
NIS2 and DORA Are Live. Your Accounting AI Isn't Compliant. The Clock Is Running.

*Why Consumer AI Tools in Finance Create a Specific, Personal Legal Exposure Under Regulations That Have Already Taken Effect*

[Infographic: DORA Article 28 / NIS2 Requirements for AI Tools in Financial Services]

| Regulatory Requirement | ChatGPT / Copilot | Stralevo |
| --- | --- | --- |
| ICT Third-Party Risk Assessment (DORA Art. 28 — assess every AI tool) | No assessment possible | TSI-certified · Full docs available |
| Written Contract with ICT Provider (DORA Art. 30 — enforceable data controls) | Terms of Service — not a DPA | GDPR-compliant DPA · EU governed |
| EU Data Residency (NIS2 + GDPR — data stays in EU jurisdiction) | US jurisdiction · CLOUD Act applies | EU-hosted · No US parent · SL1–SL3 |
| Sub-Outsourcing Transparency (DORA Art. 28 — know who holds your data) | 3–6 jurisdictions, unknown routing | Declared infrastructure · Auditable |
| Complete Audit Trail (GDPR Art. 30 — log who accessed what, when) | No logs on consumer tier | Every query logged · Source-cited |
| No Model Training on Client Data (GDPR Art. 6 — lawful basis for processing) | Free tier: data may train models | Zero training on customer data |

DORA Art. 50: Senior management is individually liable for compliance failures. Not just IT. NIS2 is live. DORA is live. Is your finance team's AI tool in the audit scope? Connects to Sage · Xero · Cegid · QuickBooks · Liberté. STRALEVO, stralevo.com



---

NIS2 became law in October 2024. DORA — the Digital Operational Resilience Act — took effect in January 2025. Both require every covered organization to assess every ICT provider handling critical functions. "Critical functions" includes the AI tools your accounting team used this week. How many of those tools have you assessed? How many contracts include audit rights? How many have documented exit strategies? The regulation doesn't ask whether you intended to comply. It asks whether you did.

---

What DORA Actually Requires, in Plain Terms

DORA Article 28 requires financial entities to maintain a complete register of every ICT third-party provider — any company providing digital services that support critical or important business functions — and assess each one for concentration risk (the danger of relying on a single provider with no exit plan if it fails or changes terms), contractual protections, and operational continuity. Financial analysis, reporting, and document processing all qualify as critical functions. ChatGPT, Microsoft Copilot, and similar consumer AI tools used by finance teams are, under DORA's definition, unregistered ICT third-party providers processing critical functions without the required assessments.

Article 30 adds the contract requirements: audit rights, sub-outsourcing transparency, data portability, termination procedures, and performance monitoring must all be included in agreements with ICT providers. Free-tier consumer AI tools used daily by accounting teams satisfy none of these Article 30 requirements. The specific gap: there is no contract between your organization and the consumer AI provider your finance employee uses on their laptop. No audit rights. No termination procedures. No sub-outsourcing visibility. No compliance documentation that any regulator can inspect.

---

Every Month Compounds the Exposure

Every month of DORA non-compliance is a month of documented exposure. Not because a regulator is actively auditing right now, but because the obligation has existed since January 17, 2025, and was not met. When enforcement actions arrive — and the European Supervisory Authorities (the EBA, ESMA, and EIOPA, which are the EU's financial sector regulators) published their first coordinated oversight priorities for 2026 in Q1 2025 — regulators will be able to establish the date DORA became applicable and compare it to the date compliant AI practices were implemented. The gap between those two dates is the evidence of non-compliance.

Microsoft Copilot for Finance — embedded in Microsoft 365 and active by default for licensed users — processes financial data through Microsoft's Azure cloud infrastructure. Under DORA Article 28, Microsoft's AI services qualify as an ICT third-party provider requiring formal assessment, a contractual arrangement meeting Article 30 requirements, and inclusion in the ICT register. The standard Microsoft enterprise agreement is not written to satisfy DORA Article 30. Your IT department renewed the Microsoft 365 license. Nobody assessed the Copilot AI features as a separate ICT provider — because those features arrived with the renewal, not as a separate procurement decision.

