DORA (Digital Operational Resilience Act)
Definition
Regulation (EU) 2022/2554, applicable since 17 January 2025. It governs the digital operational resilience of financial entities: ICT risk management, ICT-related incident reporting, digital operational resilience testing, and management of ICT third-party risk, which covers cloud and AI service providers just like any other ICT provider.
Noise — Signal
In the AI context, DORA is often reduced to "we have to list our cloud providers". The substantive lever sits in the third-party risk chapter (Article 28 ff.). The stricter contractual requirements of Article 30(3) apply to any ICT service that supports a critical or important function, and a foundation-model provider falls into that category as soon as its model is embedded in a business-critical process, regardless of whether the ESAs ever designate it a "critical ICT third-party service provider" under Article 31. For such services the contract must, among other things, grant unrestricted access, inspection and audit rights, document an exit strategy with transition periods, and oblige the provider to cooperate in the entity's threat-led penetration testing. Standard terms from large US model providers rarely meet this bar today.
The right question
Not: "Are our AI providers DORA-compliant?" But: "Which AI components in our value chains support critical or important functions, what does that mean contractually for audit rights and exit, and where does that force us toward open-source or on-premises alternatives?"