents investigated.
Applied to AI Governance:
Every AI output in a regulated workflow must be logged with sufficient fidelity to: (1) reconstruct what the AI said; (2) identify which policy rules were evaluated; (3) determine whether a policy block or modification occurred; (4) link the output to the specific model version that produced it. Generic application logs recording only API call status codes do not satisfy this requirement. Signed decision certificates per AI output, recording policy version, rules evaluated, disposition, timestamp and a hash of the output, do.

The audit trail requirement is particularly significant for AI systems because regulatory examinations of AI-influenced decisions require the ability to reconstruct the full decision pathway: what the AI said, what policy constraints were applied to its output, and what eventually reached a human or automated decision-maker. This reconstruction must be available years after the fact, which means audit records must be tamper-evident and durably stored.

Chapter V: Third-Party ICT Risk and LLM API Providers

DORA Chapter V is perhaps the most novel and consequential part of the regulation for AI deployments. It establishes a detailed third-party ICT risk management framework that applies to relationships with all "ICT third-party service providers" — including, emphatically, commercial LLM API providers.

Article 28: General Principles of Third-Party ICT Risk Management

Article 28(1) requires financial entities to manage ICT third-party risk as an integral part of their ICT risk management framework, in line with the principle of proportionality. For LLM API providers, this means:

  • The LLM provider arrangement must be recorded in the register of information that Article 28(3) requires for all contractual arrangements on ICT services, flagged where it supports a critical or important function
  • Before contracting, the Article 28(4) due diligence must cover the provider, and the Article 29 assessment must evaluate concentration risk (are multiple critical functions dependent on a single LLM provider?)
  • The entity must assess substitutability: can the LLM provider be replaced if it fails, changes terms, or is compromised?
  • Under Article 28(8), exit strategies must be documented for LLM dependencies that support critical or important functions

The concentration risk requirement deserves particular attention. Article 29 requires a preliminary assessment of ICT concentration risk before any arrangement supporting a critical or important function is concluded, and specifically asks whether the provider is not easily substitutable and whether the entity already has multiple arrangements with the same or closely connected providers. If a financial institution deploys a single LLM provider across credit assessment, fraud detection, customer service, and compliance monitoring, that is exactly the pattern Article 29 targets, and competent authorities will scrutinize it.
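The inventory attributes from the asset identification section and the concentration and exit-strategy questions above can be run as one check over the AI asset register. The following is an added example, not code from this page or from CoreGuard: it defines an AI asset record with the attributes the text lists (model, pinned version, inference provider, supported functions, criticality, documented fallback), computes which third-party provider carries how many critical or important functions, flags critical assets with no documented exit route, and detects pinned-version changes between two inventory snapshots (the Article 8(3) reassessment trigger). The field names, the sample records and the concentration threshold are assumptions for illustration.

```python
"""AI ICT asset inventory with criticality roll-up and provider concentration checks.

Added example, not code from the page or from CoreGuard. Field names, the
constructed sample records and the concentration threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AiAsset:
    asset_id: str
    model: str                  # provider's model identifier
    version: str                # version pinned at deployment (for change tracking)
    provider: str               # inference provider; "internal" for self-hosted
    functions: Tuple[str, ...]  # business functions the output influences
    critical: bool              # supports a critical or important function?
    fallback: Optional[str]     # documented substitute or degraded mode, if any
    deployed: str               # ISO date of deployment


# Constructed sample inventory (hypothetical deployments, not real ones)
INVENTORY = [
    AiAsset("A1", "vendor-a-large", "2025-01-15", "VendorA",
            ("credit assessment",), True, None, "2025-02-01"),
    AiAsset("A2", "vendor-a-large", "2025-01-15", "VendorA",
            ("fraud detection",), True, "VendorB fraud model", "2025-03-10"),
    AiAsset("A3", "vendor-a-mini", "2024-11-02", "VendorA",
            ("compliance monitoring",), True, None, "2025-04-22"),
    AiAsset("A4", "vendor-b-embed", "2024-09-30", "VendorB",
            ("internal knowledge search",), False, None, "2024-10-15"),
    AiAsset("A5", "in-house-summariser", "0.9.3", "internal",
            ("customer service",), True, "manual handling", "2025-05-05"),
]


def critical_functions_by_provider(assets):
    """Map each third-party provider to the critical/important functions relying on it."""
    deps = defaultdict(set)
    for a in assets:
        if a.critical and a.provider != "internal":
            deps[a.provider].update(a.functions)
    return {p: sorted(fs) for p, fs in deps.items()}


def concentration_findings(assets, max_critical_functions=2):
    """Findings for Article 29 concentration and Article 28(8) exit-strategy gaps.

    max_critical_functions is an entity-defined appetite threshold (assumption):
    above it, one provider outage or behaviour change hits too many critical
    functions at once. Findings are returned in a stable order: concentration
    findings first (by provider), then assets lacking a documented fallback.
    """
    findings = []
    for provider, funcs in sorted(critical_functions_by_provider(assets).items()):
        if len(funcs) > max_critical_functions:
            findings.append({"type": "concentration", "provider": provider,
                             "critical_functions": funcs})
    for a in assets:
        if a.critical and a.fallback is None:
            findings.append({"type": "no_exit_strategy", "asset_id": a.asset_id,
                             "provider": a.provider, "functions": list(a.functions)})
    return findings


def version_changes(old_assets, new_assets):
    """Asset ids whose pinned version differs between two inventory snapshots;
    each such change is a major change that triggers an Article 8(3) reassessment."""
    old = {a.asset_id: a.version for a in old_assets}
    return sorted(a.asset_id for a in new_assets
                  if a.asset_id in old and old[a.asset_id] != a.version)


if __name__ == "__main__":
    for finding in concentration_findings(INVENTORY):
        print(finding)
```

On the sample data the check reports VendorA as a concentration (three critical functions on one provider) and assets A1 and A3 as critical dependencies with no documented fallback; A4 has no fallback either but is non-critical, so it is not flagged. The threshold is the entity's own risk appetite and must itself be documented and approved, since DORA sets no numeric limit.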

Article 30: Contractual Requirements for ICT Third-Party Providers

Article 30 specifies minimum contractual provisions for ICT third-party arrangements: Article 30(2) for all ICT services and Article 30(3) for services supporting critical or important functions. For LLM API providers, financial institutions should verify whether their current service agreements satisfy these requirements:

Requirement: Complete description of the services and service levels (Art. 30(2)(a) and (e); for critical or important functions, full service level descriptions with quantitative and qualitative performance targets under Art. 30(3)(a))
Typical LLM API contract gap: PARTIAL. Generic SLAs often lack AI-specific performance metrics.
Required provision: Latency SLAs, uptime guarantees, model stability commitments, version change notification periods.

Requirement: Locations where services are provided and data is processed, with notice of changes (Art. 30(2)(b))
Typical LLM API contract gap: ABSENT. Many LLM providers offer limited contractual data residency guarantees.
Required provision: Explicit EU data residency or transfer mechanism documentation; processing location for inference requests; advance notice of location changes.

Requirement: Cooperation with competent authorities (Art. 30(2)(g)) and, for critical or important functions, unrestricted rights of access, inspection and audit for the entity and its supervisors (Art. 30(3)(e))
Typical LLM API contract gap: PARTIAL. SOC 2 reports are available; direct audit rights are rarely granted by hyperscale LLM providers.
Required provision: Right to third-party audit reports; acceptance of competent authority inspection access; agreed alternative assurance where direct audit is impractical.

Requirement: Assistance when an ICT incident occurs (Art. 30(2)(f)) and, for critical or important functions, notice periods and reporting obligations including notification of developments that might materially affect the service (Art. 30(3)(b))
Typical LLM API contract gap: ABSENT. LLM providers typically publish status page updates, not contractual incident notifications.
Required provision: Timely notification of security incidents, service degradation, and material model changes affecting service behavior.

Requirement: Access, recovery and return of data on termination or insolvency (Art. 30(2)(d)) and, for critical or important functions, exit strategies with an adequate transition period (Art. 30(3)(f))
Typical LLM API contract gap: PARTIAL. Data portability is addressed in terms; exit assistance for complex integrations is rarely guaranteed.
Required provision: Data export format, timeline for data deletion, transition assistance period for critical service migrations.

Critical Third-Party Providers Under DORA's ESA Oversight

DORA Article 31 establishes a designation mechanism under which the ESAs, acting through the Joint Committee on the recommendation of the Oversight Forum, designate individual ICT third-party service providers as "critical", bringing them under direct oversight by a Lead Overseer drawn from the ESAs. The criteria include the systemic impact a failure of the provider would have on financial services, the systemic character or importance of the financial entities that rely on it, the extent of that reliance for critical or important functions, and the degree of substitutability of the provider.

Major LLM API providers operating at scale in EU financial services are realistic candidates for critical designation as the DORA oversight framework matures. Financial entities should monitor ESA designation decisions, as designation changes the supervisory risk profile of any dependency on the designated provider and may require enhanced contractual protections and contingency planning.

Article 17 and Article 18: ICT Incident Classification for AI Failures

DORA Articles 17 and 18, together with the RTS on the classification of ICT-related incidents (Commission Delegated Regulation (EU) 2024/1772), establish a detailed framework for categorizing and reporting ICT-related incidents. AI system failures can trigger these reporting obligations, and financial entities need incident classification criteria that cover AI-specific failure modes.

Classification Thresholds for AI Incidents

The classification framework in Article 18 and its RTS uses seven criteria: clients, financial counterparts and transactions affected; reputational impact; duration and service downtime; geographical spread; data losses; critical services affected; and economic impact. For AI incidents, financial entities should establish internal classification triggers that map to these criteria:

  • API unavailability incidents: A critical LLM provider API outage affecting functions that serve more than the threshold number of clients, or lasting longer than threshold duration, is a reportable ICT incident. Entities need runbooks for AI API outage classification and notification workflows.
  • Systematic output policy violations: If an AI system is discovered to have been systematically producing outputs that violated regulatory obligations (for example, discriminatory patterns in credit recommendations), the discovery and scope may meet the reporting threshold depending on the number of affected customers and economic impact.
  • Model compromise incidents: If a prompt injection attack or other adversarial manipulation caused an AI system to produce outputs that bypassed intended controls, this is an ICT security incident under DORA Article 17 and must be classified against the reporting criteria.
  • Third-party provider security incidents: Under the Article 30(2)(f) and 30(3)(b) contractual provisions, LLM providers should notify customers of security incidents and material service developments. When such notification is received, the financial entity must assess whether the incident meets DORA reporting thresholds based on the dependency's criticality.

Major Incident Notification Timelines

DORA Article 19 requires a three-stage report for major ICT-related incidents (initial notification, intermediate report, final report), with the time limits set in the RTS adopted under Article 20: initial notification within 4 hours of classifying the incident as major and no later than 24 hours after the entity becomes aware of it; an intermediate report within 72 hours of the initial notification; and a final report within one month of the latest intermediate report. Financial entities deploying AI in critical functions need AI incident classification procedures that can operate within these timelines; informal escalation processes are insufficient.

Articles 24 to 26: Digital Operational Resilience Testing

DORA Article 24 requires financial entities other than microenterprises to maintain a digital operational resilience testing programme and, under Article 24(6), to test all ICT systems and applications supporting critical or important functions at least yearly. Article 25 lists the tests that programme draws on, including vulnerability assessments and scans, gap analyses, source code reviews, scenario-based tests, performance testing, end-to-end testing and penetration testing. Article 26 requires the financial entities identified by their competent authorities to carry out Threat-Led Penetration Testing (TLPT) at least every three years. All three have direct application to AI systems.

Basic Resilience Testing for AI Systems

The basic resilience testing program required by Article 24 must cover AI ICT assets according to their criticality classification. For critical AI systems, the testing program should include:

  • Availability and recovery testing: How quickly can the AI-dependent function recover if the primary LLM provider is unavailable? Does failover to alternative providers or degraded-mode operation function as documented?
  • Behavioral consistency testing: Under load conditions and after model version updates, does the AI system continue to produce outputs within expected distributions? This is distinct from traditional load testing — it requires behavioral verification, not just throughput measurement.
  • Adversarial robustness testing: For critical AI systems, red-team testing of prompt injection and policy bypass attempts should be part of the annual testing program. This feeds directly into the risk assessment documentation required by Article 9.

TLPT Scope for AI Systems

Threat-Led Penetration Testing under Article 26 must cover several or all of the financial entity's critical or important functions, is performed on live production systems, and uses testers meeting the Article 27 requirements (external testers, or internal testers where the competent authority permits). For financial entities with AI deployments in critical functions, TLPT scope should include AI-specific attack scenarios: prompt injection campaigns against production LLM pipelines, attempts to extract training data or system prompts, and testing of governance layer bypass techniques. The RTS on TLPT is aligned with the TIBER-EU framework, in which test scenarios are derived from the targeted threat intelligence phase; AI-specific scenarios belong there wherever an AI system sits on a realistic attack path to a critical function.

How CoreGuard Satisfies DORA's ICT Risk Control Requirements for AI

The DORA requirements described above create a specific demand for AI governance infrastructure: not just monitoring dashboards, but documented technical controls that enforce policy at the point of AI output generation and produce the audit evidence that competent authorities expect.

AI Output Governance Flow (Article 9 protection and prevention control)

Step 1: LLM generates output
Step 2 (pre-execution): CoreGuard policy evaluation against the versioned policy pack
Step 3: Disposition
  ALLOW / MODIFY: signed decision certificate issued; the output (or the modified output) proceeds
  BLOCK: violation logged and escalated; nothing reaches the business process
Step 4: Output delivered to the business process (ALLOW / MODIFY path only)
DORA requirement / Status / CoreGuard capability and audit evidence produced

Art. 9(1) and 9(2): protection and prevention controls for critical ICT assets
  Status: Supports
  Deterministic policy enforcement before AI outputs reach business processes; every output evaluated against defined rules, with the disposition recorded per output.

Art. 10 (detection) and RTS Art. 12 (logging): audit trails with anomaly identification capability
  Status: Supports
  HMAC-SHA256 signed decision certificates recording policy version, rules evaluated, disposition, timestamp, and output hash for every governed AI interaction.

Art. 9(4)(e): ICT change management
  Status: Supports
  Policy version tracking in decision certificates; behavioral change detection from certificate log analysis enables identification of model drift after vendor updates.

Art. 17(1): ICT-related incident detection and classification
  Status: Supports
  Real-time policy violation rate metrics from the enforcement log support threshold-based incident classification triggers; systematic violation discovery produces evidence for DORA incident scope assessment.

Art. 24: resilience testing evidence
  Status: Supports
  Enforcement log provides a behavioral baseline for resilience testing; adversarial testing results are captured as policy block events with full context.

Art. 28: third-party ICT risk management documentation
  Status: Supports
  Policy pack maps to specific third-party provider dependencies; enforcement behavior changes documented in the certificate log support provider change impact assessment.

Each row is a control contribution, not the obligation itself. The obligations sit with the financial entity's framework, and an examiner will expect the policy content, the risk assessment that justifies it, and the testing records around the control, not only the certificates it emits.
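The governance flow and the certificate log described in this section and in the logging section above, as an added example that is not CoreGuard's code: a pre-execution gate evaluates an LLM output against two hypothetical versioned rules (redact anything that looks like an IBAN; block credit reasoning that cites protected attributes), records one decision certificate per output with policy version, rules evaluated and fired, disposition, model identifier, input and output hashes and a timestamp, and chains the records with an HMAC-SHA256 MAC over the canonical JSON of each record plus the previous record's MAC. A verifier walks the chain and reports the first record that has been altered or whose predecessor is missing. The rules, the record layout, the key and the sample outputs are all assumptions for illustration.

```python
"""Pre-execution governance gate with an HMAC-chained decision certificate log.

Added example, not CoreGuard's code. Rules, record layout, key handling and the
constructed sample outputs are assumptions for illustration only.
"""
import hashlib
import hmac
import json
import re
import time
from dataclasses import dataclass, field

# Hypothetical policy pack: versioned, deterministic rules. A rule returns
# (disposition, text) when it fires, or None when it does not.
POLICY_VERSION = "credit-assist-policy/3.2"

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,3})?\b")


def rule_no_account_numbers(text):
    """R1: redact IBAN-like strings before the output leaves the gate (MODIFY)."""
    if IBAN_RE.search(text):
        return "MODIFY", IBAN_RE.sub("[REDACTED-IBAN]", text)
    return None


def rule_no_protected_attribute_reasoning(text):
    """R2: a credit recommendation must not cite protected characteristics (BLOCK)."""
    if re.search(r"\b(nationality|religion|ethnicity)\b", text, re.I):
        return "BLOCK", ""
    return None


RULES = [("R1", rule_no_account_numbers), ("R2", rule_no_protected_attribute_reasoning)]


@dataclass
class DecisionLog:
    key: bytes                         # HMAC key; hold it in the logging service, not the app
    records: list = field(default_factory=list)

    def _mac(self, body):
        # Canonical JSON so that the MAC does not depend on key order or whitespace
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def govern(self, model_id, output, now=None):
        """Evaluate one LLM output; return (disposition, released text, certificate)."""
        disposition, final = "ALLOW", output
        evaluated, fired = [], []
        for rule_id, fn in RULES:
            evaluated.append(rule_id)
            hit = fn(final)
            if hit:
                fired.append(rule_id)
                disposition, final = hit
                if disposition == "BLOCK":
                    break                      # nothing is released; stop evaluating
        prev = self.records[-1]["mac"] if self.records else "0" * 64
        body = {
            "seq": len(self.records),
            "ts": now if now is not None else int(time.time()),
            "model": model_id,
            "policy": POLICY_VERSION,
            "rules_evaluated": evaluated,
            "rules_fired": fired,
            "disposition": disposition,
            "input_sha256": hashlib.sha256(output.encode()).hexdigest(),
            "output_sha256": hashlib.sha256(final.encode()).hexdigest(),
            "prev_mac": prev,                  # chain link: deleting a record breaks it
        }
        record = {**body, "mac": self._mac(body)}
        self.records.append(record)
        return disposition, final, record

    def verify(self):
        """Index of the first tampered or out-of-chain record, or -1 if intact."""
        prev = "0" * 64
        for i, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "mac"}
            if record["prev_mac"] != prev or not hmac.compare_digest(self._mac(body), record["mac"]):
                return i
            prev = record["mac"]
        return -1


def demo():
    """Govern three constructed outputs, then simulate after-the-fact tampering."""
    log = DecisionLog(key=b"example-key-do-not-use")
    log.govern("vendor-a-large@2025-01-15", "Approve; pay to DE89 3704 0044 0532 0130 00.", now=1)
    log.govern("vendor-a-large@2025-01-15", "Decline; applicant's nationality is a risk factor.", now=2)
    log.govern("vendor-a-large@2025-01-15", "Approve within limit.", now=3)
    assert log.verify() == -1
    log.records[1]["disposition"] = "ALLOW"    # someone rewrites a BLOCK as an ALLOW
    return log.verify()                        # the verifier points at record 1


if __name__ == "__main__":
    print("first bad record:", demo())
```

Two caveats a reviewer will raise. An HMAC proves integrity only to holders of the key, so if the application that writes the log also holds the key, an insider in that application can rewrite and re-MAC the whole chain; keep the key in a separate logging service or HSM, or use an asymmetric signature (and periodic external anchoring of the chain head) where third parties must be able to verify the certificates without the key. And the gate must be fail-closed: if rule evaluation or certificate writing fails, the output is not released, otherwise the log silently loses exactly the cases an examiner will ask about.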

Building a DORA-Compliant AI Governance Program

Financial institutions building or updating AI governance programs to satisfy DORA should structure the work around DORA's five pillars, with AI-specific implementation steps for each:

Pillar 1 — ICT Risk Management (Articles 5–16). Extend the ICT risk management framework to explicitly cover AI systems. This means: adding AI systems to the ICT asset inventory with criticality classification; updating the risk assessment methodology with AI-specific risk categories; documenting AI risk treatment controls in the risk register; and establishing ongoing monitoring metrics for AI system behavior.

Pillar 2 — ICT-Related Incident Management (Articles 17–23). Establish AI-specific incident classification triggers and escalation procedures. The internal classification criteria should map to the seven impact criteria in the classification RTS, with quantitative thresholds for AI incidents (API downtime duration, number of customers affected by AI-influenced decisions, evidence of systematic policy violations). Classification procedures must operate within the 4-hour initial notification limit for major incidents, measured from classification and in any case no later than 24 hours after the entity becomes aware of the incident.

Pillar 3 — Digital Operational Resilience Testing (Articles 24–27). Include AI systems in the resilience testing program based on criticality classification. For critical AI systems: annual behavioral consistency testing, adversarial robustness assessment, and failover testing for LLM provider unavailability. For significant entities, include AI-specific scenarios in TLPT scope.

Pillar 4 — Third-Party ICT Risk Management (Articles 28–44). Review and remediate LLM API provider contracts against Article 30 requirements. Conduct concentration risk analysis across LLM provider dependencies. Document substitutability assessment and exit strategies for critical LLM provider dependencies. Prepare for potential ESA critical designation of major LLM providers.

Pillar 5 — Information and Intelligence Sharing (Articles 45–49). Participate in sector information-sharing arrangements for AI-specific threat intelligence. DORA Article 45 encourages financial entities to establish intelligence-sharing arrangements about ICT threats — AI-specific threats (prompt injection campaigns, model poisoning incidents) are increasingly relevant to this framework.

Implementation Priority: Start with the Audit Trail

Competent authorities reviewing DORA compliance will ask first for evidence that the ICT risk management framework actually operates, and for AI systems that evidence is the audit trail. Financial institutions that have deployed pre-execution governance with signed decision certificates can produce that evidence on demand. Those relying on application logs and periodic sampling reviews will find their evidence hard to defend under examination. The audit trail is typically the quickest element to put in place and the one most often requested in supervisory engagements, which makes it the right place to start.

DORA AI Compliance FAQ

Does DORA apply to AI and LLM systems used by EU financial institutions?
Yes. DORA (Regulation (EU) 2022/2554) applies to the ICT assets and ICT services that financial entities rely upon for their operations, and AI systems, including LLMs used in trading, credit assessment, customer service, fraud detection, and compliance monitoring, fall within the Article 3 definitions of 'ICT asset' (software or hardware assets in the entity's network and information systems) and 'ICT services' (digital and data services provided through ICT systems). LLM APIs, inference infrastructure, and the pipelines that connect them to core business processes all fall within these definitions. Supervisory guidance from the ESAs (the Q&A discussed above) treats AI-based decision tools as ICT systems that must be managed within the ICT risk management framework.
What do DORA Articles 8 and 9 require for AI system risk management?
DORA Article 8 requires financial entities to identify, classify and document all ICT-supported business functions, the information assets and ICT assets supporting them, their dependencies, and all processes that depend on ICT third-party service providers, and to assess ICT risk continuously and upon each major change. For AI systems, this means: maintaining an inventory of all AI models and inference APIs used in production workflows, classifying each by criticality based on its role in core business processes, documenting the dependencies between AI components and critical business functions, and performing risk assessments that account for AI-specific failure modes including model drift, adversarial manipulation, and third-party API availability. Article 9 then requires the protection and prevention controls, including change management, that keep those assets secure. For AI systems that influence credit, trading, or compliance decisions, the Article 8 classification typically results in a critical or important designation.
How does DORA's third-party ICT risk framework apply to LLM API providers like OpenAI, Anthropic, or Azure AI?
DORA Chapter V (Articles 28–44) establishes one of the most stringent third-party ICT risk frameworks in global financial regulation. LLM API providers — including OpenAI, Anthropic, Google, and Azure AI — are 'ICT third-party service providers' under DORA if a financial entity uses their APIs in critical or important functions. Article 30 requires written contractual arrangements that include: full service level descriptions, data location and processing location disclosures, security requirements and testing rights, audit rights or third-party certification access, exit strategy provisions, and incident notification obligations. For critical ICT providers designated by the ESAs under DORA's oversight framework, the European Supervisory Authorities can conduct direct supervisory engagements — a power that could reach major LLM providers operating in the EU.
What counts as a DORA-reportable ICT incident for AI system failures?
DORA Article 18 and the RTS on incident classification define major incidents based on materiality thresholds across seven criteria: clients, financial counterparts and transactions affected; reputational impact; duration and service downtime; geographical spread; data losses; critical services affected; and economic impact. For AI systems, reportable incidents can include: prolonged API unavailability of a critical LLM provider, discovery of systematic model bias affecting a regulated class of customers, AI-generated outputs that led to material regulatory violations, and model compromise through adversarial manipulation. Under the Article 19 reporting requirements and the time limits in the associated RTS, major incidents affecting core financial services must be reported to competent authorities in three stages: initial notification within 4 hours of classification (and no later than 24 hours after becoming aware of the incident), intermediate report within 72 hours of the initial notification, and final report within one month of the latest intermediate report.
How does CoreGuard help satisfy DORA's operational resilience requirements for AI?
CoreGuard addresses DORA's AI compliance requirements across three primary dimensions. First, it supports the Article 8 and 9 ICT risk management requirements by providing a deterministic enforcement layer that classifies every AI output against defined policy rules before it reaches business processes, creating the documented evidence of ICT risk controls that DORA requires. Second, it supports the Article 24 testing programme and Article 26 threat-led penetration testing by providing enforcement logs that demonstrate AI system behavior under adversarial and policy stress conditions. Third, CoreGuard's signed decision certificates address the logging requirements of Article 12 of the ICT risk management RTS, which support DORA Article 10 detection: every governed AI output is recorded with an HMAC-SHA256 certificate documenting the policy version, rules evaluated, disposition, and timestamp, providing the tamper-evident audit trail that competent authorities expect when reviewing an entity's ICT risk management practices.