Integrated.SocialIntegrated.Social

The DORA AI Compliance Checklist: What Every Financial Services Board Needs to Do Before the ECB Comes Knocking

DORA has been in force since January 2025. Most financial institutions have addressed the obvious pillars. The one most boards have not properly stress-tested is the AI vendor layer. OpenAI, Anthropic, AWS, and Google Cloud are now classified as ICT third-party service providers. The Mythos-class attack scenarios that Article 26 TLPT must now cover did not exist two years ago. Here is the six-pillar checklist your risk committee needs.

Modi Elnadi10 min read
The DORA AI Compliance Checklist: What Every Financial Services Board Needs to Do Before the ECB Comes Knocking
Key Numbers
22,000

EU financial entities in DORA scope

EIOPA

19

AI cloud providers designated as Critical ICT Third-Party Providers

ESAs, Nov 2025

3 yrs

Maximum TLPT cycle for Significant Institutions under Article 26

DORA Article 26

73%

CTF challenge solve rate for Claude Mythos Preview — the new TLPT threat baseline

AISI UK

DORA Is in Force. Your AI Vendor Layer Is the Gap Nobody Wants to Admit

The Digital Operational Resilience Act has been in application since 17 January 2025. Most financial institutions have addressed the obvious pillars: they have updated their incident reporting procedures, reviewed their cloud contracts, and assigned someone to own the ICT risk management framework. What most boards have not properly stress-tested is the AI vendor layer.

OpenAI, Anthropic, Microsoft Azure AI, AWS Bedrock, and Google Cloud AI are not a special category under DORA. They are ICT third-party service providers, subject to the full weight of Articles 28 through 30. The European Supervisory Authorities made this explicit when they published the first official list of 19 designated Critical ICT Third-Party Providers in November 2025 — a list that includes AWS, Microsoft, Google Cloud, Deutsche Telekom, Oracle, and SAP. If your institution uses any of these providers to run AI workloads that support critical or important functions, your Articles 28-30 obligations apply in full, regardless of whether you have formally acknowledged them.

This is not a theoretical concern. EBA supervisory assessments in 2025-2026 show that DORA Pillar 4 — third-party risk management — has the highest rate of compliance gaps of any pillar. The AI vendor layer is the newest and least-mapped component of that gap. This checklist is designed to close it.

Why the Mythos Precedent Changes Your TLPT Baseline

The companion article to this piece covered the Claude Mythos Preview evaluation in detail. The headline finding from the UK AI Safety Institute: Claude Mythos achieved a 73% solve rate on professional-grade CTF cybersecurity challenges, and Anthropic's own threat intelligence report documented an 80-90% automation rate for a nation-state espionage campaign using Claude. These are not edge cases. They represent the new baseline for what a well-resourced threat actor can do with commercially available AI.

DORA Article 26 requires Threat-Led Penetration Testing to be intelligence-led — scenarios must mimic the tactics, techniques, and procedures of real actors who pose a genuine threat to the institution's critical functions. The ECB's TIBER-EU SSM Implementation Guide, published in November 2025, is explicit: Significant Institutions will be tested on live production systems by qualified external teams, based on real threat intelligence. If your TLPT scenarios were designed before AI-assisted attack automation became a documented threat actor capability, they are not meeting the standard the ECB will apply.

This is the regulatory context in which the following checklist should be read. It is not a theoretical compliance exercise. It is the minimum defensible position for a financial institution that will face ECB, PRA, BaFin, or FCA scrutiny in the next 12 to 36 months.

The Six-Pillar DORA AI Compliance Checklist

Pillar 1: AI Vendor Classification and Inventory (Articles 6 and 8)

The first obligation is the most foundational and the most commonly incomplete. Article 8 requires financial entities to identify, classify, and accurately record ICT business operations, information assets, roles, and dependencies. For AI vendors, this means mapping every AI tool in use — generative AI APIs, inference services, AI-enabled SaaS platforms, and embedded AI features in existing software — against DORA's ICT third-party service provider definition.

