EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legislation regulating artificial intelligence. It establishes uniform rules for the development, placing on the market and use of AI systems in the EU – with particular focus on high-risk applications common in the financial sector.
What is the EU AI Act?
The EU AI Act (officially: Regulation (EU) 2024/1689) is the world's first comprehensive legislation regulating artificial intelligence. The regulation was adopted on 13 June 2024 and entered into force on 1 August 2024.
The objective of the EU AI Act is to create a uniform legal framework for AI in the EU that:
- Protects fundamental rights – Preventing discrimination by AI
- Builds trust – Transparency and traceability
- Promotes innovation – Legal certainty for businesses
- Minimises risks – Risk-based regulatory approach
Why is the EU AI Act important for banks?
Financial services providers are increasingly deploying AI – from chatbots to fraud detection to automated credit decisions. Many of these applications fall under the high-risk category of the EU AI Act and are therefore subject to strict requirements for documentation, transparency and human oversight.
Who does the EU AI Act apply to?
The EU AI Act has a broad scope and applies to various actors in the AI value chain:
Providers
Organisations that develop or have AI systems developed and place them on the market under their own name.
- FinTech companies
- Software providers for banks
- Internal development departments
Deployers
Organisations that deploy AI systems under their own responsibility – even if they did not develop them themselves.
- Banks
- Insurance companies
- Financial services providers
Extraterritorial Effect
The EU AI Act also applies to organisations outside the EU if their AI systems are deployed in the EU or affect EU citizens. This makes it comparable to the GDPR in its global reach.
The 4 Risk Classes of the EU AI Act
The EU AI Act follows a risk-based approach: The higher the risk of an AI system, the stricter the requirements.
Unacceptable Risk
These AI practices are prohibited in the EU:
- Social scoring by public authorities
- Real-time biometric identification in public spaces (with exceptions)
- Subliminal manipulation
- Exploitation of vulnerabilities of specific groups
- Emotion recognition in workplaces/schools
High Risk
Strict requirements; these systems are subject to comprehensive compliance obligations:
- Creditworthiness assessment & scoring
- Risk assessment for insurance
- Access to essential services
- Biometric identification
- Recruitment & personnel evaluation
- Critical infrastructure
Limited Risk
Transparency obligations; users must be informed that they are interacting with AI:
- Chatbots
- Emotion recognition
- Deepfakes
- AI-generated content
Minimal Risk
No specific obligations; voluntary codes of conduct are recommended:
- Spam filters
- AI in video games
- Simple recommendation systems
EU AI Act in the Financial Sector
For banks and financial services providers, the EU AI Act is particularly relevant as many typical AI applications are classified as high-risk:
| AI Application | Risk Class | Typical Use |
|---|---|---|
| Credit Scoring | High-Risk | Automated creditworthiness assessment |
| Credit Decisions | High-Risk | Loan approval, limit decisions |
| Insurance Scoring | High-Risk | Premium calculation, risk assessment |
| Fraud Detection | High-Risk* | Transaction monitoring, AML |
| Robo-Advisory | Limited/High | Automated investment advice |
| Chatbots | Limited | Customer service |
| Document Processing | Minimal | OCR, data extraction |
* Fraud detection may be classified as high-risk depending on implementation, particularly when automated decisions with significant impact are made.
EU AI Act Timeline & Deadlines
The EU AI Act becomes applicable in phases. Here are the key deadlines:
Entry into Force (1 August 2024)
The EU AI Act enters into force.
Prohibited Practices (February 2025)
Prohibited AI practices must be discontinued (6 months after entry into force).
GPAI & Governance (August 2025)
Rules for general-purpose AI (e.g., ChatGPT) and governance structures apply (12 months after entry into force).
High-Risk AI (August 2026)
All high-risk requirements apply in full – including credit scoring!
Full Application (August 2027)
All provisions apply, including for certain embedded AI systems.
Time to Act!
By August 2026, all high-risk AI systems must be compliant. Start now with an inventory of your AI systems.
Requirements for High-Risk AI
Providers and deployers of high-risk AI systems must fulfil comprehensive requirements:
Risk Management System
- Identification of known & foreseeable risks
- Risk assessment and mitigation
- Continuous monitoring
- Documentation of all measures
Data Governance
- Ensuring training data quality
- Bias testing and avoidance
- Representativeness of datasets
- Documentation of data provenance
Technical Documentation
- Description of the AI system
- Documentation of the development process
- Performance metrics & limitations
- Conformity assessment
Transparency & Information
- Provide instructions for use
- Understandable explanation of functionality
- Provider contact details
- CE marking
Human Oversight
- Human-in-the-loop / Human-on-the-loop
- Ensure intervention capability
- Override/stop functionality
- Operator training
Robustness & Security
- Accuracy & reliability
- Cybersecurity measures
- Protection against manipulation
- Fault tolerance
Penalties for Violations
| Violation | Maximum Penalty (whichever is higher) |
|---|---|
| Prohibited AI practices | €35m or 7% of global annual turnover |
| High-risk requirements | €15m or 3% of global annual turnover |
| False information to authorities | €7.5m or 1.5% of global annual turnover |
EU AI Act Implementation: Step by Step
AI Inventory
Capture all AI systems in your organisation: in-house developments, purchased solutions, AI embedded in software. Use our AI Act Health Check for an initial overview.
