A US bank with EU customers and Canadian operations does not get to pick one AI regulator. It picks three — the EU AI Act for AI-system obligations, DORA for ICT third-party risk, and SR 26-2 for US model risk management. Each one covers different ground; none of them covers all of it. This piece is the single-source mapping a cross-border AI governance lead can hand to their board, with tools that amplify your in-house expertise across all three.
Why these three travel together
Most law-firm explainers pick two of the three and stop, leaving the cross-border bank AI governance lead to assemble the three-layer mental model from separate sources. A single bank with EU market reach, ICT vendor exposure, and US bank-supervised status sits inside the intersection of all three. None substitutes for another; none covers the others' ground. Treating them as competing frameworks is a categorisation error; treating them as a stack with documented overlap is the practitioner read.
Layer 1 — Regulation (EU) 2024/1689 / the EU AI Act
Regulation (EU) 2024/1689, the EU AI Act, applies to providers and deployers of AI systems placed on or used in the EU market, and Article 2(1) makes that reach extraterritorial: it covers providers and deployers established outside the Union where the output produced by the system is used in the Union. A non-EU bank serving EU customers is therefore in scope for the AI-system obligations even with no EU presence. Annex III lists high-risk use cases that map directly onto bank operations: creditworthiness evaluation and credit scoring of natural persons, risk assessment and pricing for life and health insurance, and AI used in recruitment and employment decisions are all named. Article 5 prohibitions and the Article 4 AI-literacy obligation have applied since 2 February 2025; general-purpose AI model obligations under Articles 53 and 55 have applied since 2 August 2025; Annex III standalone high-risk obligations are scheduled for 2 August 2026, and the Commission's Digital Omnibus on AI proposal would push that date to 2 December 2027 if it is formally adopted, so the 2026 date is the one in force until then. The layer covers the AI system itself: its design, its training data, its transparency, and its risk management.
Layer 2 — Regulation (EU) 2022/2554 / DORA
Regulation (EU) 2022/2554 (DORA) is the EU's ICT operational-resilience framework for financial entities; it entered into force in January 2023 and has applied since 17 January 2025. DORA is not an AI regulation. It is an ICT and third-party risk-management regulation, and AI vendors fall into it when they are ICT third-party service providers to an in-scope financial entity. The integration angle matters: AI cloud-model providers, AI vendors offering an inference API, and any agentic-AI orchestrator that touches production banking systems are ICT third-party service providers under the Chapter V third-party risk regime, with the general principles in Article 28 and the mandatory contractual provisions in Article 30. The contract has to satisfy those provisions: a full description of the service, the locations where data is processed and stored, audit and access rights, service levels, termination rights and exit strategies, and sub-contracting controls, with stricter requirements where the vendor supports a critical or important function. The Article 19 major ICT-related incident reporting timelines apply when an AI vendor causes an in-scope incident, and under Article 28 responsibility for managing that risk stays with the financial entity, not the vendor. DORA does not regulate the AI model; it regulates the contractual and operational envelope the AI vendor sits inside.
Layer 3 — SR 26-2
Supervisory Letter SR 26-2 is the interagency revised guidance on model risk management issued by the Federal Reserve, OCC, and FDIC on 17 April 2026. It is expected to be most relevant to banking organisations with over $30 billion in total assets regulated by the Federal Reserve. SR 26-2 supersedes SR 11-7 and SR 21-8, modernises the model-risk construct on a materiality-based footing, and narrows the model definition to exclude simple arithmetic and deterministic rule-based software. Critically, generative and agentic AI sit outside the formal MRM scope under SR 26-2 — the carve-out is non-coverage, not prohibition. Statistical, financial, and economic AI models that fit the new definition stay in scope; generative and agentic AI route to the parallel governance track.
Where they overlap, where they don't
| Dimension | EU AI Act | DORA | SR 26-2 |
|---|---|---|---|
| Primary scope | AI systems on the EU market | ICT and third-party arrangements for EU financial entities | Bank model risk management (US) |
| AI included | Yes — direct subject | Indirect — as ICT third parties | Statistical, financial, economic models only — GenAI carved out |
| Model definition | Annex III high-risk + GPAI tiers | Not applicable — ICT framework | Narrowed to exclude rule-based software |
| Vendor risk | Provider and deployer obligations | Articles 28 to 30 third-party risk principles and contractual provisions | Vendor management under existing US bank guidance |
| Incident reporting | Article 73 serious-incident notification | Article 19 major ICT-related incident reporting | Operational incident reporting under existing US bank channels |
| Enforcement | National competent authorities + EU AI Office | National competent authorities, plus ESA-led oversight of critical ICT third-party providers | Federal Reserve, OCC, and FDIC supervision |
No row substitutes another. A bank in scope for all three implements three sets of obligations across one estate — and one inventory underpins all three.
One governance programme, three artefacts
Cross-framework governance does not require three programmes. Responsible AI Studio (RAIS) builds the toolkit a single AI governance function can run end-to-end. The AI Policy Generator carries citations to the EU AI Act, DORA, and SR 26-2 in the clauses each one answers to. The AI Vendor Assessment maps to DORA Article 28 for EU-supervised entities and to US third-party risk frameworks for the bank's vendor catalogue. The AI Compliance Gap Analyser is the cross-framework instrument — it surfaces where the three layers' obligations overlap, where they diverge, and which artefacts the bank already has versus which still need drafting.
Where to read the source material
- Regulation (EU) 2024/1689 — Artificial Intelligence Act — Article 2 (scope), Annex III, and Articles 53 and 55 (GPAI).
- Regulation (EU) 2022/2554 (DORA) — Article 28 (general principles of ICT third-party risk), Article 30 (key contractual provisions), and Article 19 (major ICT-related incident reporting).
- SR 26-2 — Revised Guidance on Model Risk Management (17 April 2026) — interagency, supersedes SR 11-7 and SR 21-8.
Map your AI compliance gaps → /tools/gap-analyser/for/financial-services
Qualified review still required. Outputs are AI-generated starting-point documents — not a substitute for qualified legal or compliance advice.