What DORA expects of your AI
Most firms still file AI under "ethics" or "innovation." Under the EU's Digital Operational Resilience Act (DORA) — fully applicable since January 2025 — that framing is out of date. Supervisors increasingly treat AI as part of ICT risk and operational resilience: BaFin's December 2025 guidance made it explicit. If a financial entity relies on AI, that AI is now in scope of the same resilience discipline as the rest of its technology.
The reframe: AI is ICT risk
DORA's logic is simple — if your business can be disrupted by a technology failure, that technology must be managed, tested, and governed for resilience. An AI system that drafts reporting figures, scores credit, or routes customers is no different. The expectation is to "shift left": move controls to the start of the model lifecycle rather than bolting them on after deployment.
DORA doesn't ask whether your AI is clever. It asks whether you can keep running — and prove it — when your AI goes wrong.
What that means in practice
- Bring AI into your ICT risk framework. Inventory AI systems, classify them by criticality, and govern them under the same risk management you already run for technology.
- Treat AI vendors as ICT third parties. Your model providers, hosting, and AI platforms are critical third-party dependencies — with concentration risk, exit plans, and contractual resilience obligations.
- Make AI failures reportable incidents. A wrong, unavailable, or compromised AI output is an ICT incident — fold it into detection, response, and reporting.
- Test resilience. Include AI in scenario and resilience testing: what happens when the model's outputs drift, the provider is unavailable, or the data feeding it is corrupted or missing?
- Put it on the board. DORA pushes accountability up — leadership must own ICT (and now AI) resilience, with evidence, not assurances.
Even if you're outside the EU, this matters: if you serve EU clients or depend on EU-regulated entities, you're in the blast radius — and DORA is fast becoming the template others borrow. The good news is that none of it is exotic. It's resilience discipline, extended to the AI you've already deployed.
Is your AI inside your resilience framework?
Take the free 4-minute readiness assessment to see where the gaps are, or book a call to scope a full, expert-led review.