Why Financial Services Are Squarely in Scope
In short
The EU AI Act explicitly lists credit scoring, insurance risk assessment, and fraud detection in Annex III as high-risk AI use cases, meaning virtually every major AI deployment in banking and insurance requires full compliance.
The EU AI Act organises AI systems into four tiers: prohibited AI, high-risk AI, limited-risk AI, and minimal-risk AI. Financial services firms are not a special category — they follow the same rules as every other sector.
The issue is that Annex III's high-risk use cases map almost perfectly to the core operations of modern banks and insurers. If your institution uses AI for credit, underwriting, fraud, or AML, you are almost certainly operating high-risk AI systems.
Which Annex III Categories Apply to Financial Services?
The EU AI Act's Annex III lists eight areas of high-risk AI. Four of them directly govern financial services operations:
- Annex III, Point 5(b): AI used in creditworthiness assessment and credit scoring of natural persons — covering retail lending, mortgage origination, and credit line decisions.
- Annex III, Point 5(c): AI used in life and health insurance risk assessment and pricing — covering underwriting models and premium calculation engines.
- Annex III, Point 4: AI used in employment and HR contexts — relevant for fintech firms using automated hiring tools.
- Annex III, Point 6: AI used in law enforcement contexts, which the European Banking Authority's November 2025 report confirms includes AML and CFT transaction monitoring systems operated by supervised institutions.
According to the European Banking Authority's November 2025 report on AI Act implications, the majority of AI use cases at EBA-supervised institutions fall into the high-risk category. This is not a marginal compliance edge case — it is the mainstream of financial AI.
The OECD's February 2026 report on the EU Coordinated AI Plan (Volume 2) identified finance as one of the top three EU sectors with the highest rate of AI adoption in high-impact applications. High adoption combined with high-risk classification means the compliance surface area is unusually broad.
AI systems deployed before August 1, 2024 are not exempt. All high-risk systems in production must achieve full compliance by August 2, 2026, regardless of when they were built or launched.
EU AI Act Risk Classification for Common Financial Services AI Use Cases
| AI Use Case | Risk Category | Annex III Reference | Primary Obligation |
|---|---|---|---|
| Credit scoring | High-Risk | Point 5(b) | Conformity assessment, technical documentation, human oversight |
| Mortgage affordability tools | High-Risk | Point 5(b) | Conformity assessment, technical documentation, human oversight |
| Life insurance underwriting | High-Risk | Point 5(c) | Conformity assessment, risk management system, EU database registration |
| Fraud detection / AML | High-Risk | Point 6 | Conformity assessment, logging, human oversight, incident reporting |
| Robo-advisory / investment recommendations | Limited-Risk or High-Risk (design-dependent) | Point 5(b) if creditworthiness elements present | Transparency obligation at minimum; full high-risk obligations if in scope |
| Customer service chatbots | Limited-Risk | Not in Annex III | Transparency obligation: disclose AI interaction to users |
| HR screening tools at fintechs | High-Risk | Point 4 | Conformity assessment, technical documentation, human oversight |
Provider vs. Deployer: Who Bears the Heaviest Compliance Burden?
Under Article 3 of the EU AI Act, a provider is any entity that develops and places an AI system on the market or into service. A deployer is any entity using an AI system under its own authority.
Most large banks building proprietary credit models are providers. Most mid-size banks and insurers licensing vendor-supplied scoring tools are deployers. The compliance obligations differ significantly between the two roles.
- Providers must: conduct conformity assessments, prepare technical documentation, affix CE marking where required, and register systems in the EU AI database before deployment.
- Deployers must: implement genuine human oversight, conduct data governance checks, monitor systems in operation, train relevant staff, and report serious incidents to competent authorities.
A critical point: Goodwin Law's August 2024 analysis of EU AI Act obligations notes that deployer obligations are "more limited but not trivial." A bank cannot outsource compliance to its AI vendor — it retains responsibility for how the system is used in practice.
This mirrors the logic already familiar from GDPR's controller/processor framework. Regulated institutions have navigated this split before — the AI Act applies the same principle to algorithmic decision-making.
For guidance on structuring your broader AI governance approach, see our EU AI Act compliance guide and the detailed EU AI Act compliance checklist for 2026.
