
Draft Law on Tech Governance: Bringing DORA and the AI Act

In times when digital advancement is at stake, there is a persistent and pressing need across all sectors for legal frameworks and regulatory measures that keep pace with the evolution of digital technologies.

The Regulation (EU) 2022/2554 on digital operational resilience (hereinafter – the DORA) and Regulation (EU) 2024/1689 on artificial intelligence (hereinafter – the AI Act) fundamentally aim to establish a legal framework for financial entities governing the use of digital technologies, IT systems, and the deployment and management of AI systems. While the listed regulations aim to provide operationalisation and risk management standards, applying them in practice may be challenging. 

For this reason, the Financial Ministry of Latvia has proposed a new draft law – the Law on Digital Operational Requirements and the Implementation of Artificial Intelligence in the Financial Market (hereinafter – the Draft Law), which aims to harmonise the DORA and the AI Act. This article briefly introduces the Draft Law and its compliance mechanisms, and provides practical insights for startup and fintech entities that may be subject to the Draft Law.

The article incorporates expert insights obtained through a consultation with Marine Krasovska, Head of the Financial Technology Supervision Division at the Bank of Latvia.

DRAFT LAW - TARGET AUDIENCE AND DUTIES

Prior to the adoption of the DORA, requirements for digital resilience were fragmented and inconsistent; the DORA harmonises and unifies the requirements for the financial sector, ensuring a unified approach across the EU. The AI Act, on the other hand, sets common rules and risk mitigation practices for the use of AI.

While both frameworks are fundamentally necessary, their provisions and compliance with them may become demanding, especially for startups and small and medium-sized enterprises. To avoid such regulatory challenges, the Draft Law aims to provide a common framework for the financial sector specifically in the application of the DORA and the AI Act.

As M. Krasovska indicates, the Draft Law has been developed with the aim of promoting a flexible yet robust supervisory environment – with a clear distribution of competences and the establishment of responsibilities, enabling timely responses to risks. While DORA primarily focuses on security, establishing unified resilience requirements for existing systems, the AI Act outlines a common path for future development, thereby attaining common strategic, regulatory and economic objectives.

The Draft Law, as indicated in Articles 4 and 5, applies to a wide scope of financial market participants subject to supervision by the Bank of Latvia, including, but not limited to: alternative investment fund managers, insurance intermediaries, electronic money institutions, and credit and payment institutions. Additionally, a financial entity using AI systems will be subject to AI governance obligations under the Draft Law.

The entities that do not have to comply with the AI obligations, as outlined in Article 7 of the Draft Law, are small and non-interconnected investment brokerage firms and small private pension funds.

Target audience

Besides complying with both regulations individually, a financial entity has to inform the Bank of Latvia of any critical changes that could negatively affect the continuity of its future operations. This places a general obligation on the target audience to carry out regular assessments and to inform the Bank of Latvia if it faces any digital operational disturbances.

Duties:

Financial entities covered by the DORA must:

  • establish robust IT risk management frameworks (Article 6), 
  • report major IT-related incidents (Article 17), and 
  • conduct regular resilience testing (Articles 24 – 27). 

They are also required to:

  • manage third-party IT risks (Article 28). 

On the other hand, the duties imposed by the AI Act on providers and users vary based on the assessed level of risk associated with the AI system. High-risk systems are subject to stricter legislation (Articles 9 – 14), while providers of general-purpose models are subject to transparency obligations and must inform the competent authority about serious incidents (Article 55).

By design, the Draft Law does not create additional obligations for the target audience; rather, it summarises and harmonises the duties laid out in the DORA and the AI Act and provides a mandate to the supervisory authority. This legislation aims to introduce legal certainty both for the target audience of the law and for the regulator.

Because EU regulations such as DORA and the AI Act are directly applicable across Member States, doubts have been raised as to whether the Draft Law is required at all, given the binding nature of the regulations. However, as the Draft Law suggests and M. Krasovska also indicates, there is no hierarchy between the regulations, as they are of equal legal standing and are still undergoing development in terms of practical implementation. DORA sets out unified resilience requirements for existing systems, while the AI Act outlines a common path for future development.

Supervisory authority

The Bank of Latvia supervises compliance with the DORA and the AI Act among financial entities. Note that the Bank of Latvia serves as the supervisory authority responsible for overseeing compliance with and implementation of the AI Act within the financial sector. Its mandate does not extend to other sectors or areas where AI may be applied.

Enforcement and sanctions:

The supervisory authority may impose sanctions for non-compliance with the DORA and the AI Act requirements separately. The sanctioning powers apply to both legal and natural persons, thereby enhancing the personal accountability mechanism.

Sanctions for DORA violations:

  • warning notice or
  • penalty fee up to 700 000 EUR for a natural person and up to 5M EUR or up to 3% of the total annual turnover for a legal entity

Sanctions for AI Act violations:

  • warning notice or
  • penalty fee ranging from 7.5M to 35M EUR for a natural person or legal person

l entities, it sends a clear message: compliance isn’t optional, and accountability is personal.

