DORA · Financial Entities · Regulation (EU) 2022/2554

DORA AI Exposure Assessment

DORA was designed for ICT risk and digital operational resilience. AI is now becoming part of that ICT estate. This assessment helps identify where AI systems, AI-enabled services, foundation-model providers, and agentic workflows may be creating DORA-relevant exposure that existing compliance programmes have not yet mapped.

Note
This is not a legal compliance assessment. It is an executive diagnostic designed to surface AI-specific blind spots inside DORA-aligned ICT risk, incident, resilience testing, third-party, and governance programmes. Outputs should be validated with Legal, Risk, Compliance, Operational Resilience, and Audit teams.
Exposure Lens
Your DORA programme may be mature for traditional ICT, but incomplete for AI-enabled ICT, AI vendors, agentic workflows, foundation-model dependencies, and AI-driven operational decisions. Rate 0–10 across five pillars. Takes 10 minutes.
How to use
Score each question first. Open evidence panels where the score is weak or where you need to prepare board, audit, or remediation evidence. Best used as a workshop tool: score the current state, open weak evidence panels, export the gap register, then assign owners for the remediation plan.
Priority Remediation Plan — Pillars scoring below 6
Questions your Board / CIO / CRO / COO should be able to answer
  • Which AI systems or AI-enabled services support our ICT services, operational processes, or critical or important functions?
  • Which AI vendors, foundation-model providers, and AI-enabled SaaS tools are in our Register of Information?
  • Where are AI failure modes represented in our ICT incident taxonomy?
  • Can we classify and report an AI-caused or AI-assisted major ICT incident within the DORA reporting window?
  • Which AI dependencies are included in resilience testing and TLPT scope?
  • Who owns each AI-enabled critical or important function?
  • What evidence would we show an auditor or supervisor tomorrow?

Use this assessment to identify where AI-related ICT dependencies may require deeper review across Legal, Risk, Compliance, Procurement, Technology, and Operational Resilience.