Finance ranked among EU sectors with highest high-impact AI adoption
OECD, EU Coordinated AI Plan Volume 2 (February 2026)
Compliance Timeline: Every Deadline Financial Institutions Must Know
In short
The EU AI Act entered into force on August 1, 2024, with a phased implementation schedule. The critical deadline for financial services — high-risk AI compliance — falls on August 2, 2026.
The Act's phased structure means different obligations activated at different dates. Financial institutions that missed the February 2025 checkpoint on prohibited practices are already out of compliance.
The August 2, 2026 deadline for Annex III high-risk systems is not a soft target. The European Banking Authority's November 2025 guidance confirms that national competent authorities will expect supervised institutions to demonstrate demonstrable progress by mid-2026 at the latest.
Full EU AI Act Implementation Timeline for Financial Services
| Date | Milestone | Who It Affects | Action Required |
|---|---|---|---|
| August 1, 2024 | Act enters into force | All firms deploying AI in the EU | Begin AI inventory gap assessment; assign compliance ownership |
| February 2, 2025 | Prohibited AI practices enforceable (Article 5) | All firms | Audit for prohibited practices: social scoring, real-time biometric surveillance in public spaces (with narrow exceptions), subliminal manipulation |
| August 2, 2025 | GPAI model obligations apply | Firms using foundation model APIs (GPT-4, Claude, Gemini, etc.) in products | Conduct GPAI compliance checks; review vendor agreements for systemic-risk model disclosures |
| August 2, 2026 | High-risk Annex III compliance deadline | All banks, insurers, and fintechs using high-risk AI | Full conformity assessment, technical documentation, risk management system, human oversight, EU database registration |
| August 2, 2027 | High-risk AI in existing products (Article 111 transition) | Firms with high-risk AI embedded in regulated products already on the market | Bring embedded high-risk AI into full compliance (extended timeline for product-integrated systems only) |
A compliance-ready AI inventory — listing every AI system, its use case, risk classification, provider/deployer role, and data sources — is the mandatory first step. For a bank with 15+ AI systems, this alone takes 6–10 weeks.
Why the Clock Is Already Running
Based on Alice Labs' experience supporting 100+ enterprise AI implementations since 2023, a realistic compliance readiness program for a mid-size bank typically requires 9–14 months end-to-end. That means institutions starting in Q4 2025 are already operating in the danger zone.
The conformity assessment alone — particularly for bespoke credit models — requires documented risk management systems, bias testing across protected characteristics, data quality attestations, and human oversight protocols that take months to design and validate.
- Q3 2025 (now): Complete AI inventory; classify each system by risk tier and provider/deployer role.
- Q4 2025: Conduct gap analysis against Annex III obligations; prioritise by risk and deployment volume.
- Q1 2026: Build technical documentation, data governance attestations, and human oversight protocols for each high-risk system.
- Q2 2026: Complete conformity assessments; register systems in EU AI database; conduct staff training.
- August 2, 2026: Full compliance operational; monitoring and incident reporting procedures live.
For firms still building their broader AI strategy, our AI strategy for financial services guide covers how to align governance timelines with business transformation objectives.
High-Risk AI Obligations: What Financial Institutions Must Actually Build
In short
High-risk AI systems under the EU AI Act require six categories of technical and governance controls: a risk management system, data governance, technical documentation, logging and record-keeping, transparency to deployers, and human oversight mechanisms.
Being classified as a high-risk AI system under Annex III is not a label — it is a compliance programme. Articles 9 through 15 of the EU AI Act specify six mandatory obligation categories that providers must satisfy before placing a high-risk AI system into service.
Deployers face a parallel but lighter set of obligations under Article 26. Both sets are described below.
Six Mandatory Obligations for High-Risk AI Providers (Articles 9–15)
- 1. Risk Management System (Article 9): A documented, ongoing process to identify, analyse, and mitigate foreseeable risks. Must be iterative — not a one-time assessment — and must cover risks arising from intended use and reasonably foreseeable misuse.
- 2. Data Governance (Article 10): Training, validation, and test datasets must be relevant, representative, and free of errors. Data governance practices must address known biases and statistical limitations. For credit models, this includes demographic fairness testing across protected characteristics.
- 3. Technical Documentation (Article 11 + Annex IV): A pre-deployment documentation package covering system architecture, training methodology, performance metrics, known limitations, and intended purpose. Annex IV lists 12 specific documentation elements.
- 4. Automatic Logging (Article 12): High-risk AI systems must generate logs sufficient to enable post-hoc monitoring of system operation. For financial AI, this means audit-trail logging of every individual decision, the inputs used, and the output produced.
