EU AI Act obligations for banks, credit institutions, and fintech firms. Credit scoring AI, AML systems, algorithmic trading, DORA overlap, and EBA guidelines.
Why Banking Faces Concentrated EU AI Act Exposure
The banking and financial services sector sits at the intersection of the EU AI Act's strictest obligations and the most complex regulatory environment in the EU. Financial institutions are among the largest deployers of AI in Europe — in credit underwriting, fraud detection, AML/CFT screening, customer due diligence, algorithmic trading, and wealth management. The EU AI Act directly targets the most consequential of these use cases through Annex III, classifying several financial AI applications as high-risk by definition.
Banking also operates under a dense pre-existing regulatory layer: DORA, MiFID II, CRD IV/CRR, AML Directives, GDPR, and BCBS 239. The EU AI Act does not replace these frameworks — it adds to them. For a credit institution, deploying an AI-based credit scoring model triggers simultaneous obligations under the AI Act (Annex III, Art. 9–16), DORA (ICT risk management), and the EBA's model risk management guidelines.
High-Risk AI Use Cases in Banking Under Annex III
Annex III, category 5(b) explicitly lists AI used for the evaluation of creditworthiness or credit scoring of natural persons, and AI used for assessing credit risk of legal persons where AI determines or substantially influences the outcome. This captures a broad range of financial AI deployments.
Credit scoring and underwriting models — automated systems that determine loan eligibility, credit limits, or interest rates for retail and SME customers — are high-risk AI under Art. 6(2) read with Annex III. Banks acting as providers of these systems must complete conformity assessments, maintain technical documentation under Art. 11, implement risk management systems under Art. 9, ensure human oversight mechanisms under Art. 14, and register the system in the EU AI Act database (Art. 71) before deployment.
AML and fraud detection systems present a more nuanced picture. Systems that apply sanctions screening, transaction monitoring, or behavioural analytics to flag suspicious activity generally affect financial institutions rather than directly determining outcomes for individuals. Where the AI output is the primary basis for adverse action against a customer (account freezing, refusal of service), high-risk classification may be triggered under Annex III cat. 5(b) or cat. 6 (law enforcement) depending on the national authority's role. Banks must conduct a careful classification analysis.
GPAI-based tools — large language models used for customer service, document processing, or investment analysis — are subject to Art. 50 transparency requirements (disclosure that users are interacting with AI) and, where the underlying model is classified as a GPAI model with systemic risk, to the Art. 55 obligations.
Provider vs Deployer Obligations for Banks
Banks may act as providers (building their own AI models), deployers (using third-party AI systems), or both. The distinction determines the obligation profile:
| Role | Obligation source | Key requirements |
|---|---|---|
| Provider | Art. 9–17 | Conformity assessment, technical documentation, QMS, registration |
| Deployer | Art. 26 | Monitor system, ensure human oversight, maintain logs, inform users |
| Both | Art. 9–17 + Art. 26 | Full provider obligations + deployer monitoring duties |
Banks purchasing credit scoring AI from a fintech vendor act as deployers under Art. 26. They must verify the vendor has completed conformity assessment, integrate human review into adverse decision processes, maintain usage logs for 10 years (Art. 26(6)), and ensure that AI decisions are explained to affected individuals under GDPR Art. 22 and EU AI Act Art. 13.
Sectoral Regulation Overlap: DORA, MiFID II, and Solvency II
DORA (Regulation 2022/2554) applies to banks, investment firms, insurance companies, and ICT third-party providers. For AI specifically, DORA requires:
- AI systems treated as ICT systems subject to risk management frameworks (Art. 6 DORA)
- ICT-related incident classification and reporting — AI failures may constitute major ICT incidents
- Resilience testing of critical ICT systems — AI models included where material to operations
- Third-party risk management covering AI vendor contracts, exit strategies, and audit rights
MiFID II (Markets in Financial Instruments Directive) applies to algorithmic trading and investment advice. AI-generated investment recommendations trigger suitability assessment requirements; algorithmic trading systems require pre-trade controls, kill switches, and regulatory notification.
EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04, updated 2022) mandate technology risk governance covering AI models, operational continuity requirements, and model validation independence. These align substantially with EU AI Act Art. 9 risk management requirements.
Enforcement Authorities
EU AI Act enforcement for banking AI operates through a dual-layer authority structure:
National Competent Authorities (NCAs) designated by each Member State under Art. 70 are the primary AI Act enforcement bodies. They can conduct market surveillance, request technical documentation, and impose fines (up to €30M or 6% of global annual turnover under Art. 99).
