Regulation
EU AI Act — AI risk regulation for financial services
The EU AI Act is a risk-based framework that imposes binding obligations on developers and deployers of AI systems. Financial institutions that use AI in credit decisions, fraud detection or customer interactions are directly in scope.
What is the AI Act?
Regulation (EU) 2024/1689 — the EU Artificial Intelligence Act — is the world's first comprehensive legal framework for AI. It classifies AI systems by risk level and imposes proportionate obligations on providers (developers) and deployers (users of AI systems built by others).
Financial institutions are primarily deployers. If your organisation uses AI systems built by vendors for high-risk use cases, the compliance obligations fall on you as the deployer.
Risk classification and financial services
| Use case | Risk level | Obligations |
|---|---|---|
| Credit scoring / creditworthiness assessment | High risk | Full high-risk requirements |
| Insurance premium calculation | High risk | Full high-risk requirements |
| Fraud detection | Limited/Minimal | Transparency obligations only |
| Customer chatbots | Limited | Disclosure required |
| AML transaction monitoring | Under assessment | Guidance expected |
| Real-time biometric surveillance | Prohibited | Not permitted |
Key obligations for high-risk AI deployers
Due diligence on AI systems
Before deploying a high-risk AI system, you must verify the provider has met their obligations: technical documentation, CE marking, EU declaration of conformity and registration in the EU database.
Human oversight
Deployers must implement appropriate human oversight measures. For credit decisions, this means human review procedures, override capabilities and clear accountability structures.
Data governance
Training data used in high-risk AI must meet quality standards: relevant, representative, free of errors and sufficiently complete. Deployers must ensure data governance practices meet this bar.
Monitoring and incident reporting
High-risk AI systems must be monitored for performance post-deployment. Serious incidents must be reported to national supervisors.
Timeline
| Date | Milestone |
|---|---|
| August 2024 | AI Act entered into force |
| February 2025 | Prohibited AI practices banned |
| August 2025 | GPAI model obligations apply |
| August 2026 | High-risk AI system requirements apply — financial institutions in scope |
| August 2027 | Requirements for high-risk AI in regulated products (Annex I) apply |
How Arcens helps
Horizon scanning: The AI Act's technical standards and guidance notes are still being developed. We track EBA, EIOPA and European Commission publications and translate them into actionable requirements.
NFR management: We help you build an AI governance framework — inventory, risk classification, oversight procedures and documentation — that meets AI Act requirements and aligns with your existing risk management structure.
Deadline alert
August 2026: High-risk AI compliance required. Credit scoring, insurance pricing AI in scope.
Preparation should begin now — AI inventory and gap assessment typically take 3–6 months.
Quick facts
Full name: Regulation (EU) 2024/1689
Supervisor (NL): TBD — likely DNB/AFM
Key deadline: August 2026
Is your AI use in scope?
Ask our advisor to assess whether your AI systems fall under the high-risk category and what steps you need to take before August 2026.