European Union: AI Act & GDPR

The EU AI Act

The EU AI Act is the world's first comprehensive AI legislation. Entered into force on August 1, 2024, it establishes a risk-based regulatory framework with phased implementation running through August 2027. For financial institutions, the most consequential provisions are the high-risk requirements that take full effect in August 2026.

Implementation Timeline

In Force

February 2025 — Prohibited AI practices banned. Social scoring, real-time biometric surveillance (with exceptions), and manipulation techniques are outlawed across the EU.

In Force

August 2025 — General-purpose AI (GPAI) model obligations. Providers of GPAI models must comply with transparency requirements, copyright safeguards, and systemic risk assessments.

Aug 2026

August 2026 — Full high-risk requirements. Conformity assessments, technical documentation, risk management systems, human oversight, and post-market monitoring obligations become enforceable.

Aug 2027

August 2027 — Regulated product AI systems. AI embedded in products already subject to EU product safety legislation (medical devices, machinery, etc.) must comply.

Risk Classification

The AI Act establishes four tiers of risk, each with different regulatory obligations:

Unacceptable Risk — Banned outright. Includes social scoring, manipulative AI, and certain biometric applications.
High-Risk — Subject to the full suite of compliance obligations: conformity assessments, documentation, risk management, human oversight, accuracy and robustness requirements.
Limited Risk — Transparency obligations only. Users must be informed they are interacting with AI.
Minimal Risk — No specific obligations, though voluntary codes of conduct are encouraged.

Financial Services High-Risk Use Cases

The AI Act explicitly classifies the following financial services applications as high-risk:

Credit scoring and creditworthiness evaluation of natural persons
Insurance risk assessment and pricing for natural persons
AI systems used to evaluate creditworthiness or establish credit scores, with the exception of systems detecting financial fraud

In practice, the majority of AI systems deployed by financial institutions — from customer-facing chatbots making product recommendations to internal risk models — will require careful assessment against the high-risk classification criteria.

Penalties

The enforcement regime is substantial and designed to ensure compliance:

Prohibited practices: up to €35 million or 7% of global annual turnover, whichever is higher
High-risk non-compliance: up to €15 million or 3% of global annual turnover
Incorrect information to authorities: up to €7.5 million or 1% of global annual turnover

GDPR Intersection

The GDPR intersects with AI governance at every point where AI processes personal data — which in financial services means virtually every AI use case. The two frameworks create overlapping but distinct obligations that must be addressed holistically.

The GDPR intersects with AI governance at every point where AI processes personal data — which in financial services means virtually every AI use case.

Article 22: Automated Decision-Making

GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. For financial institutions, this creates specific obligations around credit decisions, insurance underwriting, and fraud detection that must be reconciled with AI Act requirements.

Data Protection Impact Assessments

DPIAs are required under GDPR for high-risk processing activities. AI-driven financial services applications almost universally trigger DPIA requirements, and these assessments must now be coordinated with the AI Act's conformity assessment requirements to avoid duplication and ensure consistency.

Right to Explanation

GDPR's requirements for meaningful information about the logic involved in automated decisions dovetail with the AI Act's transparency and explainability requirements. Financial institutions must develop explanation capabilities that satisfy both frameworks simultaneously.

How Corvair Addresses EU Requirements

Corvair's composable lens architecture and SCAR scoring methodology map directly to the EU AI Act's fairness and explainability requirements. Each governance lens generates auditable, structured evidence that can be presented to EU regulators in the format they expect, while simultaneously satisfying MAS AIRG and other jurisdictional requirements.

The result is a single governance architecture that produces EU-compliant documentation as a natural output of ongoing AI operations, rather than a separate compliance exercise conducted after the fact.

Explore Other Jurisdictions

Prepare for the EU AI Act

Understand how high-risk classification applies to your AI systems and what you need to do before August 2026.

Schedule a Briefing