European Banking Authority (EBA) coordinates sector-specific AI oversight across the banking union, provides technical standards on ICT risk, and issues guidelines that shape national supervisory expectations. EBA also participates in the European AI Board established under Art. 65.
ECB and national prudential supervisors may request AI model documentation as part of SREP (Supervisory Review and Evaluation Process) assessments under CRD IV where AI drives material credit or operational risk decisions.
Compliance Roadmap for Banks
Immediate (now → August 2026): Complete prohibition compliance check — review all AI systems for practices banned under Art. 5, including social scoring and real-time biometric identification in public spaces. These prohibitions apply immediately for new contracts.
Q3 2026 — High-risk classification audit: Map all deployed and in-development AI systems against Annex III, specifically categories 5(b) and 5(c). Document classification rationale. Engage legal and compliance to assess DORA overlap.
Q4 2026 — Provider obligations for in-house AI: For credit scoring and underwriting models built internally, initiate conformity assessment procedures, develop technical documentation per Annex IV, and implement QMS under Art. 17.
2027 — Deployer obligations for third-party AI: Audit all AI vendor contracts for EU AI Act compliance. Require providers to furnish conformity declarations and registration numbers. Update data processing agreements to reflect Art. 26 logging obligations.
August 2027 — GPAI obligations effective: Ensure all third-party LLMs and foundation models used in banking applications comply with Art. 51–55. Verify providers have published transparency documentation under Art. 53.
December 2027 — High-risk AI deadline: Full compliance required for all Annex III high-risk AI systems. Ensure registration in the EU AI Act database, operational human oversight mechanisms, and post-market monitoring plans under Art. 72.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Status | Legal basis |
|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | active | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | active | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | active | AI Act Art. 57 |
Frequently Asked Questions
Banks face EU AI Act obligations primarily through Annex III categories 5(b) and 5(c): AI used in creditworthiness assessment and credit scoring, and AI used in life and health insurance underwriting. These are classified as high-risk AI systems requiring conformity assessments, technical documentation, human oversight mechanisms, and registration in the EU AI Act database. Additionally, banks deploying AI for anti-money laundering (AML) screening, fraud detection, or customer due diligence may be captured under Annex III depending on the system's function and the decisions it influences.
DORA (Digital Operational Resilience Act, Regulation 2022/2554) and the EU AI Act create overlapping but distinct obligations. DORA requires financial entities to manage ICT risk, conduct resilience testing, and maintain incident reporting capabilities — this applies to AI systems as ICT tools. The EU AI Act adds risk classification, conformity assessment, transparency, and human oversight requirements for AI systems specifically. A credit institution operating an AI-driven credit scoring system must satisfy both DORA's ICT risk management framework and the EU AI Act's high-risk AI requirements. The EBA's ICT and security risk management guidelines apply in parallel.
Algorithmic trading systems are not directly listed in Annex III, so they do not automatically constitute high-risk AI under the EU AI Act. However, if a trading algorithm is used as a component of a creditworthiness assessment or influences access to financial services in a way that affects individuals, it may fall within Annex III scope. MiFID II requirements for algorithmic trading — including kill switches, system testing, and audit trails — remain fully applicable. The EU AI Act's Art. 50 transparency requirements apply to AI interacting with natural persons, and GPAI model obligations under Art. 51 apply to large language models used in trading or analysis platforms.
The European Banking Authority (EBA) has published guidelines on internal governance (EBA/GL/2021/05) and ICT risk management that directly inform AI governance expectations for banks. Key requirements include board-level accountability for AI strategy, independent validation of AI models used in credit risk, operational risk frameworks covering AI failures, and explainability requirements for AI systems affecting credit decisions. The EBA's consultations on machine learning for IRB models set quantitative standards for model validation, data quality, and performance monitoring that align closely with the EU AI Act's Art. 9 risk management requirements.
Yes, in principle — the EU AI Act applies regardless of company size. However, Art. 9(5) requires that risk management systems be proportionate to the size and nature of the provider or deployer. SME and startup provisions under Art. 55 and Art. 57 to Art. 63 provide access to regulatory sandboxes operated by national competent authorities, reducing barriers to compliance testing. The EBA Innovation Hub and European Forum for Innovation Facilitators (EFIF) provide additional support for fintech firms navigating AI regulation.