Research Note · Regulated Finance · June 2026

Frontier Models Under DORA

We gave every employee of a BaFin-regulated Wertpapierinstitut access to a frontier model. The lesson was not that compliance blocks AI. The lesson was that DORA turns AI access into evidence work.

  • 0: DORA articles that prohibit using ChatGPT or Claude by name
  • 2 Feb 2025: AI literacy duties became applicable under Article 4 of the EU AI Act
  • 3: Controls carried the rollout: vendor file, people, output gate
Sebastian Schmidt
Senior AI Engineer, svrn alpha
11 June 2026

The Reflex

Ask a German financial institution why employees cannot use frontier models and the answer often arrives as a category, not an analysis: data protection, DORA, the cloud. Press for the article, the clause, the assessed risk, and the answer usually thins out into a policy written before the current tools, contracts, and supervisory posture existed.

The rules matter. DORA exists because finance depends on ICT systems in ways that can break markets. GDPR exists because client data deserves protection. The AI Act exists because capability without literacy creates operational exposure. The point is not to route around the rules. The point is to stop reading every rule as a wall.

A wall says no. A specification says: show the file, train the people, control the output.

The Reflex: A wall says no.
  • Blanket ban, no assessed risk
  • No file, no clause, no analysis
  • Use moves to personal devices and accounts
Risk, ungoverned

The Method: A specification says: show your work.
  • Show the file
  • Train the people
  • Control the output
Access, defensible

The same rule read two ways. The ban removes governance from a risk that keeps happening. The specification turns access into 3 controls a supervisor can inspect.

That was the method. The deployment question was never "can we use this?" in the abstract. It was "what has to be true before a regulated institution can say yes and defend the decision later?" The answer was narrower, more concrete, and more operational than the reflex suggests.

Control 01: Vendor file

Treat the model provider as an ICT third-party service provider. Evidence the assessment, contract, data locations, register entry, and exit route.

Control 02: AI literacy

Turn training into a legal control: data classes, failure modes, approved lanes, and the point at which human judgement must take over.

Control 03: Output gate

Validate the process around the model. Nothing generated by AI leaves the firm or enters a regulated process without a named owner.

1. The Vendor File Comes Before the First Prompt

DORA does not need to mention large language models. A frontier-model subscription or API is a digital service delivered through ICT systems. Once employees send prompts to a provider, the question for the financial entity is not whether the word "LLM" appears in the regulation. The question is whether the arrangement is governed as ICT third-party risk.

For a commercial frontier-model deployment, the file has to answer a small set of questions with documentary evidence: what service is being procured, where processing occurs, what data is retained, whether customer data is used for training, which certifications and contractual commitments back the claims, which sub-processors exist, and how the institution exits if the tool no longer fits the risk appetite.

ICT Third-Party Vendor File · frontier-model deployment · register entry
  • Service procured: What is delivered, by which provider, on which tier
  • Processing locations: Where prompts and data are handled
  • Data retention: What is stored, and for how long
  • Training use: Confirmation that client data is not used to train
  • Certifications: SOC 2, ISO, and the contractual commitments behind the claims
  • Sub-processors: Who sits behind the provider
  • Register entry: Recorded in the ICT third-party register
  • Exit route: Provider-agnostic workflow plus 1 assessed alternative

The file is the artefact, not the prompt library. Each line is a question answered with evidence. Once it exists, a new model is an update event, not a fresh existential debate.

The criticality classification is where most firms accidentally create their own problem. A firm-wide AI assistant for drafting, summarisation, coding, translation, and research support does not have to support a critical or important function. But the usage policy has to make that true. If employees quietly drift from drafting into trade execution, portfolio instruction, regulatory reporting, or client-specific advice, the classification will not survive contact with a supervisor.

This is also where the consumer-versus-commercial distinction stops being procurement trivia. Personal accounts and free tiers are the governance failure mode. Commercial tiers bring data-processing terms, administrative controls, audit logs, training-use restrictions, and the ability to attach a real vendor assessment. Shadow AI is not cheaper. It is simply unfiled risk.

Consumer / free tier: Shadow AI
  • No data-processing agreement
  • No administrative controls
  • No audit logs to review
  • Training use unclear or opted in by default
  • Nothing to attach to a vendor assessment
  • No defined exit
Unfiled risk

Commercial tier: Governed access
  • Data-processing agreement in place
  • Administrative controls for the firm
  • Audit logs that can be reviewed
  • Training-use restrictions in the contract
  • A real vendor assessment can be attached
  • Exit route documented in the register
Filed and defensible

The choice is not capability versus caution. The same model through a personal account is unassessable, unloggable, and unexitable. Through a commercial tier it becomes a vendor file.

Scope matters. Zero-retention or no-training claims are product-specific. API commitments do not automatically cover a chat application. If strict EU processing is a hard requirement, solve it architecturally with the right deployment route and region. Do not ask a contract clause to do infrastructure work.

The exit strategy for a non-critical productivity tool can be short: provider-agnostic workflows, no hard dependency in a regulated process, and at least 1 assessed alternative. Write it anyway. A register entry that proves the institution considered exit is worth more in an audit than a meeting-room assurance that everyone knew what they were doing.

What this means for the finance desk

The first artefact is not a prompt library. It is a vendor file that makes the permitted lanes defensible. Once the file exists, new models become update events instead of fresh existential debates.

2. Training Is a Legal Control

Most rollout plans treat training as adoption work. That is too soft. Since 2 February 2025, Article 4 of the EU AI Act has required providers and deployers to take measures to ensure an adequate level of AI literacy among staff and other people dealing with AI systems on their behalf. For regulated finance, that turns training into evidence.

The useful version is not a feature tour. It is a control surface. Employees need to know which data classes can go where, which tools are approved for which classes, which outputs require review, and which use cases are simply outside the deployment. That policy has to be short enough to remember and precise enough to enforce.

The second part is failure-mode literacy. A fluent model can invent citations, fabricate regulatory references, misread a table, or turn a probabilistic answer into the tone of a certainty. Showing employees those failures changes behaviour faster than another policy PDF. The person who has watched a model invent a BaFin circular is harder to impress and safer to equip.

The third part is lane discipline. Drafting, summarisation, code support, translation, and research preparation are different from unreviewed client communication, investment advice, regulatory filings, or anything touching market-abuse risk. Names matter. Owners matter. Boundary language matters.

Approved lanes
  • Drafting
  • Summarisation
  • Code support
  • Translation
  • Research preparation

Out of scope
  • Unreviewed client communication
  • Investment advice
  • Regulatory filings
  • Market-abuse-sensitive work

The literacy programme is the deployment drawn as a map: which work is in the lane, which work is not, and the boundary employees are trained to hold.

What this means for the finance desk

The literacy programme is not a tax on adoption. It is the adoption programme with legal force behind it: more use, narrower use, better reviewed use.

3. Validate the Process, Not the Model

A frontier model will produce an error. That is not a residual risk to wish away. It is a system property to engineer around, the same way operational-risk frameworks never assumed humans were infallible either.

The regulated question is not "can the model be wrong?" It can. The useful question is: what stood between the output and the outside world? In this deployment, the line was simple: nothing generated by AI leaves the firm, or enters a regulated process, without a named human owner who reviewed it and is accountable for it.

  • 01 · Input · Input class: Classify the data and the task before the prompt.
  • 02 · Scope · Approved lane: Is the use case inside the permitted lanes?
  • 03 · Owner · Accountable owner: A named human reviews it and owns it.
  • 04 · Gate · Review gate: Scaled by consequence, from PR review to a full compliance lane.
  • 05 · Record: Logged, compared against approved usage, feeds the quarterly review.

The controlled object is the workflow, not the model. Every output passes the same 5 stages before it leaves the firm or enters a regulated process.

The gate scales by consequence. Code suggestions go through pull request review. Internal memos stay with the author. Client-facing research, MiFID II material, MAR-sensitive content, or anything used in a regulated process requires a stronger review lane, including disclosure to the reviewer that AI contributed to the draft.

  • Code suggestions (internal engineering work): Pull request review. The standard engineering gate already in place.
  • Internal memos (drafts and working documents): Author owns the output. Review stays in-team, scaled to internal stakes.
  • Client-facing research (MiFID II material, MAR-sensitive content): Full review lane, with disclosure to the reviewer that AI contributed to the draft.

One gate, 3 intensities. Review effort tracks consequence, so the control is proportionate rather than uniform.

Logs close the loop. DORA third-party-risk governance is not satisfied by a policy that nobody checks. Commercial deployments provide administrative records. Turn them on. Review them. Compare actual usage against approved usage. Use the review to update the criticality decision, because that decision is living, not decorative.
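A sketch of that log review, added here as an example and not code from the deployment described in this note: it replays usage records through the lane, owner, review and disclosure checks above and counts out-of-lane use for the criticality review. The record fields, finding names and sample rows are assumptions constructed for illustration, not any provider's audit-log format.

```python
from collections import Counter
from dataclasses import dataclass

# Lanes and review intensities as named in this note; record fields are assumed.
APPROVED_LANES = {"drafting", "summarisation", "code support",
                  "translation", "research preparation"}
REQUIRED_REVIEW = {"code": "pull_request", "internal_memo": "author",
                   "client_facing": "full_lane", "regulated_process": "full_lane"}

@dataclass
class UsageRecord:
    user: str
    lane: str
    destination: str    # key of REQUIRED_REVIEW
    owner: str          # named accountable human, "" if none recorded
    review: str         # review actually performed
    ai_disclosed: bool  # reviewer was told AI contributed to the draft

def gate_findings(rec):
    """Return the gate checks this record fails (empty list means it passes)."""
    findings = []
    if rec.lane not in APPROVED_LANES:
        findings.append("lane_not_approved")
    if not rec.owner.strip():
        findings.append("no_named_owner")
    # Unknown destinations are held to the strictest lane.
    required = REQUIRED_REVIEW.get(rec.destination, "full_lane")
    if rec.review not in (required, "full_lane"):  # a stronger review also passes
        findings.append("review_below_" + required)
    if required == "full_lane" and not rec.ai_disclosed:
        findings.append("ai_contribution_not_disclosed")
    return findings

def quarterly_review(records):
    """Findings per user, plus a count of lanes used outside the approved set."""
    per_user, drift = {}, Counter()
    for rec in records:
        found = gate_findings(rec)
        if found:
            per_user.setdefault(rec.user, []).extend(found)
        if rec.lane not in APPROVED_LANES:
            drift[rec.lane] += 1
    return per_user, dict(drift)

# Constructed sample records, not real log data.
SAMPLE = [
    UsageRecord("alice", "code support", "code", "alice", "pull_request", False),
    UsageRecord("carol", "research preparation", "client_facing", "carol", "author", False),
    UsageRecord("dave", "investment advice", "client_facing", "", "none", False),
    UsageRecord("erin", "translation", "client_facing", "erin", "full_lane", True),
]
```

A non-empty drift count is the signal to revisit the criticality classification, since it shows use outside the lanes the classification assumed.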

Validation is not something bought from the model provider. No benchmark, certification, or model card makes a deployment compliant by itself. Compliance lives in the process around the model.

What this means for the finance desk

The model is not the controlled object. The controlled object is the workflow: input class, approved lane, accountable owner, review gate, record. That is where a supervisor will look after an incident.

The Posture

Every apparent blocker offered 2 easy exits. The first was to block the tool and call it prudence. The second was to ignore the rule and call it pragmatism. Both avoid the work. The institutional path is to take the rule seriously enough to satisfy it.

That path is slower at the start and faster everywhere after. The firm with the vendor file, literacy programme, output gates, logs, and quarterly review does not re-litigate frontier-model access every time a new release ships. It updates the file, revisits the classification, and moves.

The firm that blocked everything in 2023 may discover that employees never stopped using AI. They moved it to personal devices and personal accounts, outside the controls DORA would have asked for. The blanket ban did not remove the risk. It removed governance from a risk that was already happening.

  1. DORA is a specification, not a slogan. It asks financial entities to govern ICT third-party risk. A frontier-model provider can fit that frame if the institution does the work.
  2. Consumer AI is the failure mode. The risk is not that employees have access to capable models. The risk is that they use capable models through products the institution cannot assess, contract, log, or exit.
  3. AI literacy is a control. Training belongs in the evidence file because trained employees route data better, trust output less blindly, and understand where human judgement begins.
  4. The output gate is the liability gate. If the model drafted it, a named human still owns it before it leaves the firm or enters a regulated process.
  5. The advantage compounds. Institutions that can show their work will adopt faster because every new model is an update to a governance system, not a new war with compliance.

DORA, the AI Act, and GDPR do not say "no" to frontier models in regulated finance. They say: show your work. In this market, the institutions that learn to show their work fastest will be the ones that make regulation part of the moat.

Sources & References

This note is operational analysis, not legal advice. References are listed for the regulatory and vendor-contract frames used in the deployment design.

  • Regulation (EU) 2022/2554, Digital Operational Resilience Act. Applicable from 17 January 2025. Articles 3, 28, 29, and 30 frame ICT third-party service provider definitions, third-party-risk principles, concentration risk, contractual provisions, register expectations, and exit strategy discipline. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554
  • Regulation (EU) 2024/1689, Artificial Intelligence Act. Entered into force on 1 August 2024. Article 4 establishes AI literacy duties for providers and deployers; Article 113 sets the phased application calendar, including Article 4 from 2 February 2025. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
  • European Commission, AI literacy questions and answers. May 2025. Used for the Article 4 implementation frame: AI literacy should be proportionate to context, staff roles, and the systems being used. URL: https://digital-strategy.ec.europa.eu/
  • GDPR Article 28. Processor agreement requirements used in the commercial-tier versus consumer-account distinction. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
  • Anthropic and OpenAI business privacy, data processing, and enterprise administration materials. Used for the vendor-file distinction between consumer access, commercial terms, administrative controls, logging, and training-use restrictions. URLs: https://privacy.anthropic.com/ and https://openai.com/policies/
  • BaFin DORA information portal. Used for the German supervisory context around DORA implementation and ICT-risk governance. URL: https://www.bafin.de/
