
DORA for AI in the Financial Sector

How the DORA regulation governs AI Agents at financial firms: ICT risk, operational resilience and third-party management.

Definition

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is the EU regulation in force since 17 January 2025 that governs digital operational resilience in the financial sector and establishes a uniform framework for ICT risk management, resilience testing, incident reporting and ICT third-party risk. For AI in the financial sector, DORA is central because, under the BaFin guidance document of 18 December 2025, AI systems are treated as a subset of "network and information systems" within the meaning of Art. 3(2) DORA, thereby pulling the full catalogue of DORA obligations into AI governance. This article is informational and does not constitute legal advice.

Key Takeaways

  • DORA (Regulation (EU) 2022/2554) has been in force since 17 January 2025 and addresses the digital operational resilience of banks, insurers and further financial entities in the EU.
  • The BaFin guidance document of 18 December 2025 anchors AI systems as "network and information systems" under Art. 3(2) DORA, thereby pulling Art. 5-15 (ICT risk management), Art. 24-27 (resilience testing including TLPT) and Art. 28-30 (ICT third-party risk) into AI governance.
  • On 18 November 2025, the ESAs designated for the first time 19 critical ICT third-party providers (CTPPs), including AWS, Microsoft Azure, Google Cloud, Oracle, IBM, SAP, Deutsche Telekom, Equinix and Swift; they will be subject to direct EU oversight from 2026.
  • For AI Agent workloads on hyperscalers this creates a concentration risk: annually tested exit plans and de facto enforced multi-cloud strategies become mandatory (DORA Art. 28-30).
  • In the first three quarters of 2025, 525 serious ICT incidents were reported to BaFin, around 70% of them by credit institutions – an indicator of the relevance of DORA's incident reporting obligations.
  • A FINMA survey from April 2025 covering around 400 institutions found: about 50% of Swiss banks/insurers already use AI or are developing applications, and 91% of AI-using institutions deploy generative AI.
  • DORA Art. 30 prescribes a catalogue of contractual clauses (audit rights, exit clauses, sub-processor controls, SLAs with data residency, latency and capacity commitments) that frequently becomes a procurement blocker for AI startups.
  • The DACH supervisors are diverging: BaFin follows the DORA lifecycle closely, the FINMA supervisory notice 08/2024 focuses on governance principles, and the Austrian FMA has (as of May 2026) not yet published a formal sectoral AI guideline.

What is DORA – and why does it affect AI in the financial sector?

The Digital Operational Resilience Act – DORA for short, formally Regulation (EU) 2022/2554 – has been directly applicable since 17 January 2025 and creates, for the first time, an EU-wide uniform framework for the digital operational resilience of the financial sector. Its addressees are primarily CRR institutions (banks) and Solvency II insurers, alongside numerous other financial entities. DORA bundles four pillars that were previously scattered across various supervisory requirements: ICT risk management (Art. 5-15), reporting of serious ICT incidents, testing of digital operational resilience including Threat-Led Penetration Testing (TLPT, Art. 24-27), as well as the management of ICT third-party risk (Art. 28-30).

The decisive lever for AI: the BaFin guidance document on ICT risks in the use of AI in financial entities of 18 December 2025 expressly anchors AI systems as a subset of "network and information systems" within the meaning of Art. 3(2) DORA. As a result, the full catalogue of DORA obligations also applies to AI and AI Agent workloads – from data sourcing through model development and deployment to ongoing operation with drift monitoring and decommissioning. Anyone deploying an AI Agent productively in a bank or insurer is therefore building not just an AI system, but a regulated ICT system with all resilience, testing and third-party obligations.

The four DORA pillars in the context of AI Agents

ICT risk management (Art. 5-15). AI systems must be integrated into the institution-wide ICT risk management. The BaFin guidance document makes the lifecycle approach the binding standard: data sourcing → model development → deployment → ongoing operation with drift monitoring → decommissioning. Adversarial Training and the monitoring of model drift are explicitly required. The guidance document is formally non-binding, but in supervisory practice it materially reverses the burden of proof: anyone who does not follow it must, in BaFin examinations, document the equivalence of alternative measures.

Resilience testing (Art. 24-27). AI-supported systems fall under the obligation to regularly test digital operational resilience – up to Threat-Led Penetration Testing (TLPT) for significant institutions. For stochastic, LLM-based agents this is methodologically demanding, because classical testing procedures are designed for deterministic systems.

Incident reporting. Vendor-specific AI risks – hallucinated regulatory citations, hallucinated customer portfolio data, model drift in productive scoring systems – are considered material operational risks in the BFSI context and are reportable as ICT incidents. The magnitude is considerable: in the first three quarters of 2025, 525 serious ICT incidents were reported to BaFin, around 70% of them by credit institutions.

ICT third-party risk (Art. 28-30). This is the sharpest lever for AI – and the subject of the next section.

ICT third-party risk and the CTPP designation

AI in the financial sector today almost always runs on external infrastructure: hyperscaler clouds, external model and LLM providers or association data centres. This is precisely where DORA Art. 28-30 comes in. On 18 November 2025, the European Supervisory Authorities (ESAs) designated for the first time 19 critical ICT third-party providers (Critical ICT Third-Party Providers, CTPPs) – including AWS, Microsoft Azure, Google Cloud, Oracle, IBM, SAP, Deutsche Telekom, Equinix and Swift. These 19 providers will be subject to direct EU oversight from 2026; the DORA Joint Oversight Forum will conduct first comprehensive examinations over the course of 2026 and is expected to issue binding recommendations.

For banks and insurers on the deployer side, this has concrete consequences:

  • Exit plans must be tested annually – not just documented.
  • Multi-cloud strategies are de facto enforced, in order to limit concentration risks.
  • AI Agent workloads on hyperscalers remain under additional supervisory observation.

The concentration risk is particularly visible in the DACH region: nearly every bank is reliant for AI workloads either on one of the designated hyperscalers or on association solutions. In Germany, Finanz Informatik (FI) for the savings banks and Atruvia AG for the cooperative banks (Volks- und Raiffeisenbanken) deliberately operate on-premise and sovereign AI stacks (including open-source models such as Mixtral/Llama in their own data centres). The S-KIPilot from FI was rolled out in version 6 in 2025 to around 60,000 savings bank workstations. These association structures are structurally strengthened by the DORA CTPP logic, as long as the designation and BaFin guidance document remain in their current rigour.

DORA Art. 30: The catalogue of contractual clauses as a procurement filter

DORA Art. 30 prescribes binding contractual content for ICT third parties – and thereby turns vendor selection for AI into a hard compliance gate. Mandatory items include, among others, audit rights, exit clauses, sub-processor controls as well as service-level agreements with data residency, latency and compute capacity commitments. With established hyperscalers, these clauses are part of the standard text today; with young AI startups they are a frequent procurement blocker.

DORA Art. 30 does not stand alone here, but within a bundle of procurement tools that have become the de facto benchmark in DACH:

| Tool | Origin / Status | Function in AI procurement |
|---|---|---|
| DORA Art. 30 catalogue of contractual clauses | Regulation (EU) 2022/2554, applicable since 17.01.2025 | Mandatory audit rights, exit clauses, sub-processor controls, SLAs |
| BSI Test Criteria Catalogue Finance | BSI, June 2025; 6 pillars, ~100 criteria | De facto procurement benchmark; adopted by the EBA in Oct. 2025 |
| BSI AIC4 | established, voluntary | Implicit minimum expectation for external AI/LLM cloud providers |
| EBA AI Risk Management Guidelines | announced, final publication over the course of 2026 | Building on the six BSI pillars |

The BSI Test Criteria Catalogue for AI Systems in Finance (published June 2025) comprises six pillars – performance, robustness, fairness, explainability, compliance and consumer protection – with around 100 individual criteria. The EBA adopted these six pillars in October 2025 as the basis for its upcoming AI Risk Management Guidelines, which de facto makes the catalogue the procurement standard for DACH banks and insurers. In practice, AI vendors without BSI AIC4, ISO 42001, SOC 2 or ISO 27001 typically do not reach the final selection round in DACH BFSI RFPs.

DORA obligations for AI Agents in banks and insurers

Six risk areas are sector-specific for AI Agents in the financial sector and must be observed beyond DORA – they appear only at the margins in horizontal AI compliance:

  1. Model risk management. MaRisk AT 4.3.5 has, since the 2023/2024 amendments, been explicitly applicable also to AI/ML models and requires lifecycle documentation, independent validation, backtesting and periodic review. The BaFin guidance document additionally requires adversarial training documentation and model drift monitoring.
  2. Explainability in credit decisions. Section 504a BGB, Art. 22 GDPR and the future high-risk classification under AI Act Annex III compel that a responsible person can name the driving factors. End-to-end LLM credit scoring is thereby practically excluded; AI remains in triage and explanation roles.
  3. Audit trail completeness. For supervisory special examinations (BaFin special audit, FINMA on-site inspection, OeNB examination), every inference must be logged in an audit-proof manner – including prompt, context, retrieval sources, model version and output.
  4. Latency requirements. Trading compliance requires <10 ms, fraud detection <1 s. LLM agents in the hot path are rarely feasible.
  5. Data residency. In DE and AT, supervisors increasingly emphasise EU or national residency for AI training and inference data; in Switzerland, banking secrecy (Art. 47 BankG) practically requires CH data storage for customer data.
  6. Concentration risk through the CTPP designation (see above).
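As an added example (not from the article or from any supervisory authority), one way to make the per-inference log demanded in risk area 3 audit-proof: each record carries the prompt, context, retrieval sources, model version and output, and is hash-chained to its predecessor so that an edited or deleted record is detected at verification time. Field names, the record layout and the sample inputs are assumptions of this example.

```python
"""Tamper-evident audit trail for AI agent inferences (added example).

Each record holds the fields named in risk area 3 and is chained to its
predecessor via SHA-256, so editing or deleting a record breaks the chain.
Field names and record layout are this example's assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the hash of the non-existent first predecessor


def canonical(record: dict) -> bytes:
    # Stable serialization (sorted keys, no whitespace) so the same content
    # always re-hashes to the same digest during verification.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_inference(log: list, prompt: str, context: str, sources: list,
                     model_version: str, output: str, ts: str = None) -> dict:
    """Append one inference record, chained to the previous record's hash."""
    record = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "prompt": prompt,
        "context": context,
        "retrieval_sources": sources,  # ids of documents fed to the model
        "model_version": model_version,
        "output": output,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    log.append(record)
    return record


def verify_chain(log: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of first broken record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}  # hash covers the rest
        if rec["prev_hash"] != prev or \
                hashlib.sha256(canonical(body)).hexdigest() != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, -1
```

Shipping the latest record hash to a separate system (e.g. a write-once store or the SIEM) at fixed intervals lets an examiner detect truncation of the whole tail of the log, which the chain alone cannot reveal.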

As a consequence, in 2026 fully autonomous credit decisions and fully autonomous multi-agent trading workflows are not in productive operation. Standard, by contrast, are Tier 1 customer-service agents, fraud detection, AML/KYC triage and regulatory reporting – throughout with human-in-the-loop wherever decisions produce legal effect.

DACH relevance: Three tracks instead of one line

DORA shapes Germany and Austria directly as part of the EU acquis; Switzerland adopts it sectorally and autonomously. This leads to a three-track compliance that institutions operating across DACH must observe:

| Country | Authoritative source (as of May 2026) | Character |
|---|---|---|
| Germany | BaFin guidance document of 18.12.2025 | Closely oriented to the DORA lifecycle; anchors AI as an ICT system under Art. 3(2) DORA |
| Switzerland | FINMA supervisory notice 08/2024 of 18.12.2024 | Governance principles and four risk classes; technology- and principles-based, no comprehensive AI-specific legislation |
| Austria | no formal sectoral AI guideline | FMA/OeNB announced in their 2026 supervisory priorities that they will "develop and communicate" their approach; institutions de facto align with BaFin/EBA |

A FINMA survey from April 2025 covering around 400 institutions shows the adoption level: about 50% of Swiss banks and insurers already use AI or are developing applications, a further 25% plan to deploy within three years; on average around 5 applications are productive and around 9 in development. 91% of AI-using institutions deploy generative AI. The FINMA supervisory notice preceded the BaFin guidance document by exactly twelve months, but is not fully congruent with it – FINMA requires, for instance, central AI inventories with risk classification and fallback solutions.

The Austrian regulatory gap is ambivalent: it creates leeway, but increases uncertainty during on-site inspections, because expectations are not codified ex ante. A central AI service point was established in 2024 at RTR-GmbH – for advice, not for sectoral supervision.

Outlook and practical note

The regulatory goalposts are moving: things to watch include further versions of the BaFin guidance document and its interpretation in special examinations, possible concretisations by FINMA beyond AM 08/2024, an expected formal AI guideline from the FMA Austria, as well as the final publication of the EBA AI Risk Management Guidelines over the course of 2026 (based on the six BSI pillars). It is also open whether the first CTPP recommendations expected from 2026 will actually move DACH institutions towards genuine multi-cloud or whether it will remain with symbolic exit plans.

For practice, the following applies: anyone deploying AI productively in the financial sector in 2026 should treat the BaFin guidance document as an internal norm (even where the FMA does not yet have its own guideline), operationalise the DORA incident reporting channel and TLPT, use the BSI Test Criteria Catalogue Finance as a vendor filter and think of AI from the outset as an ICT system with full lifecycle management. The compliance share in regulated DACH industries typically accounts for 30-50% of the implementation effort – this is both a risk and a competitive advantage.

Informational, not legal advice. Status of the underlying sources: May 2026; provisional deadlines and announced guidelines are to be regarded as movable.
