The Relevance of the Proportionality Principle under DORA for the Interpretation of the Artificial Intelligence Act in the Context of AI-Based ICT Systems

Dominik Bierecki

Abstract


This article constitutes a scientific and conceptual legal study examining the relationship between cybersecurity obligations applicable to high-risk AI systems and sector-specific ICT risk management in the financial sector under EU law. The research problem concerns the interpretation of the reference to “relevant circumstances and risks” in Article 15 (5) of the Artificial Intelligence Act (AI Act) when high-risk AI systems operate as components of ICT infrastructure within financial institutions. The article argues that these circumstances and risks should be interpreted in light of the proportionality framework laid down in Article 4 of the Digital Operational Resilience Act (DORA). The aim of the research is to determine whether the proportionality criteria established in DORA may function as an interpretative benchmark for assessing the adequacy of cybersecurity measures required under the AI Act. The main thesis advanced is that the proportionality criteria concerning the size of the entity, its risk profile, and the nature, scale and complexity of its activities provide objective parameters for identifying the “relevant circumstances and risks” referred to in Article 15 (5) of the AI Act in the financial sector. The originality of the study lies in demonstrating the systemic complementarity between horizontal AI regulation, which applies regardless of the status of the entity using the AI system, and the sector-specific ICT operational resilience rules. The research is conducted at the level of EU law and contributes to the doctrinal interpretation of emerging EU digital regulations, offering practical relevance for supervisory authorities and financial institutions implementing cybersecurity obligations for AI systems.


Keywords


Artificial Intelligence Act; Digital Operational Resilience Act; DORA; proportionality principle; cybersecurity of AI systems; ICT risk management in the financial sector


References


LITERATURE

Bierecki D., Zasada proporcjonalności w stosowaniu rozporządzenia w sprawie operacyjnej odporności cyfrowej sektora finansowego (Digital Operational Resilience Act – DORA), “Europejski Przegląd Prawa i Stosunków Międzynarodowych” 2024, no. 3. DOI: https://doi.org/10.52097/eppism.9272

Bierecki D., Czuryk M., Gaie C., Langlois-Berthelot J., Sovereignty by Design: Embedding Fiscal Risk Intelligence in Europe’s Defence-Digital Strategy, “Prawo i Więź” 2026, no. 1. DOI: https://doi.org/10.36128/2z2k7566

Bierecki D., Gaie C., Karpiuk M., Langlois-Berthelot J., Creating Resilient Artificial Intelligence Systems: A Responsible Approach to Cybersecurity Risks, “Prawo i Więź” 2025, no. 5. DOI: https://doi.org/10.36128/0akf8v90

Bierecki D., Karpiuk M., Melchior C., Strizzolo N., Security in the Era of Threats Occurring in Cyberspace, “Prawo i Więź” 2025, no. 4. DOI: https://doi.org/10.36128/PRIW.VI57.1476

De Hert P., Papakonstantinou V., Does the Future Hold More Rights or More Proportionality? The GDPR-Message, “European Data Protection Law Review” 2023, vol. 9(4). DOI: https://doi.org/10.21552/edpl/2023/4/5

Fuchs C., Information Technology and Sustainability in the Information Society, “International Journal of Communication” 2017, vol. 11.

Helios J., Jedlecka W., Wykładnia prawa Unii Europejskiej ze stanowiska teorii prawa, Wrocław 2018.

Herlin-Karnell E., EU Data Protection and the Principle of Proportionality, “Nordic Journal of European Law” 2021, vol. 4(2). DOI: https://doi.org/10.36969/njel.v4i2.23782

Kaczmarek K., Karpiuk M., Melchior C., A Holistic Approach to Cybersecurity and Data Protection in the Age of Artificial Intelligence and Big Data, “Prawo i Więź” 2024, no. 3. DOI: https://doi.org/10.36128/PRIW.VI50.907

Karpiuk M., Glosa do wyroku Naczelnego Sądu Administracyjnego z dnia 12 lutego 2018 r. (II OSK 2524/17), “Studia Iuridica Lublinensia” 2019, vol. 28(1). DOI: https://doi.org/10.17951/sil.2019.28.1.185-194

Maliszewska-Nienartowicz J., Zasada proporcjonalności jako podstawa oceny legalności ograniczeń swobód rynku wewnętrznego Unii Europejskiej, Toruń 2020.

Pelc P., Zasada proporcjonalności w DORA, “Cybersecurity and Law” 2024, no. 2.

Thai Thi T.D., Gia P.D., Balancing the Right to Access Information, the Right to Privacy, the Right to Personal Data Protection, and the Right to Be Forgotten in the Digital Age: The Case of Vietnam, “Prawo i Więź” 2024, no. 6. DOI: https://doi.org/10.36128/PRIW.VI53.1221

Tolino G., Punia G., Emmanuel J., Report: EU Digital Operational Resilience Regulation (DORA), “Global Privacy Law Review” 2025, vol. 6(1). DOI: https://doi.org/10.54648/gplr2025010

LEGAL ACTS

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333/80, 27.12.2022).

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No. 526/2013 (Cybersecurity Act) (OJ L 151/15, 7.6.2019).

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (OJ L 333/1, 27.12.2022).

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No. 300/2008, (EU) No. 167/2013, (EU) No. 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L 2024/1689, 12.7.2024).

Treaty on European Union (OJ C 326, 26.10.2012).




DOI: http://dx.doi.org/10.17951/sil.2026.35.1.29-39
Date of publication: 2026-06-24 10:09:37
Date of submission: 2026-03-06 00:30:06




Copyright (c) 2026 Dominik Bierecki

This work is licensed under a Creative Commons Attribution 4.0 International License.