Regulatory

DORA's AI Vendor Trap: Liability Flows, Capital Charges, and Board Exit Strategies

Kieran Upadrasta · 2026-01-15 · CISSP, CISM, CRISC, CCSP

The Digital Operational Resilience Act creates an unprecedented liability trap for financial institutions that have become dependent on AI vendors for critical business functions. Unlike traditional ICT outsourcing, AI vendor relationships create non-linear liability flows where model failures can cascade across multiple business lines simultaneously, triggering capital charge implications that boards have not anticipated. This paper maps the liability architecture of AI vendor relationships under DORA, identifies the specific provisions that create 'vendor traps' — situations where switching costs exceed the risk of continued dependence — and provides board-level strategies for either restructuring these relationships or establishing credible exit pathways.

The analysis covers concentration risk provisions, subcontracting chains, and the new requirements for testing AI vendor resilience that take effect in 2025.

  1. DORA and AI Vendor Dependencies
  2. Non-Linear Liability in AI Outsourcing
  3. Capital Charge Implications
  4. The Vendor Trap Mechanism
  5. Concentration Risk Under Articles 28-44
  6. Subcontracting Chain Liability
  7. Board-Level Exit Strategies
  8. Restructuring AI Vendor Relationships

Kieran Upadrasta

CISO & Strategic Cyber Consultant · CISSP, CISM, CRISC, CCSP

27 years securing financial services · Big 4 pedigree (Deloitte, PwC, EY, KPMG) · Zero breaches managing £500B+ in assets

https://www.kieranupadrasta.com · LinkedIn