EU AI Act Compliance Readiness Survey: 2024 Statistics, Trends, and Analysis

Just 26.2% of firms surveyed had actively started EU AI Act compliance preparations as of September 2024, according to a Deloitte Legal Germany study of 500 AI decision-makers. A further 48.6% had not seriously engaged at all. A March 2026 Cloud Security Alliance research note found more than half of organisations still lacked a basic AI system inventory.

Methodology

These figures draw from two primary datasets. The first is the Deloitte Legal Germany AI Act Survey, published September 2024, which polled 500 managers actively involved in AI decisions at German companies. It assessed preparedness levels, measures already in place, and attitudes toward the regulation's effect on innovation. The survey captured sentiment roughly one month after the EU AI Act formally entered into force on 1 August 2024.

The second is the Cloud Security Alliance Research Note "EU AI Act High-Risk Deadline: Enterprise Readiness Gap," published 13 March 2026, which synthesises cross-industry data on compliance programme maturity, AI inventory completion, and harmonised standards adoption across EU member states.

Compliance cost data comes from an academic analysis published on ResearchGate (2025/2026) that examined cost structures using a Compliance Cost Profile methodology applied to EU digital firms deploying or providing AI systems. Banking-specific figures draw from the 2024 joint CSSF/BCL survey of Luxembourg's financial sector and the European Banking Authority's November 2025 factsheet on AI Act implications for banking and payments.

One caveat: the Deloitte survey covers German companies only. Germany's regulatory environment is among the most demanding in the EU, so these readiness figures may represent a ceiling for preparedness across the bloc rather than an average. The CSA research note covers firms globally, not EU-only.

Full data table

| Finding | Rate or Figure | Reference Year | Source |
|---|---|---|---|
| Firms that had actively started compliance preparations | 26.2% | 2024 | Deloitte Legal Germany, AI Act Survey |
| Firms not yet seriously engaged with the AI Act | 48.6% | 2024 | Deloitte Legal Germany, AI Act Survey |
| Firms that feel well prepared | 35.7% | 2024 | Deloitte Legal Germany, AI Act Survey |
| Firms with zero compliance measures in place | 53.8% | 2024 | Deloitte Legal Germany, AI Act Survey |
| Firms fearing regulation will restrict AI innovation | 52.3% | 2024 | Deloitte Legal Germany, AI Act Survey |
| Organisations lacking a systematic AI system inventory | >50% | 2026 | Cloud Security Alliance Research Note |
| Luxembourg financial institutions with AI in production or development | 28% | 2024 | CSSF/BCL joint survey |
| Luxembourg banks specifically with AI in production | 38% | 2024 | CSSF/BCL joint survey |
| Banks with dedicated AI oversight policies or committees | ~50% | 2025 | EBA factsheet on AI Act and banking sector |
| Annual compliance cost per AI system (est.) | €29,277 | 2025/2026 | ResearchGate academic study |
| Maximum fine for high-risk AI non-compliance | €35 million or 7% global annual turnover | 2024 | EU AI Act, Article 99 |

Sources: Deloitte Legal Germany (September 2024); Cloud Security Alliance (March 2026); CSSF/BCL (2024); EBA (November 2025); ResearchGate compliance readiness study (2025/2026); Official EU AI Act text, Regulation (EU) 2024/1689.

Key findings

Under a third of firms had started serious preparations by late 2024. The Deloitte Legal Germany survey found that just 26.2% of 500 AI decision-makers had actively begun compliance work by September 2024. That's one month after the Act entered into force. 53.8% had not implemented any concrete measures: no task force, no designated department, no dedicated project. The word "preparation" is generous for what most organisations had done.

The prerequisite step is still missing at most organisations. The CSA's March 2026 research note found that more than half of organisations have not established systematic inventories of their AI systems. You can't classify risk, complete a conformity assessment, or produce required documentation without first knowing what AI systems you actually operate. Many firms haven't cleared this baseline, let alone what comes after it.

Banks are ahead of the cross-industry average, but still exposed. The 2024 CSSF/BCL survey in Luxembourg found 38% of banks had AI systems in production or development, with fraud detection, AML monitoring, and customer onboarding as the most common uses. The EBA's November 2025 factsheet confirmed that these exact systems, namely those used for credit scoring, transaction monitoring, and customer profiling, sit in the high-risk category. That classification brings documentation, human oversight, and data governance obligations that go beyond what most AML compliance programmes currently deliver.

