This article is currently available in English only.
AI Governance for EU Banks: EBA Guidelines, ECB Expectations, and DORA Intersection
EU banks face AI governance requirements from the EBA (model risk management), the ECB (supervisory expectations), DORA (digital operational resilience including AI systems), and the EU AI Act. The complete 2026 compliance guide.
Key Takeaways
The EBA's guidelines on internal governance and model risk management (EBA/GL/2021/05) create specific AI governance expectations for EU banks — model inventory, independent validation, performance monitoring, and governance structure are all required.
The ECB's guide on internal models (TRIM) and its supervisory expectations on AI create additional obligations for significant institutions — the ECB has specifically flagged AI model governance as a supervisory priority.
DORA (Digital Operational Resilience Act, effective January 2025) creates operational resilience requirements for ICT systems including AI — third-party AI vendor risk is explicitly within DORA's scope.
EU AI Act obligations layer on top of banking-specific requirements — EU banks using AI in credit decisions, customer scoring, or compliance functions are likely providers or deployers of high-risk AI with Annex III obligations.
The practical governance challenge: EU banks face overlapping obligations from four regulatory frameworks simultaneously — EBA, ECB, DORA, and EU AI Act — requiring integrated governance rather than siloed compliance programmes.
"For reference only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, consult a qualified professional."
EU banking AI governance — overlapping authorities, increasingly prescriptive expectations
European banks face the most prescriptive AI governance framework in the world. EU banks must satisfy obligations under multiple overlapping regimes simultaneously: the EU AI Act (for AI as a regulated product); CRR 3/CRD VI capital and prudential regulation; ECB Banking Supervision expectations through the Single Supervisory Mechanism (SSM); EBA Guidelines on outsourcing, internal governance, and operational resilience; DORA (Digital Operational Resilience Act) for ICT third-party risk; GDPR for personal data processing; and national-level supervisory expectations from competent authorities. The result is a layered compliance environment where AI governance must be designed to satisfy all of these regimes concurrently.
The ECB Supervisory Guide on Internal Models (July 2025) — a major shift
On 25 July 2025, the European Central Bank published the latest version of its Supervisory Guide on Internal Models. The guide brought a major shift for EU banks: Model Risk Management expectations now extend to every model used by the institution, not just regulatory internal models (Basel IRB). Pricing models, stress testing models, ALM simulations, AI and ML models all fall under MRM. The previous two-tier governance approach — strong controls around regulatory models, lighter ad hoc controls around everything else — is explicitly no longer acceptable.
Chapter 9 of the 2025 guide focuses specifically on machine learning models. The ECB welcomes ML-based techniques but requires them to meet higher standards than traditional models: robust data governance with clear quality criteria, including for training data; additional checks for unstructured or synthetic data to address missing values and bias; IT infrastructure capable of meeting higher computational demands; documented hyperparameter tuning; monitoring of model drift; and explainability appropriate to the model's purpose. For many EU banks, this represents a significant uplift — a notebook is no longer sufficient documentation; regulators expect auditable model development processes.
ECB AI workshops and supervisory observations (2025)
The ECB conducted AI workshops with banks across nine European countries through 2025, with findings published in November 2025. Key observations: banks are integrating AI alongside traditional models for credit decisions and fraud detection; banks expect fraud-detection AI to be classified as low-risk under the EU AI Act (a position the ECB has flagged but not endorsed); no banks reported using GenAI in credit scoring, citing development time, cost, and trustworthiness challenges; governance arrangements are being established mostly by integrating AI into existing policies or creating dedicated AI governance functions (committees, AI units); data governance integration for AI is "yet to be established" effectively in most cases; AI models tend to be developed internally but hosted by cloud service providers.
The ECB's stated 2026 focus is on generative AI applications, deeper assessment of third-party dependencies and concentration risk, and strengthening operational resilience work building on DORA. Targeted reviews and on-site inspections conducted in 2024-2025 indicate the ECB will continue using existing supervisory tools to examine AI governance directly.