- 5. Transparency to Deployers (Article 13): Providers must supply deployers with documentation sufficient to understand the system's capabilities, limitations, accuracy performance, and human oversight requirements. For vendor-supplied scoring tools, this obligation falls on the vendor.
- 6. Human Oversight (Article 14): Systems must be designed to allow human intervention — stopping, overriding, or flagging decisions. For credit decisions, this means a qualified human must be able to review and overturn any automated decision. Nominal oversight mechanisms that are not genuinely operable do not satisfy this requirement.
Deployer Obligations Under Article 26
Institutions licensing AI from third-party vendors are deployers. Article 26 sets out their specific obligations, which are distinct from provider requirements but far from trivial.
- Implement human oversight mechanisms as specified by the provider's technical documentation.
- Ensure staff operating high-risk AI systems have adequate AI literacy and role-specific training.
- Monitor system performance in operation and report serious incidents to the relevant national market surveillance authority within defined timeframes.
- Conduct a Fundamental Rights Impact Assessment (FRIA) where required — applicable to public bodies and, in certain cases, private operators of high-risk AI affecting natural persons.
- Retain logs generated by the AI system for the period specified in Article 12 — typically a minimum of 6 months, longer where financial regulatory record-keeping obligations apply.
Conformity Assessment and EU AI Database Registration
Before deploying any high-risk AI system, providers must complete a conformity assessment. For most financial AI use cases, this is a self-assessment — there is no mandatory third-party auditor required under Annex III (unlike some other sectors).
However, self-assessment does not mean informal. The conformity assessment must be documented, evidence-based, and retained for 10 years post-deployment under Article 18. Following conformity assessment, providers must register their system in the EU AI public database before the system goes live.
For institutions assessing how to structure internal processes around these requirements, our AI governance framework guide provides a practical starting point for building the oversight structures the Act requires.
How the EU AI Act Overlaps With DORA, GDPR, and MiFID II
In short
The EU AI Act overlaps substantially with DORA's ICT risk management requirements, GDPR's automated decision-making rules, and MiFID II's algorithmic trading and suitability obligations — creating both duplication and opportunities for integrated compliance.
Financial institutions are already operating under one of the most complex regulatory frameworks in any sector. The EU AI Act does not replace existing obligations — it layers on top of them.
The good news: many AI Act requirements align closely with controls your institution may already have partly in place under DORA, GDPR, or MiFID II. An integrated compliance approach avoids building duplicate frameworks.
DORA (Digital Operational Resilience Act)
DORA requires financial entities to implement ICT risk management frameworks, conduct ICT-related incident reporting, and manage third-party ICT risk. These obligations entered full application on January 17, 2025.
The overlap with the EU AI Act is direct and significant:
- ICT risk management vs. AI risk management: DORA's ICT risk framework (Articles 5–15) and the AI Act's risk management system (Article 9) both require documented risk identification, control design, and ongoing monitoring. A single integrated risk management framework can satisfy both.
- Third-party ICT risk vs. deployer obligations: DORA's requirements for managing third-party ICT providers map closely to the AI Act's deployer obligations for vendor-supplied AI — both require contractual assurances, performance monitoring, and exit strategies.
- Incident reporting: Both frameworks require notification to competent authorities for serious incidents — DORA for major ICT incidents, the AI Act for serious incidents involving high-risk AI systems. A single incident triage and reporting workflow can serve both.
GDPR and Automated Decision-Making (Article 22)
GDPR Article 22 already restricts fully automated decisions with significant effects on individuals — which includes credit decisions and insurance pricing. Data subjects have the right to explanation and human review.
The AI Act's human oversight requirement (Article 14) and transparency obligations (Article 13) reinforce and extend these GDPR protections rather than replacing them. Key points of integration:
- Explainability: GDPR Article 22 requires meaningful information about the logic of automated decisions. The AI Act requires technical documentation covering system logic and limitations. Both push institutions toward interpretable or explainable AI design choices.
- Data minimisation vs. data representativeness: GDPR's data minimisation principle and the AI Act's data governance requirements (Article 10) can create tension — using less data satisfies GDPR but may reduce model representativeness required by the AI Act. Legal and data science teams need to align.
- DPIAs and FRIAs: GDPR Data Protection Impact Assessments and AI Act Fundamental Rights Impact Assessments cover overlapping ground. A combined impact assessment methodology reduces duplication.
