v2.4.0

DORA ICT Risk Extension

DORA’s requirements overlap substantially with the AI Act’s cybersecurity requirements, covering ICT risk management (Article 6), incident classification and reporting (Articles 17–19), digital operational resilience testing (Articles 24–27), and third-party risk management (Articles 28–30). The practical challenge is satisfying both regimes through integrated controls.

The AI system’s risk management satisfies DORA for the AI-specific components; broader ICT risk management covering non-AI systems is separate. Incident classification can use a unified severity taxonomy, though classification criteria differ between DORA (major ICT-related incident under Article 18) and the AI Act (serious incident under Article 3(49)). DORA’s testing programme can incorporate AI-specific testing (adversarial ML, data poisoning), with the combined scope documented.

For TLPT under Article 26 (significant financial entities), a single testing exercise can serve both regimes if the scope explicitly includes AI-specific attack scenarios. DORA’s third-party risk management requirements are more prescriptive and should be used as the baseline, extended with AI-specific controls. If the system is not subject to DORA, this article is documented as not applicable.

Key outputs

  • DORA–AI Act requirement mapping across five domains
  • Integrated control approach with regime-specific extensions
  • TLPT scope alignment (where applicable)
  • Module 9 AISDP documentation