EU AI Act · Financial Services · 5 Tools

EU AI Act — Financial Services Compliance Hub

Five deterministic, browser-based tools covering the full EU AI Act compliance lifecycle for financial services firms — from Annex III risk classification through Article 9 risk management, Article 10 data governance, provider vs deployer obligation mapping, and regulatory change impact assessment. EU Regulation 2024/1689. Zero PII.

Annex III · High-Risk Obligations | Art. 9 Risk Mgmt · Art. 10 Data Gov | Provider vs Deployer Split | Reg Change Impact Assessment | Zero PII · Client-Side
2 Aug 2026
GPAI & High-Risk obligations: 8 weeks away. Credit scoring, fraud detection, AML profiling, underwriting, and biometric KYC systems face full Annex III compliance requirements. Article 9 risk management systems must be in place.
All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
Key Deadlines

EU AI Act Enforcement Timeline

Three enforcement waves hit financial services. Article 5 prohibitions are already live. GPAI and high-risk obligations land August 2026 — 8 weeks away. Full Annex III framework extends to 2027.

  1. 2 February 2026 · Article 5 — Prohibited AI Systems · ● LIVE NOW

    Absolute bans on social scoring by public authorities, real-time biometric surveillance in public spaces (with narrow exceptions), and AI exploiting psychological vulnerabilities. Financial firms using AI for customer profiling must screen against Article 5 immediately.

  2. 2 August 2026 · GPAI Obligations (Articles 53 & 55) + High-Risk Obligations Begin · ▲ 8 WEEKS AWAY

    General-Purpose AI model transparency obligations effective (Article 53). For models with systemic risk (>10²⁵ FLOPs), Article 55 adversarial testing and incident reporting apply. Financial services firms using credit scoring, fraud detection, AML profiling, or biometric KYC must have Article 9 risk management systems and Article 10 data governance frameworks in place.

  3. 2 August 2027 · Full Annex III High-Risk Framework · ○ PENDING

    Complete compliance requirements for all Annex III high-risk systems: technical documentation (Art. 11), logging (Art. 12), transparency to deployers (Art. 13), human oversight (Art. 14), accuracy & robustness (Art. 15), QMS (Art. 17), EU AI database registration (Art. 49). Biometric verification, credit scoring, and insurance underwriting AI all covered.

  4. 2 August 2030 · Annex I Systems (Existing EU Regulated Products) · ○ PENDING

    AI systems already subject to conformity assessment under existing EU financial services law (CRD VI, Solvency II, MiFID II) have extended transition to August 2030 under Article 113(12).

High-Risk Use Cases

Financial Services AI Under Annex III

These financial services AI use cases are explicitly or presumptively classified as high-risk under EU AI Act Annex III §1 (biometrics) and §5(b) (access to essential private services). Full compliance obligations apply from 2 August 2026.

| Use Case | Annex III Reference | Risk Tier | Key Obligation Trigger |
|---|---|---|---|
| Credit scoring & creditworthiness assessment (natural persons) | Annex III §5(b) | HIGH RISK | Art. 9 risk management system, Art. 10 data governance, Art. 14 human oversight |
| Automated fraud detection — account blocking (no human gate) | Annex III §5(b) | HIGH RISK | Art. 14 mandatory human override capability before any access block |
| AML transaction monitoring — automated account restriction | Annex III §5(b) | HIGH RISK | Art. 9 + Art. 12 logging; Art. 14 human-in-the-loop for account restrictions |
| Life / health insurance underwriting & pricing (natural persons) | Annex III §5(b) | HIGH RISK | Art. 10 dataset quality criteria; Art. 15 accuracy declaration required |
| Remote biometric verification / facial recognition for KYC onboarding | Annex III §1(a) | HIGH RISK | Art. 9 + Art. 17 QMS; real-time biometric ID in public spaces → Art. 5 prohibited |
| KYC risk scoring determining access to financial services (natural persons) | Annex III §5(b) | HIGH RISK | Full Art. 9–17 obligations; Art. 49 EU AI database registration |
| AI in critical financial infrastructure safety components | Annex III §2 | HIGH RISK | Art. 15 robustness & cybersecurity; Art. 11 technical documentation |
| Real-time biometric identification in publicly accessible spaces | Article 5(1)(d) | PROHIBITED | Cannot be placed on market or put into service — Article 5 absolute prohibition |

Five-Tool Workflow

Risk Classification → Compliance Mandate

Follow this five-step sequence to move from initial AI system classification through full August 2026 readiness. Each tool outputs structured data compatible with the AP2 Policy Mandate format.

