Shortly before the holiday season, BaFin published new Guidance on the ICT risks associated with the use of Artificial Intelligence (AI). While explicitly non-binding, this document provides essential practical orientation for financial institutions and insurance companies on how to integrate AI technologies into the Digital Operational Resilience Act (DORA) framework.

In his latest analysis, Laurent de la Vaissière, our principal consultant, breaks down the key points of this guidance for risk managers, compliance officers, and IT leaders. The article offers a verification-focused overview of how these new expectations impact digital resilience strategies.
Key topics covered in the article include:
- Scope and Definition: Clarification that AI systems are treated as ICT assets and infrastructure, placing them squarely within DORA’s ICT risk management framework.
- Governance Obligations: The strategic role of the management body in overseeing AI risks and the requirement for annual framework reviews.
- The AI Lifecycle: Robust requirements for the entire lifecycle, from testing and change management (including for Generative AI) to secure decommissioning.
- Third-Party Risk: Managing the complexities of outsourced AI, opaque integrations (“Shadow AI”), and ensuring exit strategies and audit rights.
- Security and Resilience: Cross-cutting requirements for data protection, continuous monitoring, incident reporting, and business continuity planning.
This analysis provides a clear roadmap for ensuring your AI initiatives are aligned with the latest regulatory guidance on digital operational resilience.