The practical questions your compliance team must be able to answer are: Which AI vendors support critical or important functions? What is the concentration risk if a single AI provider experiences an outage or a security incident? Does any vendor appear on the ESA CTPP list published in November 2025? Has the institution documented its AI vendor inventory at the entity, sub-consolidated, and consolidated levels as Article 28(3) requires? If any of these questions cannot be answered with documentary evidence, the inventory is incomplete.

Pillar 2: Contract Compliance (Article 30)

Article 30 specifies mandatory contract clauses that must be present in every ICT third-party arrangement. For AI vendors, this means reviewing every contract — including API terms of service, enterprise agreements, and SaaS subscriptions — for the following: service descriptions and SLAs that cover AI-specific failure modes such as model drift, hallucination rates, and inference outages; the financial entity's audit rights; the regulator's audit rights; data security standards; business continuity obligations; and termination rights.

The most common gap is the absence of regulator audit rights. Standard commercial AI vendor agreements are written for enterprise software procurement, not financial services regulation. The regulator's right to audit an AI vendor is not a standard clause in an OpenAI or Anthropic enterprise agreement. It must be negotiated. DORA's text contains no grace period for legacy contracts: arrangements in place before 17 January 2025 must be renegotiated to include these clauses. This is not optional and it is not deferred.

Pillar 3: AI-Specific Threat Detection (Articles 9 and 10)

Article 10 requires financial entities to implement tools to swiftly identify suspicious activity, conduct frequent testing, and allocate adequate resources to track user behaviour and ICT anomalies. The challenge for AI vendor relationships is that the anomaly signatures are different from those of traditional ICT services.

An AI-assisted attack may not look like a conventional intrusion. Prompt injection attacks, model manipulation, automated phishing campaigns generated at scale, and AI-assisted reconnaissance of legacy system vulnerabilities all produce different telemetry patterns than the attack vectors that most financial institution detection systems were calibrated for. Updating detection systems to include AI-assisted attack vectors is not a future-state aspiration under DORA — it is a current Article 10 obligation. The Mythos evaluation documented that AI-assisted attacks can automate the reconnaissance and exploitation phases of an attack at a speed and scale that makes traditional signature-based detection insufficient.

Pillar 4: Incident Response for AI Breaches (Articles 11, 13, 17, and 19)

Articles 11 and 17 require comprehensive ICT business continuity policies, response plans, and incident management processes. Article 13 requires post-incident learning and crisis communication. Article 19 requires mandatory reporting of major ICT incidents to regulators. For AI-assisted breaches, each of these obligations has a specific implication that most existing incident response playbooks do not address.

The practical gaps are: incident classification criteria that do not include AI-assisted attack scenarios; response playbooks that assume a human attacker operating at human speed rather than an AI agent operating at machine speed; post-incident analysis processes that do not specifically examine how AI capabilities were exploited; and reporting chains that have not been updated to include AI-related incidents as a named category. Article 13's learning obligation is particularly important here — the ECB will expect to see evidence that institutions are updating their threat models based on documented AI attack capabilities, not just responding to incidents after the fact.

Pillar 5: TLPT Red-Teaming for AI Attack Vectors (Article 26)

Article 26 mandates Threat-Led Penetration Testing for Significant Institutions at least every three years, covering all critical or important functions on live production systems. The ECB's TIBER-EU SSM Implementation Guide published in November 2025 clarifies the standard: tests must be intelligence-led, scenarios must reflect real threat actor capabilities, and institutions must produce evidence that they are learning and improving from each test cycle — not just completing a periodic compliance exercise.

For institutions that have already completed a TLPT cycle, the question is whether the scenarios used reflected the current AI-assisted threat landscape. A TLPT conducted in 2023 or 2024 that did not include AI-assisted attack automation scenarios is not a defensible baseline for 2026 ECB scrutiny. The scope of TLPT must also include AI vendor dependencies — if a critical function relies on a cloud AI API, that dependency is in scope for the test. Institutions that treat TLPT as an isolated three-year exam rather than a continuous resilience programme are accumulating regulatory exposure between cycles.

