
DORA and AI Act: where governance gaps emerge

Two regulatory frameworks. One governance problem. A separate approach per regulation creates blind spots that supervisors will find first.

The misconception

Most institutions treat DORA and the AI Act as separate compliance tracks. DORA goes to IT risk. The AI Act goes to a dedicated AI governance team — or worse, to no one yet.

This separation is the problem.

DORA requires institutions to manage ICT risks, including outsourced ICT services. AI models procured from external vendors are ICT services. The AI Act requires these same systems to be registered, classified, and governed with human oversight.

The result: one AI system, two regulatory frameworks, often two different teams — and nobody managing the intersection.

Where the overlap creates gaps

| DORA requirement | AI Act requirement | Gap when managed separately |
|---|---|---|
| ICT risk management framework | Risk management system per high-risk AI | Different teams managing overlapping risks without coordination |
| Third-party ICT service provider register | AI system register with provider classification | Separate registers that don't cross-reference vendor AI dependencies |
| ICT incident reporting | Serious incident reporting for AI systems | Duplicate reporting processes with inconsistent thresholds |
| Digital operational resilience testing | Ongoing monitoring and post-market surveillance | Testing programs that don't cover AI-specific failure modes |
| Contractual arrangements with ICT providers | Provider obligations for technical documentation | Vendor contracts that meet DORA but miss AI Act documentation requirements |

The third layer: AML/Wwft

It gets more complex. AI systems used for transaction monitoring and suspicious activity detection also fall under AML obligations. This means a single AML AI system simultaneously faces DORA requirements for ICT risk management, AI Act requirements for high-risk system governance, and AML requirements for decision accountability.

Three regulatory frameworks. One system. And if governance is fragmented across three teams, the institution cannot demonstrate integrated control.

One framework, not three projects

Structural governance means a single control plane that registers systems once, classifies all applicable obligations, enforces controls that satisfy all frameworks, and generates evidence that serves every regulator.

ActReady delivers this infrastructure. The platform maps DORA, AI Act, and AML obligations to each registered system and enforces governance conditions that satisfy all three simultaneously.

One register. One classification. One enforcement layer. One evidence trail.

Frequently asked questions

Does DORA apply to AI systems?
Yes. AI systems functioning as or depending on ICT services fall under DORA's requirements for risk management, incident reporting, and third-party oversight.

Can DORA and AI Act compliance be managed in one framework?
Yes, and it should be. Both require system registration, risk classification, control enforcement, and evidence generation. A unified framework avoids duplication and eliminates blind spots.

What happens at the intersection?
AI models from external vendors create dual obligations: DORA for ICT third-party risk, AI Act for classification and human oversight. Separate management creates gaps supervisors will find.

When do DORA and AI Act requirements both apply?
DORA has been applicable since January 2025. AI Act high-risk requirements apply from August 2026. Institutions need integrated governance now to meet both deadlines.

Map your regulatory exposure

Identify where DORA, AI Act, and AML obligations overlap for your AI systems — and where governance gaps exist.
