EU AI Act Compliance for Financial Services, Fintechs and ICT Vendors

I'm an independent AI governance consultant based in Frankfurt. I help EU financial institutions, fintechs, and ICT vendors prepare for the EU AI Act through the parts that actually decide whether you're compliant: AI system inventory, risk classification, governance framework, technical documentation structure, and the controls that satisfy both AI Act articles and your existing GDPR, DORA, or sectoral obligations.

My focus is on governance and compliance program design. For deep technical implementation (explainability layers, bias testing infrastructure, conformity assessment as a Notified Body), I work alongside technical partners and your engineering team.
  • What is the EU AI Act?

    The EU AI Act, Regulation (EU) 2024/1689, is the world's first horizontal AI regulation. It entered into force on 1 August 2024 and is being phased in over several years. Prohibited practices under Article 5 have been in effect since 2 February 2025. General-purpose AI (GPAI) provider obligations and the governance infrastructure (AI Office, AI Board, notified bodies, penalties) took effect on 2 August 2025. The high-risk obligations were originally scheduled for 2 August 2026.

    Penalties stack heavily. Prohibited practices: up to €35 million or 7% of global annual turnover. High-risk non-compliance: up to €15 million or 3%. Supplying misleading information to authorities: up to €7.5 million or 1.5%.
  • What changed in May 2026?

    On 7 May 2026, EU lawmakers reached a political agreement on the Digital Omnibus package, which postpones key high-risk deadlines pending formal adoption. The Annex III high-risk obligations shift by roughly 16 months to late 2027. Product-safety high-risk systems shift by 12 months to August 2027. Transparency obligations under Article 50 (watermarking and synthetic content disclosure) are shifted by 3 months to 2 December 2026.

    The catch: the deal still needs formal adoption by Council and Parliament to take legal effect. Until that happens, the original August 2026 deadline remains binding law. Compliance leads who pause work on the assumption that the extension lands are making a high-risk bet on the legislative process. My advice to clients has been consistent. Keep building toward August. If the extension is formally adopted before then, treat it as a buffer, not a reason to redo your plan. The work itself (inventory, classification, governance, documentation) is an engineering investment that holds value either way.
  • Who needs to comply?

    The AI Act applies to providers placing AI systems on the EU market and deployers using AI systems in the EU. It reaches non-EU companies whose AI output is used in the Union. Two roles trigger most of the obligations:

    • Providers develop AI systems (or have them developed) and place them on the market under their name. Most obligations sit here.
    • Deployers use AI systems in a professional capacity. Lighter obligations, but FRIA, instructions-for-use compliance, and monitoring still apply for high-risk use.
    Regulated entities (banks, investment firms, insurers, payment institutions, CASPs) face cumulative obligations under the GDPR, DORA, and the AI Act for any AI system that processes personal data, makes consequential decisions about EU residents, or operates within an ICT-critical function. There is no honest way to handle this in three separate compliance silos.
  • Two situations bring most clients

    The first is reactive. A customer has sent an AI Act questionnaire, a regulator has asked for an AI inventory, a board committee has flagged AI risk as unrated, or an audit has surfaced AI systems running without a governance file.

    The second is structural. A scaled fintech or ICT vendor is embedding AI across products and needs to stand up a defensible governance program before the next compliance cycle. They want a senior expert who can chair the AI risk committee, sign off on classifications, and represent them to customers and regulators.

    I work with both.

WHAT I DELIVER

  • AI system inventory and risk classification

    A full inventory of AI systems (built, embedded, and procured), each classified under Article 6 and Annex III. Output covers prohibited, high-risk, limited-risk, and minimal-risk classification, role assignment (provider versus deployer), and the obligation stack that follows. Most clients discover three categories of AI they didn't know they were responsible for: embedded vendor features they didn't classify as AI, copilots their teams adopted bottom-up, and legacy decisioning systems that quietly became high-risk under Annex III.
  • AI governance framework

    A governance framework you can defend in front of a regulator, an auditor, or a board. Covers AI policy, roles and responsibilities, decision rights, risk appetite, escalation paths, the AI risk committee charter, and integration with existing DORA, ICT risk, and operational risk frameworks. Designed to map cleanly to ISO 42001 if you want the certifiable version.
  • High-risk system readiness (Articles 9 to 15, 17)

    The eight obligation areas that high-risk AI systems must satisfy: risk management system, data governance, technical documentation (Annex IV), record-keeping and logging, transparency and instructions for use, human oversight, accuracy and cybersecurity, and the quality management system. I deliver the governance and documentation layer. Technical implementation runs alongside with your engineering team or a partner.
  • FRIA and DPIA alignment