Pillar 6: Board and Governance (Articles 5 and 6)

Article 5 places the management body at the centre of ICT risk governance. The management body must formally approve the ICT risk management framework, take direct responsibility for ICT risk, and ensure that adequate resources and capabilities are in place. Article 6 requires the framework to be recorded, periodically reviewed, and internally audited by personnel with the necessary expertise.

For AI risk specifically, this means the board cannot delegate the question to IT middle management. The fiduciary exposure from an AI-assisted breach — particularly one that a regulator determines could have been anticipated and mitigated — sits at director level. The practical governance requirements are: formal board sign-off on the AI vendor due diligence process; AI risk as a standing agenda item on the risk committee; documented board-level awareness of AI-assisted threat scenarios including Mythos-class capabilities; and evidence that the management body has reviewed and approved the institution's TLPT programme and its AI-specific scope.

The EU AI Act Layer: A Second Compliance Clock Running Simultaneously

DORA is not the only regulatory framework that applies to AI vendor relationships in financial services. The EU AI Act (Regulation EU 2024/1689) adds a second layer that runs simultaneously. A single AI vendor relationship can trigger obligations under both frameworks at the same time, and a vendor can satisfy one and fail the other.

DORA governs operational resilience, concentration risk, and contractual adequacy. The EU AI Act governs algorithmic transparency, fairness, human oversight, and conformity assessment for high-risk AI systems. Financial institutions that use AI for credit risk decisioning, insurance underwriting, or employment-related decisions are deployers of high-risk AI systems under the EU AI Act's Annex III classification. As a deployer, the institution must ensure appropriate human oversight, monitor the AI system for risks, report serious incidents to national competent authorities, and maintain documentation sufficient to demonstrate compliance.

The EU AI Act's Annex III high-risk obligations were originally scheduled for August 2, 2026. The Digital Omnibus on AI, agreed politically on May 7, 2026, would extend this deadline to December 2, 2027 — but as of this writing, the Omnibus has not been formally adopted or published in the Official Journal of the European Union. Until formal adoption occurs, the August 2, 2026 deadline remains operative. Institutions should continue compliance preparations in line with the existing deadline, as DLA Piper's April 2026 guidance confirmed.

What the Risk Committee Agenda Should Look Like Now

The question that regulators will ask — and that no board wants to answer unprepared — is not "do you have an AI policy?" It is "can you demonstrate, with documentary evidence, that you have assessed your AI vendors against Articles 28-30, that your TLPT scenarios reflect current AI-assisted threat actor capabilities, that your incident response playbooks cover AI-assisted breach scenarios, and that your management body has formally approved and reviewed all of the above?"

The institutions that will navigate the next wave of regulatory scrutiny without incident are the ones that treat AI risk governance as a board-level fiduciary obligation now, before they are required to explain a gap to the ECB, PRA, or BaFin. The checklist above is the minimum. The institutions that move beyond compliance to genuine operational resilience — continuous TLPT cycles, real-time AI vendor monitoring, board-level AI risk literacy — are the ones that will not be in the news for the wrong reasons.

Finance is the opening act. Every sector with networked infrastructure and legacy code faces this wave next. The question is whether your board is asking the right questions before the regulator does.

About the Author

Modi Elnadi is Founder and Director of Marketing and AI Growth at Integrated.Social, a London-based B2B AI growth marketing agency. Modi works at the intersection of agentic AI strategy, regulatory risk communication, and B2B demand generation for financial services, technology, and professional services clients. He has built AI governance communication frameworks for commercial and compliance stakeholders, translating complex regulatory obligations — including DORA, the EU AI Act, and the UK's AI Cyber Code of Practice — into commercially actionable board-level intelligence. His work spans agentic AI deployment strategy, AI search optimisation, and the pipeline measurement systems that make AI marketing programmes commercially accountable. He writes regularly on AI risk governance, B2B GTM strategy, and the regulatory frameworks shaping enterprise AI adoption in 2026.