MiFID II
MiFID II's suitability and appropriateness obligations (Articles 24–25) already require investment firms to ensure that automated recommendations account for client characteristics and objectives. Algorithmic trading systems are subject to pre-deployment testing and ongoing monitoring requirements under MiFID II RTS 6.
For robo-advisory and automated investment recommendation systems, firms must assess whether the system qualifies as high-risk under the AI Act in addition to existing MiFID II obligations. The classification depends on whether creditworthiness elements are present — if the system scores a client's financial capacity, Annex III Point 5(b) may apply.
| Obligation Area | EU AI Act | Existing Regulation | Integration Opportunity |
|---|---|---|---|
| ICT / AI risk management | Article 9 risk management system | DORA Articles 5–15 | Unified risk management framework |
| Third-party AI / ICT vendors | Article 26 deployer obligations | DORA third-party risk management | Combined vendor due diligence process |
| Incident reporting | Article 73 serious incident reporting | DORA major ICT incident reporting | Single incident triage and notification workflow |
| Automated decision explainability | Articles 13–14 transparency & oversight | GDPR Article 22 | Shared explainability framework; combined DPIAs/FRIAs |
| Algorithmic suitability / fairness | Annex III Point 5(b), Article 10 data governance | MiFID II Articles 24–25, RTS 6 | Integrated pre-deployment testing protocol |
Fines and Enforcement: What Non-Compliance Actually Costs
In short
The EU AI Act's penalty structure has three tiers: up to €35M or 7% of global turnover for prohibited AI violations, up to €30M or 6% for high-risk AI non-compliance, and up to €15M or 3% for incorrect information to authorities.
The EU AI Act introduced some of the largest administrative fine ceilings in EU regulatory history — higher than GDPR's €20M / 4% maximum for most violations. For a global bank, 6% of annual turnover is an existential number.
Fines are set by national market surveillance authorities (in most member states, the financial regulator will be the designated authority for supervised institutions). The European AI Office has direct enforcement authority over GPAI model providers.
Three-Tier Penalty Structure (Article 99)
- Tier 1 — Prohibited AI (Article 5 violations): Up to €35 million or 7% of global annual turnover, whichever is higher. Relevant for any financial institution inadvertently using social scoring or prohibited biometric categorisation in its AI stack.
- Tier 2 — High-risk AI non-compliance (Articles 9–46 violations): Up to €30 million or 6% of global annual turnover, whichever is higher. This tier applies to the core financial services use cases: credit scoring, underwriting, AML systems that fail to meet Annex III obligations.
- Tier 3 — Incorrect or misleading information: Up to €15 million or 3% of global annual turnover. Applies to false statements to notified bodies or competent authorities during conformity assessment procedures.
How Enforcement Will Work in Practice
Each EU member state must designate at least one national competent authority as market surveillance authority for AI Act enforcement. For financial institutions, this will typically be the existing prudential or conduct regulator — the ECB, national central banks, or the FCA equivalent in each jurisdiction.
The European Banking Authority's November 2025 report flagged that NCAs plan to incorporate AI Act compliance into their existing supervisory review and evaluation processes (SREP). This means AI compliance will be assessed alongside capital adequacy, liquidity risk, and operational resilience — not as a separate silo.
- Supervisory expectations: NCAs will request AI Act compliance evidence as part of scheduled SREP cycles from 2026 onwards.
- Reactive enforcement: Serious incidents reported under Article 73 will trigger supervisory investigation and may result in fines, temporary prohibition on use, or mandatory system withdrawal.
- Cross-border coordination: The European AI Office coordinates enforcement for multi-jurisdiction AI systems, reducing the risk of inconsistent national treatment for pan-European financial institutions.
SMEs and start-ups receive proportionate fines under Article 99(6) — penalties are capped at the lower threshold where both fixed ceiling and turnover-based ceiling apply. This provides limited but real relief for early-stage fintechs.
Ready to accelerate your AI journey?
Book a free 30-minute consultation with our AI strategists.
Book ConsultationPractical Compliance Checklist for Financial Institutions
In short
A compliant financial institution needs to complete five workstreams: AI inventory and risk classification, gap analysis, technical documentation and conformity assessment, governance and oversight implementation, and EU AI database registration.
