EU AI Act Readiness Tracker

← Back to Enterprise.AI

The EU AI Act has extraterritorial reach — it applies to any institution whose AI outputs are used in the EU, including non-EU banks. If you serve EU customers or process EU data, you are in scope. The high-risk deadline is August 2026.

Why this matters for FS

The EU AI Act applies to any institution placing AI systems on the EU market or whose AI outputs are used in the EU — including non-EU banks. Several common FS use cases are explicitly classified as high-risk, including credit scoring of natural persons, certain insurance pricing, and AI used in employment or biometric identification.

Penalties scale up to 7% of global turnover for the most serious breaches. The Act's obligations layer on top of existing model risk and consumer protection regimes — they don't replace them.

The enforcement timeline

Feb 2025

Prohibited AI practices in force

Bans on social scoring, untargeted scraping, manipulative AI and certain biometric categorisation already apply.

Aug 2025

GPAI rules & governance bodies

Obligations for general-purpose AI model providers; AI Office and national authorities operational.

Aug 2026

High-risk AI rules apply

Full obligations for high-risk systems including credit scoring, certain insurance and HR uses. This is the date FS programs must be ready for.

Aug 2027

High-risk under product safety

Extension to high-risk AI embedded in regulated products covered by Annex I legislation.

Risk classification map for FS

Use case	Likely classification	Key obligations
Credit scoring of natural persons	High-risk	Conformity, data governance, transparency, human oversight
Life & health insurance pricing	High-risk	Same as above + sectoral consumer protection
AML / fraud detection	Limited / minimal	Likely outside high-risk; existing regimes apply
Customer-facing chatbot	Limited risk	Disclosure obligation (user must know it's AI)
HR / candidate screening	High-risk	Full Annex III obligations
Internal productivity GenAI	Minimal	Code of practice, GPAI provider passes through
GPAI / foundation model in use	Provider obligations	Provider documentation; deployer due diligence

EU AI Act compliance timeline (detailed)

Milestone	Date	What applies	Implication for FS
Transparency & Disclosure Phase 1	Feb 2025	Prohibited AI practices (Articles 5–6) in force: social scoring, untargeted biometric scrapin, manipulative AI, certain biometric categorisation	Audit GenAI use to exclude prohibited practices. Retract any social scoring models.
GPAI Model Provider Obligations	Aug 2025	General-Purpose AI model providers must comply with Articles 53–57: transparency, data governance, compliance with EU law	Check if your institution is a GPAI provider (unlikely unless you publish foundation models). If using GPAI (e.g., OpenAI), confirm vendor compliance.
AI Office & Notified Bodies Operational	Aug 2025	EU AI Office operational; national AI offices in member states; notified bodies for conformity assessment ready	Monitor EU AI Office guidance releases. Identify notified body for your jurisdiction if needed (typically for high-risk FS systems).
High-Risk AI Rules Apply	Aug 2026	Articles 1–52 in full effect: Classification, QMRA, training data governance, human oversight, conformity assessment, post-market surveillance, technical documentation for ALL high-risk systems	KEY DATE FOR FS: All high-risk FS AI (credit scoring, insurance pricing, HR) must be fully compliant. This is the hard deadline for your program.
Post-Market Surveillance Begins	Aug 2026	EU authorities begin monitoring high-risk AI systems; institutions must report incidents & serious failures	Establish incident reporting procedures. Set up EU Authority notification process. Document all model incidents.
Extension to Product-Embedded High-Risk AI	Aug 2027	High-risk AI embedded in products governed by Annex I regulations (machinery, civil aviation, etc.) must comply	Less direct impact on banking/insurance, but review if you embed AI in regulated products.
Risk-Based Code of Practice (Ongoing)	Ongoing from Q4 2025	EU AI Office will publish risk-based codes of practice for providers & deployers in different sectors (e.g., financial services code by end 2025)	Monitor releases. Align governance to FS-specific code when published.

Prohibited AI practices (must stop now)

These AI practices are prohibited under Article 5 of the EU AI Act. Any institution with these in place must discontinue immediately:

Prohibited Practice	Example in FS	Article	Action
Social scoring	AI that assigns a social/credit score based on social behavior, personal characteristics, or 'reputation' in the community.	Article 5(1)(a)	Audit all scoring models. Confirm none assign scores based on general social behavior. If found, retract immediately.
Manipulation through subliminal/unfathomable techniques	GenAI advisor using psychological manipulation techniques beyond user's ability to understand (e.g., subliminal messaging).	Article 5(1)(b)	Review advisor copilots & GenAI interactions. Remove any techniques designed to manipulate beyond transparency.
Biometric categorisation (certain forms)	AI that assigns person to category based on sensitive personal characteristics (race, ethnicity, sexual orientation) for financial purposes.	Article 5(1)(c)	Review all models that process biometric or sensitive personal data. Ensure none categorise based on protected characteristics.
Real-time remote biometric identification (FS context)	AI that identifies individuals in real-time without their explicit consent in public spaces (e.g., at branch ATMs).	Article 5(1)(d)	If using facial recognition for customer identification, ensure informed consent & explicit opt-in (not surveillance).

