Algorithmic Governance in the Financial Sector: Between AI Regulation and Digital Operational Resilience

From credit scoring to compliance functions, algorithms sit at the core of financial decisions. This article examines how the AI Act and DORA together form a single governance spine, covering transparency, human oversight, model risk and technological resilience, and what it takes to compete on trust.

Introduction

Financial institutions have relied on automated systems for years. Credit scoring, anti-money laundering (“AML”) monitoring, fraud detection, loan origination and trading strategies increasingly rely on models rather than manual judgement. The adoption of artificial intelligence (“AI”) has accelerated this shift and improved efficiency, but it has also raised questions of accountability, fairness and regulatory compliance.

Algorithmic governance addresses these concerns by requiring transparency, human oversight, and traceability in the way automated decisions are made and used.

EU Regulatory Architecture

The Regulation (EU) 2024/1689 (“AI Act”) establishes a risk-based framework for AI. Several uses common in finance fall into its “high-risk” category under Annex III: AI systems that evaluate the creditworthiness of natural persons or establish their credit score, and AI systems used for risk assessment and pricing in life and health insurance. Two boundaries matter in practice. First, Annex III expressly excludes AI used to detect financial fraud from the creditworthiness item. Second, algorithmic trading systems are not listed in Annex III, so they remain governed primarily by the existing MiFID II requirements on algorithmic trading rather than by the AI Act’s high-risk regime. High-risk systems must be designed and operated with documented controls: a risk management system, data governance and quality of training data, technical documentation and automatic logging, transparency towards deployers, human oversight, and ongoing monitoring of performance and incidents. In other words, models become governed processes rather than opaque tools buried in operations.

The Regulation (EU) 2022/2554 (“Digital Operational Resilience Act” or “DORA”), applicable since 17 January 2025, complements this by focusing on the stability of the digital environment that supports these systems. It requires firms to manage Information and Communication Technologies (“ICT”) risk through a documented framework, to test their digital operational resilience (including threat-led penetration testing for the entities designated for it), to classify and report major ICT-related incidents to their competent authority, and to manage ICT third-party risk, with critical third-party providers, in particular large cloud providers, brought under a Union-level oversight framework.

If the AI Act addresses how automated assessments are controlled, DORA addresses whether the infrastructure supporting them is secure and resilient.

Legal Dimensions of Algorithmic Governance

Responsibility and traceability are now central. Institutions must be able to reconstruct how an algorithm influenced a decision and who oversaw it.

Data protection is governed by the principles of the General Data Protection Regulation (Regulation (EU) 2016/679), including the rules on solely automated decisions with legal or similarly significant effects, while ICT governance falls under DORA, covering logging, access controls and incident reporting. In addition, concerns over discrimination require that models be tested before deployment and monitored afterwards to prevent biased or exclusionary outcomes, especially in credit allocation and customer risk assessment.

Internal Governance Operating Model

Effective governance requires a clear inventory of algorithmic systems and an understanding of which ones matter most. Systems should be classified by risk, with embedded models documented, validated before deployment and monitored throughout their lifecycle. Oversight is typically anchored in the risk and compliance functions, which must have the authority to challenge system behaviour and underlying model performance and to require adjustments. These processes must link directly to post-market monitoring under the AI Act and to incident management and resilience expectations under DORA. Board-level accountability is also essential: senior management is expected to understand how these systems influence business outcomes and to ensure that they are appropriately controlled.

Supervision and Emerging Trends

Supervision is evolving accordingly. The European AI Office oversees general-purpose AI models and coordinates the AI Act’s implementation, while national market surveillance authorities supervise high-risk systems; for regulated financial institutions, the AI Act designates the financial supervisory authorities as market surveillance authorities, so the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”) and the European Securities and Markets Authority (“ESMA”) coordinate sector-specific expectations on explainability, model risk and outsourcing. In 2025, EIOPA launched a targeted consultation on its draft opinion on AI governance and risk management (open 12 February–12 May 2025) and published the final opinion on 6 August 2025. ESMA has issued a supervisory briefing on algorithmic trading (26 February 2026), while the EBA has advanced AI-related supervisory work through mapping and convergence activities rather than a targeted consultation.

Independent algorithmic audits are set to become standard practice, driven by harmonised technical standards and, potentially, by trust labels for compliant systems. Regulatory sandboxes will remain important testbeds for innovation, enabling controlled experimentation with live data under supervisory visibility and predefined safeguards. The AI regulatory sandboxes established by the AI Act (and, in defined cases, testing in real-world conditions) require ex-ante testing plans, documented risk controls, and safeguards for data protection and fundamental rights under competent-authority oversight. As these trends converge, the industry is likely to see tighter integration between AI governance and operational resilience, greater reliance on standardised testing and assurance frameworks, and an increasingly evidence-based approach to explainability and fairness.

Conclusion

Algorithmic governance has moved to the centre of financial regulation. With DORA applicable since January 2025 and the AI Act’s high-risk obligations phasing in, institutions must show not only that their systems are robust, but also that automated decisions are lawful, explainable and fair. Trust in financial services increasingly depends on the transparency and accountability of the models that inform decisions. Institutions that treat algorithms as governed assets, monitored, documented and overseen, will be better placed to meet supervisory expectations, avoid litigation, and deploy AI at scale with credibility.

The Insights published herein reproduce the work carried out for this purpose by the author and therefore maintain the original language in which they were written. The opinions expressed within the article are solely the author’s and do not reflect in any way the opinions and beliefs of WhatNext.Law or of its affiliates. See our Terms of Use for more information.