Based on Alice Labs' experience designing AI compliance frameworks for Nordic financial institutions, the following checklist reflects the actual workstreams required to achieve EU AI Act readiness by August 2, 2026.
This is not a legal opinion — it is a practitioner-level operational guide. Engage qualified legal counsel for jurisdiction-specific interpretation.
Workstream 1: AI Inventory and Risk Classification
- ☐ Complete AI system inventory: List every AI system in production, development, or procurement. Include vendor-supplied tools, embedded AI in purchased software, and AI accessed via APIs.
- ☐ Classify each system by risk tier: Apply the Annex III test to each system. Document the classification rationale, including why borderline systems are classified as limited-risk rather than high-risk.
- ☐ Assign provider/deployer status: For each system, determine whether the institution is a provider (built in-house or commissioned) or deployer (licensed from a third party).
- ☐ Map to existing regulatory obligations: Flag systems that are already subject to DORA, GDPR Article 22, or MiFID II — these are candidates for integrated compliance treatment.
Workstream 2: Gap Analysis Against Annex III Obligations
- ☐ Risk management system gap: Assess current risk management documentation against Article 9 requirements. Identify missing elements: foreseeable misuse analysis, residual risk acceptance procedures, iterative review cadence.
- ☐ Data governance gap: Review training and validation dataset documentation against Article 10. Flag datasets lacking demographic representativeness attestations or bias testing records.
- ☐ Technical documentation gap: Check existing model cards and documentation against Annex IV's 12 required elements. Identify missing items: intended purpose statement, performance metrics by subgroup, known limitations disclosure.
- ☐ Human oversight gap: Assess whether current human review processes are operationally genuine or nominal. Identify systems where human override capability does not exist or is technically impractical.
- ☐ Logging gap: Confirm automated decision logs capture inputs, outputs, timestamps, and system version. Verify retention periods meet both AI Act and financial regulatory requirements.
Workstream 3: Technical Documentation and Conformity Assessment
- ☐ Prepare Annex IV technical documentation for each high-risk AI system. Assign documentation ownership to model risk management or technology teams.
- ☐ Conduct conformity assessment: For most financial AI use cases, this is a self-assessment. Document evidence for each Article 9–15 obligation.
- ☐ Retain conformity assessment records for 10 years post-deployment per Article 18.
Workstream 4: Governance, Oversight, and Training
- ☐ Appoint an AI compliance owner: Designate a named individual responsible for EU AI Act compliance across the institution. Ensure they have direct access to the board or risk committee.
- ☐ Implement AI literacy training: Article 4 requires providers and deployers to ensure staff working with high-risk AI have adequate AI literacy. Document training completion.
- ☐ Establish incident reporting procedures: Define what constitutes a serious incident under Article 3(49), who is responsible for notification, and the 15-day reporting timeline to competent authorities.
- ☐ Implement post-market monitoring: Establish a process to collect and review operational performance data for each high-risk AI system on an ongoing basis.
Workstream 5: EU AI Database Registration
- ☐ Register each high-risk AI system in the EU AI public database before deployment or before the August 2, 2026 deadline for systems already in operation.
- ☐ Update registrations whenever a system undergoes a substantial modification — defined as a change affecting the system's risk classification or its conformity with Annex III obligations.
For the complete annotated checklist with article references and evidence templates, see our dedicated EU AI Act compliance checklist for 2026. For firms also assessing their overall AI implementation readiness, our AI readiness assessment guide provides a parallel diagnostic framework.
Special Considerations for Fintechs and Scale-Ups
In short
Fintechs face the same Annex III obligations as large banks but with fewer compliance resources — proportionate fines apply for SMEs, but technical obligations are identical. Fintechs building proprietary AI models as providers face the heaviest burden.
Fintech firms often assume the EU AI Act is a large-bank problem. It is not. Any fintech offering credit products, insurance, or payment fraud detection to EU customers is deploying high-risk AI within the Act's scope.
The distinction that matters most for fintechs is provider vs. deployer. Fintechs building their own credit scoring or underwriting models are providers — the heaviest obligation tier. Fintechs integrating bureau scores or third-party fraud APIs are deployers — still obligated, but with less documentation burden.
Where Fintechs Are Most Exposed
- Proprietary credit models: BNPL providers, neobanks, and embedded finance platforms that score creditworthiness using transaction data are providers of high-risk AI. Conformity assessment and Annex IV documentation are mandatory.
