For financial institutions, the most important date in the EU AI Act calendar is 2 August 2026. That is when the Act's obligations for high-risk AI systems begin to apply — and, unlike a product launch, the deadline does not wait for systems that are already running. If a model is in production and falls into a high-risk category, it has to meet the requirements by then, regardless of when it was built.
Financial services sits closer to the front line of this than almost any other sector, because so many of the industry's everyday AI use cases land squarely in the Act's high-risk definitions.
Why banks and insurers are exposed
The Act singles out specific uses as high-risk, and several of them are core to finance: assessing the creditworthiness of individuals and credit scoring, and risk assessment and pricing in life and health insurance. Add the intense supervisory attention now falling on AI used in fraud detection and anti-money-laundering decisioning, and a large share of the models a typical institution runs are either in scope or close to it.
The deadline applies to systems already in production — so the work is not "before we launch", it is "before August 2026", on models that are live today.
What "high-risk" actually requires
High-risk status is not a label you disclose and move on from. It brings a set of obligations that touch how the system is built, run, and governed:
- A documented risk-management process that runs across the system's lifecycle.
- Data governance covering the quality, relevance, and representativeness of training and input data.
- Technical documentation and record-keeping, including logging that makes the system's behaviour traceable.
- Meaningful human oversight, designed in rather than bolted on.
- Appropriate levels of accuracy, robustness, and cybersecurity.
- Post-market monitoring once the system is in use.
The trap: treating it as a documentation exercise
The most common mistake we see is institutions approaching the Act as a paperwork problem — something the compliance team can describe after the fact. But most of these requirements are engineering properties. You cannot document your way to traceability, robustness, or human oversight if they were never built into the system. Compliance that is bolted on at the end tends to be both expensive and fragile, and it rarely survives contact with a supervisor's questions.
The institutions that will move fastest through August 2026 are the ones treating governance and engineering as the same effort: the controls the Act asks for are largely the controls that make an AI system trustworthy enough to run in a bank in the first place.
What to do now
- Inventory every AI and machine-learning system in use or in development — including the ones embedded in vendor products.
- Classify each against the Act's risk categories, and be honest about the borderline cases.
- Run a gap assessment for the high-risk systems against the obligations above.
- Build the missing controls into the model lifecycle, not into a separate binder.
- Assign clear accountability for each system, and start assembling the evidence a regulator would ask to see.
None of this is quick, which is precisely why the date matters. There is still time to do it properly — but less than the calendar suggests once you account for inventory, remediation, and testing.