    The Fundamental Rights Impact Assessment under Article 27 overlaps with the GDPR DPIA but isn't the same exercise. I build a combined methodology that satisfies both without doubling your assessment burden, and that drops cleanly into your existing privacy and risk processes.
  • GPAI deployer obligations

    For organisations integrating GPAI models from OpenAI, Anthropic, Mistral, Google, or Meta into customer-facing or internal products: the upstream evidence pack you should be requesting, the transparency obligations that flow down to you, and the residual risks you cannot push back to the provider.
  • Article 4 AI literacy

    Operational since 2 February 2025 and widely under-implemented. I design role-based AI literacy training programs that satisfy Article 4 obligations and reduce the actual risk of misuse inside your organisation.
  • Cross-walk with DORA, GDPR, MiCA, ISO 27001

    For regulated entities, the AI Act sits on top of obligations you already have. I map AI Act controls to existing DORA ICT controls, GDPR Article 35 (DPIA) and Article 22 (automated decision-making), MiCA AML/KYC where AI sits in scope, and ISO 27001 Annex A controls. One unified control set, not five overlapping ones.
  • Adjacent standards

    ISO 42001 (AI management system), ISO 27001 (information security), ISO 22301 (business continuity). ISO 42001 is becoming the practical certification path for AI governance under Article 17 and increasingly appears in enterprise customer questionnaires.

Frequently asked questions

  • Did the EU actually delay the AI Act deadlines?

    A political agreement was reached on 7 May 2026 in the Digital Omnibus package. It postpones Annex III high-risk obligations by roughly 16 months and product-safety high-risk obligations by 12 months. Transparency obligations under Article 50 shift by 3 months to 2 December 2026. The agreement still requires formal adoption by the European Parliament and Council. Until adoption, the original deadlines remain legally binding.
  • What is a high-risk AI system?

    A system is high-risk if it falls under Article 6: either it is used as a safety component of a product covered by Annex I EU product-safety legislation (medical devices, machinery, toys, vehicles, etc.) or it sits in one of the use-case categories listed in Annex III. Annex III covers biometrics, critical infrastructure, education, employment and worker management, access to essential services (including credit scoring and insurance pricing), law enforcement, migration, justice, and democratic processes.
  • Who counts as a "provider" versus a "deployer"?

    A provider develops an AI system, or has it developed, and places it on the market under their name or brand. A deployer uses an AI system in a professional capacity. Providers carry most obligations. A deployer who substantially modifies a system, rebrands it, or uses it for a different purpose than the provider intended can become a provider for that modified version, with all the obligations that brings.
  • What are the AI Act penalties?

    Prohibited practices: up to €35 million or 7% of global annual turnover, whichever is higher. High-risk and most other non-compliance: up to €15 million or 3%. Supplying incorrect, incomplete, or misleading information to authorities: up to €7.5 million or 1.5%. Caps for SMEs and start-ups are lower in absolute terms.
  • What is ISO 42001 and how does it relate to the AI Act?

    ISO 42001 is the international standard for AI management systems, published in December 2023. It isn't a substitute for AI Act compliance, but the management system it specifies satisfies Article 17 (quality management for high-risk providers) and gives you a defensible governance structure that maps to most AI Act articles. Enterprise customers increasingly ask for ISO 42001 certification in vendor questionnaires, and it's compatible with existing ISO 27001 and ISO 9001 management systems.
  • What is a FRIA?

    The Fundamental Rights Impact Assessment under Article 27 is a mandatory assessment for certain high-risk deployers, including public-sector users and private-sector deployers offering services of public interest (banking, credit, insurance, healthcare). It examines the impact on fundamental rights including non-discrimination, privacy, data protection, and freedom of expression. It overlaps with the GDPR DPIA but covers a broader set of rights.
  • Does the AI Act apply to non-EU companies?

    Yes, on the same basis as MiCA and DORA. If your AI system's output is used in the Union, the AI Act reaches you. There is no reverse-solicitation carve-out comparable to MiCA's. US-based providers placing AI systems on the EU market, or whose AI is integrated into EU-facing products, are squarely in scope.
  • When to reach out

    If you've received an AI Act questionnaire from a customer, if you don't have a current inventory of the AI systems running in your organisation, if your board is asking about AI risk and you don't have a defensible answer, or if you need someone to stand up an AI governance program that integrates with your existing DORA and GDPR work, get in touch. The first-call diagnostic is free.