
Who needs to comply with the EU AI Act?

Quick answer

Any organization that develops or deploys an AI system used in the EU must comply, regardless of where it is based. Non-EU companies are in scope when their AI's output is used in the EU. Credit scoring and life or health insurance pricing are classified high-risk under Annex III, which carries the Act's strictest pre-deployment requirements. Fraud detection is expressly carved out of the creditworthiness category, so it is not high-risk on that ground.

The full answer

The EU AI Act (Regulation (EU) 2024/1689) defines its scope in Article 2. The geographic trigger is the EU market and the use of AI output in the EU. Four categories of operator carry binding obligations.

Providers develop an AI system (or have it developed) and place it on the EU market under their own name. The heavier set of requirements lives here: technical documentation before deployment, a conformity assessment, registration in the EU database for high-risk systems, post-market monitoring, and CE marking for high-risk systems. A non-EU company that places an AI system on the EU market through any distribution channel is a provider.

Deployers use AI systems under their own authority in a professional context in the EU. Banks, insurers, asset managers, and payment processors using vendor AI for decisions affecting EU customers are deployers, with obligations set out in Article 26. They must use the system in accordance with the provider's instructions for use, assign human oversight to competent staff, keep the automatically generated logs under their control, and inform affected persons when a high-risk system makes or assists decisions about them. Article 27 adds a fundamental rights impact assessment (FRIA) before first use for public bodies, private entities providing public services, and, relevant here, any deployer of the Annex III point 5(b) and 5(c) systems: creditworthiness assessment and life or health insurance risk assessment and pricing.

Importers and distributors are in scope too. Under Article 25, a distributor, importer, deployer, or other third party that puts its name on a high-risk system, substantially modifies it, or changes its intended purpose so that it becomes high-risk is treated as the provider of that system and inherits the provider obligations.

The extraterritorial reach is real. Article 2(1)(c) captures providers and deployers located in a third country when the output produced by the AI system is used in the EU. A US bank running AI credit decisions for European customers is in scope. A Tokyo-based AI vendor supplying fraud models to Belgian banks is in scope as a provider placing a system on the EU market. This mechanism mirrors GDPR, which regulators have already enforced extraterritorially. It is not an edge case; it is the baseline.

High-risk financial services AI

Annex III lists the categories. Financial services appears in up to three of the eight areas, with important limits on each:

  • Point 2 (Critical infrastructure): AI used as a safety component in the management and operation of critical digital infrastructure. Payment and settlement systems are only caught where they meet that definition; most core-banking AI will not.
  • Point 4 (Employment): AI used in recruitment, selection, work allocation, or performance monitoring of employees, at any employer, regulated financial firms included.
  • Point 5(b) and 5(c) (Essential private services): AI assessing the creditworthiness of natural persons or establishing their credit score, excluding systems used to detect financial fraud; and AI used for risk assessment and pricing in life and health insurance. Claims handling and non-life insurance pricing are not listed.

High-risk classification triggers the provider requirements in Articles 9 through 15, all of which must be met before the system is placed on the market: a risk management system (Article 9), data and data governance (Article 10), technical documentation (Article 11), automatic record-keeping (Article 12), transparency and instructions for deployers (Article 13), human oversight (Article 14), and accuracy, robustness, and cybersecurity (Article 15). A conformity assessment under Article 43 then confirms compliance, followed by registration in the EU database and CE marking.

When each part of the Act applies matters for planning. The Annex III high-risk obligations apply from 2 August 2026, which is closer than it looks for organizations that must build documentation and testing programs from scratch. Banks using AI for AML transaction monitoring should assess and document now whether each system falls under a high-risk category (transaction monitoring and fraud detection usually will not; credit decisioning will), because building compliant risk management and data governance programs takes 12 to 18 months at most institutions.

GPAI model obligations

From 2 August 2025, providers of general-purpose AI (GPAI) models have separate obligations under Chapter V (Articles 51 to 56). Financial institutions running large language models in regulated workflows (document review, customer risk assessment, automated advisory outputs) need to track this parallel track.