DORA Is in Force. Your AI Vendor Layer Is the Gap Nobody Wants to Admit

The Digital Operational Resilience Act has been in application since 17 January 2025. Most financial institutions have addressed the obvious pillars: they have updated their incident reporting procedures, reviewed their cloud contracts, and assigned someone to own the ICT risk management framework. What most boards have not properly stress-tested is the AI vendor layer.

OpenAI, Anthropic, Microsoft Azure AI, AWS Bedrock, and Google Cloud AI are not a special category under DORA. They are ICT third-party service providers, subject to the full weight of Articles 28 through 30. The European Supervisory Authorities made this explicit when they published the first official list of 19 designated Critical ICT Third-Party Providers in November 2025 — a list that includes AWS, Microsoft, Google Cloud, Deutsche Telekom, Oracle, and SAP. If your institution uses any of these providers to run AI workloads that support critical or important functions, your Articles 28-30 obligations apply in full, regardless of whether you have formally acknowledged them.

This is not a theoretical concern. EBA supervisory assessments in 2025-2026 show that DORA Pillar 4 — third-party risk management — has the highest rate of compliance gaps of any pillar. The AI vendor layer is the newest and least-mapped component of that gap. This checklist is designed to close it.

Why the Mythos Precedent Changes Your TLPT Baseline

The companion article to this piece covered the Claude Mythos Preview evaluation in detail. The headline finding from the UK AI Safety Institute: Claude Mythos achieved a 73% solve rate on professional-grade CTF cybersecurity challenges, and Anthropic's own threat intelligence report documented an 80-90% automation rate for a nation-state espionage campaign using Claude. These are not edge cases. They represent the new baseline for what a well-resourced threat actor can do with commercially available AI.

DORA Article 26 requires Threat-Led Penetration Testing to be intelligence-led — scenarios must mimic the tactics, techniques, and procedures of real actors who pose a genuine threat to the institution's critical functions. The ECB's TIBER-EU SSM Implementation Guide, published in November 2025, is explicit: Significant Institutions will be tested on live production systems by qualified external teams, based on real threat intelligence. If your TLPT scenarios were designed before AI-assisted attack automation became a documented threat actor capability, they are not meeting the standard the ECB will apply.

This is the regulatory context in which the following checklist should be read. It is not a theoretical compliance exercise. It is the minimum defensible position for a financial institution that will face ECB, PRA, BaFin, or FCA scrutiny in the next 12 to 36 months.

The Six-Pillar DORA AI Compliance Checklist

Pillar 1: AI Vendor Classification and Inventory (Articles 6 and 8)

The first obligation is the most foundational and the most commonly incomplete. Article 8 requires financial entities to identify, classify, and accurately record ICT business operations, information assets, roles, and dependencies. For AI vendors, this means mapping every AI tool in use — generative AI APIs, inference services, AI-enabled SaaS platforms, and embedded AI features in existing software — against DORA's ICT third-party service provider definition.

The practical questions your compliance team must be able to answer are: Which AI vendors support critical or important functions? What is the concentration risk if a single AI provider experiences an outage or a security incident? Does any vendor appear on the ESA CTPP list published in November 2025? Has the institution documented its AI vendor inventory at the entity, sub-consolidated, and consolidated levels as Article 28(3) requires? If any of these questions cannot be answered with documentary evidence, the inventory is incomplete.

Pillar 2: Contract Compliance (Article 30)

Article 30 specifies mandatory contract clauses that must be present in every ICT third-party arrangement. For AI vendors, this means reviewing every contract — including API terms of service, enterprise agreements, and SaaS subscriptions — for the following: service descriptions and SLAs that cover AI-specific failure modes such as model drift, hallucination rates, and inference outages; the financial entity's audit rights; the regulator's audit rights; data security standards; business continuity obligations; and termination rights.

The most common gap is the absence of regulator audit rights. Standard commercial AI vendor agreements are written for enterprise software procurement, not financial services regulation. The regulator's right to audit an AI vendor is not a standard clause in an OpenAI or Anthropic enterprise agreement. It must be negotiated. DORA's text contains no grace period for legacy contracts: arrangements in place before 17 January 2025 must be renegotiated to include these clauses. This is not optional and it is not deferred.