If your business handles financial transactions, customer funds or digital asset flows, DORA has been a required standard since January 17, 2025. To be compliant with the Draft Law, the financial entity must comply with the DORA and the AI Act individually. Both regulations require reporting of incidents (under DORA, major incidents; under the AI Act, AI-related risks).

FINTECH AND STARTUP IN FOCUS

For every business the current digital stance comes at some sort of risk and requires navigation among complex innovations while sustaining strong competition. By reducing the imbalance between regulation and technology, we can support innovation in a safe and well-regulated way. This helps build trust in financial services – both among companies and the general public”, indicates M. Krasovska, Head of the Financial Technology Supervision Division at the Bank of Latvia

According to the Baltic AI Landscape, conducted by Venture Faculty financial analyst Tomass Vilks, AI companies based in the Baltic states have combined funding worth $593M in total, while fintech and legal tech have $26M. The $593M in AI funding signals an emerging innovation ecosystem in the Baltics. Harmonizing DORA and the AI Act in national law demonstrates regulatory foresight and readiness to govern this growth responsibly. With $26M already invested in fintech/legal tech, proper legislation increases investor confidence. Clear rules foster a predictable environment – making the country more attractive for further AI and fintech investment.

Furthermore, the Draft Law is significant to startups for the following reasons:

1. meeting the DORA requirements while sustaining a straightforward AI direction reassures clients and investors that the service provided by the startup is secure and reliable – critical factors for financial markets;

2. by implementing responsible AI practices, startups differentiate themselves in the market, become strong competitors in attracting investment, and become potential partners for institutional stakeholders that demand high compliance standards;

3. fintech companies are especially vulnerable to digital disruptions due to their high reliance on cloud platforms, APIs (application programming interfaces) and third-party providers, so incidents, system failures and data loss are the risks ultimately at stake.

Source: Baltic AI Landscape: Estonia, Latvia & Lithuania by Venture Faculty & Dealroom

LIAA LAUNCHES AI & DIGITAL TECH GRANT

In parallel with the evolving regulatory landscape, support mechanisms are being introduced at the national level to facilitate meaningful compliance and innovation. Notably, the Latvian Investment and Development Agency (LIAA) has launched a significant grant programme to promote the adoption of digital technologies and AI solutions in enterprises.

As of July 21, 2025, Latvian companies are invited to apply for the initiative, which aims to accelerate the integration of advanced digital systems and various operational processes and to implement a wide range of AI solutions, an aim that is in essence closely aligned with that of the Draft Law. The total grant funding available amounts to EUR 18,550,000, marking a substantial commitment to fostering digital transformation in line with not only the broader EU regulatory agenda, but also harmonised national legislation. These digitalisation projects are expected to enhance the competitiveness and increase the productivity of Latvian companies.

This initiative complements the national implementation of the AI Act and DORA by providing tangible financial support to enterprises seeking to align with upcoming compliance requirements while also enhancing their digital competitiveness.

CASE STUDIES – BLACKCATCARD AND MASTERCARD

Blackcatcard (a service offered by Papaya, Ltd) is an EU-based fintech which used DORA to build trust and differentiate itself from other fintechs, treating DORA not as a burden but as an opportunity to enhance product security and resilience. In that way, the fintech demonstrates stability and trust to customers, investors and partners, and also gains a strong competitive advantage among fintech market players. Blackcatcard collaborated with third-party providers and regulators to align its current systems with DORA compliance levels.

According to the Mastercard Signals report, the EU’s AI Act will reshape banking by imposing strict rules on generative AI, ensuring greater transparency, and potentially slowing innovation in some areas, while also fostering trust and safety. As the OECD survey indicates, approximately 95% of EU banks are experimenting with implementing AI and machine learning in their operations, but many startups lag behind – often due to a lack of regulatory clarity or strategic planning. The Draft Law offers a framework to close this readiness gap and compete on equal footing.

Source: 2024 OECD Survey on Regulatory Approaches to AI in Finance. Based on a total of 49 responding jurisdictions.

CONCLUSION

As Latvia begins to align its national framework with the requirements of the DORA and the AI Act, every startup has an opportunity to leverage this Draft Law to adapt their digital governance and implement the necessary security standards. Doing so allows companies to demonstrate to both current and potential clients – as well as to investors – that they are one step ahead of those waiting to be forced into compliance. Therefore, we encourage businesses to use this Draft Law proactively – to ultimately position themselves as credible and forward-looking players in the financial sector.

If you are a start-up or any other business considering whether these regulations apply to you, do not hesitate to contact us. We will try to find the best solution tailored exactly to your business needs.

At Venture Faculty we aim for strategic legal compliance that treats regulations not as burdens, but as tactical enablers which lead to future-proof infrastructure.

The information in this article is general and not intended as legal advice. It is for information purposes only and does not reflect any particular situation or circumstances and should not be relied upon as a source of professional advice.

Authors: Edgars Poga, Manager, and Daiga Kroņkalne, Legal Assistant.