01 Classify Risk Tier T327
02 Art. 9 Risk Mgmt System T333
03 Art. 10 Data Governance T334
04 Obligations Provider / Deployer T335
05 Change Impact Reg Landscape T318
  1. Classify Your AI System Risk Tier

    Start with T327 to determine whether your AI system is prohibited, high-risk, limited, or minimal risk under EU AI Act Annex III. Select use case category (credit, fraud, AML, KYC, insurance), apply context qualifiers, and receive a classification with legal basis, compliance deadline, and full obligation checklist.

    T327 Risk Class Mapper
  2. Build Your Article 9 Risk Management System

    For high-risk systems, use T333 to design the Article 9 risk management system. The builder maps your AI system's risk identification process, mitigation measures, residual risk thresholds, and continuous monitoring obligations into a scored gap assessment with remediation priorities.

    T333 Art. 9 Risk Mgmt Builder
  3. Map Article 10 Data Governance Requirements

    Use T334 to assess your training, validation, and testing datasets against Article 10 quality criteria: relevance, representativeness, freedom from errors, and completeness. Outputs a data governance gap score, dataset lineage requirements, and bias assessment obligations.

    T334 Art. 10 Data Governance Mapper
  4. Split Provider vs Deployer Obligations

    Use T335 to determine which obligations fall on your organisation based on whether you are a provider (places AI on market or puts into service under your name) or a deployer (uses a third-party AI system). Critical for financial institutions using vendor AI systems — many Article 14 and Article 26 obligations shift to deployers.

    T335 Provider/Deployer Splitter
  5. Assess Regulatory Change Impact

    Use T318 to model the impact of EU AI Act enforcement on your existing compliance stack. Cross-map with DORA, MiFID II, CRD VI, and PSD3 obligations already in flight. Outputs a regulatory change impact score and resource prioritisation matrix for your compliance programme.

    T318 Reg Change Impact Assessor
Group A · Risk Classification (T327)
T327 · Annex III · Article 6

EU AI Act Article 6 Risk-Class Mapper — Financial Services

Classify financial services AI under EU AI Act Annex III. Determines Unacceptable, High-Risk, Limited, and Minimal risk tiers with precise legal basis (Article 6 + Annex III reference), compliance obligations by article, enforcement deadlines, and plain-English compliance brief. AP2 JSON export. Client-side. Zero PII.

Group B · Article 9 & 10 Compliance (T333, T334)
T333 · Article 9 · Risk Mgmt

EU AI Act Article 9 Risk Management System Builder

Design a compliant Article 9 risk management system for high-risk AI. Maps risk identification, analysis, estimation, and evaluation processes. Scores gap against EU AI Act requirements. Outputs remediation priorities and AP2 Policy Mandate JSON. Client-side. Zero PII.

T334 · Article 10 · Data Gov

EU AI Act Article 10 Data Governance Mapper

Assess training, validation, and testing datasets against Article 10 quality criteria. Relevance, representativeness, bias detection, data lineage, and provenance requirements. Gaps scored 0–100. Data governance remediation plan and AP2 JSON export. Client-side. Zero PII.

Group C · Obligation Split & Change Impact (T335, T318)
T335 · Provider · Deployer

Provider vs Deployer Obligations Splitter

Determine which EU AI Act obligations apply to your role. Provider obligations: Art. 9–17, 49 (technical documentation, QMS, EU AI database). Deployer obligations: Art. 14 (human oversight), Art. 26 (use instructions, logging, transparency to affected persons). Critical for firms using vendor AI. AP2 JSON. Client-side. Zero PII.

T318 · Reg Change · Impact

Regulatory Change Impact Assessor

Model the impact of new regulatory requirements on your existing compliance stack. Cross-maps EU AI Act with DORA, MiFID II, CRD VI, PSD3, and other in-flight regulations. Outputs a change impact score, overlap analysis, resource prioritisation matrix, and remediation timeline. Client-side. Zero PII.


v1.0 · June 2026 · 5 tools · EU AI Act Financial Services · EU Regulation 2024/1689

Obligations Summary

Provider vs Deployer Obligations

Financial institutions frequently act as both providers (when they build and deploy their own AI) and deployers (when they use a vendor's AI system). The obligation split matters: providers carry the heavier technical burden; deployers carry operational and transparency duties.

