Three Regulations, One Challenge: Securing Your AI Systems
European organisations deploying AI face an unprecedented convergence of regulatory requirements. The EU AI Act, DORA (Digital Operational Resilience Act), and NIS2 (Network and Information Security Directive) each address different aspects of technology risk — but their requirements increasingly overlap when it comes to AI systems.
For CISOs, compliance officers, and AI governance teams, understanding how these regulations interact isn’t just an academic exercise. It’s the difference between building a coherent compliance programme and drowning in duplicated effort.
The EU AI Act: AI-Specific Requirements
The EU AI Act is the world’s first comprehensive AI regulation. For high-risk AI systems, it mandates:
- Risk management systems that identify, analyse, and mitigate risks throughout the AI lifecycle
- Data governance ensuring training, validation, and testing datasets are relevant, sufficiently representative, and, as far as possible, free of errors and complete
- Technical documentation that enables assessment of AI system compliance
- Transparency and instructions for use so that deployers can interpret the system’s output and use it appropriately; separately, the Act requires that people are told when they are interacting with an AI system or viewing AI-generated content
- Human oversight measures enabling humans to monitor, intervene in, and override AI decisions
- Accuracy, robustness, and cybersecurity appropriate to the AI system’s purpose and risk level
The Act also introduces obligations for general-purpose AI models, including transparency requirements, technical documentation, and — for models with systemic risk — adversarial testing and incident reporting.
DORA: Digital Resilience for Financial Services
DORA applies to financial entities across the EU and their critical ICT service providers. Its relevance to AI comes through several channels:
- ICT risk management: AI systems are ICT assets. DORA requires comprehensive risk identification, protection, detection, response, and recovery capabilities for all ICT systems — including AI
- Incident reporting: Major ICT-related incidents must be reported to the competent authority, following a staged timeline (initial notification, intermediate report, final report). A failure or compromise of an AI system that disrupts a financial service falls within this obligation
- Digital operational resilience testing: Financial entities must regularly test their ICT systems, and certain entities must conduct threat-led penetration testing (TLPT) of live production systems. AI systems that support critical or important functions are within scope of both
- Third-party risk management: Financial entities must manage risks from ICT third-party providers, including AI vendors and cloud-based ML services
NIS2: Broadening the Security Net
NIS2 significantly expands the scope of EU cybersecurity requirements to cover essential and important entities across 18 sectors. Its AI implications include:
- Cybersecurity risk management: Entities must implement appropriate technical, operational, and organisational measures to manage risks to their network and information systems — including AI components
- Supply chain security: NIS2 specifically requires assessment of the security of supply chains, directly relevant to AI model and data supply chains
- Incident notification: Significant incidents must be reported in stages: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month
- Management body accountability: Senior management must approve cybersecurity risk management measures and can be held personally liable for non-compliance
Where the Regulations Converge on AI
Risk Assessment and Management
All three regulations require systematic risk assessment. Rather than conducting three separate assessments, organisations should develop a unified AI risk management framework that addresses the specific requirements of each regulation. The NIST AI Risk Management Framework provides a useful foundation that can be mapped to EU regulatory requirements.
Incident Response and Reporting
An AI security incident may trigger reporting obligations under all three regulations simultaneously. A poisoned model in a financial institution could be a serious incident involving a high-risk AI system (EU AI Act, reported by the provider to the market surveillance authority, with the deployer obliged to inform the provider), a major ICT-related incident (DORA), and a significant incident (NIS2). Each regime has its own clock, recipient, and content requirements, so your incident response process must classify the incident against all applicable regimes at triage and track every deadline in parallel.
Third-Party and Supply Chain Risk
All three regulations address supply chain and vendor risk, but from different angles. A coherent approach evaluates AI vendors against the combined requirements: security practices (NIS2), operational resilience (DORA), and AI-specific safeguards (EU AI Act).
Testing and Assurance
Regular testing is mandated across all three frameworks. AI-specific penetration testing, adversarial robustness evaluation, and operational resilience testing can be designed to satisfy multiple regulatory requirements simultaneously.
Building a Unified Compliance Strategy
Step 1: AI System Inventory
Create a comprehensive register of all AI systems in use, their risk classifications under the EU AI Act, their relevance to DORA-regulated activities, and their connection to NIS2-covered services. This inventory becomes the foundation for all compliance activities.
Step 2: Integrated Risk Assessment
Conduct a single, thorough risk assessment that maps each AI system against the requirements of all applicable regulations. Identify common controls that satisfy multiple requirements and highlight regulation-specific gaps.
Step 3: Control Framework
Implement technical and organisational controls that address the superset of requirements. Well-designed AI security controls — model monitoring, access management, data governance, incident response — can satisfy requirements across all three regulations, provided each control is documented and evidenced against the specific wording of each regulation rather than assumed to cover it.
Step 4: Continuous Compliance Monitoring
Regulations evolve, AI systems change, and new risks emerge. Implement continuous monitoring that tracks compliance status across all applicable frameworks and alerts on emerging gaps.
How LittleData Can Help
The LittleData.ai platform provides integrated compliance tracking across the EU AI Act, DORA, NIS2, and other frameworks including ISO 42001 and NIST AI RMF. Our dashboards give you a unified view of your compliance posture, highlight gaps, and track remediation progress.
Our AI security services include regulatory gap analysis, control implementation, and ongoing compliance support tailored to your organisation’s specific regulatory landscape.
Contact our compliance team to discuss how we can help you navigate the converging regulatory landscape for AI.
