DORA and AI Tools: What Financial Entities Need to Know
DORA is technology-neutral, so it never names AI — but a consumer AI tool is an external ICT service, and staff pasting client data into it is exactly the kind of risk the regulation expects firms to control.
AIovert Security Team
GDPR & EU AI Act practitioners · Last updated July 4, 2026
The short answer
The Digital Operational Resilience Act (DORA) applies to EU financial entities and requires them to manage ICT risk across all their systems and third-party providers. When employees at a bank, insurer, or investment firm use AI tools, DORA is relevant because those tools are ICT services that can introduce data-leakage and third-party risk. DORA has applied since 17 January 2025, so in-scope firms must already account for AI-tool usage within their ICT risk-management and third-party frameworks.
For AI specifically, the DORA-relevant risks are uncontrolled data flows to external providers and a lack of oversight over what staff submit — both of which a browser data control helps address.
Who DORA applies to
DORA covers a broad range of EU financial entities — banks, payment institutions, investment firms, insurers, crypto-asset service providers, and more — plus certain critical ICT third-party providers. If you are in scope, ICT risk from AI tools is part of your remit.
Why AI tools fall within scope
Consumer AI tools are external ICT services. Staff pasting client or transaction data into them creates data-leakage and concentration risk that DORA expects firms to identify, monitor, and mitigate as part of their ICT risk-management framework, whether or not the tool was ever procured or contracted. The same exposure also raises separate data-residency (GDPR) and EU AI Act questions, which DORA does not replace.
Controls that support DORA
A browser-level control that prevents sensitive data from reaching external AI tools, logs events for audit, and enforces policy contributes to the operational-resilience and third-party-risk expectations under DORA — while inspecting content on the device instead of routing it through a proxy. For DORA purposes the audit log matters as much as the block: it is the evidence that the risk was identified, that the control operated, and which external AI services staff are actually using. See on-device vs proxy AI data protection and the buyer’s guide to the best GDPR DLP and AI data security tools.
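The detect, decide and log loop of such a control, shown here as an added example rather than AIovert's own code: an extension content script that inspects the clipboard text at paste time on AI-tool pages. The host names in the policy, the policy object itself and the sample texts are constructed for the example. IBAN and card-number candidates are validated by checksum before a block is issued, so the control fires on real client data and not on any reference number with a similar shape, and the audit event records what was found and what was done but never the pasted text.

```javascript
// Added example (not AIovert's product code): an on-device paste guard of
// the kind a browser-extension content script could run on AI-tool pages.
// Detection, policy decision and audit-event shaping are pure functions so
// they run outside a browser; only installPasteGuard touches the DOM.

// Hypothetical policy. Host names are constructed for the example.
const POLICY = {
  externalAiHosts: ["chat.example-ai.test", "assistant.example-llm.test"],
  blockKinds: ["iban", "card"],   // stop the paste outright
  logOnlyKinds: ["email"],        // let it through, but record an audit event
};

// IBAN check per ISO 13616: move the first four characters to the end,
// replace letters with digits (A=10 ... Z=35), and require mod 97 == 1.
// The remainder is computed digit by digit, so no BigInt is needed.
function ibanValid(raw) {
  const iban = raw.replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(iban)) return false;
  const digits = (iban.slice(4) + iban.slice(0, 4))
    .replace(/[A-Z]/g, (c) => String(c.charCodeAt(0) - 55));
  let rem = 0;
  for (const ch of digits) rem = (rem * 10 + Number(ch)) % 97;
  return rem === 1;
}

// Luhn check for payment card numbers (13 to 19 digits).
function luhnValid(raw) {
  const s = raw.replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(s)) return false;
  let sum = 0;
  let dbl = false;
  for (let i = s.length - 1; i >= 0; i--) {
    let d = Number(s[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Kinds of sensitive data present in text, sorted for stable output.
// Regex candidates are checksum-validated so an ordinary reference number
// with an IBAN-like or card-like shape does not trigger a block.
function classify(text) {
  const kinds = new Set();
  for (const m of text.match(/\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b/g) || []) {
    if (ibanValid(m)) kinds.add("iban");
  }
  for (const m of text.match(/\b(?:\d[ -]?){13,19}\b/g) || []) {
    if (luhnValid(m)) kinds.add("card");
  }
  if (/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/.test(text)) kinds.add("email");
  return [...kinds].sort();
}

// Policy decision for a paste into a page served from `host`.
function decide(host, text, policy = POLICY) {
  const kinds = classify(text);
  if (!policy.externalAiHosts.includes(host)) return { action: "allow", kinds };
  if (kinds.some((k) => policy.blockKinds.includes(k))) return { action: "block", kinds };
  if (kinds.some((k) => policy.logOnlyKinds.includes(k))) return { action: "log", kinds };
  return { action: "allow", kinds };
}

// Audit record: what was found and what was done, never the pasted content,
// so the log itself does not become a second copy of client data.
function auditEvent(host, decision, now = new Date()) {
  return { ts: now.toISOString(), host, action: decision.action, kinds: decision.kinds };
}

// DOM hook (browser only). Capture phase, so the page's own handlers never
// see blocked content; the whole decision is made on the device.
function installPasteGuard(doc, sink, policy = POLICY) {
  doc.addEventListener("paste", (ev) => {
    const text = ev.clipboardData ? ev.clipboardData.getData("text/plain") : "";
    const d = decide(doc.location.hostname, text, policy);
    if (d.action !== "allow") sink(auditEvent(doc.location.hostname, d));
    if (d.action === "block") ev.preventDefault();
  }, true);
}

if (typeof document !== "undefined") {
  installPasteGuard(document, (e) => console.log(JSON.stringify(e)));
}
```

Two design points a practitioner would check. First, the sink is where the audit trail leaves the page: in a real deployment it would hand the event to the extension's background context for central collection, and the event deliberately carries no excerpt of the text. Second, the paste event is only one path into an AI tool; typed input, drag-and-drop and file uploads need their own hooks, and a host-name allow-list has to be maintained as new AI services appear, which is why the "log" action on unknown hosts is as useful as the block.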
Frequently asked questions
Does DORA specifically mention AI?
DORA is technology-neutral and does not single out AI, but AI tools are ICT services and therefore fall within its ICT risk-management and third-party-risk requirements. Firms must treat AI usage like any other ICT risk.
Since when has DORA applied?
DORA has applied to in-scope EU financial entities since 17 January 2025. Firms are expected to have ICT risk-management, incident-reporting, and third-party-risk arrangements in place, which should account for AI-tool usage.
How does a data control help with DORA?
By preventing uncontrolled data flows to external AI providers, producing audit logs, and enforcing policy, it supports the ICT risk-management and third-party-oversight obligations DORA imposes. It is one control among several, not a substitute for the rest of the framework: the firm still has to record the AI providers it relies on in its register of information on ICT third-party arrangements (Article 28) and assess them under its third-party-risk policy. The audit log helps there because it shows which external AI services staff are actually using.
Primary sources
- DORA — Regulation (EU) 2022/2554 (eur-lex.europa.eu)
- DORA Articles 5–16 — ICT risk management framework (eur-lex.europa.eu)
- European Supervisory Authorities — DORA materials (eiopa.europa.eu)
Regulatory dates and requirements can change — verify against the official EU sources above before relying on them. This page is informational and not legal advice.
ICT-risk control for AI tools, built for the EU.
AIovert prevents client and transaction data reaching external AI tools, logs every event for audit, and keeps data on the device — supporting DORA obligations. Deploys in 15 minutes.