The EU AI Act, DORA, and MiCA: The Emerging Structure of Board Accountability in Digital Regulation

Denis de Montigny PhD, CFA

Introduction

With the adoption of the EU AI Act, DORA (Digital Operational Resilience Act), and MiCA (Markets in Crypto-Assets Regulation), the European regulatory framework has expanded in scope and complexity. Each regulation addresses distinct technological domains—artificial intelligence, ICT resilience, and crypto-assets—but together they introduce a coherent supervisory approach: one that places increased responsibility for emerging technology oversight at the level of the board.

For boards of directors, these frameworks represent more than an extension of compliance functions. They redefine the board’s role in supervising technology-driven businesses, requiring sustained engagement with operational models that previously fell largely within management’s remit. In doing so, they reshape how risk, control, and strategic oversight must be integrated across corporate governance structures.

The implications are neither theoretical nor distant. These regulations are now entering force, and they introduce governance expectations that many boards are not yet fully equipped to meet.

Note: This article provides a strategic and governance-oriented perspective on evolving EU regulatory frameworks. It does not constitute legal advice. Organizations should consult qualified legal counsel for specific compliance obligations under the EU AI Act, DORA, and MiCA.

The EU AI Act: Supervising Algorithmic Systems at Board Level

The EU AI Act establishes a comprehensive legal framework for artificial intelligence, introducing a risk-based classification system that defines legal obligations according to the level of risk associated with a given AI system. High-risk AI systems—such as those used in employment decisions, credit scoring, KYC/AML processes, client suitability assessments, or biometric identity verification—are subject to extensive requirements around data governance, transparency, human oversight, and ongoing monitoring.

For boards, the AI Act introduces several governance requirements that extend beyond technical compliance:

  • Oversight of AI Governance Structures
    Boards are expected to ensure that AI governance frameworks are properly designed, implemented, and maintained. This includes reviewing risk classification decisions, approving governance policies, and supervising internal processes for monitoring AI system behavior over time.
  • Accountability for Ethical and Legal Risk Management
    AI-related risks increasingly intersect with legal, reputational, and ethical exposures. Boards are expected to ensure that these dimensions are integrated into the firm’s risk management architecture, including model explainability, bias mitigation, and data integrity.
  • Supervision of Third-Party Model Risk
    Many organizations rely on external vendors for AI capabilities, including foundation models and SaaS-based AI solutions. Boards remain responsible for ensuring that contractual arrangements with vendors include enforceable provisions related to compliance with the AI Act’s obligations.
  • Exposure to Sanctions and Enforcement
    Non-compliance may trigger administrative sanctions of up to €35 million or 7% of global turnover. In certain governance failure scenarios, personal liability for directors may arise under national corporate law if oversight duties have not been properly executed.

The supervisory expectation is not that boards become technical experts in AI model architecture, but that they demonstrate sufficient engagement to supervise management’s AI governance framework, identify deficiencies, and ensure corrective action where necessary.

DORA: Operational Resilience as a Governance Obligation

DORA applies to a wide range of financial institutions, including banks, insurers, asset managers, payment firms, and critical third-party service providers. Unlike prior regulatory approaches that treated ICT risk primarily as an operational issue, DORA brings digital operational resilience directly within the board’s supervisory perimeter.

Several obligations are particularly relevant to boards:

  • Board Responsibility for ICT Risk Frameworks
    Boards must approve and oversee the institution’s overall ICT risk management framework. This includes risk appetite, business continuity plans, incident response protocols, and ICT security policies.
  • Director Competency Requirements
    DORA introduces expectations regarding the board’s collective knowledge of ICT risk, requiring that directors possess sufficient understanding to assess management’s resilience strategies and challenge weaknesses when identified.
  • Oversight of Third-Party Dependencies
    The regulation extends supervisory responsibility to outsourced ICT services, including concentration risks associated with reliance on major cloud service providers. Boards remain accountable for resilience risks even when key operational components are externally hosted.
  • Coordination Across Supervisory Authorities
    For cross-border groups, DORA introduces potential regulatory coordination issues, requiring boards to oversee how multiple national competent authorities interact in relation to group-wide resilience planning and incident reporting.

DORA shifts operational resilience from a delegated IT issue to a board-level concern, requiring directors to supervise how digital dependencies intersect with the institution’s overall business continuity and financial stability.

MiCA: Formalizing Crypto-Asset Governance Structures

The Markets in Crypto-Assets Regulation (MiCA) establishes the first EU-wide legal framework governing crypto-asset issuance, trading, custody, and related services. While initially targeting crypto-native platforms, MiCA’s reach extends to financial institutions offering tokenized products or crypto-related services.