EU AI Act application to EU banks
EU AI Act high-risk classifications relevant to banks include: AI used in creditworthiness assessment of natural persons (Annex III high-risk); AI used in risk assessment and pricing in life and health insurance (high-risk); AI systems used as safety components in critical infrastructure (where bank-operated infrastructure qualifies); AI used in employment decisions; biometric categorisation systems. Banks deploying high-risk AI as providers or deployers must comply with the EU AI Act framework — risk management, data governance, technical documentation, human oversight, transparency to users — with most Annex III obligations applying from 2 December 2027 under the Digital Omnibus agreement of 7 May 2026.
Banks operating internationally face the question of whether to adopt a single global framework satisfying EU AI Act requirements (more stringent) or maintain regional variations. Most major EU banks are adopting global frameworks meeting EU standards.
DORA — the operational resilience overlay for AI
The Digital Operational Resilience Act (DORA), applicable from 17 January 2025, imposes ICT third-party risk requirements on EU financial entities. AI vendors qualify as ICT third-party providers under DORA. Banks must: maintain a register of ICT third-party arrangements (including AI vendors); conduct risk assessments before entering ICT third-party arrangements; ensure contractual provisions meet DORA's specified requirements (service descriptions, locations, security obligations, audit rights, exit strategies); maintain ICT-related incident management with reporting to competent authorities; conduct ICT business continuity and disaster recovery exercises.
The ECB Guide on outsourcing cloud services to cloud service providers (published July 2025) explains how the ECB expects banks to comply with DORA in cloud contexts — including for AI services typically delivered through cloud platforms. Good practices include reducing vendor lock-in risks, having tested contingency options for cloud services supporting critical or important functions, and ensuring contract terms support DORA-compliant exit and transition.
EBA Guidelines — governance and outsourcing
EBA Guidelines on internal governance (EBA/GL/2017/11), on outsourcing arrangements (EBA/GL/2019/02), and on SREP (EBA/GL/2022/03) all apply to AI deployment in EU banks. The EBA Supervisory handbook on the validation of rating systems under the IRB approach (EBA/REP/2023/29) applies where ML techniques are used in credit risk modelling. The Basel Committee on Banking Supervision Occasional Paper No 24 (September 2025) "How supervisors can address explainability" provides additional international supervisory perspective directly relevant to EU banks.
Genuine challenges for EU bank AI governance programmes
Model inventory at scale. Large EU banks have thousands of models, many embedded in third-party software. Building and maintaining a complete inventory that catalogues each model's purpose, type, MRM tier, and AI Act classification is itself a major undertaking.
Concentration risk in foundation models. Most enterprise AI capability depends on a small number of foundation model providers. EU banks face concentration risk that traditional vendor diversification cannot easily address — there are not many alternative GPT-4-class or Claude-class providers. The ECB has flagged this concentration explicitly.
Explainability vs performance. ML models that outperform traditional approaches often do so by capturing complex patterns that are difficult to explain. The ECB's expectation of explainability proportionate to model purpose requires banks to balance performance gains against explainability constraints, particularly in credit decisions where adverse action explanations are required.
Training data lineage and bias. EBA expectations for data governance extend to AI training data. Establishing data lineage, bias testing, and ongoing fairness monitoring at the model lifecycle level requires capabilities most banks have not historically built.
What EU bank AI governance programmes should include by end 2026
Complete model inventory covering all models including AI/ML, with MRM tier and AI Act classification.
Updated MRM framework consistent with the ECB Supervisory Guide on Internal Models (July 2025), including Chapter 9 ML-specific requirements.
Documented AI strategy aligned with risk appetite, board-approved and reviewed annually.
AI vendor contracts updated to DORA standards, including audit rights, incident notification, and exit assistance.
EU AI Act gap assessment with an implementation plan for high-risk obligations applicable from 2 December 2027.
Cloud service provider arrangements aligned with the ECB Guide on outsourcing cloud services (July 2025).
Explainability documentation for AI used in customer-impacting decisions, sufficient for both regulatory examination and adverse action notice purposes.
Bias and fairness monitoring with documented testing protocols.
AI risk reporting to risk committees and the board.