Pillar 3: AI-Specific Threat Detection (Articles 9 and 10)

Article 10 requires financial entities to implement tools to swiftly identify suspicious activity, conduct frequent testing, and allocate adequate resources to track user behaviour and ICT anomalies. The challenge for AI vendor relationships is that the anomaly signatures are different from those of traditional ICT services.

An AI-assisted attack may not look like a conventional intrusion. Prompt injection attacks, model manipulation, automated phishing campaigns generated at scale, and AI-assisted reconnaissance of legacy system vulnerabilities all produce different telemetry patterns than the attack vectors that most financial institution detection systems were calibrated for. Updating detection systems to include AI-assisted attack vectors is not a future-state aspiration under DORA — it is a current Article 10 obligation. The Mythos evaluation documented that AI-assisted attacks can automate the reconnaissance and exploitation phases of an attack at a speed and scale that makes traditional signature-based detection insufficient.

Pillar 4: Incident Response for AI Breaches (Articles 11, 13, 17, and 19)

Articles 11 and 17 require comprehensive ICT business continuity policies, response plans, and incident management processes. Article 13 requires post-incident learning and crisis communication. Article 19 requires mandatory reporting of major ICT incidents to regulators. For AI-assisted breaches, each of these obligations has a specific implication that most existing incident response playbooks do not address.

The practical gaps are: incident classification criteria that do not include AI-assisted attack scenarios; response playbooks that assume a human attacker operating at human speed rather than an AI agent operating at machine speed; post-incident analysis processes that do not specifically examine how AI capabilities were exploited; and reporting chains that have not been updated to include AI-related incidents as a named category. Article 13's learning obligation is particularly important here — the ECB will expect to see evidence that institutions are updating their threat models based on documented AI attack capabilities, not just responding to incidents after the fact.

Pillar 5: TLPT Red-Teaming for AI Attack Vectors (Article 26)

Article 26 mandates Threat-Led Penetration Testing for Significant Institutions at least every three years, covering all critical or important functions on live production systems. The ECB's TIBER-EU SSM Implementation Guide published in November 2025 clarifies the standard: tests must be intelligence-led, scenarios must reflect real threat actor capabilities, and institutions must produce evidence that they are learning and improving from each test cycle — not just completing a periodic compliance exercise.

For institutions that have already completed a TLPT cycle, the question is whether the scenarios used reflected the current AI-assisted threat landscape. A TLPT conducted in 2023 or 2024 that did not include AI-assisted attack automation scenarios is not a defensible baseline for 2026 ECB scrutiny. The scope of TLPT must also include AI vendor dependencies — if a critical function relies on a cloud AI API, that dependency is in scope for the test. Institutions that treat TLPT as an isolated three-year exam rather than a continuous resilience programme are accumulating regulatory exposure between cycles.

Pillar 6: Board and Governance (Articles 5 and 6)

Article 5 places the management body at the centre of ICT risk governance. The management body must formally approve the ICT risk management framework, take direct responsibility for ICT risk, and ensure that adequate resources and capabilities are in place. Article 6 requires the framework to be recorded, periodically reviewed, and internally audited by personnel with the necessary expertise.

For AI risk specifically, this means the board cannot delegate the question to IT middle management. The fiduciary exposure from an AI-assisted breach — particularly one that a regulator determines could have been anticipated and mitigated — sits at director level. The practical governance requirements are: formal board sign-off on the AI vendor due diligence process; AI risk as a standing agenda item on the risk committee; documented board-level awareness of AI-assisted threat scenarios including Mythos-class capabilities; and evidence that the management body has reviewed and approved the institution's TLPT programme and its AI-specific scope.

The EU AI Act Layer: A Second Compliance Clock Running Simultaneously

DORA is not the only regulatory framework that applies to AI vendor relationships in financial services. The EU AI Act (Regulation EU 2024/1689) adds a second layer that runs simultaneously. A single AI vendor relationship can trigger obligations under both frameworks at the same time, and a vendor can satisfy one and fail the other.

