EU Delayed the AI Act. Your DORA Auditor Didn’t.
Pelaris · 5 min read
The May 7 Digital Omnibus agreement gave compliance teams a longer runway on AI obligations. It gave them nothing on DORA.
6 min read. GRC and Compliance. Pelaris.
The News Everyone Celebrated Without Reading the Footnotes
On May 7, 2026, the EU Council and Parliament reached provisional agreement on the Digital Omnibus package. The headline: high-risk AI Act obligations for standalone systems now have a new deadline of December 2, 2027 — moved from August 2, 2026. Embedded systems get until August 2, 2028.
For many GRC and compliance teams, this landed as relief. Eighteen months of runway instead of ninety days. Board presentations could be revised. The urgency slide came down.
There was a footnote. Most teams missed it.
DORA — the Digital Operational Resilience Act — was not part of the Digital Omnibus. Its enforcement timeline did not move. Its penalty structure did not soften. And in 2026, regulators are no longer operating in grace-period mode.
The AI Act extension bought time. It did not buy safety. For senior executives at EU-regulated fintechs, the more immediate risk did not shift an inch.
What DORA Actually Requires in 2026
DORA has been in full enforcement since January 17, 2025 (Regulation (EU) 2022/2554, Article 64). The first twelve months were, in practice, an adjustment period — supervisory authorities at the EBA, EIOPA, and ESMA signalled they were observing and calibrating, not yet penalising.
That posture changed in 2026.
The European Supervisory Authorities shifted to what their published work programmes describe as proactive and interventionist supervision. This language appears in the EBA’s 2026 supervisory priorities and in EIOPA’s published oversight agenda. The message is specific: regulators are no longer waiting for incidents to surface before examining resilience frameworks. They are actively requesting evidence.
What that evidence looks like:
ICT risk registers. DORA Article 8 requires firms to maintain a comprehensive register of all ICT assets, their classification, and their role in supporting critical or important functions. Examiners are reviewing both the completeness of registers and whether they can be demonstrated as actively maintained — not populated once and shelved.
Third-party ICT provider documentation. Articles 28–44 impose detailed requirements on ICT third-party risk management: written agreements, exit strategies, concentration risk assessments, and ongoing monitoring. Examiners are requesting the written agreements. Generic or absent agreements are findings.
Incident reporting workflows. Article 19 establishes mandatory reporting timelines — initial notification within 4 hours of classification as a major incident, an intermediate report within 72 hours, and a final report within one month. Regulators are examining whether documented workflows capable of meeting these timelines exist, not merely whether reports have been filed.
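An added example, not from the article or from Pelaris: a small Python model of the Article 19 reporting clock described above, the kind of state a documented workflow needs to show that each of the three reports was due and when. It assumes, because the text does not say, that the 72-hour and one-month clocks start from submission of the preceding report and that "one month" means a calendar month.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


def add_one_month(ts: datetime) -> datetime:
    """Advance by one calendar month, clamping to the last valid day (31 Jan -> 28/29 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    nyear, nmonth = (year + 1, 1) if month == 12 else (year, month + 1)
    last_day = (datetime(nyear, nmonth, 1, tzinfo=ts.tzinfo) - timedelta(days=1)).day
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class MajorIncident:
    classified_at: datetime                   # moment the incident was classified as major
    initial_sent: Optional[datetime] = None   # submission times; None means not yet sent
    intermediate_sent: Optional[datetime] = None
    final_sent: Optional[datetime] = None

    def _sent(self) -> dict:
        return {"initial": self.initial_sent, "intermediate": self.intermediate_sent,
                "final": self.final_sent}

    def deadlines(self) -> dict:
        """Deadline for every stage that can already be computed from the record.
        Assumption: later clocks run from submission of the preceding report."""
        due = {"initial": self.classified_at + timedelta(hours=4)}          # Article 19: 4 h
        if self.initial_sent is not None:
            due["intermediate"] = self.initial_sent + timedelta(hours=72)  # 72 h
        if self.intermediate_sent is not None:
            due["final"] = add_one_month(self.intermediate_sent)           # one month
        return due

    def next_obligation(self):
        """(stage, deadline) of the next report still owed, or (None, None) when complete."""
        sent = self._sent()
        for stage, deadline in self.deadlines().items():
            if sent[stage] is None:
                return stage, deadline
        return None, None

    def breaches(self) -> list:
        """Stages whose report went out after its deadline: the missed clocks an examiner will ask about."""
        sent = self._sent()
        return [s for s, d in self.deadlines().items() if sent[s] is not None and sent[s] > d]

    def status(self, now: datetime) -> str:
        stage, deadline = self.next_obligation()
        if stage is None:
            return "complete"
        if now > deadline:
            return f"{stage} report OVERDUE by {now - deadline}"
        return f"{stage} report due by {deadline.isoformat()} ({deadline - now} remaining)"
```

Feeding the record a constructed incident classified on a month-end date also exercises the calendar-month clamp, which is where hand-kept spreadsheets most often get the final-report date wrong.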
The firms being examined first are those operating critical functions in financial markets: payments processors, digital banks, insurance platforms with high ICT dependency. If your firm sits in that category, the supervisory posture in your jurisdiction has already shifted.
The Part That Usually Surprises People
DORA’s institutional penalties are widely understood. What is less discussed is the personal liability layer that several EU member states have implemented.
DORA Article 50 grants member states the authority to direct administrative penalties at natural persons — individual executives — for breaches attributable to their conduct or failure to act. That authority has been exercised.
In Germany and Spain — two of the largest EU financial services jurisdictions — senior executives can face individual fines of up to 1,000,000 euros for ICT risk failures where the breach is attributable to their oversight responsibilities. This is not a corporate penalty that settles as a balance sheet entry. It is a personal financial outcome.
The executives in scope are not limited to the obvious candidates. The CRO carries exposure on ICT risk oversight. The CDO carries exposure on data resilience and third-party dependency management. The CISO carries exposure on operational continuity and incident classification. Where the CFO has direct sign-off authority on ICT risk budgets or resilience testing programmes — which is the case in many mid-sized fintechs — they are in scope as well.
This changes the decision calculus for compliance documentation in a specific way. The choice to build a structured evidence package is no longer purely a corporate risk management decision. It is a personal risk management decision for the individuals named above.
The question is no longer “Does our firm need this?” It is “Do I need this?”
The Documentation Overlap Most Teams Have Not Processed
Here is the practical implication that the AI Act delay obscured.
The documentation that firms were producing for AI Act obligations — AI system inventories, data flow maps, vendor registers, risk classifications — overlaps substantially with DORA evidence requirements. These are not two separate documentation programmes. They are largely the same artefacts, mapped to different regulatory frameworks.
The AI system inventory required for AI Act Article 6 classification maps closely to the ICT asset register required under DORA Article 8. The vendor due-diligence documentation required under AI Act Article 26 (deployer obligations on high-risk systems) mirrors the third-party ICT provider documentation required under DORA Articles 28–44. The risk classification matrix required for AI Act Annex III assessment is a structured subset of the ICT risk register framework DORA mandates.
ISO 42001 adds a third dimension: enterprises are increasingly requiring vendors to demonstrate AI management system capability as part of procurement. Not certification — documentation of a credible governance roadmap. The same artefacts serve all three requirements.
Build once. Maintain in one place. Reference across three frameworks.
Firms that have already begun AI Act documentation work are not behind on DORA. They are ahead of it. The work needs to be extended and reframed — not restarted.
What the Evidence Package Contains
For a CRO, CDO, or Head of GRC at an EU-regulated fintech facing a DORA examination in the next 12 months, the evidence package breaks down into ten core documents:
1. ICT asset register (classified, with critical function mapping per Article 8)
2. ICT third-party provider register (with written agreement status and exit strategy documentation per Articles 28–44)
3. Risk classification matrix (with inherent and residual ratings, mapped to DORA risk categories)
4. Incident reporting workflow (with classification criteria and Article 19 timeline obligations)
5. Resilience testing schedule (with test types mapped to Article 25 requirements)
6. Concentration risk assessment (third-party ICT provider exposure)
7. Board-level GRC reporting template (quarterly, with DORA key risk indicator structure)
8. Vendor due-diligence questionnaire (ISO 42001 governance roadmap framing)
9. Data flow and ICT dependency mapping canvas
10. Human oversight and AI governance SOP (AI Act Article 14 and DORA continuity alignment)
These are the documents examiners will request. Having them — structured, maintained, and traceable to their regulatory source — is the difference between an examination that concludes without material findings and one that generates a formal supervisory action.
The Pelaris GRC Pack v1.0 contains templates for all ten. Each template references the relevant regulation and article number. Each is designed to be completed by a GRC team without external consultant support.
The Pelaris GRC Pack v1.0 — AI Act and DORA for Fintech. 10 templates. Every document a DORA evidence package requires — mapped to source regulations, built for fintech teams operating under EU supervisory scrutiny. Notion workspace. Excel and Google Sheets fallbacks. PDF runbook included. Available at gumroad.com/pelaris.