Sebastien Rousseau

DORA 2026

DORA, the EU AI Act, and Data Sovereignty: The 2026 Compliance Stack for Banks

The 2026 compliance stack is not a policy binder. It is a data, cloud, AI, and operational-resilience architecture that can prove control under stress.


The 2026 EU compliance stack is no longer a forward-looking topic. DORA has been in active enforcement since 17 January 2025. The EU AI Act's high-risk obligations enter full force on 2 August 2026 — eight weeks from this article's publication date. Schrems II plus the EU-US Data Privacy Framework is the operating reality of cross-border data transfers, not a future concern. Cloud concentration risk sits inside the EBA's outsourcing perimeter via EBA/GL/2019/02 and the DORA critical third-party provider (CTPP) designation regime. The institutions still framing this as a "preparation" agenda have lost two regulatory cycles already.


Executive Summary / Key Takeaways

  • DORA is in audit phase. Regulation (EU) 2022/2554 Articles 6 (ICT risk-management framework), 8 (register of information), 18 (incident reporting), 26 (threat-led penetration testing) and the CTPP regime under Articles 28-44 have been in force for 16 months. Supervisory expectations are formal exam findings now, not advisory commentary.
  • EU AI Act high-risk deadline is 2 August 2026. Annex III Point 5(b) covers credit scoring; Point 1 covers biometric identification at customer onboarding; Point 7 covers life and health insurance risk assessment. Articles 16-29 obligations — risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and cybersecurity — apply from that date.
  • Cross-border data transfers are SCCs + TIA, not vague "data sovereignty". Standard Contractual Clauses, transfer impact assessments, supplementary measures where the TIA shows they're needed. The DPF covers DPF-certified US recipients only; everything else still needs SCCs + TIA. The Irish Data Protection Commission, CNIL, and Garante have all issued enforcement decisions in 2025.
  • Cloud concentration is engineered, not declared. Multi-region active-active for critical services; documented exit plan with tested execution evidence; substitutability assessments by service tier; a third-party ICT register that reconciles to the cloud provider's own service inventory. EBA/GL/2019/02 paragraph 81 is what auditors check.
  • The 2026 differentiator is policy-as-code wired into runtime. Open Policy Agent gating production deployments against DORA-derived rules; immutable audit logs feeding Article 8 register evidence; AI-system inventory with Annex III classification surfaced in the CI/CD pipeline. Evidence at the speed of the workflow, not in PDFs assembled the week before the exam.

Why 2026 Is The Audit-Phase Year

Three regulatory regimes hit operational reality simultaneously.

DORA enforcement (17 January 2025 onwards). The European Supervisory Authorities (EBA, EIOPA, ESMA) published the final RTS and ITS through 2024, the CTPP designation regime opened in early 2025, and tier-1 banks have been filing Article 18 incident reports under the 4-hour initial-notification rule throughout 2025. The ESAs' joint TLPT framework — formally the TIBER-EU framework aligned to DORA Article 26 — is the basis for the threat-led penetration testing programmes most G-SIBs run today. Findings from the first wave of supervisory exams started landing in Q4 2025.

EU AI Act phased application. The Act entered into force on 1 August 2024. The prohibited-practices provisions applied from 2 February 2025; the general-purpose AI obligations apply from 2 August 2025; the high-risk system obligations apply from 2 August 2026. That is the deadline that matters for banks. Most tier-1 institutions have at least one Annex III system in production — credit scoring (Point 5b), customer-facing biometric identification (Point 1), or life/health insurance risk assessment (Point 7). The obligations under Articles 16-29 — risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity — apply from that single date with no soft transition period.

Schrems II operational settlement. The CJEU's Schrems II ruling (July 2020) invalidated Privacy Shield and held SCCs valid subject to supplementary measures where the TIA shows protection inadequate. The European Commission adopted the EU-US Data Privacy Framework (DPF) in July 2023 — providing a transfer mechanism for DPF-certified US recipients only. Everything else still requires SCCs plus a documented TIA. CNIL's enforcement decisions on Microsoft 365 deployments in French public administrations, the Irish DPC's 1.2 billion euro fine against Meta in May 2023, and the Garante's actions against OpenAI in 2024 established the supervisory pattern: TIAs are inspected, supplementary measures are scrutinised, and the "we use SCCs" claim alone does not pass.

The institutional question for 2026 is not whether each regime applies. It is whether the compliance evidence the institution produces under exam scrutiny holds together.

DORA in Audit Phase — Article-Specific Mechanics

The articles that produce supervisory findings in 2026:

Article 6 — ICT Risk-Management Framework

The framework must be documented, approved by the management body, reviewed at least annually, and integrate with the institution's overall risk-management framework. Supervisors test for: explicit risk tolerance statements per ICT risk category; a documented information-security policy; defined roles and responsibilities at second-line and third-line of defence; a quantified annual ICT risk assessment that drives the institution's risk appetite. The pattern in early 2026 findings: institutions whose ICT risk taxonomy does not reconcile to their incident-reporting taxonomy under Article 18.

Article 8 — Register of Information (Third-Party ICT)

The register must contain every contractual arrangement on the use of ICT services. Mandatory fields per the ITS on the register of information include the function supported, criticality classification, location of data processing and storage, sub-outsourcing chain, and exit-strategy assessment. The CTPP designation regime under Article 31 reads the registers across the EU to identify which third parties cross the systemic threshold. An incomplete or inconsistent Article 8 register is now both an individual finding and a CTPP-perimeter integrity risk.

Article 18 — ICT-Related Incident Reporting

The 4-hour initial-notification window for major ICT-related incidents is what catches institutions out. Classification criteria for "major" follow Article 18(3) and the technical RTS — number of clients affected, geographical reach, data losses, economic impact, reputational impact, criticality of services affected, duration. Banks running mature incident processes still struggle with the first-hour classification call. The engineering deliverable: an automated severity-classification helper wired into the incident-management platform that produces an Article 18 decision rationale within the first response cycle, not after a triage meeting.
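The severity-classification helper described above, as an added example that is not code from the article or from any institution's incident platform. It walks the Article 18(3) criteria the text lists, records the evidence for each one, and emits a decision rationale plus the 4-hour initial-notification deadline when the incident comes out as major. The trigger points and the "N triggered criteria means major" rule are placeholders labelled as such in the code; the binding thresholds and decision logic come from the Article 18(3) RTS and would be loaded from there, and the two incidents at the bottom are constructed sample data.

```python
"""Article 18 severity-classification helper (added example; not code from the
article or from any institution's incident platform).

Each Article 18(3) criterion the article lists is evaluated against a trigger
point and the result is written into a decision rationale, together with the
4-hour initial-notification deadline when the incident is classified as major.
The trigger points and the 'N criteria => major' decision rule are PLACEHOLDERS
for illustration; the binding values and logic come from the Article 18(3) RTS.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

NOTIFICATION_WINDOW = timedelta(hours=4)  # initial-notification window for major incidents


@dataclass(frozen=True)
class Thresholds:
    # PLACEHOLDER trigger points, not the regulatory values.
    clients_affected: int = 10_000
    member_states: int = 2
    economic_impact_eur: float = 100_000.0
    duration_hours: float = 2.0
    criteria_for_major: int = 2  # PLACEHOLDER rule: this many triggered criteria => major


@dataclass(frozen=True)
class Incident:
    incident_id: str
    clients_affected: int
    member_states_affected: int
    data_losses: bool                # loss of availability, integrity or confidentiality of data
    economic_impact_eur: float
    reputational_impact: bool        # external or media impact confirmed
    critical_service_affected: bool  # a critical or important function is affected
    duration_hours: float


@dataclass(frozen=True)
class Decision:
    incident_id: str
    major: bool
    triggered: Tuple[str, ...]
    rationale: str
    classified_at: datetime
    notify_by: Optional[datetime]  # only set when classified as major


def evaluate_criteria(inc: Incident, t: Thresholds) -> List[Tuple[str, bool, str]]:
    """Return (criterion, triggered, evidence) for every Article 18(3) criterion."""
    return [
        ("number of clients affected", inc.clients_affected >= t.clients_affected,
         f"{inc.clients_affected} clients (trigger {t.clients_affected})"),
        ("geographical reach", inc.member_states_affected >= t.member_states,
         f"{inc.member_states_affected} member state(s) (trigger {t.member_states})"),
        ("data losses", inc.data_losses,
         "data loss confirmed" if inc.data_losses else "no data loss"),
        ("economic impact", inc.economic_impact_eur >= t.economic_impact_eur,
         f"EUR {inc.economic_impact_eur:,.0f} (trigger {t.economic_impact_eur:,.0f})"),
        ("reputational impact", inc.reputational_impact,
         "external impact confirmed" if inc.reputational_impact else "none confirmed"),
        ("criticality of services affected", inc.critical_service_affected,
         "critical or important function affected" if inc.critical_service_affected
         else "no critical or important function affected"),
        ("duration", inc.duration_hours >= t.duration_hours,
         f"{inc.duration_hours} h (trigger {t.duration_hours} h)"),
    ]


def classify(inc: Incident, now: datetime, t: Thresholds = Thresholds()) -> Decision:
    """Produce the Article 18 decision and a reviewable rationale in one pass."""
    results = evaluate_criteria(inc, t)
    triggered = tuple(name for name, hit, _ in results if hit)
    major = len(triggered) >= t.criteria_for_major
    notify_by = now + NOTIFICATION_WINDOW if major else None
    lines = [f"Incident {inc.incident_id} classified at {now.isoformat()}"]
    lines += [f"  [{'x' if hit else ' '}] {name}: {evidence}" for name, hit, evidence in results]
    lines.append(f"Decision: {'MAJOR' if major else 'not major'} "
                 f"({len(triggered)}/{len(results)} criteria triggered, rule requires {t.criteria_for_major})")
    if notify_by is not None:
        lines.append(f"Initial notification due by {notify_by.isoformat()}")
    return Decision(inc.incident_id, major, triggered, "\n".join(lines), now, notify_by)


# Constructed sample data (not real incidents).
NOW = datetime(2026, 5, 28, 9, 0, tzinfo=timezone.utc)
SAMPLE_MAJOR = Incident("INC-0001", 42_000, 3, True, 250_000.0, True, True, 5.5)
SAMPLE_MINOR = Incident("INC-0002", 120, 1, False, 4_000.0, False, False, 0.5)

if __name__ == "__main__":
    for inc in (SAMPLE_MAJOR, SAMPLE_MINOR):
        print(classify(inc, NOW).rationale, end="\n\n")
```

The point of the design is that the rationale is produced in the same call as the decision: the responder sees every criterion with its evidence and the deadline on one screen during the first response cycle, and the same text is what lands in the incident record for the supervisor to read later.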

Article 26 — Threat-Led Penetration Testing

TLPT applies to financial entities designated by the competent authority, scoped per the institution's critical or important functions. The testing must follow the TIBER-EU methodology (or an equivalent national framework), use threat intelligence to construct attack scenarios, and run at least every three years. Engagement of providers is regulated under Article 27 (provider selection) and Article 28 (test execution). The 2026 supervisory question: does the institution's TLPT scope include its public-cloud-hosted critical functions, and does the provider engagement model handle the cloud-provider's own security boundaries cleanly?

Articles 28-44 — Critical Third-Party Providers

The CTPP regime is the supervisory innovation that most directly affects cloud strategy. AWS, Microsoft (Azure), Google (GCP), Salesforce, Workday, and a handful of other strategic providers sit inside or near the designation perimeter. Designation triggers direct oversight by the ESAs, including the right to information requests, on-site inspections, and supervisory recommendations. The implication for tier-1 banks: cloud-provider concentration is now a regulated supervisory metric, not just an internal risk-management concern.

EU AI Act Architecture for High-Risk Banking Systems

The phased application timeline:

| Date | Provisions | Banking implication |
|---|---|---|
| 1 August 2024 | Entry into force | Counting clock starts |
| 2 February 2025 | Prohibited practices (Article 5) | Social-scoring-style systems prohibited |
| 2 August 2025 | General-purpose AI obligations (Chapter V) | GPAI model providers subject to documentation and copyright obligations |
| 2 August 2026 | High-risk system obligations (Articles 16-29) | Annex III systems must meet full compliance framework |
| 2 August 2027 | High-risk systems integrated with other regulated products | Banking systems integrated with Annex I product safety regimes |

The Annex III provisions that hit banks hardest:

The Articles 16-29 obligations summarised:

The supervisory question for August 2026: can the bank produce a Conformity Assessment under Annex VI for each Annex III system in production? The institutions that built model-risk-management frameworks aligned to SR 11-7 / SS1/23 have most of the inputs already; the work is mapping existing controls to AI Act Article 9-15 evidence categories.

Data Sovereignty as Engineering Discipline

The operational data-sovereignty model in 2026:

Standard Contractual Clauses (Module 2 or 3 as applicable). The updated SCCs adopted by Commission Decision (EU) 2021/914 are the baseline. Pre-2021 SCCs were given a transition period that has since expired; relying on them in 2026 is a finding.

Transfer Impact Assessment. For every transfer to a non-adequate third country, document: laws and practices in the recipient country relevant to data protection; whether those laws permit access by public authorities exceeding what is necessary and proportionate in a democratic society; the specific data being transferred; the technical and organisational supplementary measures applied. The EDPB's Recommendations 01/2020 provide the framework.

EU-US Data Privacy Framework certification check. DPF-certified US recipients allow transfer under the adequacy decision without SCCs + TIA. Verification: the recipient's DPF certification page plus an internal record of the verification date. The DPF survived its first annual review in 2024; its longer-term durability remains a live question.

Supplementary measures where TIA shows they're needed. Pseudonymisation before transfer, encryption with keys held in the EU, split processing, or transfer-after-aggregation. The 2025 enforcement pattern: CNIL's findings on Microsoft 365 in French administrations centred on whether disabling Connected Experiences and configuring EU Data Boundary tenant placement constituted sufficient supplementary measures.

Cloud-provider EU Data Boundary mechanisms. AWS European Sovereign Cloud, Microsoft EU Data Boundary, Google Cloud EU sovereignty package, plus the sovereign-cloud partnerships (Bleu / Capgemini-Orange, Delos Cloud, Oracle EU Sovereign Cloud) all attempt to engineer data-sovereignty guarantees at the platform level. None of them eliminates the SCC + TIA requirement; they reduce the TIA's residual-risk surface.

Cloud Concentration Under DORA and EBA Outsourcing Guidelines

The DORA CTPP regime and the EBA outsourcing guidelines layer on top of each other:

EBA/GL/2019/02 paragraph 64 requires institutions to ensure that critical or important outsourcing arrangements do not impair the institution's substantive presence in the EU, oversight by management, or ability to make decisions on the outsourced function. Paragraph 81 requires substitutability assessments. Paragraphs 113-117 cover the exit-strategy documentation that supervisors actually test for.

DORA Article 28 adds the contractual content requirements for ICT third-party arrangements supporting critical or important functions: data accessibility, data security, data residency, audit rights, exit strategies, and continuity provisions.

The CTPP regime then sits above both: if a third party crosses the designation threshold, the ESAs gain direct oversight authority. The engineering implications are geographical and architectural design choices: multi-region active-active for critical services; documented exit plans with periodic execution tests (not just tabletop exercises); third-party ICT registers that reconcile to the cloud provider's own service inventory.

What This Means by Bank Type

Global Systemically Important Banks

The compliance perimeter is now an architecture problem. The investment is not another policy refresh — it is the policy-as-code platform that wires DORA-derived rules into the CI/CD pipeline, the AI-system inventory that surfaces Annex III classification at deployment time, the third-party ICT register that reconciles automatically to procurement and cloud-bill-of-materials systems, and the immutable audit log that produces Article 8 register evidence on supervisor request. Build the platform; the regulatory cycle that follows AI Act high-risk (likely an expansion under the General-Purpose AI Code of Practice) inherits the infrastructure.

Universal and Mid-Sized Banks

The pragmatic posture is rigorous Annex III inventory. Most universal banks have one or two systems clearly in scope (credit scoring, mortgage origination, customer-facing biometrics) and a long tail of borderline cases. Spending three months in 2026 H1 producing a defensible Annex III classification per AI system in production — with a written rationale that survives external review — is higher-value than another control framework refresh. The classification work doubles as DORA Article 6 ICT risk-management evidence for AI-bearing systems.

Smaller Banks and Building Societies

The strategic answer is vendor diligence over internal build. Pick AI vendors who publish Annex III conformity assessment documentation, who commit to Articles 9-15 evidence support in their contracts, and whose third-party security accreditations align with DORA Article 28 requirements. Validate the vendors' claims through your MRM process. The internal scope is integration, configuration, and operational oversight — not framework construction.

Insurers and Bancassurance Arms

Annex III Point 5(c) on life and health insurance risk assessment puts insurance arms inside the high-risk perimeter regardless of the parent bank's exposure. The August 2026 deadline applies. Coordinate with the parent bank's AI Act compliance function — most of the underlying inventory and evidence work is shared, and the regulatory exposure is single-line-of-business specific.

Fintechs, PSPs, and Regtechs

The product question for vendors selling into EU banks in 2026 is no longer "does your platform comply with DORA and the AI Act?" It is "does your platform produce the documentation a tier-1 bank's compliance function needs to evidence its own compliance?" That means DORA Article 8 register inputs, AI Act Article 11 technical documentation templates, and SCC + TIA boilerplate for any data-transfer arrangement. Vendors who answer with usable templates close enterprise deals; vendors who answer with static PDFs lose to the competitors who do.

Engineering the Operating Model

The 2026 differentiator is policy-as-code wired into runtime.

Open Policy Agent at the deployment gate. Every production deployment passes through OPA evaluation against DORA-derived policy. Examples: any service touching customer data must have a documented Article 8 register entry; any Annex III AI system must have Conformity Assessment evidence linked from the deployment manifest; any third-party ICT service must have a substitutability assessment within validity. The policy registry is Git-versioned; rejected deployments produce reviewable rationales.

Immutable audit logging feeding Article 8 evidence. WORM-stored deployment, configuration, and access events that reconcile back to the third-party ICT register. Supervisors asking "show me the controls for service X at date Y" get a query result, not a document assembly project.

AI-system inventory with Annex III classification surfaced in CI/CD. Every AI system in the institution's inventory carries an Annex III classification (Point 1, 5(a), 5(b), 5(c), 6, 7 or none). The classification is reviewed when the system changes; deployment to production checks the classification is current. Articles 9-15 evidence categories map to inventory fields and the CI/CD pipeline writes evidence artefacts as part of every release.

Threat-led penetration testing wired into the SDLC. TLPT scopes derive from the institution's critical and important functions inventory; the testing programme runs continuously rather than as a discrete event every three years. Findings feed back into the OPA policy registry; closed findings produce supervisory-ready evidence packets.
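The deployment gate and the AI-inventory check described above, as an added example that is not code from the article and is not OPA or Rego itself. It is a Python model of the DORA-derived rules the text lists (Article 8 register entry for anything touching customer data, Conformity Assessment evidence linked for Annex III systems, a current Annex III classification, and a substitutability assessment within validity for every third-party ICT dependency), written so the logic can be read and unit-tested without a Rego toolchain; in production the same rules would live as Rego policy evaluated by OPA from the Git-versioned registry. The manifest field names, the register and inventory shapes and all of the sample data are assumptions constructed for this example.

```python
"""Deployment-gate policy check (added example; not the article's code and not
OPA/Rego itself). A Python model of the DORA-derived rules the article lists,
written so the logic can be read and unit-tested; in production the same rules
would be Rego policy evaluated by OPA from a Git-versioned registry. Manifest
field names, register/inventory shapes and all sample data are assumptions
constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Manifest:
    service: str
    touches_customer_data: bool
    register_entry_id: Optional[str]          # DORA Article 8 register reference
    ai_system_id: Optional[str]               # key into the AI-system inventory, if any
    conformity_assessment_ref: Optional[str]  # link to Annex VI Conformity Assessment evidence
    third_party_services: List[str]           # third-party ICT services the release depends on
    last_changed: date                        # date of the last material change to the system


@dataclass(frozen=True)
class AISystem:
    annex_iii_point: Optional[str]   # "1", "5(a)", "5(b)", "5(c)", "6", "7" or None (not high-risk)
    classification_reviewed: date    # last date the Annex III classification was reviewed


@dataclass(frozen=True)
class ThirdPartyService:
    substitutability_valid_until: date  # end of validity of the substitutability assessment


def evaluate(m: Manifest, register: Dict[str, str], inventory: Dict[str, AISystem],
             third_parties: Dict[str, ThirdPartyService], today: date) -> List[str]:
    """Return the list of denial rationales; an empty list means the deployment is allowed."""
    denials: List[str] = []

    # Rule 1: anything touching customer data needs a documented Article 8 register entry.
    if m.touches_customer_data and (m.register_entry_id is None or m.register_entry_id not in register):
        denials.append(f"{m.service}: touches customer data but has no Article 8 register entry")

    # Rules 2 and 3: the Annex III classification must be current (reviewed since the
    # last change), and a high-risk system must link its Conformity Assessment evidence.
    if m.ai_system_id is not None:
        ai = inventory.get(m.ai_system_id)
        if ai is None:
            denials.append(f"{m.service}: AI system {m.ai_system_id} is not in the AI-system inventory")
        else:
            if ai.classification_reviewed < m.last_changed:
                denials.append(f"{m.service}: Annex III classification reviewed {ai.classification_reviewed} "
                               f"predates the last change on {m.last_changed}")
            if ai.annex_iii_point is not None and not m.conformity_assessment_ref:
                denials.append(f"{m.service}: Annex III Point {ai.annex_iii_point} system without "
                               f"Conformity Assessment evidence linked")

    # Rule 4: every third-party ICT service needs a substitutability assessment within validity.
    for name in m.third_party_services:
        tp = third_parties.get(name)
        if tp is None:
            denials.append(f"{m.service}: third-party ICT service {name} is not in the register")
        elif tp.substitutability_valid_until < today:
            denials.append(f"{m.service}: substitutability assessment for {name} expired on "
                           f"{tp.substitutability_valid_until}")
    return denials


def gate(m: Manifest, register, inventory, third_parties, today: date) -> dict:
    """Decision record for the pipeline: allow flag plus the reviewable rationales."""
    denials = evaluate(m, register, inventory, third_parties, today)
    return {"service": m.service, "allow": not denials, "rationales": denials}


# Constructed sample registry data (illustrative, not from any real institution).
TODAY = date(2026, 5, 28)
REGISTER = {"REG-0042": "credit-scoring-api: Article 8 entry, criticality = critical"}
INVENTORY = {"AI-7": AISystem("5(b)", date(2026, 5, 1))}
THIRD_PARTIES = {"cloud-db": ThirdPartyService(date(2027, 1, 31)),
                 "legacy-ml-host": ThirdPartyService(date(2025, 12, 31))}
GOOD_MANIFEST = Manifest("credit-scoring-api", True, "REG-0042", "AI-7", "CA-2026-07",
                         ["cloud-db"], date(2026, 4, 20))
BAD_MANIFEST = Manifest("fraud-model-v3", True, None, "AI-7", None,
                        ["legacy-ml-host"], date(2026, 5, 20))

if __name__ == "__main__":
    for m in (GOOD_MANIFEST, BAD_MANIFEST):
        print(gate(m, REGISTER, INVENTORY, THIRD_PARTIES, TODAY))
```

The decision record returned by `gate` is the reviewable rationale the text asks for: a rejected release says exactly which DORA-derived rule failed and against which register or inventory fact, and the same record is what the pipeline would write to the immutable audit log so that "show me the controls for service X at date Y" is answerable by query.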

The institutions that produce evidence at the speed of the workflow pass the exams. The institutions that produce documentation packets in response to data requests do not.

Questions? Answers.

Is DORA still in a "preparation" phase in 2026?

No. DORA has been in active enforcement since 17 January 2025. Articles 6, 8, 18 and 26 are all in force; the CTPP designation regime has been opening through 2025 and 2026; supervisory findings from the first exam wave landed in Q4 2025. The "preparation" framing is two regulatory cycles out of date.

What is the EU AI Act deadline that matters for banks?

2 August 2026 — the date Articles 16-29 obligations apply to Annex III high-risk systems. Annex III Point 5(b) on creditworthiness assessment, Point 1 on biometric identification at onboarding, and Point 5(c) on life and health insurance risk assessment are the bank-relevant categories. Most tier-1 banks have at least one Annex III system in production.

Does the Data Privacy Framework eliminate the need for SCCs?

Only for DPF-certified US recipients. Verification of certification at the moment of transfer is required, plus an internal record. Everything else still requires SCCs plus a documented Transfer Impact Assessment.

What is the engineering deliverable that demonstrates DORA compliance in an exam?

Policy-as-code gating production deployments against DORA-derived rules, immutable audit logs feeding Article 8 register evidence, an AI-system inventory with Annex III classification surfaced at deployment time, and a TLPT programme scoped against the critical and important functions inventory. Evidence at the speed of the workflow.

Are cloud providers regulated under DORA?

Yes — under Articles 28-44. The CTPP designation regime gives the European Supervisory Authorities direct oversight of designated critical third-party providers. AWS, Microsoft (Azure), Google (GCP), and Salesforce all sit inside or near the designation perimeter.


Originally published at https://sebastienrousseau.com/2026-05-28-dora-ai-act-data-sovereignty-banking-compliance-stack-2026/ by Sebastien Rousseau on 28 May 2026. Licensed under Creative Commons Attribution 4.0 International (CC-BY-4.0); republication requires attribution to the canonical URL.