Models whose training used more than 10^25 FLOPs of cumulative compute are presumed under Article 51 to carry systemic risk, and the Commission can designate others. Their providers face the Article 55 obligations: model evaluation including documented adversarial testing, assessment and mitigation of systemic risks, reporting of serious incidents to the AI Office, and adequate cybersecurity protection for the model and its infrastructure. A financial firm that fine-tunes a foundation model for internal credit assessment may become a GPAI provider for the modified model, not just a deployer. That distinction matters because provider obligations significantly exceed deployer obligations.

Enforcement structure

Each EU member state designates national market surveillance authorities. The AI Office within the European Commission supervises GPAI models directly. For financial sector AI the Act is specific: under Article 74(6), where a high-risk AI system is placed on the market or used by a financial institution regulated under EU financial services law, in direct connection with those services, the market surveillance authority is the national authority that already supervises that institution. Prudential supervisors, including the ECB's Single Supervisory Mechanism for significant banks, will therefore see AI Act compliance inside their existing examination cycle; the SSM has already flagged AI and digitalisation in its supervisory priorities for 2025 and 2026.

Penalties under Article 99 follow a tiered structure, each expressed as a fixed amount or a share of global annual turnover, whichever is higher. Prohibited AI practices carry up to €35 million or 7%. Most other violations, including the high-risk and GPAI obligations, carry up to €15 million or 3%. Supplying incorrect, incomplete, or misleading information to regulators carries up to €7.5 million or 1%. For a bank with €10 billion in annual turnover, the 3% tier alone is €300 million.

Compliance gaps in AI governance feed directly into regulatory exam risk. Supervisors who find inadequate AI risk management during routine exams will not view this favorably, and the path from exam failure to enforcement action is well-documented.

What compliance actually requires

Most financial services firms will need to work through five steps:

  1. Inventory all AI systems in production and map each against Annex III to determine its risk classification, recording the reasoning for systems judged not high-risk
  2. For high-risk systems where the firm is the provider: build a risk management system, document training data governance, implement automatic logging, and design human oversight controls; where the firm deploys a vendor system, obtain the provider's instructions for use and technical documentation and implement the Article 26 controls
  3. Conduct a FRIA under Article 27 before first use of Annex III point 5(b) or 5(c) systems (credit scoring, life and health insurance pricing)
  4. Ensure high-risk systems are registered in the EU database before 2 August 2026; registration is the provider's obligation, so for vendor systems confirm contractually that it has been done
  5. Establish serious-incident reporting processes: providers report to the market surveillance authority under Article 73, and deployers must inform the provider, importer or distributor, and the authority, when they identify a serious incident

The EBA has indicated that AI Act compliance will intersect with existing model risk management expectations, including EBA/GL/2021/14. Institutions with documented model risk governance already in place have a measurable head start, since much of the Article 9 risk management and Article 10 data governance material can be built on existing model inventories and validation records. Institutions that do not will be building both programs simultaneously.

The official text of Regulation EU 2024/1689 is available on EUR-Lex. The European Commission's AI regulatory framework page publishes updated implementation guidance as secondary legislation is issued.


Why this matters

Financial services firms that assume the EU AI Act only applies to EU-based companies are wrong, and that assumption is expensive. The extraterritorial reach in Article 2 is explicit. Credit scoring and life or health insurance pricing AI do not get treated as "limited risk" simply because the firm developing or deploying them is headquartered outside the EU.

The high-risk classification for credit and insurance AI is particularly consequential. Under GDPR, the obligations on financial AI were indirect (the automated decision-making rights in Article 22); the EU AI Act creates direct technical requirements: automatic logging, conformity assessments, risk management programs, human oversight mechanisms. These do not exist in most non-European AI development workflows today.

Compliance failures can trigger regulatory exams and, in serious cases, enforcement action that looks a lot like what happens when a bank fails an AML exam: remediation orders, potential monitor appointments, and reputational damage that outlasts the fine. The penalties are large enough that no compliance team can treat this as a medium-term problem.

Banks using AI in perpetual KYC workflows or transaction monitoring need to assess their Annex III exposure now. Those systems will often fall outside point 5(b), which covers creditworthiness assessment and carves out fraud detection, but the assessment must be documented, and credit decisioning and life or health insurance pricing are squarely in scope. The 2 August 2026 deadline sounds distant. A realistic implementation program, including vendor contract renegotiations and conformity assessment preparation, does not leave much runway.