Risk Classification
Assign each AI system to a risk class. Check particularly whether credit decisions, scoring or automated assessments are affected.
Conduct Gap Analysis
Compare the current state with EU AI Act requirements. Identify gaps in documentation, governance and technical measures.
Establish AI Governance
Set up responsibilities, processes and policies for AI deployment. Define who is accountable for compliance.
Create Documentation
Prepare the required technical documentation for high-risk systems: system description, risk assessment, test reports, instructions for use.
Implement Technical Measures
Deploy required technical controls: logging, human oversight, bias monitoring, explainability.
Continuous Monitoring
Establish processes for ongoing monitoring of your AI systems. The EU AI Act requires post-market monitoring for high-risk AI.
DORA & EU AI Act: Leveraging Synergies
For financial institutions, DORA and the EU AI Act overlap in several areas. An integrated compliance strategy saves effort:
| Topic | DORA | EU AI Act |
|---|---|---|
| Risk Management | ICT risk management framework | AI risk management system |
| Documentation | ICT asset register, policies | Technical documentation, AI inventory |
| Third Parties | ICT third-party risk | Requirements for AI providers |
| Testing | Resilience testing, TLPT | Robustness testing, bias checks |
| Governance | Management body responsibility | Human oversight, responsibilities |
| Incident Management | ICT incident reporting | Serious incident reporting |
Unified Risk Management
Integrate AI risks into your existing ICT risk management framework under DORA.
Consistent Governance
Leverage existing governance structures and extend them with AI-specific aspects.
Consolidated Documentation
Combine AI inventory and ICT asset register for a unified overview.
Why Niagon for Your EU AI Act Compliance?
Financial Sector Expertise
We understand the specific AI applications in banks: credit scoring, fraud detection, robo-advisory.
DORA + AI Act Combined
We develop integrated compliance strategies that efficiently cover both regulations.
Pragmatic Approach
No academic reports, but actionable implementation plans.
Our EU AI Act Services
- AI Act Health Check: Free initial assessment of your AI readiness
- AI Inventory: Systematic capture of all AI systems
- Risk Classification: Categorisation according to EU AI Act classes
- Gap Analysis: Identification of action required
- AI Governance: Establishment of structures and processes
- Documentation: Creation of required evidence
Frequently Asked Questions about the EU AI Act (FAQ)
What is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legislation regulating artificial intelligence. It entered into force on 1 August 2024 and will become fully applicable in phases through 2027.
Does the EU AI Act apply to banks?
Yes, the EU AI Act applies to all organisations that develop, deploy or offer AI systems in the EU – including banks and financial services providers. Particularly relevant are AI applications for creditworthiness assessment, fraud detection and automated decision-making.
What are high-risk AI systems in the financial sector?
In the financial sector, the following are considered high-risk AI: creditworthiness assessment, credit scoring, risk assessment for insurance, fraud detection with automated decisions, and AI systems for evaluating customers for financial services.
What penalties apply for EU AI Act violations?
Violations can result in fines of up to €35 million or 7% of global annual turnover for prohibited AI practices. For high-risk violations, up to €15 million or 3% of turnover.
When does the EU AI Act become fully applicable?
The EU AI Act becomes applicable in phases: prohibited practices from February 2025, high-risk AI from August 2026, and for certain AI models from August 2027. Banks should start preparing now.
What is AI risk classification?
The EU AI Act categorises AI systems into four risk classes: Prohibited (e.g., social scoring), High-risk (e.g., credit scoring), Limited risk (e.g., chatbots with transparency requirements) and Minimal risk (e.g., spam filters).
Do banks need an AI compliance officer?
The EU AI Act does not mandate a specific AI officer, but providers of high-risk AI must demonstrate a quality management system and appropriate governance structures. In practice, clear accountability for AI compliance is recommended.
How are the EU AI Act and DORA related?
DORA and the EU AI Act complement each other: DORA addresses digital resilience and ICT risks, whilst the AI Act specifically covers AI risks. Both require risk management systems, documentation and governance. An integrated compliance strategy makes sense.
What does EU AI Act compliance cost?
Costs vary considerably depending on the number and type of AI systems. For an initial gap analysis, expect €10,000–30,000. Total compliance costs depend on the complexity of the AI deployed.
How does Niagon support EU AI Act compliance?
Niagon offers: Free AI Act health check, AI inventory and risk classification, gap analysis, establishment of AI governance structures, documentation and audit preparation.
Ready for the EU AI Act?
Start now with our free AI Act Health Check and find out which of your AI systems are affected.