Annex III high-risk requirements for FS (detailed)

For systems classified as high-risk under Annex III, Articles 8–30 require the following obligations:

Risk management system (Article 9): Establish, document and implement a continuous QMRA process. Identify, analyze and evaluate AI-specific risks. Implement mitigation strategies. Monitor risk evolution.
Data & data governance (Articles 10–11): Training data must be relevant, representative, and free of errors. Document data sources, collection methods, & labeling. Prohibit prohibited categories of data. Establish data governance processes for quality & bias.
Documentation & record-keeping (Article 11(5)): Create & maintain EU technical documentation including: training/test/validation data description, model architecture, performance metrics, data governance processes, risk assessment, human oversight implementation, instructions for deployment & use.
Transparency & information to users (Article 13): Inform users that they are interacting with an AI system. Explain the AI's capabilities & limitations. Provide information sufficient for them to exercise rights (e.g., right to explanation under GDPR).
Human oversight (Article 14): Implement human oversight mechanisms so that humans can understand AI outputs and override them. Oversight must be meaningful, not rubber-stamp.
Accuracy, robustness & cybersecurity (Article 15): Ensure high level of accuracy, robustness & cybersecurity in design & development. Test against adversarial inputs. Establish performance standards & monitor against them.
Post-market monitoring (Article 27): Establish system to monitor AI performance post-deployment. Collect & analyze data on incidents, complaints, near-misses. Implement mechanism to report serious incidents to competent authorities.
Incident reporting (Article 73): Report "serious incidents" and "substantial violations" to competent authorities. Definition of serious incident: system causes injury, health damage, property damage >1,000 EUR, or serious damage to rights & freedoms.

For FS institutions, the highest-impact obligation is Article 11 technical documentation. Most banks have model cards but they fall short of EU AI Act requirements. Start your gap analysis with documentation completeness for high-risk systems.

Conformity assessment checklist for high-risk systems

Before placing a high-risk AI system on the EU market, you must complete a conformity assessment. Here is the checklist:

Conformity Area	Documentation Required	Evidence
Risk Management System	QMRA process documented; risks identified & mitigated	Risk register, mitigation plans, testing results, post-market monitoring plan
Data Governance	Training data is representative, documented, free of errors	Data quality report, data sources, bias testing results, representativeness analysis
Accuracy & Performance	Model meets documented performance requirements	Validation report, performance metrics on test set, comparison to baselines
Explainability	Model decisions can be explained to users & regulators	Explainability documentation (SHAP/LIME plots, decision logic), user-facing explanations
Fairness & Non-Discrimination	No disparate impact across protected groups	Fairness testing report, demographic parity analysis, mitigation of identified biases
Human Oversight	Humans can understand, monitor & override AI decisions	Audit logs of human decisions, override rate > 0 documented, training materials for operators
Cybersecurity & Robustness	System resistant to adversarial attacks & data poisoning	Adversarial testing report, penetration testing results, security architecture diagram
Post-Market Monitoring	Mechanism to track performance & incidents post-deployment	Monitoring dashboard, incident log template, escalation procedures
Documentation	EU Technical Documentation complete per Article 11	Comprehensive model card, risk assessment, data sources, performance metrics, limitations

Risk classification decision tree for FS

Use this decision tree to classify your AI systems under the EU AI Act:

Is the AI practice prohibited under Article 5? (social scoring, manipulation, biometric categorization, real-time remote ID)
→ YES: PROHIBITED. Stop use immediately. Retract from market.
→ NO: Continue to step 2.
Is the AI a general-purpose AI (GPAI) or foundation model? (e.g., you publish a large language model)
→ YES: Subject to GPAI obligations (Articles 53–57). You are a provider; document training data, test for dangerous capabilities.
→ NO: Continue to step 3.
Is the AI used to evaluate creditworthiness of natural persons? (credit scoring, mortgage pre-approval)
→ YES: HIGH-RISK (Annex III(a)). Proceed to Annex III obligations.
→ NO: Continue to step 4.
Is the AI used in insurance pricing or acceptance of claims? (life insurance premiums, health insurance, claims assessment)
→ YES: HIGH-RISK (Annex III(b) / (f)). Proceed to Annex III obligations.
→ NO: Continue to step 5.
Is the AI used in recruitment, employment, or worker monitoring? (resume screening, promotion decisions, performance monitoring)
→ YES: HIGH-RISK (Annex III(c)). Proceed to Annex III obligations.
→ NO: Continue to step 6.
Is the AI used in critical infrastructure / essential public services? (payment systems, critical utilities)
→ YES: HIGH-RISK (Annex III(e)). Proceed to Annex III obligations.
→ NO: Continue to step 7.
Is the AI used for law enforcement purposes? (AML/CFT, fraud investigation)
→ YES: Likely HIGH-RISK or LIMITED-RISK. Check Article 30 (law enforcement derogations). Consult legal.
→ NO: Continue to step 8.
Is the AI biometric identification or emotion/intention detection?
→ YES: Possible HIGH-RISK. Check context & Article 5 restrictions. Consult legal.
→ NO: Continue to step 9.
Does the AI have the potential to significantly impact rights & freedoms? (e.g., customer advice, product recommendations that affect financial decision)
→ YES: LIMITED-RISK or HIGH-RISK. Assess context. Transparency & user information required (Article 13).
→ NO: Likely MINIMAL-RISK or outside scope. Document classification rationale.

