
The European Union has enacted two landmark frameworks that impose partially divergent obligations on financial entities deploying artificial intelligence (AI) in cybersecurity. The AI Act (Regulation (EU) 2024/1689) establishes a risk-based classification system subjecting AI systems to graduated transparency, explainability, and human-oversight duties. The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) requires financial entities to maintain robust Information and Communication Technology (ICT) risk-management capabilities, including rapid, automation-capable threat detection and incident response. This article argues that, for systemically significant financial actors, the combined operation of these two regimes together with the EU Charter of Fundamental Rights produces what it terms a regulatory trilemma: a three-cornered tension between (i) the AI Act’s demand for transparency and human control, (ii) DORA’s expectation of automation-capable operational resilience, and (iii) the Charter’s guarantees of privacy, data protection, and non-discrimination. The article’s contribution is threefold and deliberately modest. First, it brings the AI Act and DORA into a single doctrinal frame and shows that their interaction generates a genuine compliance dilemma rather than a relabelling of familiar bilateral tensions. Second, it situates that dilemma within the wider fragmentation of EU digital regulation, asking why DORA stands somewhat apart from the rights-and-innovation balance that De Gregorio and Dunn identify as the connecting thread of the General Data Protection Regulation (GDPR), the Digital Services Act (DSA), and the AI Act, and whether the emerging discourse of digital sovereignty supplies a shared horizon. Third, it advances calibrated autonomy as a structured, proportionality-anchored interpretive and normative proposal that conditions the permissible degree of AI autonomy on threat severity, data sensitivity, and decision reversibility. The article closes with reform proposals—joint guidance from the European Supervisory Authorities, a harmonised incident taxonomy from the European Union Agency for Cybersecurity (ENISA), a narrowly defined compliance safe harbour, and sector-specific advisory boards—assessed against questions of competence, legal basis, and feasibility. The analysis is confined to the financial sector governed by DORA; the closing section identifies which arguments travel beyond it.
EU AI Act; DORA; cybersecurity; artificial intelligence; fundamental rights; regulatory trilemma; proportionality; calibrated autonomy; digital sovereignty; financial sector; operational resilience; data protection