Compliance costs are higher than most institutions have budgeted. An academic analysis on ResearchGate estimates annual compliance costs at approximately €29,277 per AI system. A quality management system built from scratch adds €193,000 to €330,000 in one-time costs, plus roughly €71,400 annually. For a mid-size bank running 15 to 20 AI systems across credit, fraud, and KYC, the total annual spend could exceed €400,000 before audit and legal fees.

Readiness gaps are partly driven by regulatory uncertainty, not just inaction. Three forms of uncertainty slowed early preparation: interpretive (what obligations actually require), operational (how to instantiate them across heterogeneous systems), and procedural (evolving standards, delayed notified body designation). Harmonised technical standards entered the enquiry phase eight months late, in October 2025. That left firms waiting before they could build standards-based conformity assessment processes, compressing the timeline further.

Year-over-year trends

Before August 2024, there was no compliance readiness to measure: the EU AI Act wasn't binding.

By September 2024, Deloitte found 26.2% actively preparing, with 48.6% not yet engaged. AI literacy training obligations didn't apply until 2 February 2025, and the original hard deadline for high-risk systems was 2 August 2026, so most firms treated preparation as something they'd address later.

By early 2026, CSA data showed more than half of organisations still lacked a basic AI system inventory. Despite 18 months having passed since entry into force, foundational steps remained incomplete at most enterprises. The window between standards finalisation (October 2025) and the original August 2026 deadline gave firms less than 12 months to implement standards-based conformity assessments.

In May 2026, the EU AI Act Omnibus provisional agreement deferred several key high-risk deadlines. Annex III systems (credit scoring, recruitment, law enforcement AI) now face a deadline of 2 December 2027. Annex I systems embedded in regulated products must comply by 2 August 2028. The deferral relieves some immediate pressure but doesn't change the underlying readiness gap.

History is instructive here. When DORA's deadline approached, firms that treated earlier extensions as permission to restart the clock from zero faced acute cost spikes and supervisory friction at the final date. The same pattern is visible across PSD2 SCA implementation. Firms that interpret the Omnibus deferral as additional breathing room rather than additional runway will face a harder 2027 than those that used 2026 to build the inventory and governance foundation.

The trajectory across 2024 to 2026 is slow, uneven acceleration. Financial institutions track ahead of cross-industry averages, but not by enough to be comfortable given the scope of high-risk obligations attached to their core AI systems.

What this means for compliance teams

For financial institutions, the readiness gap is a concrete operational risk. Credit scoring, fraud detection, AML transaction monitoring, and automated customer onboarding all sit in the high-risk tier. Each requires a documented risk management system, human oversight mechanisms, audit logs, and evidence of data governance. Some of these requirements exist in partial form under DORA, CRD V, or EBA model risk guidance, but the AI Act formalises and extends them to every covered AI system in the estate.

The most urgent step is inventory. A register of every AI system in operation, including vendor-supplied systems embedded in core banking platforms, is the foundation for every subsequent compliance step. Regulatory Compliance Automation is the infrastructure that makes this tractable at scale: systematic, auditable, and repeatable rather than a one-time spreadsheet exercise.

For fraud and AML teams, the Act's explainability and human oversight requirements intersect directly with existing supervisory expectations. Transaction Monitoring systems that already generate decision trails and alert rationales are much closer to compliance than black-box models. A system that can't explain why a transaction was flagged will need structural redesign, not just additional documentation layers.

KYC and onboarding pipelines are a particular flashpoint. Automated identity verification and credit risk scoring both fall in the high-risk tier. Any institution running opaque matching logic for Identity Verification and KYC/AML Automation faces dual exposure: AI Act non-compliance and continued FATF scrutiny on Customer Due Diligence quality. Addressing both at once, with auditable decision logs and human review checkpoints, is more efficient than treating them as separate regulatory workstreams.

The asymmetry is stark. Planned compliance costs roughly €29,277 per system per year. Non-compliance fines cap at €35 million or 7% of global annual turnover. For a bank with €5 billion in annual revenue, that 7% ceiling is €350 million. AI-Powered Fraud Detection architectures built with this exposure in mind look very different from those designed before the Act came into force.
