EBA guidelines and AI model governance
The European Banking Authority's guidelines on internal governance (EBA/GL/2021/05) and its discussion paper on machine learning for IRB models establish the foundational AI governance expectations for EU banks. The EBA's approach treats AI models as a subset of the broader model risk management framework: AI models are subject to the same governance principles as traditional models, adapted for AI-specific characteristics such as limited explainability, data-driven feature selection and retraining cycles. The key requirements are a model inventory that captures AI systems used in material business decisions; model validation conducted by persons independent of model development; documented evidence of ongoing model performance monitoring; and governance structures that assign clear accountability for model outcomes.
The EBA has been particularly focused on AI in credit risk modelling, specifically AI used in Internal Ratings-Based (IRB) models for credit risk capital calculation. The TRIM (Targeted Review of Internal Models) project, run by the ECB for significant institutions under the Single Supervisory Mechanism rather than by the EBA itself, examined internal model governance and produced findings that shape supervisory expectations, including for AI-based model components. The recurring findings: inadequate model documentation for AI systems, validation methodology not adapted for AI-specific characteristics, and monitoring frameworks that fail to detect model drift in AI models.
DORA and AI operational resilience
The Digital Operational Resilience Act creates a specific framework for the operational resilience of digital systems in financial services, and AI systems fall within it. DORA's key obligations for AI: ICT risk management requirements that apply to AI systems as ICT assets; ICT third-party risk requirements that capture AI vendor relationships; digital operational resilience testing, including of AI systems; and incident reporting for ICT-related incidents, including AI failures. DORA's third-party requirements are particularly significant for AI governance. Banks that rely on cloud-based AI services, vendor AI models, or third-party AI platforms must bring these relationships within their DORA compliance framework, with contractual requirements, pre-contractual due diligence, a register of information covering all ICT third-party arrangements, and documented exit strategies for arrangements that support critical or important functions.