Fintech · Compliance · EU Regulation

Your Fintech AI Is Probably Non-Compliant in Europe. The Deadline Is 81 Days Away.

Most fintech CTOs know August 2 is coming. Almost none have translated "EU AI Act compliance" into an actual engineering checklist. Here's what that checklist actually contains.

Countdown to August 2, 2026, the EU AI Act enforcement deadline for high-risk AI systems.
For fintech, it's not a soft landing — it's a hard line with a fine attached.

Most fintech CTOs we've spoken with this year know August 2 is coming. What fewer have done is translate "EU AI Act compliance" into an actual engineering and ops checklist — something their team can work through before the deadline, not a legal summary that lives in a Google Doc nobody opens.

This post is that checklist, worked through with clients across fintech and financial services: which systems are actually in scope, what the obligations require in practice, how DORA complicates things, and what 81 days of focused work can realistically accomplish.

One thing upfront: there's a proposed EU extension floating around — the Digital Omnibus package that could push Annex III obligations to December 2027. Don't build your plan around it. Regulators have issued no confirmation, and building your compliance strategy on an unconfirmed extension is exactly the kind of thing that ends careers when the extension doesn't materialize.

Does This Apply to Your Fintech?

The EU AI Act applies based on where your AI operates or whose lives it affects — not where your company is registered. A Latvian fintech processing French customer credit applications is in scope. A US neobank with EU customers is in scope. A SaaS company selling AI risk tools to European banks is in scope as a provider, even if they never touch end-user data themselves.

The Act distinguishes two roles with different obligations:

  • Provider — you built the AI system and place it on the EU market. Full technical documentation, conformity assessment, CE marking, EU database registration.
  • Deployer — you use someone else's AI system in your operations. Human oversight, monitoring, fundamental rights impact assessment for certain cases.

Many fintechs are both simultaneously: a deployer for the LLM APIs they use, and a provider for the risk models or scoring systems they've built and license to partners.

If your AI system influences whether a customer gets a loan, insurance policy, or access to a financial service — you are almost certainly a provider of a high-risk system under Annex III. That triggers the full compliance framework, not just transparency notices.

Which Systems Are High-Risk (and Which Aren't)

Annex III lists the categories that fall under the high-risk regime. For fintech, the relevant entries are under point 5 (access to essential private services) and point 1 (biometrics). This is where most teams get surprised.

| AI system | In scope? | Note |
|---|---|---|
| Credit scoring / creditworthiness assessment | IN SCOPE | Explicitly listed. No grey area. |
| Insurance risk pricing / underwriting AI | IN SCOPE | Annex III point 5(c). |
| Biometric verification / eKYC face matching | IN SCOPE | Any biometric-based identity verification. |
| Loan approval decisioning AI | IN SCOPE | Affects access to essential financial services. |
| Fraud detection AI | EXCLUDED* | Explicitly excluded. Still needs DORA alignment. |
| Transaction monitoring / AML screening | DEPENDS | If outputs restrict customer access — likely in scope. |
| Customer service chatbots | LIMITED RISK | Transparency disclosure required only. |
| Internal productivity tools | OUT | Minimal risk. No mandatory obligations. |

The fraud detection exclusion surprises most teams. It's explicit in the legislative text. But — and this matters — if your fraud detection system triggers account suspension or restricts a customer's access to their money, the analysis changes and you should get a legal opinion before assuming you're out of scope.

The fine structure

What Non-Compliance Actually Costs

  • Max fine — prohibited practices: €35M or 7% of global annual turnover — whichever is higher.
  • Fine — high-risk non-compliance: €15M or 3% of global turnover. For a €50M fintech: €1.5M minimum.
  • Fine — wrong info to authorities: €7.5M or 1% of global turnover. Stacks on top of other violations.

EU AI Act fines are additive to GDPR penalties. A high-risk AI system that also processes personal data non-compliantly exposes you to enforcement from two separate regulatory frameworks simultaneously. A biased credit scoring model that also mishandles personal data could trigger both an AI Act violation and a GDPR violation. Build your compliance program to cover both from the start.

The DORA overlap

The Problem Nobody Mentions: DORA

If you operate in EU financial services, you're also subject to DORA — the Digital Operational Resilience Act, fully applicable since January 17, 2025. The AI Act and DORA overlap significantly, and most compliance guides treat them as separate workstreams.

Building two separate compliance programmes is the most expensive mistake a fintech CTO can make right now.

01 — ICT Risk Management

DORA requires an ICT risk management framework. The AI Act's Article 9 requires a risk management system for high-risk AI. Extend your existing DORA ICT risk framework to include AI-specific risks — don't build a parallel system from scratch.

02 — Register of Information

DORA requires a Register of Information covering all ICT third-party service providers. Third-party AI systems (LLM APIs, scoring models, identity verification services) need to be in your DORA register and covered by the AI Act's vendor documentation requirements. One register, two compliance uses.

03 — Incident Reporting

Both frameworks require incident reporting. An AI system failure that triggers a DORA ICT incident may also require an AI Act notification to the relevant market surveillance authority. Coordinate these processes now, not during an incident.

What ready looks like

What "Ready" Actually Means Technically

| Article | Requirement | What it means in practice | Effort |
|---|---|---|---|
| Art. 9 | Risk Management System | Documented lifecycle process for identifying, evaluating, and mitigating AI risks. Must be updated continuously, not just at deployment. | Medium |
| Art. 10 | Data Governance | Training data documented with sources, bias testing results, known limitations. Data pipelines auditable. | Medium |
| Art. 11 | Technical Documentation | Full system architecture, training methodology, performance benchmarks. Ready for regulator review on request. | Medium |
| Art. 13 | Transparency & Logging | Automatic logging at every inference that produces a material output. Logs must enable post-hoc review. This is an architecture change, not a config change. | Hard |
| Art. 14 | Human Oversight | "A human can see the output" is not sufficient. The system must support meaningful intervention, override, and audit — not just observation. | Hard |
| Art. 43 | Conformity Assessment | Self-assessment for most systems. CE marking and EU database registration required. | Hard |

Articles 13 and 14 consistently take longer than expected. Logging at inference level for a high-volume credit scoring system isn't a weekend task. Human oversight that satisfies the regulation isn't a dashboard — it's an operational workflow with documented escalation paths, trained staff, and tested override mechanisms.
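As an added example (not code from the original post), here is the shape the Article 13 and 14 requirements above take in code: a minimal, hash-chained decision log in which every material inference is recorded with the model version, a hash of the input features and the output, and a reviewer override is appended as a new record that references the original decision instead of editing it. The field names, the sample model version and the feature set are assumptions, not taken from the page.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record

def _digest(obj) -> str:
    # Canonical SHA-256 of a JSON-serialisable object (stable key order).
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class DecisionLog:
    # Append-only, hash-chained log of inferences and human overrides (assumed schema).
    def __init__(self):
        self.records = []

    def _append(self, payload: dict) -> dict:
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "prev_hash": prev,
                "ts": datetime.now(timezone.utc).isoformat(), **payload}
        body["record_hash"] = _digest(body)  # hash covers every field above
        self.records.append(body)
        return body

    def log_inference(self, model_version, features, output, review_required):
        # Store a hash of the features, not the raw personal data.
        return self._append({"kind": "inference", "model_version": model_version,
                             "input_hash": _digest(features), "output": output,
                             "review_required": review_required})

    def log_override(self, seq, reviewer_id, new_output, reason):
        # An override is a new record that points at the original, never an edit.
        original = self.records[seq]
        return self._append({"kind": "override", "overrides_seq": seq,
                             "overrides_hash": original["record_hash"], "reviewer_id": reviewer_id,
                             "output": new_output, "reason": reason})

    def effective_output(self, seq):
        # The latest override of decision `seq` wins; otherwise the model output.
        overrides = [r for r in self.records if r.get("overrides_seq") == seq]
        return (overrides[-1] if overrides else self.records[seq])["output"]

    def verify(self) -> bool:
        # Recompute the chain; False if a record was altered or spliced out of the middle.
        prev = GENESIS
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "record_hash"}
            if r["prev_hash"] != prev or _digest(body) != r["record_hash"]:
                return False
            prev = r["record_hash"]
        return True
```

In production the records would go to append-only storage rather than a list, but the review question stays the same: can a regulator reconstruct what the model decided, what a human changed, and whether anything was altered afterwards.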

The 81-day plan

What to Do Between Now and August 2

Week 1–2 — Now: Inventory and classify every AI system
List every AI system your company builds or uses. Map each one against Annex III. Mark high-risk, limited-risk, minimal-risk. Identify whether you are provider, deployer, or both. This is the foundation — everything else builds on it.

Week 3–4: Gap analysis on high-risk systems
For each high-risk system, assess current state against Articles 9, 10, 11, 13, 14, 17, and 43. Prioritize Articles 13 and 14 immediately — they take the most engineering time.

Week 5–8: Engineering sprint — logging and human oversight
Build inference logging infrastructure. Design and implement human oversight workflows. Update vendor contracts to include audit rights. This is the heaviest technical lift — it needs dedicated engineering capacity, not a side project.

Week 9–10: Documentation and Quality Management System
Produce or finalize technical documentation for each high-risk system. Write the Quality Management System (Art. 17). Complete risk management documentation. Can run in parallel with the engineering work.

Week 11: Conformity assessment and EU registration
Complete self-assessment. Affix CE marking. Register in the EU AI Act database. This requires all documentation to be complete first.

August 2, 2026: Enforcement begins
High-risk AI system obligations become fully enforceable. Your systems should be compliant, documented, and operational with oversight mechanisms live.

81 days is tight but workable — with the right prioritization. The engineering work for logging and human oversight takes 4–6 weeks minimum for a system already in production. Starting in July means you don't finish in time.

Final word

What Happens to the Teams That Miss It

The honest answer: enforcement in the first months after August 2 will almost certainly focus on egregious cases, not on every fintech that's 30 days behind on documentation. But that's not a strategy.

The risk of waiting isn't just the fine. It's every day after August 2 that your non-compliant system processes EU customer data.

  • The companies that will be fine: Those who complete the inventory now and build compliance infrastructure that also improves their AI operations — better logging, clearer oversight, documented risk management.
  • The companies that will scramble: Those waiting for the extension that may not come, spending Q3 2026 in emergency compliance mode, pulling engineering teams off product work.
  • The companies that will get fined: Those who have material compliance gaps when an incident draws regulatory attention — a discriminatory credit decision, a biometric system failure, a customer complaint that reaches the DPA.

The infrastructure you build to satisfy the EU AI Act — inference logging, human oversight workflows, auditable data pipelines — is the same infrastructure that makes your AI systems trustworthy, debuggable, and scalable. The compliance work and the engineering work are the same work.

81 days. Start this week.
