The European Union’s Artificial Intelligence Act (Regulation (EU) 2024/1689) 1, known as the EU AI Act (EU AIA), came into force in August 2024. The regulation establishes a harmonised and comprehensive legal framework for artificial intelligence across all 27 member states, to safeguard fundamental rights, democracy, and environmental sustainability while promoting innovation. Its tiered compliance obligations will become progressively applicable over a phased timeline until 2030.
Following the provisional political agreement reached in May 2026 on the Digital Omnibus on AI, the EU AIA timeline is expected to be recalibrated in targeted areas, as set out below. The agreement remains subject to formal adoption, but it gives financial institutions a useful planning horizon. Until the Omnibus is formally adopted and published in the Official Journal, however, the original EU AIA remains the binding legal baseline.
The Omnibus does not signal a retreat from the EU’s regulatory ambitions. Instead, it recalibrates the path to implementation, giving businesses more time and greater clarity in targeted areas, while preserving the EU AIA’s core risk-based architecture.
AI presents transformative opportunities for the financial sector, such as enhancing operational efficiency, improving risk assessment accuracy, and enabling more personalised customer services. It also introduces complex risks, including cybersecurity threats, data privacy concerns, opaque decision-making, and the potential to introduce bias and inequality. Financial institutions must therefore embed robust AI risk management into their existing governance frameworks.
Under the EU AIA, financial institutions will be required to ensure that their use of AI complies with strict governance, transparency, and risk management requirements, especially for high-risk applications.
This article explores the EU AIA requirements for the financial sector, the potential operational impact on banks, and the current state of AI integration across the sector. It also discusses how different jurisdictions are approaching AI regulation globally.
“ECB research finds that regulation and a lack of institutional quality are particularly detrimental to the expansion of high-tech sectors relative to more mature technologies. Investing in radical technologies is highly risky and needs a different set of framework conditions.” (Christine Lagarde, President of the ECB)
Timeline of the EU AI Act implementation
- Entered into force on 1 August 2024, with tiered compliance obligations becoming progressively applicable over a phased timeline until 2030. The prohibitions on AI practices presenting unacceptable risk, together with the AI literacy obligation, have applied since 2 February 2025.
- The obligations for providers of general-purpose AI models have applied since 2 August 2025.
- For the majority of high-risk AI systems, including financial services use cases such as the creditworthiness assessment and credit scoring of natural persons and risk assessment and pricing in life and health insurance, the Digital Omnibus proposes to move the application date from 2 August 2026 to 2 December 2027.
- For high-risk AI systems embedded in products or safety components the main obligations will move from 2 August 2027 to 2 August 2028.
- Obligations for certain high-risk AI systems intended for use by public authorities that were already on the market before the EU AIA entered into force will apply from December 2030.
- The majority of the transparency obligations are expected to apply from 2 August 2026. This includes obligations to inform individuals when they are interacting with an AI system and to disclose where certain content has been generated or manipulated by AI.
- The Omnibus introduces a targeted four-month extension for AI systems generating or manipulating synthetic content that were placed on the EU market or put into service before 2 August 2026, and they will have until 2 December 2026 to implement marking and detectability measures. Systems placed on the market or put into service from 2 August 2026 must comply from that date.
Some takeaways from the EU AI Act
The EU AIA introduces obligations across the value chain and covers providers, deployers, distributors and importers of AI systems, as well as manufacturers of AI-enabled products. The most rigorous requirements fall on providers of high-risk AI systems, but the regulation also sets clear obligations for deployers. It applies to organisations located within the EU and to those located elsewhere that place AI systems on the EU market or whose AI output is used in the EU. Most financial institutions will not be providers (e.g. a developer of the underlying LLMs, such as OpenAI) or distributors (e.g. a platform vendor such as Microsoft); they will be deployers. A deployer can, however, become a provider if it puts its name or trademark on a high-risk system, substantially modifies it, or changes its intended purpose, so it remains important to understand the risk-based classification and the obligations imposed on providers and distributors.
The Omnibus should be read as a targeted recalibration rather than a fundamental change in the EU’s regulatory approach. The core risk-based structure remains intact, but the timing of high-risk obligations, certain registration and transparency requirements, AI literacy wording and the interaction with sectoral product rules are being adjusted to make implementation more workable.
It is also worth noting that the EU AIA's approach is consistent with the broader trend in EU banking regulation towards enhanced risk control and more transparent governance, including the principles of the Basel III package (CRR3/CRD6). In this sense, the EU AIA is aligned with the EU's ongoing regulatory efforts to promote effective risk management.
Risk-based regulation
- Unacceptable risk: AI practices that present an unacceptable level of risk. Placing these systems on the EU market, putting them into service or using them is prohibited. They are practices considered a clear threat to the safety, livelihoods and rights of people, such as social scoring by public authorities and real-time remote biometric identification in publicly accessible spaces for law enforcement (subject to narrow exceptions).
- High risk: There are rigorous mandatory requirements for high-risk systems, with the most onerous falling on their providers. High-risk AI includes systems used in employment, education, biometric identification, and the creditworthiness assessment or credit scoring of natural persons. Importantly, AI components that merely assist users or optimise performance would not automatically be treated as high-risk safety components unless their failure could create health or safety risks. Some of the key requirements include:
  - Establishing and maintaining processes for risk management, quality management and data governance across the development lifecycle and into deployment and monitoring
  - Maintaining appropriate technical documentation and record keeping to support transparency requirements
  - Pre-market conformity assessments and defining appropriate levels of human oversight in production
  - Post-market monitoring, including generating and retaining system logs (deployers must keep the logs a high-risk system generates automatically for at least six months, unless other EU or national law requires a longer period) and identifying, addressing and reporting serious incidents
- Limited risk: This category includes AI systems that interact directly with people (e.g. chatbots) and visual or audio “deepfake” content generated or manipulated by an AI system, i.e. cases where it is not obvious to a person that they are interacting with a machine or that the output is synthetic. These systems are allowed but carry transparency obligations, so that end users or those affected are made aware that an AI system is being used. Under the Omnibus, providers of systems that generate or manipulate synthetic content and that were placed on the market before 2 August 2026 have until 2 December 2026 to implement machine-readable marking and detectability measures; systems placed on the market from 2 August 2026 must comply from the date they are placed on the market.
