Resource · DORA

Under DORA, every AI provider is an ICT third party.

Your AI models are not a tool you bought once. DORA treats each one as an ICT third-party arrangement that has to be in your register, assessed for concentration risk, and shown to be substitutable. Vidai produces that evidence from real traffic.

What it is

The operational-resilience law for finance.

Regulation (EU) 2022/2554, the Digital Operational Resilience Act, has applied to EU financial entities since January 2025. It treats technology dependency as a prudential risk: firms must know every ICT third party they rely on, understand where they are concentrated, and prove a critical function could keep running if a provider failed. AI providers fall squarely inside its definition of an ICT service.

01

AI is an ICT dependency

Each model and provider your traffic reaches is a third-party arrangement DORA expects to see in your register, with the risk assessed.

02

Concentration is the risk

Leaning on one provider for a critical function (fraud screening, claims, correspondence) is exactly the systemic dependency DORA and the UK's critical-third-party regime are written to surface.

03

Substitutability is evidence

"We could switch provider" is a claim until you can show the exit path and the moment it was exercised. DORA asks for the evidence, not the intention.

Why this got harder

Agents multiplied the third-party surface DORA governs.

In the chat era, an AI feature was a handful of provider calls. Agentic AI changed the shape of the dependency: one task now fans out into ten or more autonomous calls, and a multi-step agent workflow can cross several providers, regions and jurisdictions in a single run. The register DORA asks for is no longer a short, stable list. It is live, and it is moving.


Jurisdiction is not in the contract. A data-residency clause covers one corridor. It does not follow an agent through every sub-processor and model it reaches mid-task, which is where the real exposure now sits.
The dependency is extraterritorial. A model served by a provider headquartered elsewhere can carry obligations that reach back across borders. DORA expects you to have understood that, per provider.
The register has to be live. A spreadsheet refreshed quarterly cannot describe a dependency surface that changes with every agent run. The inventory has to come from the traffic itself.

The mapping, exactly

The articles where Vidai produces the evidence.

For these duties the evidence is the traffic record itself, not a document you assemble alongside it.

Art. 28
ICT third-party register
Financial entities must keep a register of all contractual arrangements for ICT services. Every AI model and provider your traffic reaches is one such arrangement. Vidai's per-request record is the live, evidenced inventory of which providers are actually in use.

Art. 29
Concentration risk
Firms must assess the risk of relying on a small number of ICT providers. Vidai attributes traffic per provider and per model, so concentration is a measured share of real traffic, not an estimate.

Art. 28
Exit strategies and substitutability
For ICT services supporting critical or important functions, firms must have exit strategies and identify alternative solutions. Routing is the exit mechanism: traffic can be repinned to another compliant provider or region, and the change is an audited, evidenced event.

Art. 9-10
Protection, detection and logging
ICT risk management requires controls and the means to detect anomalous activity. Guardrail blocks, deny rules and circuit trips are enforced in the path and emitted as signed events to your SIEM.

Art. 17-19
Incident management and reporting
Major ICT-related incidents must be detected, classified and reported. The frozen per-request record is the source material for reconstructing what happened and when.

Sourced from Regulation (EU) 2022/2554 as in force, 2026. Vidai produces the operational evidence these articles rely on; the ICT risk management framework, the resilience testing programme and board accountability remain the firm's own responsibility, and the product is precise about that boundary.
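An added illustration, not Vidai's code or schema, of how the Art. 28 register, the Art. 29 concentration share and the substitutability evidence described above fall out of per-request traffic records, including the per-region view the "register has to be live" point calls for. The record fields, the sample traffic and the 80% share threshold are assumptions.

```python
from collections import Counter

# Constructed per-request records; the field names are an assumption, not Vidai's schema.
RECORDS = [
    {"function": "fraud_screening", "provider": "prov-a", "model": "m1", "region": "eu-west"},
    {"function": "fraud_screening", "provider": "prov-a", "model": "m1", "region": "eu-west"},
    {"function": "fraud_screening", "provider": "prov-a", "model": "m2", "region": "eu-west"},
    {"function": "fraud_screening", "provider": "prov-b", "model": "x1", "region": "eu-central"},
    {"function": "claims", "provider": "prov-a", "model": "m1", "region": "eu-west"},
    {"function": "claims", "provider": "prov-a", "model": "m1", "region": "us-east"},
    {"function": "correspondence", "provider": "prov-c", "model": "c1", "region": "eu-west"},
]

def ict_register(records):
    """Art. 28 view: every (provider, model, region) the traffic actually reached.
    Region is kept because a contract's residency clause covers one corridor, while
    the observed traffic shows every corridor an agent run crossed (here: us-east)."""
    return sorted({(r["provider"], r["model"], r["region"]) for r in records})

def provider_shares(records, function):
    """Art. 29 view: share of one function's requests served by each provider."""
    counts = Counter(r["provider"] for r in records if r["function"] == function)
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()} if total else {}

def hhi(shares):
    """Herfindahl-Hirschman index on a 0..1 scale; 1.0 means a single provider."""
    return sum(s * s for s in shares.values())

def concentration_findings(records, critical_functions, max_share=0.8):
    """Per critical function: dominant provider, its share, the HHI, whether the share
    breaches max_share (an assumed policy threshold), and whether an alternative
    provider has actually been observed serving it (substitutability from traffic)."""
    findings = []
    for fn in critical_functions:
        shares = provider_shares(records, fn)
        if not shares:
            continue
        top, top_share = max(shares.items(), key=lambda kv: kv[1])
        findings.append({
            "function": fn,
            "top_provider": top,
            "top_share": round(top_share, 3),
            "hhi": round(hhi(shares), 3),
            "exceeds_threshold": top_share > max_share,
            "alternative_observed": len(shares) > 1,
        })
    return findings
```

On the sample traffic, claims is served entirely by one provider with no observed alternative, which is the finding a register refreshed quarterly from contracts would not surface.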

Where Vidai fits

We don't certify you. We make the register real.

Vidai is not a DORA certification and cannot make a firm "DORA compliant". What it does is turn the slowest parts of the evidence into a by-product of running the traffic.

The register writes itself. Every provider and model your traffic actually reaches is in the per-request record, so the ICT inventory is observed, not declared.
Concentration is a number. Traffic attributed per provider turns "are we too dependent on one provider" into a measured share you can act on.
The exit path is enforced, not promised. Routing repins critical traffic to another compliant provider or region, and the substitution is an audited event you can show.
We are precise about the boundary. Vidai produces the operational evidence. The risk framework, resilience testing and reporting process are yours, and we say so.

Walk through your AI third-party evidence.

A 20-minute walkthrough: the live ICT register, concentration measured per provider, the substitutability path, and exactly where Vidai's boundary is.