DORA governs operational resilience, concentration risk, and contractual adequacy. The EU AI Act governs algorithmic transparency, fairness, human oversight, and conformity assessment for high-risk AI systems. Financial institutions that use AI for credit risk decisioning, insurance underwriting, or employment-related decisions are deployers of high-risk AI systems under the EU AI Act's Annex III classification. As a deployer, the institution must ensure appropriate human oversight, monitor the AI system for risks, report serious incidents to national competent authorities, and maintain documentation sufficient to demonstrate compliance.

The EU AI Act's Annex III high-risk obligations were originally scheduled for August 2, 2026. The Digital Omnibus on AI, agreed politically on May 7, 2026, would extend this deadline to December 2, 2027 — but as of this writing, the Omnibus has not been formally adopted or published in the Official Journal of the European Union. Until formal adoption occurs, the August 2, 2026 deadline remains operative. Institutions should continue compliance preparations in line with the existing deadline, as DLA Piper's April 2026 guidance confirmed.

What the Risk Committee Agenda Should Look Like Now

The question that regulators will ask — and that no board wants to answer unprepared — is not "do you have an AI policy?" It is "can you demonstrate, with documentary evidence, that you have assessed your AI vendors against Articles 28-30, that your TLPT scenarios reflect current AI-assisted threat actor capabilities, that your incident response playbooks cover AI-assisted breach scenarios, and that your management body has formally approved and reviewed all of the above?"

The institutions that will navigate the next wave of regulatory scrutiny without incident are the ones that treat AI risk governance as a board-level fiduciary obligation now, before they are required to explain a gap to the ECB, PRA, or BaFin. The checklist above is the minimum. The institutions that move beyond compliance to genuine operational resilience — continuous TLPT cycles, real-time AI vendor monitoring, board-level AI risk literacy — are the ones that will not be in the news for the wrong reasons.

Finance is the opening act. Every sector with networked infrastructure and legacy code faces this wave next. The question is whether your board is asking the right questions before the regulator does.

About the Author

Modi Elnadi is Founder and Director of Marketing and AI Growth at Integrated.Social, a London-based B2B AI growth marketing agency. Modi works at the intersection of agentic AI strategy, regulatory risk communication, and B2B demand generation for financial services, technology, and professional services clients. He has built AI governance communication frameworks for commercial and compliance stakeholders, translating complex regulatory obligations — including DORA, the EU AI Act, and the UK's AI Cyber Code of Practice — into commercially actionable board-level intelligence. His work spans agentic AI deployment strategy, AI search optimisation, and the pipeline measurement systems that make AI marketing programmes commercially accountable. He writes regularly on AI risk governance, B2B GTM strategy, and the regulatory frameworks shaping enterprise AI adoption in 2026.

Part of: Gemini Enterprise Agentic AI for Marketing & Sales & AI Governance, Safety & Regulatory Compliance for B2B

This article is part of our Gemini Enterprise Agentic AI marketing topic cluster. Explore related guides:

View all Gemini Enterprise Agentic AI for Marketing & Sales content →

Frequently Asked Questions

What is DORA and when did it come into force?

The Digital Operational Resilience Act (Regulation EU 2022/2554) is an EU regulation that creates a binding ICT risk management framework for approximately 22,000 financial entities. It entered into application on 17 January 2025. It applies to banks, insurance companies, investment firms, payment institutions, and their ICT third-party service providers, regardless of where those providers are headquartered.

Are AI vendors like OpenAI and Anthropic covered by DORA?

Yes. Under DORA, AI vendors including OpenAI, Anthropic, Microsoft, AWS, Google Cloud, and Mistral are classified as ICT third-party service providers. AI inference is treated as an ICT service. Financial entities that purchase AI services carry the full Articles 28-30 obligations, including pre-contract due diligence, mandatory contract clauses, and documented exit strategies.

What are the Article 30 mandatory contract clauses for AI vendors?

Article 30 requires contracts with ICT third-party service providers to include: service descriptions and SLAs, the financial entity's audit rights, the regulator's audit rights, data security standards, business continuity obligations, and termination rights. There is no grace period for legacy contracts predating January 17, 2025 — they must be renegotiated to include these clauses.

What is TLPT and which institutions must conduct it?

Threat-Led Penetration Testing (TLPT) is mandated under DORA Article 26 for Significant Institutions that meet the significance threshold. Tests must be conducted on live production systems at least every three years, covering all critical or important functions. The ECB is the TLPT authority for Significant Institutions and published its TIBER-EU SSM Implementation Guide in November 2025. Tests must be intelligence-led, mimicking real threat actor tactics, techniques, and procedures.

How does the Mythos AI hacking tool change TLPT requirements?

Mythos-class AI attack capabilities — where models like Claude can automate 73% of CTF cybersecurity challenges and handle 80-90% of a nation-state espionage campaign — represent a new threat baseline that TLPT scenarios must now reflect. Article 26 requires TLPT to cover realistic threat actor capabilities. Institutions that run TLPT scenarios designed for pre-AI attack patterns are not meeting the spirit of the regulation.

What does DORA Article 13 require for AI-related incidents?

Article 13 (Learning and Evolving) requires financial entities to have adequate resources to identify and assess cyber threats and vulnerabilities, conduct post-incident analysis after significant ICT-related occurrences, develop a crisis communication strategy for clients and the public, and establish internal and external communication policies. For AI-assisted breaches, this means the post-incident review must specifically analyse how AI capabilities were exploited and what detection or prevention measures failed.

How does the EU AI Act interact with DORA for financial institutions?

A single AI vendor relationship can trigger obligations under both DORA and the EU AI Act simultaneously. DORA governs operational resilience, concentration risk, and contractual adequacy. The EU AI Act governs algorithmic transparency, fairness, human oversight, and conformity assessment for high-risk AI systems. A vendor can satisfy one framework and fail the other. The EU AI Act's Annex III high-risk obligations deadline is August 2, 2026 (operative until the Digital Omnibus is formally adopted in the Official Journal).

What is the board's fiduciary responsibility under DORA for AI risk?

Under DORA Article 5, the management body must formally approve the ICT risk management framework and take direct responsibility for ICT risk governance. This means AI risk is no longer an IT middle-management concern — it is a directors' fiduciary duty. Boards that cannot demonstrate formal sign-off on AI vendor due diligence, documented concentration risk assessments, and board-level awareness of AI-assisted threat scenarios face direct regulatory exposure if a breach occurs.

Further Reading & References

About the Author

Modi Elnadi

Founder & Director of Marketing and AI Growth · Integrated.Social

MBA, University of Surrey (Honours) · London, UK · Founded 2014

Modi Elnadi is the founder of Integrated.Social, a boutique B2B growth marketing agency established in London in 2014. With 16+ years deploying revenue-generating marketing systems across B2B SaaS, FinTech, Ecommerce, Sports Media, FMCG, Telecoms, and Travel & Tourism, Modi specialises in Agentic AI lead generation, AI Search Optimisation (SEO/AEO/GEO/LLMO), and PPC & Performance Max. He has managed $25M+ in paid media, delivered 5x–35x ROAS, and built multi-agent AI systems that generate pipeline daily at scale. Every engagement is consultative, data-driven, and ROI-accountable.

Sectors

B2B SaaSFinTechEcommerceSports MediaFMCGTelecomsTravel & TourismCybersecurityEnterprise AI

Expertise

Agentic AI SystemsGTM StrategyAI Search (SEO/AEO/GEO/LLMO)PPC & Performance MaxDemand GenerationAccount-Based MarketingCRM & RevOpsBrand PositioningPersona-Driven CampaignsA/B Testing & CRO

Ready to deploy a lead generation system?

We deploy agentic AI systems for B2B marketing and sales teams, live infrastructure that generates leads daily, not strategy decks. Get a free AI growth audit.

Found this useful? Share it with your network.

Help a colleague stay ahead of the AI marketing curve.

Keep Reading

All articles