Board-level responsibilities under MiCA include:

  • Approval of Governance Structures for Crypto Activities
    Boards must oversee the firm’s governance architecture for crypto-asset services, including internal control functions, staffing qualifications, and compliance oversight.
  • Supervision of Disclosure Obligations
    Directors are accountable for ensuring that white papers, financial disclosures, and client communications meet MiCA’s transparency standards, particularly around reserve assets, token structure, and financial soundness.
  • Oversight of Risk and Remuneration Policies
    MiCA requires boards to supervise the firm’s incentive structures to ensure that remuneration policies align with prudent risk-taking, avoiding the forms of internal misconduct that have contributed to failures in the crypto sector globally.
  • Fiduciary Duties and Liability Exposure
    While MiCA includes certain director protections when fiduciary obligations are properly discharged, the burden of demonstrating good governance rests with the board, requiring clear documentation of oversight activities and decisions.

For many institutions, MiCA may create both compliance burdens and competitive opportunities, particularly where effective governance allows market participants to differentiate themselves on the basis of client protection and institutional reliability.

Overlap and Integration Across Regulatory Domains

Although these three frameworks address distinct subject matter areas, they are not independent from the perspective of board governance. Several themes recur across the AI Act, DORA, and MiCA:

  Supervisory Area                        EU AI Act   DORA                MiCA
  --------------------------------------  ----------  ------------------  ----
  Board Oversight Obligations             Yes         Yes                 Yes
  Third-Party Vendor Dependencies         Yes         Yes                 Yes
  Governance of Emerging Technologies     Yes         Yes (ICT context)   Yes
  Personal Exposure for Directors         Yes         Yes                 Yes
  Documentation and Auditability          Yes         Yes                 Yes

Boards will increasingly need to design governance structures that address these obligations in a coordinated manner, avoiding fragmented compliance programs that fail to reflect how digital technologies interconnect within the business.

Strategic Consequences: Second-Order Effects for Market Participants

The introduction of these frameworks will reshape parts of the European financial and technology landscape:

  • Higher Compliance Costs Will Drive Industry Consolidation
    Small and mid-sized firms may lack the capital, governance capacity, or technical expertise to maintain compliance, creating upward pressure for consolidation across multiple sectors.
  • Vendor Contracting Will Shift
    Firms will place greater demands on AI model providers, cloud operators, and crypto platforms to provide compliance-ready solutions with stronger contractual assurances, audit rights, and shared liability frameworks.
  • Competitive Advantages May Emerge for Well-Governed Firms
    Institutions that can demonstrate robust governance across these domains may benefit commercially with institutional clients, counterparties, and regulators who increasingly view governance capacity as a proxy for long-term business stability.
  • Fragmentation Between Jurisdictions Will Complicate Cross-Border Operations
    Differences between EU frameworks and non-EU regimes may increase compliance complexity for international firms, raising the importance of integrated global governance models at the board level.

Governance Actions for Boards

Boards should consider a series of near-term measures to position their institutions for these regulatory shifts:

  • Map Existing Governance Capabilities Against Regulatory Requirements
    Undertake a structured assessment of board and management capabilities against AI, ICT resilience, and crypto governance expectations. Identify areas requiring additional expertise or restructuring.
  • Consolidate Oversight Functions Across Domains
    Consider the formation of integrated board committees that supervise digital risk in its entirety, rather than maintaining fragmented oversight structures tied to historical functional silos.
  • Review Vendor Governance Frameworks
    Evaluate whether third-party agreements provide sufficient contractual protections, audit rights, and information access to enable regulatory compliance across AI, ICT, and crypto exposures.
  • Align Internal Audit Functions with Emerging Obligations
    Ensure that audit plans directly address AI model oversight, operational resilience testing, and crypto-asset governance.
  • Review Director Liability Coverage
    Assess whether D&O insurance policies are properly aligned with these new forms of director exposure, particularly where legal frameworks remain untested.
  • Strengthen Regulatory Engagement
    Maintain open communication channels with supervisory authorities to clarify obligations, demonstrate governance commitment, and address interpretive uncertainties as regulatory practice evolves.

Conclusion

The EU AI Act, DORA, and MiCA collectively mark a shift in how technology risk is supervised at the board level. The supervision of AI systems, operational resilience, and crypto-assets is no longer the sole domain of technical or compliance teams. These frameworks place boards directly into the oversight structure, with clear obligations to supervise management’s handling of emerging technology risks.

Institutions that adapt their governance structures to reflect these supervisory expectations will be better positioned to navigate both regulatory obligations and market dynamics. Boards that fail to engage meaningfully with these developments increase the risk not only of regulatory intervention, but of competitive disadvantage in a marketplace where governance capacity itself is becoming a source of institutional value.

At Fund Guardian, my colleagues Dr. Angelina Pramova, CESGA®, Guillem Liarte, and I support firms in executing their AI and oversight strategies — offering tools, analytics, and expertise to accelerate implementation, reduce risk, and build long-term governance capability. Contact us here.

Links:

European Parliament on the EU AI Act

Digital Operational Resilience Act (DORA)

Markets in Crypto-Assets Regulation (MiCA)

European Artificial Intelligence Act