DORA Obligations for AI Providers Supplying Financial Institutions
DORA obligations for AI providers are the regulatory requirements arising from EU Regulation 2022/2554, which cascade contractually onto AI suppliers via financial institutions. Anyone supplying banks, insurers or payment service providers with AI systems qualifies as an ICT third-party provider and must meet audit rights, incident-reporting contributions, exit clauses and sub-outsourcing controls.
Key Takeaways
- ✓DORA (Regulation (EU) 2022/2554, applicable since 17 January 2025) does not obligate AI providers directly but cascades onto them contractually via the commissioning financial institutions.
- ✓Following the BaFin guidance of 18 December 2025, AI systems qualify as network and information systems under Art. 3 No. 2 DORA, triggering the full body of obligations (Art. 5-15, 24-27, 28-30).
- ✓The central lever is the DORA Art. 30 contractual clause canon: audit/access rights, exit clauses, sub-processor controls, SLAs with data residency, latency and computing capacity commitments.
- ✓AI providers must contribute to incident reporting; BaFin alone was notified of 525 serious ICT incidents in the first three quarters of 2025, around 70 per cent from credit institutions.
- ✓On 18 November 2025, the ESAs designated 19 Critical ICT Third-Party Providers (including AWS, Microsoft Azure, Google Cloud, IBM, SAP), which will be subject to direct EU oversight from 2026.
- ✓Without contract-ready DORA clauses, AI startups regularly fail in DACH BFSI tenders; with hyperscalers, the clause canon is already standard text.
DORA obligations for AI providers are the regulatory requirements arising from EU Regulation 2022/2554 (Digital Operational Resilience Act), which cascade contractually onto AI suppliers via the commissioning financial institutions. Anyone supplying banks, insurers or payment service providers with AI systems qualifies as an ICT third-party provider and must meet mandatory contractual content, audit and access rights, contributions to incident reporting as well as exit and sub-outsourcing rules. DORA has been applicable since 17 January 2025.
- Not directly, but cascading fully: DORA does not regulate AI providers directly but compels the financial institutions to pass on all requirements contractually.
- AI is ICT: Since the BaFin guidance of 18 December 2025, AI systems qualify as network and information systems under Art. 3 No. 2 DORA, triggering the full body of obligations.
- The lever is the contract: Without DORA-compliant clauses (Art. 30), AI providers typically do not reach the final selection round in DACH BFSI tenders.
Why DORA cascades onto AI providers
DORA formally addresses the supervised financial institutions, primarily CRR institutions and Solvency II insurers. AI providers are not regulated directly but are captured as ICT third-party providers. The mechanism is indirect but effective: the financial institutions are obliged to pass on the DORA requirements contractually to their suppliers. So anyone who sells a fraud-detection algorithm, a RAG-based employee assistant or an underwriting model to a regulated institution inherits the obligations via the contractual framework.
The decisive interpretative step for AI comes from Germany: the BaFin guidance on ICT risks in the use of AI in financial institutions of 18 December 2025 explicitly anchors AI systems as a subset of network and information systems pursuant to Art. 3 No. 2 DORA. It is formally non-binding, yet in supervisory practice it materially reverses the burden of proof: anyone who does not follow it must document the equivalence of alternative measures during BaFin audits. BaFin thereby draws the full body of DORA obligations into AI governance:
- Art. 5-15 – ICT risk management
- Art. 24-27 – resilience testing, including Threat-Led Penetration Testing (TLPT)
- Art. 28-30 – management of ICT third-party risk
In Switzerland, FINMA Supervisory Notice 08/2024 of 18 December 2024 assumes a functionally comparable role but is not fully congruent with the BaFin line. In Austria, according to the underlying research (May 2026), there is no formal sectoral AI guideline from the FMA; in practice, Austrian institutions lean on BaFin and the EBA.
The five bundles of obligations in detail
For AI providers, DORA crystallises above all in the third-party regime (Art. 28-30) and in the contractual clause canon of Art. 30. The following table translates the central requirements into their significance for AI suppliers.
Requirement (DORA reference) | Significance for AI providers |
|---|---|
Mandatory contractual content (Art. 30 clause canon) | Standardised mandatory clauses must be negotiable and signable: service description, data residency, latency and computing capacity commitments. With hyperscalers standard text, with AI startups a frequent procurement blocker. |
Audit and access rights (Art. 30) | Financial institutions and supervisors (BaFin special audit, FINMA on-site inspection, OeNB on-site audit) receive audit and access rights. AI providers must deliver audit-proof audit trails: per inference prompt, context, retrieval sources, model version and output. |
Contributions to incident reporting | AI incidents (hallucinated regulatory citations, hallucinated portfolio data, model drift) count as material operational risks. Providers must support in such a way that the client can meet its DORA incident-reporting obligation on time. |
Exit strategies (Art. 28) | An orderly exit without business interruption must be contractually safeguarded. Financial institutions test exit plans annually; data export, handover formats and reversibility must be provided. |
Sub-outsourcing controls (Art. 30) | The use of sub-processors (e.g. downstream model, inference or hosting services) is subject to control, information and in part approval rights. The supply chain must remain transparent and controllable. |
Mandatory contractual content and audit rights
The Art. 30 contractual clause canon is the practical core. It requires mandatory audit rights, exit clauses, sub-processor controls as well as service-level agreements with data residency, latency and computing capacity commitments. For AI providers this specifically means: the architecture must be built from the outset so that every inference can be logged in an audit-proof manner. In supervisory special audits, the supervisor expects that an internally responsible person can not only reproduce the AI output but also name the driving factors. This practically rules out pure black-box models in decision-critical roles.