- Automated onboarding and KYC: Document verification AI and facial liveness checks may intersect with biometric identification rules — classify carefully, as some use cases approach prohibited territory.
- HR tools: Fintechs using AI-powered CV screening or interview assessment tools are subject to Annex III Point 4 — high-risk AI in employment. This is frequently overlooked.
- Foundation model dependency: Fintechs building products on GPT, Claude, or Gemini APIs are GPAI deployers — obligations applied from August 2, 2025. Review your vendor agreements for transparency disclosures required under Article 53.
SME Proportionality Provisions
The EU AI Act includes limited proportionality provisions for SMEs and micro-enterprises under Articles 9(7), 17(3), and 62(1). These allow simplified risk management documentation and regulatory sandbox access, but do not reduce the core technical obligations.
The fine cap for SMEs under Article 99(6) means penalties are calculated at the lower of the fixed ceiling or the turnover-based ceiling — providing meaningful financial protection for early-stage firms while preserving enforcement authority.
Fintechs navigating the build vs. buy decision for AI capabilities should factor compliance cost into that analysis. Our build vs. buy AI guide models the full cost-of-ownership including regulatory overhead, which is particularly relevant for high-risk AI classification scenarios.
Frequently Asked Questions: EU AI Act for Financial Services
In short
Answers to the most common questions from risk, legal, and technology teams at banks, insurers, and fintechs navigating EU AI Act compliance.
Does the EU AI Act apply to non-EU banks serving EU customers?
Yes. The EU AI Act has extraterritorial scope similar to GDPR. Any provider or deployer whose AI system output is used in the EU is subject to the Act — regardless of where the system is built or hosted. A US bank offering EU retail credit products via an AI scoring system must comply with Annex III obligations.
Is fraud detection AI automatically classified as high-risk?
Fraud detection AI used in an AML/CFT context falls under Annex III Point 6, which covers AI used by competent authorities or on their behalf in law enforcement contexts. The European Banking Authority's November 2025 report confirms this extends to AML transaction monitoring at supervised institutions. Pure payment fraud detection without AML elements may require individual classification assessment.
What is a "serious incident" that must be reported under the EU AI Act?
Article 3(49) defines a serious incident as any incident or malfunction of a high-risk AI system that results in death, serious injury, significant unplanned disruption of critical infrastructure, violation of fundamental rights obligations, or serious damage to property or the environment. For financial AI, this includes systematic discriminatory credit decisions or AML system failures causing regulatory breaches. The reporting timeline is 15 working days from awareness.
Can a bank self-certify compliance, or is a third-party auditor required?
For the financial services Annex III use cases (credit scoring, insurance underwriting, fraud detection), self-assessment conformity assessment is permitted — a mandatory third-party notified body is not required. However, the self-assessment must be fully documented and evidence-based. Regulators may request the conformity assessment file during SREP reviews from 2026 onwards.
How does the EU AI Act interact with GDPR's right to explanation?
GDPR Article 22 gives individuals the right not to be subject to solely automated decisions with significant effects, plus the right to obtain human review and meaningful explanation of the logic involved. The AI Act's human oversight (Article 14) and transparency (Article 13) obligations reinforce this — both require that automated credit or insurance decisions can be reviewed and explained. The frameworks are complementary, not contradictory. A combined explainability approach serves both.
What counts as a "substantial modification" requiring re-registration?
Article 3(23) defines a substantial modification as a change to a high-risk AI system that affects the system's compliance with Annex III obligations or results in a change to its intended purpose. For a credit scoring model, retraining on a fundamentally different dataset, changing the target variable, or deploying the model in a new product context would likely qualify. Routine parameter retuning within defined thresholds typically does not.
Do robo-advisors and algorithmic trading systems qualify as high-risk AI?
It depends on the system's design and function. Robo-advisors that include a creditworthiness or financial capacity assessment component may fall under Annex III Point 5(b). Pure algorithmic trading systems operating without individual client credit assessment are not explicitly listed in Annex III and may qualify as limited-risk — but this requires individual classification analysis. MiFID II obligations continue to apply regardless of AI Act classification.
How long must technical documentation and logs be retained?
Conformity assessment technical documentation must be retained for 10 years after the AI system is placed on the market, per Article 18. Automatic logs generated by high-risk AI systems must be retained for at least 6 months under Article 12(1), unless applicable financial regulation (e.g., MiFID II's 5-year transaction record requirement) specifies a longer period — in which case the longer period prevails.