Documentation requirements per Article 11 (EU Technical Documentation)

For high-risk AI systems, Article 11 requires comprehensive technical documentation. Minimum contents:

AI system summary: Name, version, provider, purpose, risk classification, deployment date.
Training & validation data description: Sources, collection methods, size, representativeness, labeling methodology, data governance process.
Model architecture & design: Algorithm, hyperparameters, key design decisions, rationale for model choice vs. alternatives.
Performance metrics: Accuracy, precision, recall, AUC, fairness metrics (disparate impact ratio, equalized odds), performance by demographic group.
Human oversight design: How humans understand outputs, mechanisms for human intervention, audit trails of human decisions.
Risk assessment: Risk management system, identified risks, mitigation measures, residual risks, post-market monitoring plan.
Robustness & security testing: Adversarial testing results, security assessment, failure modes, edge cases identified.
Instructions for use: Deployment guidance, intended use & limitations, user training requirements, escalation procedures.
Known limitations: Accuracy thresholds below which system should not be used, data distribution requirements, known biases, failure modes.
Compliance with EU law: GDPR compliance (lawful basis, data subject rights), fair lending compliance, consumer protection alignment.
Maintenance & retraining: Retraining frequency, performance monitoring cadence, process for updating model based on feedback.
Version history: All model versions, when deployed, changes from prior versions, retirement dates.

Gap analysis template

Use this template to assess your compliance gaps for each high-risk AI system:

Requirement	Current State	Target State	Gap	Remediation Plan	Owner	Timeline
QMRA process documented	Ad-hoc risk review	Formal QMRA per Article 9	Missing documented process	Develop risk management template & train team	Model Risk	Q2 2026
Training data governance	Data tracked in Excel	Documented lineage & governance per Article 10-11	No formal data governance	Implement data catalog & governance framework	Data Office	Q3 2026
Fairness testing	Tested manually, not documented	Automated fairness testing & reporting per Article 15	No continuous fairness monitoring	Deploy fairness tooling; establish monitoring SLAs	Data Science	Q2 2026
Human oversight audit trail	No logging of human decisions	Audit logs of human overrides & decisions per Article 14	Missing logging mechanism	Implement audit logging in production system	Tech / Ops	Q1 2026
Post-market monitoring	No formal process	Documented monitoring plan & incident reporting per Article 27	No incident tracking or reporting	Establish incident registry & authority notification process	Compliance	Q2 2026
EU Technical Documentation	Model card incomplete	Comprehensive documentation per Article 11	Missing sections (data sources, risk assessment, limitations)	Assign owner; build doc template; complete for all high-risk models	Model Risk	Q1 2026
Conformity assessment	Not started	Formal conformity assessment & declaration per Article 19	No assessment completed	Engage notified body or internal assessment; document declaration	Compliance	Q2 2026

The 10-step readiness program

Stand up EU AI Act program owner. Typically in 2nd line (Compliance/Legal) joint with 2nd line risk. Define governance, budget, timeline.
Build a complete AI inventory with EU scope flagged. Identify all AI systems used by the institution. Flag those with EU market access or EU customer impact.
Classify each system: prohibited, high-risk, limited, minimal, or GPAI. Use the decision tree above. Document classification rationale. For high-risk systems, confirm Annex III applicability.
Run gap assessment against Annex III for high-risk systems. Use the gap analysis template. Identify missing documentation, monitoring, fairness testing, human oversight.
Establish data governance evidencing for training datasets. Document data sources, representativeness, labeling methodology, quality checks. Establish data quality SLAs.
Document risk management system and post-market monitoring plan. Develop QMRA process, risk register, mitigation strategies. Define monitoring KPIs, incident reporting, escalation.
Implement human oversight mechanisms for in-scope systems. Audit logs of human decisions, override mechanisms, training for operators. Ensure meaningful oversight (not theater).
Update vendor & foundation-model contracts with deployer-side rights. Ensure contracts include: audit rights, data governance terms, incident notification, liability allocation, data residency.
Prepare conformity assessment and EU technical documentation. Complete documentation per Article 11. Engage notified body if required. Document declaration of conformity.
Train board & executives, and rehearse incident response. Board briefing on obligations & timelines. Incident response playbook & tabletop exercise. Staff training on transparency & human oversight.

Ready to implement this in your organisation?

Get in touch to discuss how this accelerator fits your institution.

Book a Consultation →