Incident reporting
AI-specific error patterns are treated as operational risks in the BFSI context and may be subject to reporting requirements. The order of magnitude illustrates the relevance: BaFin alone was notified of a total of 525 serious ICT incidents in the first three quarters of 2025, around 70 per cent of them from credit institutions. AI providers are rarely subject to reporting requirements themselves but must ensure contractually and technically that the financial institution receives the necessary information in time.
Exit strategies and sub-outsourcing
Exit plans are to be tested annually; in combination with the CTPP designation, multi-cloud strategies are effectively enforced. For AI providers this means demonstrating data portability, documented handover processes and reversibility. With sub-outsourcing, the entire chain must be disclosed and controllable – particularly relevant when an AI provider itself sources foundation-model inference, vector databases or GPU capacity from third parties.
Concentration risk and the 19 CTPPs
On 18 November 2025, the ESAs (EBA, EIOPA, ESMA) designated 19 Critical ICT Third-Party Providers (CTPPs) for the first time – including AWS, Microsoft Azure, Google Cloud, Oracle, IBM, SAP, Deutsche Telekom, Equinix and Swift. These 19 providers will be subject to direct EU oversight from 2026; the DORA Joint Oversight Forum will conduct its first comprehensive examinations over the course of 2026 and is expected to issue binding recommendations. For AI providers whose workloads run on one of these hyperscalers, this means additional scrutiny and a heightened concentration risk on the client side. In October 2025, the EBA also adopted the six pillars of the BSI Test Criteria Catalogue (performance, robustness, fairness, explainability, compliance, consumer protection) as the basis for its forthcoming AI Risk Management Guidelines – a de facto procurement benchmark for DACH banks and insurers.
Important for context: the EBA Outsourcing Guidelines (EBA/GL/2019/02) and the ESMA Outsourcing Guidelines (ESMA50-164-4285) continue to apply but were substantially modified by DORA Art. 28-30. DORA is thus not the only, but the decisive, third-party regime.
Practical example: AI knowledge agent in the RFP of a mid-sized bank
An AI provider offers a mid-sized DACH institution (total assets in the low double-digit billions) a RAG-based employee assistant for internal research. In the procurement process it is not the model that fails, but the contract. Typical blockers and their resolution:
```text
RFP gate (DORA-driven) Status startup Required (Art. 30 / 28)
-------------------------------- --------------- ----------------------------
Audit/access rights for BaFin missing contractually commit
Audit-proof inference log partial prompt + source + model version
Exit clause + data export missing annually testable, reversible
Sub-processor transparency unclear disclose chain + control right
Data residency (EU / sovereign) hyperscaler US EU/sovereign cloud option
AIC4 / ISO 42001 / 27001 / SOC 2 only ISO 27001 submit attestations
```
Only after the provider contractually commits to EU data residency, full inference logging and an orderly exit process does it reach the final round. AI vendors without BSI AIC4, ISO 42001, SOC 2 or ISO 27001 typically do not reach the final selection in DACH BFSI tenders in 2026. Preference is given to sovereign clouds (such as STACKIT, Open Telekom Cloud, IONOS Sovereign Cloud in DE; Swisscom, Exoscale, Infomaniak in CH) or on-premise consortium solutions.
Note: This article serves as professional orientation and does not constitute legal advice. The specific DORA obligation situation, article references and deadlines must be assessed on a case-by-case basis with qualified legal and compliance functions; the regulatory sources are in flux in 2025/2026.
For agencies and B2B providers
Anyone developing AI products or content for the financial sector should treat DORA compliance not as a legal afterthought but as an architectural and go-to-market prerequisite from the outset. In regulated DACH industries, the compliance layer typically accounts for 30 to 50 per cent of the implementation effort – higher than in horizontal industries. For marketing and tech agencies this is a twofold signal: first, content that explains DORA requirements for AI providers precisely and robustly is sought by decision-makers in banks and insurers. Second, demonstrable audit capability, data residency and a testable exit path are what decide between acceptance and rejection in the RFP. Blck Alpaca helps you set up and communicate AI initiatives for regulated clients in such a way that they pass the procurement gates of the financial sector.
FAQ
Does DORA apply directly to AI providers?
Why do AI systems fall under DORA at all?
What contractual content does DORA Art. 30 specifically require?
What does the CTPP designation mean for AI providers?
Must AI providers contribute to incident reporting?
Want to go deeper?
Get new analyses straight to your inbox – or see how we put this knowledge to work for companies.