About the Authors & Reviewers

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.
- AI automation & agent systems lead
- Workflow design across 100+ deployments
- Specialist in RAG, integrations & APIs

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.
- 8+ years in AI strategy & implementation
- Top-5 AI Speaker, Sweden (Mindley 2025)
- 100+ enterprise AI engagements
Frequently Asked Questions
Does the EU AI Act apply to non-EU banks serving EU customers?
Yes. The EU AI Act has extraterritorial scope similar to GDPR. Any provider or deployer whose AI system output is used in the EU is subject to the Act, regardless of where the system is built or hosted.
Is fraud detection AI automatically classified as high-risk under the EU AI Act?
Fraud detection AI used in an AML/CFT context falls under Annex III Point 6. The EBA's November 2025 report confirms this extends to AML transaction monitoring at supervised institutions. Pure payment fraud detection without AML elements requires individual classification assessment.
Can a bank self-certify EU AI Act compliance for credit scoring systems?
Yes. For financial services Annex III use cases, self-assessment conformity assessment is permitted — no mandatory third-party notified body is required. However, the assessment must be fully documented and evidence-based, and may be reviewed by regulators during SREP cycles.
What is the EU AI Act compliance deadline for financial institutions?
August 2, 2026 is the compliance deadline for high-risk AI systems under Annex III — which includes credit scoring, insurance underwriting, fraud detection, and AML tools. No grandfather clause applies to legacy systems.
What fines apply for EU AI Act non-compliance in financial services?
Non-compliance with high-risk AI obligations carries fines up to €30 million or 6% of global annual turnover, whichever is higher, under Article 99 of the EU AI Act.
What is the difference between an AI provider and deployer under the EU AI Act?
A provider develops and places an AI system on the market. A deployer uses it under their own authority. Banks building proprietary credit models are providers; banks licensing vendor scoring tools are deployers. Both carry compliance obligations, but providers face stricter technical documentation and conformity assessment requirements.
How does the EU AI Act interact with DORA for financial institutions?
The EU AI Act's risk management system (Article 9) and incident reporting requirements (Article 73) overlap substantially with DORA's ICT risk framework and major incident reporting obligations. An integrated compliance approach using a single risk management framework reduces duplication and total compliance cost.
Do robo-advisors qualify as high-risk AI under the EU AI Act?
It depends on design. Robo-advisors that include a creditworthiness or financial capacity assessment may fall under Annex III Point 5(b) as high-risk. Pure algorithmic trading systems without individual credit assessment are not explicitly listed in Annex III and may qualify as limited-risk, but require individual classification analysis.
NIST AI Risk Management Framework: Enterprise Implementation Guide
Next in AI Governance & ComplianceEU AI Act Timeline 2026: Key Deadlines & Compliance Dates
Further reading
- EU AI Act, Regulation 2024/1689· op.europa.eu
- European Banking Authority· eba.europa.eu
- European Commission AI initiative· commission.europa.eu
Related services
Related reading
EU AI Act Compliance Guide
Discover a step-by-step guide to achieving EU AI Act compliance for enterprises, ensuring adherence to regulations by 2026.
deepdiveEU AI Act Compliance Checklist 2026
Step-by-step EU AI Act compliance checklist for enterprises. Risk classification, Annex IV documentation, FRIA, AI literacy, conformity assessment — before 2 Aug 2026.
deepdiveWhat Is AI Governance?
AI governance covers policy, process, and tooling for responsible AI. EU AI Act, NIST AI RMF, ISO 42001, OECD principles compared — with Alice Labs methodology.
deepdiveAI Strategy for Financial Services
AI strategy for banks, insurance, asset management. EU AI Act Annex III for credit + insurance, DORA from Jan 2025, NIST AI RMF, top 6 use cases.
deepdiveWhy AI Projects Fail
Most AI projects fail before reaching production. Based on RAND, MIT Sloan, and 100+ Alice Labs engagements — the 7 root causes, with concrete fixes for each.
Sources
- EU AI Act, Regulation 2024/1689European Parliament and Council
- Report on AI Act implications for the EU banking sectorEuropean Banking Authority
- EU Coordinated AI Plan, Volume 2OECD
- Artificial Intelligence initiativeEuropean Commission
- EU AI Act Deployer Obligations AnalysisGoodwin Law
Next scheduled review: