Minerva Data Solutions

EU AI Act and DORA: what evidence packs actually look like

Practical evidence structures for AI governance and operational resilience — not checkbox compliance theatre.

EU AI Act, DORA, AI governance

For European financial and regulated organizations, AI compliance is becoming a runtime evidence problem. Policies matter, but auditors increasingly need proof that the system behaved correctly: logs, approvals, incidents, model changes, vendor dependencies, and human overrides.

The mistake is building one evidence process for the EU AI Act and another for DORA. The better pattern is one telemetry layer with different regulatory views.

Where the obligations overlap

The EU AI Act pushes teams toward risk management, technical documentation, operation logs, transparency, human oversight, quality management, and post-market monitoring. DORA pushes financial entities toward ICT risk management, incident reporting, resilience testing, third-party registers, and operational continuity.

The documents differ, but the evidence often comes from the same events:

  • Which AI system was used
  • Who triggered it
  • What business process it affected
  • Which data sources, tools, and vendors were involved
  • Which model and prompt versions ran
  • Whether a human reviewed, approved, rejected, or overrode the output
  • Whether an incident, drift signal, policy breach, or access violation occurred

The evidence pack model

Think of an evidence pack as a regulator-ready bundle generated from live system telemetry. It should include an AI system registry entry, risk classification, data flow, model/provider inventory, per-run logs, human oversight records, vendor dependencies, retention policy, and incident links.

For an AI Act view, expose technical documentation, operation logs, oversight evidence, and monitoring results. For a DORA view, expose ICT risk mapping, third-party concentration, incident forensics, resilience controls, and continuity impact.
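As an added illustration (not Minerva's code), a Python sketch of the single-telemetry-layer pattern: each run emits one event carrying the fields listed above, and the AI Act and DORA views are projections over the same events. The field names, decision labels and sample runs are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class RunEvent:
    run_id: str
    ai_system: str            # registry entry the run belongs to
    actor: str                # who triggered it
    business_process: str     # what it affected
    vendors: List[str]        # model/provider and tool vendors involved
    model_version: str
    prompt_version: str
    oversight: Optional[str]  # "approved" | "rejected" | "overridden" | None
    signals: List[str] = field(default_factory=list)  # incident, drift, policy_breach, access_violation

OVERSIGHT_DECISIONS = {"approved", "rejected", "overridden"}

def ai_act_view(events):
    """AI Act view: operation log, oversight evidence and monitoring results per AI system."""
    view = {}
    for e in events:
        s = view.setdefault(e.ai_system, {"runs": 0, "versions": set(),
                                          "oversight_gaps": [], "drift_runs": []})
        s["runs"] += 1
        s["versions"].add((e.model_version, e.prompt_version))
        if e.oversight not in OVERSIGHT_DECISIONS:  # no human record: a gap an auditor will ask about
            s["oversight_gaps"].append(e.run_id)
        if "drift" in e.signals:
            s["drift_runs"].append(e.run_id)
    return view

def dora_view(events):
    """DORA view: third-party concentration and incident links from the same events."""
    concentration, incidents = Counter(), []
    for e in events:
        concentration.update(set(e.vendors))  # count each vendor once per run
        if {"incident", "access_violation"} & set(e.signals):
            incidents.append((e.run_id, e.business_process, list(e.vendors)))
    total = len(events)
    share = {v: round(n / total, 2) for v, n in concentration.items()} if total else {}
    return {"vendor_share": share, "incident_links": incidents}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    RunEvent("r1", "claims-triage", "analyst-7", "claims", ["vendor-a"], "m-2", "p-5", "approved"),
    RunEvent("r2", "claims-triage", "analyst-7", "claims", ["vendor-a", "vendor-b"], "m-2", "p-5",
             "overridden", ["drift"]),
    RunEvent("r3", "claims-triage", "batch-job", "claims", ["vendor-b"], "m-3", "p-5", None, ["incident"]),
]
```

Run `r3` shows the point of the shared layer: the same event feeds the AI Act view as an oversight gap and the DORA view as an incident link against a specific vendor.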

What to avoid

Do not rely only on questionnaires or static policy docs. They are useful catalogs, but they do not prove runtime behavior. The evidence has to come from the AI system itself, from the moment it retrieves data, calls tools, generates output, and waits for human approval.

Further reading: AI compliance for banking where DORA meets the AI Act, EU AI Act audit trail implementation guide, and AI system registry guidance.