The rapid digital transformation of the financial services sector has led to an increased reliance on Information and Communication Technologies (ICT) and AI systems, such as core banking, payment processing and fraud detection. However, as the financial services sector continues to embrace innovations to improve operations, it also introduces new data privacy risks. To tackle this, the EU has introduced the Digital Operational Resilience Act (DORA) and the EU AI Act, two critical frameworks to address the challenges of digital evolution and enhance the security of AI-driven systems.
While these are two distinct regulations, robust data governance is the backbone of compliance for both, and integrating them from the outset can be challenging. An often-missing link is a Data Protection Officer (DPO) who can help assess and restructure an organisation’s existing data risk management frameworks and guide the organisation in integrating and complying with this complex fabric of evolving regulations.
Overlapping regulations
Despite DORA and the EU AI Act intersecting in financial services, in some instances, one takes precedence (lex specialis) depending on the regulatory focus. While the EU AI Act imposes AI-specific risk compliance requirements and risk assessments, DORA governs ICT risk management, digital resilience and incident reporting.
For example, when AI is used in instances such as fraud detection and credit scoring, the EU AI Act takes precedence. However, if an AI system failure disrupts financial services, DORA’s resilience framework governs incident handling, but there may still be EU AI Act obligations that apply.
A DPO can assess which regulation takes precedence as lex specialis, to ensure that the most pertinent and rigorous standards are applied to the governance and management of high-risk AI systems. A DPO can thus help avoid regulatory confusion, embedding AI that is not only legally compliant but also operationally resilient.
ICT risk management
Though their scopes and focuses differ, both the EU AI Act and DORA place emphasis on the importance of robust ICT risk management. DORA mandates that financial entities establish and maintain comprehensive risk management systems that encompass risk identification, analysis, evaluation and mitigation, to address a broad spectrum of ICT risks and ensure operational stability.
Similarly, the EU AI Act mandates implementing robust risk management frameworks that identify, assess, and mitigate potential ICT-related vulnerabilities that could impact a user’s fundamental rights, security and safety.
This shared focus presents opportunities for harmonised implementation. A DPO can leverage and oversee existing ICT risk management structures, enhancing them to create a single, comprehensive framework. This can be done by conducting regular risk assessments such as Data Protection Impact Assessments (DPIAs) and Fundamental Rights Impact Assessments (FRIAs), as mandated under the GDPR and the EU AI Act.
Even though AI systems can operate autonomously, a DPO can also deliver employee training to key stakeholders to mitigate risks related to human error.
Third-party vendor assessments
Contracts between financial entities and technology vendors are at the forefront of third-party contracts in this sector, which directly impact both a business’s operations and privacy safeguards. DORA mandates strict oversight of ICT third-party providers, including risk assessments, contractual provisions, and continual monitoring to ensure operational resilience. Similarly, the EU AI Act regulates third-party involvement in the AI value chain, with a particular focus on general-purpose AI models.
One of many ways a DPO can support the privacy team is by regularly reviewing existing or pending third-party vendor contracts and due diligence practices. Appointing a DPO ensures that Data Processing Agreements (DPAs) between financial institutions and their third-party AI providers are kept up to date and aligned with DORA, the EU AI Act and the GDPR.
DORA and the EU AI Act are recent regulations that are continually evolving. As a global DPO, HewardMills and its data protection and privacy specialists can help you leverage your organisation’s existing frameworks to create a single, comprehensive framework that integrates these complex regulations.