---

Article 50: The Personal Number

Beyond the organizational exposure, DORA Article 50 makes senior management of financial entities personally liable for operational resilience failures — the inability to prevent, withstand, and recover from disruptions caused by uncontrolled ICT providers. The regulation can impose fines of up to €1 million on individual executives for ICT risk management violations, and up to €5 million for failures related to critical ICT third parties. This is not organizational liability that a company absorbs at the entity level. This is a direct personal financial penalty for the executives responsible for governance, applied regardless of whether they were aware of the specific tool being used.

The CFO who signed off on a €5 million annual software budget with full vendor assessment processes, and who simultaneously uses ChatGPT for financial analysis without any DORA assessment, is managing risk inconsistently in a way that regulators will document. The question DORA asks of senior management is not "did you know?" The question is "did you have adequate controls?"

"We didn't know" is the description of inadequate controls — which is itself the violation.

---

The Stress Test Your Banking Clients Will Run

A scenario worth presenting to your legal team: your firm's largest banking client receives a routine DORA supervisory review. The regulator asks for the bank's ICT supply chain documentation. The bank includes your firm in its assessment. The bank asks: "Which AI tools does your firm use on work for our accounts, and can you provide your DORA Article 28 assessment documentation for each?" If you cannot produce it — because the assessment was never conducted — you represent a third-party risk to the bank's own DORA compliance. That is the specific scenario in which accounting firms and mid-market companies lose regulated financial services clients without a data breach occurring.

Most organizations that consider themselves DORA-compliant reached that conclusion through an IT-led process focused on formal software vendors, cloud infrastructure, and network providers — the systems in the official software inventory. Consumer AI tools used by individual employees on personal accounts are off the IT radar entirely. The recognition that stops most CFOs cold: "Our IT team told us DORA was handled. They built a vendor assessment process for our major software providers. Nobody included ChatGPT, because nobody thought of it as an ICT provider."

---

Enforcement Willingness Is Already Documented

In May 2025, the Irish Data Protection Commission imposed a €530 million GDPR fine against TikTok for cross-border data transfers — the largest data protection fine of 2025. That enforcement action established that EU regulators will impose large penalties for data governance failures without hesitation. DORA adds a parallel enforcement layer specifically targeting operational resilience failures in financial services. The European Banking Authority noted in its January 2025 supervisory guidance that "generic AI services not purpose-built for financial services may not meet Article 28 ICT third-party risk requirements." The signal from regulators is consistent: AI tools in financial services require the same governance rigor as any other ICT provider.

NIS2 runs parallel for organizations meeting its thresholds: companies with 250 or more employees, or €50 million in annual revenue, in sectors including financial services, digital infrastructure, and several manufacturing categories. For those organizations, AI tools used in operations represent network and information systems that must meet Article 21's risk management requirements. The CFO who assumed NIS2 was an IT department matter should verify whether their company is in scope — and whether the accounting AI tools currently in use satisfy the ICT third-party risk provisions that became mandatory in October 2024.

---

The Compliant Architecture Already Exists

Stralevo is built to satisfy DORA Article 28 and Article 30 requirements by design. EU-hosted, with full audit rights available contractually, complete ICT third-party documentation, no sub-outsourcing to non-EU providers, and a zero-hallucination architecture where every answer traces back to its source document — Stralevo is the answer a CFO gives when a banking client's compliance team asks for AI governance documentation. Your audit trail documents every query, every document processed, every answer generated with its source citation. When that question arrives, the answer is: "Here is the assessment documentation. Here is the audit trail. Here are the contractual protections." That answer satisfies the question without creating a new compliance gap.

Finance leaders who put this in place before the EU AI Act's August 2026 full enforcement deadline — the EU's new law establishing governance requirements for AI systems used in high-stakes contexts like financial services — are building a single documentation file that satisfies three regulatory frameworks at once: DORA's ICT third-party requirements, NIS2's risk management obligations, and the AI Act's governance records. One tool, one decision, one audit file that covers the full picture before the auditor asks.

The organizations that build this now face one set of questions from regulators: "Can you demonstrate your AI governance framework?" The organizations that wait face a different set: "Can you explain why this obligation existed since January 2025 and your documentation begins in 2027?"