- Minimal risk: These are all other systems not in the above three categories and are allowed with no formal requirements.
General Purpose AI models (GPAI)
These include models such as GPT-4o. GPAI models are regulated separately because they can be applied in many ways, with risks arising both from how they are used and from the underlying model itself. Requirements are therefore two-fold: at the model level (for providers such as OpenAI) and at the use-case level (for each application an organisation builds on the model, which is then classified under the risk tiers above). There are also additional obligations for models deemed to pose a “systemic risk”, currently presumed where the cumulative compute used for training exceeds 10^25 floating-point operations, with a separate route for designation by the Commission.
Compliance and operational impact of the EU AI Act
Compliance with the EU AIA will require financial institutions to build new governance capabilities, adapt second-line (risk and compliance) operating models, align operational processes, and integrate AI oversight across the organisation.
The revised Omnibus timetable gives businesses additional time for the most complex high-risk obligations, but it should not be treated as a reason to pause implementation. In practice, the extra time is likely to raise supervisory expectations that financial institutions will have comprehensive inventories, classification decisions, supplier due diligence, transparency controls and evidence packs in place before the revised deadlines arrive.
The financial sector is expected to be a particularly intensive user of AI systems. Financial institutions are actively exploring ways to leverage AI in order to enhance the quality of their customer experience, optimise internal processes, and meet evolving regulatory expectations.
The EU AIA also requires deployers of certain high-risk AI systems, including those used to assess the creditworthiness of natural persons or to assess risk and set prices in life and health insurance, to carry out a fundamental rights impact assessment (Article 27) before first use. In practice this means establishing a process for assessing the potential consequences for individuals, groups and society that can result from the development, provision or use of an AI system:
- The AI system impact assessment should determine the potential consequences of the system's deployment, intended use and reasonably foreseeable misuse for individuals, groups and society.
- The assessment should take into account the specific technical and societal context in which the AI system is deployed and the applicable jurisdictions.
- The result of the assessment should be documented. Where appropriate, it can be made available to relevant interested parties as defined by the organisation.
- The organisation should feed the results of the assessment into its risk assessment.
The EU AIA also requires institutions to establish robust data governance frameworks that support transparency, security and respect for the rights of affected persons. Achieving compliance will require financial institutions to undertake a range of initiatives, including:
- Developing an AI inventory: accurately identifying all AI systems in use, whether developed internally or sourced externally, and mapping the operational processes that each system supports.
- Risk assessment and classification: evaluating and classifying each AI system against the risk levels defined under the EU AIA, which triggers the corresponding regulatory obligations.
- Ensuring compliance for high-risk systems, including:
  - Establishing a comprehensive AI risk management system.
  - Implementing a high standard of cybersecurity protection, including resilience against data and model poisoning, adversarial inputs and model evasion, as set out in the Act's accuracy, robustness and cybersecurity requirement (which falls primarily on providers, but which deployers should verify through supplier due diligence).
  - Ensuring effective human oversight of AI-driven processes and decision-making.
  - Meeting all applicable information and transparency obligations.
Responsible AI deployment must also address its impacts on employees and organisational dynamics. An essential action will be developing a policy for the use of AI/GenAI across the organisation. Financial institutions should engage proactively in internal dialogue on how AI will affect roles, responsibilities, and working conditions. Internal governance frameworks should explicitly cover the introduction of AI-based decision systems in HR and management processes, ensuring that employees' rights, health, and well-being are safeguarded. Structured engagement with employee representatives can help build trust, support workforce adaptation, and mitigate operational risks as AI adoption progresses.
Financial institutions should be able to evidence proportionate training and awareness for staff who procure, develop, approve, monitor or use AI systems. This includes understanding AI limitations, escalation routes, human oversight expectations and the risks of over-reliance on automated outputs.
The Omnibus is also expected to soften the wording of the AI literacy duty from an obligation to “ensure” a sufficient level of AI literacy to an obligation to “take measures to support the development of” AI literacy among staff and other persons dealing with AI systems on the organisation's behalf. Nevertheless, AI literacy should remain a priority even after the Omnibus becomes law.
Foundational implementation actions for financial institutions to prioritise
To operationalise these compliance requirements and governance principles, financial institutions should prioritise the following foundational actions:
- Ensuring a consistent understanding of what is, and what is not, AI in line with the EU AIA. The Act's definition of an AI system is broad, and many organisations use a much narrower working definition, which increases the risk of under-governing systems and of regulatory non-compliance.
- Identifying and inventorying current in-house developed and third-party AI systems and designing a robust process to identify and inventory new AI systems.
- Risk assessing and categorising inventoried AI systems to determine their EU AIA risk classification and the applicable compliance requirements.
- Undertaking a look-back exercise to confirm that prohibited AI systems are not in use, and designing a go-forward process to stop the development or procurement of prohibited systems.
- Understanding the organisation’s role in the AI value chain for different AI systems and the associated obligations for different categories of risk.