AIRiskAware

This article is currently available only in English.

EU AI Act · 11 min read · 2026

AI Governance for EU Banks: EBA Guidelines, ECB Expectations, and DORA Intersection

EU banks face AI governance requirements from the EBA (model risk management), the ECB (supervisory expectations), DORA (digital operational resilience including AI systems), and the EU AI Act. The complete 2026 compliance guide.


Key Takeaways

  • The EBA's guidelines on internal governance and model risk management (EBA/GL/2021/05) create specific AI governance expectations for EU banks — model inventory, independent validation, performance monitoring, and governance structure are all required.

  • The ECB's guide on internal models (TRIM) and its supervisory expectations on AI create additional obligations for significant institutions — the ECB has specifically flagged AI model governance as a supervisory priority.

  • DORA (Digital Operational Resilience Act, effective January 2025) creates operational resilience requirements for ICT systems including AI — third-party AI vendor risk is explicitly within DORA's scope.

  • EU AI Act obligations layer on top of banking-specific requirements — EU banks using AI in credit decisions, customer scoring, or compliance functions are likely providers or deployers of high-risk AI with Annex III obligations.

  • The practical governance challenge: EU banks face overlapping obligations from four regulatory frameworks simultaneously — EBA, ECB, DORA, and EU AI Act — requiring integrated governance rather than siloed compliance programmes.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific guidance."

EBA guidelines and AI model governance

The European Banking Authority's guidelines on internal governance (EBA/GL/2021/05) and its consultative paper on machine learning in IRBA models establish the foundational AI governance expectations for EU banks. The EBA's approach treats AI models as a subset of the broader model risk management framework — requiring that AI models are subject to the same governance principles as traditional models, adapted for AI-specific characteristics. The key requirements: a model inventory that captures AI systems used in material business decisions; model validation conducted by persons independent of model development; documented evidence of model performance monitoring; and governance structures ensuring accountability for model outcomes.

The EBA has been particularly focused on AI in credit risk modelling — specifically AI used in Internal Ratings-Based (IRB) models for credit risk capital calculation. The EBA's TRIM (Targeted Review of Internal Models) process has examined AI model governance in significant institutions and produced findings that establish supervisory expectations. The recurring findings: inadequate model documentation for AI systems, validation methodology not adapted for AI-specific characteristics, and monitoring frameworks not detecting model drift in AI models.

DORA and AI operational resilience

The Digital Operational Resilience Act creates a specific framework for the operational resilience of digital systems in financial services — including AI systems. DORA's key obligations for AI: ICT risk management requirements that apply to AI systems as ICT assets; third-party ICT risk requirements that capture AI vendor relationships; operational resilience testing including for AI systems; and incident reporting for ICT-related incidents including AI failures. DORA's third-party requirements are particularly significant for AI governance — banks that rely on cloud-based AI services, vendor AI models, or third-party AI platforms must bring these relationships within their DORA compliance framework, with contractual requirements, due diligence, and exit strategies for material ICT third-party arrangements.