The DORA & EU AI Act Readiness Playbook for EU Fintech
A board-level checklist for the people who carry ICT risk: the controls examiners and partners check first, a five-step path to build them, and a ten-question self-assessment you can run in minutes.
EU fintech now sits under DORA (applicable since 17 January 2025) and the EU AI Act (high-risk obligations from 2 August 2026). Most firms are not ready on the controls examiners check first, especially ICT third-party risk. This playbook sets out five steps to build readiness and a traffic-light check to score where you stand. We implement the technical controls and the evidence behind them; your compliance function attests.
A regulator does not wait for a convenient quarter
EU fintech runs on three things a single incident can take away in an afternoon: a working trading or payment system, a licence in good standing, and the trust of the banks and partners that keep your rails open. When one breaks, the loss is revenue you cannot bill, client funds you have to explain, and a supervisor who wants answers in writing.
In Deloitte's 2025 survey, only 25% of financial institutions said they were confident in their DORA compliance, and just 8% reported full compliance on third-party risk management, the area examiners look at first.
Readiness in five steps
Resilience is a way of running the company that an examiner, a partner and an investor can all read. These five steps build it in the order that holds up under scrutiny.
Put ICT and AI risk on the board agenda
Under DORA, accountability sits with the people who run the firm. Assign ownership, review it on a fixed cadence, and treat it with the same seriousness as liquidity or market risk.
- A named owner for ICT, third-party and AI risk, with authority and budget
- A current ICT asset inventory and the DORA register of information on ICT third-party contractual arrangements, both mapped to the areas examiners review first
- An AI system inventory classified against the EU AI Act categories
Build the evidence architecture
Identify, protect, detect, respond and recover, and produce evidence at every step. Proof of a control should be a by-product of running it, not a document written the week before an audit.
- Detection written as code, versioned and reviewable
- Logging and asset coverage that answers "what did we see, and when"
- Continuity and recovery plans that are current and tested, with a defined recovery time objective (RTO) and recovery point objective (RPO) per critical function
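What "detection written as code" and "evidence as a by-product of running the control" look like together, as an added example for the two bullets above (this is illustrative code, not WingsGRC's tooling): a versioned brute-force rule run over a constructed JSON-lines authentication log, returning both the alerts and an evidence record that names the rule, its version and a fingerprint of the logic that ran. The rule id, the log field names, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Detection-as-code that emits its own evidence record.

Added example for this playbook, not WingsGRC code. The rule id, the
JSON-lines log format, the thresholds and the sample lines are assumed.
"""
import hashlib
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Rule metadata sits next to the logic so a reviewer diffs both in git.
RULE_ID = "auth-bruteforce-001"   # hypothetical identifier
RULE_VERSION = "1.2.0"
THRESHOLD = 5                     # failed logins per source IP ...
WINDOW_SECONDS = 300              # ... inside this sliding window

# Constructed sample feed standing in for an authentication service log.
SAMPLE_LOGS = """\
{"ts": "2025-03-01T10:00:00Z", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"}
{"ts": "2025-03-01T10:00:10Z", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"}
{"ts": "2025-03-01T10:00:20Z", "src_ip": "10.0.0.9", "user": "bob", "outcome": "failure"}
{"ts": "2025-03-01T10:00:30Z", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"}
{"ts": "2025-03-01T10:00:40Z", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"}
{"ts": "2025-03-01T10:00:50Z", "src_ip": "10.0.0.9", "user": "bob", "outcome": "success"}
{"ts": "2025-03-01T10:01:00Z", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"}
{"ts": "2025-03-01T10:01:10Z", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"}
{"ts": "2025-03-01T10:10:00Z", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"}
"""


def parse_events(log_text):
    """Parse JSON lines into events with timezone-aware datetimes, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Alert once per source IP when THRESHOLD failures fall inside WINDOW_SECONDS."""
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still in window
    open_alerts = set()           # sources already alerted for the current burst
    alerts = []
    for ev in events:
        if ev["outcome"] != "failure":
            continue
        src, ts = ev["src_ip"], ev["ts"]
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()          # drop failures older than the window
        if len(window) >= THRESHOLD:
            if src not in open_alerts:  # one alert per burst, not per event
                open_alerts.add(src)
                alerts.append({
                    "rule_id": RULE_ID, "src_ip": src,
                    "failures": len(window),
                    "first_seen": window[0].isoformat(),
                    "last_seen": ts.isoformat(),
                })
        else:
            open_alerts.discard(src)  # burst ended; a later one alerts again
    return alerts


def rule_fingerprint():
    """SHA-256 over the rule's bytecode and tunables: proves which logic ran.

    Bytecode differs between interpreter versions, so pin the interpreter or
    hash the committed source file instead in a production pipeline.
    """
    params = json.dumps({"id": RULE_ID, "version": RULE_VERSION,
                         "threshold": THRESHOLD, "window": WINDOW_SECONDS},
                        sort_keys=True).encode()
    return hashlib.sha256(detect.__code__.co_code + params).hexdigest()


def run(log_text, run_at=None):
    """Run the rule and return (alerts, evidence_record)."""
    run_at = run_at or datetime.now(timezone.utc)
    events = parse_events(log_text)
    alerts = detect(events)
    evidence = {
        "rule_id": RULE_ID,
        "rule_version": RULE_VERSION,
        "rule_sha256": rule_fingerprint(),
        "run_at": run_at.isoformat(),
        "coverage_from": events[0]["ts"].isoformat() if events else None,
        "coverage_to": events[-1]["ts"].isoformat() if events else None,
        "events_seen": len(events),
        "failures_seen": sum(e["outcome"] == "failure" for e in events),
        "alerts": len(alerts),
    }
    return alerts, evidence


if __name__ == "__main__":
    found, record = run(SAMPLE_LOGS)
    print(json.dumps(found, indent=2))
    print(json.dumps(record, indent=2))
```

On the sample feed the rule fires once for 10.0.0.5 at the fifth failure, stays quiet for the sixth, and does not fire again for the lone failure nine minutes later because the window has emptied. The evidence record is what you commit or ship to the audit store after every run: it answers "which rule, which version, over which time span, with what result" without anyone writing it up afterwards.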
Build awareness and role clarity at management level
Controls fail at the seams between people. Continuous training keeps the management team and high-exposure functions able to judge a risk and respond to one.
- Regular management briefings on current threats and the obligations that apply
- Awareness for all staff: phishing, credentials, reporting
- One accountable person who reports to the board on a schedule
Get incident-response ready before you need it
A tested plan is the difference between an incident that costs a bad week and one that costs the relationship. DORA expects ICT-related incidents to be detected, classified and managed, and major incidents to be reported to the competent authority in three stages: an initial notification, an intermediate report and a final report.
- An incident-response plan, tested with tabletop exercises
- A reporting workflow aligned to DORA, with timeline and ownership set in advance
- External response and forensics contracted before an incident, not during one
Monitor continuously and adapt
Threats and rules both keep moving, so the strategy is reviewed and adjusted, not set once.
- 24/7 detection or MDR, tuned to your environment
- Continuous monitoring of third-party ICT risk, not a yearly questionnaire
- A clear way to absorb new obligations: EU AI Act, MiCA, NIS-2
The obligations you have to address now
DORA
Applicable since 17 January 2025. ICT risk management, ICT third-party risk (including the register of information), incident detection, classification and reporting, and digital operational resilience testing. Ultimate responsibility rests with the management body.
EU AI Act
High-risk obligations for the Annex III use cases apply from 2 August 2026: risk management, technical documentation, logging, human oversight. For fintech the listed use cases are creditworthiness assessment and credit scoring of natural persons, and risk assessment and pricing for life and health insurance; systems used to detect financial fraud are expressly carved out of the credit category, so check each model against the Annex rather than assuming.
MiCA
Governs crypto-asset service providers, with authorisation and operational requirements now in force.
GDPR & NIS-2
GDPR governs personal data and requires personal data breaches to be notified to the supervisory authority within 72 hours of becoming aware of them. NIS-2 raises baseline cybersecurity and reporting duties for more entities (early warning within 24 hours, incident notification within 72 hours); for financial entities DORA applies as the sector-specific rule and takes precedence where the two overlap.
Where does your firm stand?
Ten questions on the controls examiners and partners look at first, each requiring evidence. Get an instant Red, Yellow or Green score and the gaps to fix first.
Common questions
What is DORA and who does it apply to?
DORA (the EU Digital Operational Resilience Act) has applied since January 2025. It requires EU financial entities, including brokers, payment firms, crypto and insurance firms, to run an ICT risk management framework, manage third-party ICT risk, detect and report incidents, and test resilience. Accountability sits with the management body.
When do the EU AI Act obligations apply to fintech?
The EU AI Act's obligations for the high-risk systems listed in Annex III apply from 2 August 2026. For fintech that covers creditworthiness assessment and credit scoring of natural persons, and life and health insurance risk assessment and pricing; profiling of natural persons within a listed use case is always treated as high-risk. Systems used to detect financial fraud are expressly excluded from the credit category. High-risk systems require risk management, technical documentation, logging and human oversight.
What are the penalties for non-compliance?
GDPR allows fines up to €20 million or 4% of global annual turnover, whichever is higher. The EU AI Act allows up to €35 million or 7% of global annual turnover, whichever is higher, for the most serious breaches. NIS-2 sets fines of up to €10 million or 2% of global annual turnover for essential entities. DORA leaves the penalty regime to Member States, which must be able to apply administrative penalties and remedial measures to members of the management body personally.
Does WingsGRC make our firm compliant?
No. WingsGRC implements the technical controls and prepares the evidence your obligations rest on, such as ICT asset inventory, detection-as-code, logging and incident-reporting workflows. Regulatory interpretation, attestation and audit sign-off remain with your compliance function and independent auditors.
How do I know where my firm stands?
Use the WingsGRC readiness check: ten questions on the controls examiners and partners look at first, each requiring evidence. It returns an instant Red, Yellow or Green score and the specific gaps to fix first.