| Article | Provider Obligation | Deployer Obligation |
|---|---|---|
| Art. 9 | Establish and maintain lifecycle risk management system. Identify, analyse, estimate, and evaluate risks. Implement mitigation measures. | Inform provider of serious incidents. Cooperate with Art. 9 ongoing monitoring obligations where specified in instructions for use. |
| Art. 10 | Dataset quality criteria: relevance, representativeness, freedom from errors, completeness. Bias assessment and data lineage documentation. | No direct Art. 10 obligation — but must not modify AI system in ways that compromise training data quality assumptions. |
| Art. 11 | Prepare comprehensive technical documentation before market placement. Keep updated throughout lifecycle. | No direct Art. 11 obligation — request and retain a copy of provider's technical documentation for audit purposes. |
| Art. 12 | Ensure automatic event logging capability is built in. Specify log retention scope in instructions for use. | Retain logs for minimum 6 months. Make available to competent authorities on request. |
| Art. 13 | Provide accurate instructions for use: capabilities, limitations, accuracy metrics, foreseeable risks, human oversight measures. | Follow instructions for use. Do not use AI system in ways outside the scope of the instructions. |
| Art. 14 | Design system to allow human oversight. Natural persons overseeing must be able to understand output, detect anomalies, override or halt system. | Assign qualified natural persons for human oversight. Ensure they have authority and capability to intervene. Do not automate in ways that bypass human oversight. |
| Art. 26 | No direct Art. 26 obligation (applies to deployers). | Inform affected natural persons that they are subject to an AI-driven decision (where required). Conduct fundamental rights impact assessment if public body. Notify provider of serious incidents. |
| Art. 49 | Register in EU AI database before market placement or service commencement. | Verify registration exists in EU AI database. Public body deployers may have additional registration obligations. |

Up to €35M or 7% of global annual turnover

Article 99 of EU Regulation 2024/1689 sets the maximum penalty for prohibited AI system violations at €35,000,000 or 7% of total worldwide annual turnover — whichever is higher. High-risk non-compliance carries up to €15M or 3%. Incorrect information provided to national competent authorities carries up to €7.5M or 1.5%. Financial services regulators (ECB, EBA, national NCAs) are expected to act as designated market surveillance authorities for financial sector AI systems.

Regulatory Citations
[1] EU Regulation 2024/1689 ("EU AI Act"), OJ L 2024/1689, 12 July 2024. Entry into force 1 August 2024. Application staged per Article 113.
[2] Annex III §5(b): high-risk AI systems used for creditworthiness assessment, access to financial services, insurance underwriting for natural persons.
[3] Article 6(2): Annex III classification basis. Article 9: risk management system. Article 10: data governance. Article 14: human oversight. Article 26: deployer obligations.
[4] Article 99: penalties. Article 113: application timeline — prohibited AI (2 Feb 2026), GPAI (2 Aug 2026), Annex III high-risk (2 Aug 2027), Annex I existing EU products (2 Aug 2030).
[5] Caveat: This hub provides indicative guidance only — not legal advice. Classifications involve legal interpretation. Consult qualified EU AI Act counsel before compliance decisions.

Audience

Who Uses These Tools

Compliance / Legal

Use T327 to classify all AI systems in scope and generate a compliance obligation checklist by article. Use T335 to confirm provider vs deployer obligation split for each vendor AI system in use.

Risk Management

Use T333 to design a compliant Article 9 risk management system. Score gaps against EU AI Act requirements, prioritise remediation, and export an AP2 Policy Mandate JSON for board reporting.

Data Engineering / MLOps

Use T334 to audit training, validation, and testing datasets against Article 10 quality criteria. Identify representativeness gaps, bias risks, and data lineage documentation requirements.

Regulatory Affairs

Use T318 to model how EU AI Act obligations interact with DORA, MiFID II, CRD VI, and PSD3 programmes already in flight. Identify deduplication opportunities and resource conflicts.

Product / Technology

Use T327 + T335 to determine whether a new AI feature is high-risk and who bears the compliance obligations — your team as provider, or the financial institution as deployer.

Board / CISO

T333 outputs an AP2 Policy Mandate JSON and board-level risk summary. T318 produces a regulatory change impact matrix suitable for board risk committee reporting.

Quick Start

Get Ready for August 2026 in 5 Steps

  1. Classify Every AI System in Your Inventory

    Open T327 — EU AI Act Risk-Class Mapper for each AI system. Select use case category and specific use case. The tool determines risk tier (Unacceptable / High / Limited / Minimal), provides the legal basis (Annex III reference), compliance deadline, and full obligation checklist in under 30 seconds.

  2. Determine Provider vs Deployer for Each System

    Open T335 — Provider vs Deployer Obligations Splitter. For each high-risk system, confirm whether your organisation is the provider (built and places on market) or deployer (uses a third-party AI). This determines which Articles 9–17, 26, and 49 obligations fall on you directly.

  3. Build Article 9 Risk Management Systems

    For each high-risk AI system where you are the provider, open T333 — Article 9 Risk Management System Builder. Score your current risk management practice against the Art. 9 requirements. The remediation priority table becomes your August 2026 workplan.

  4. Audit Training Data Against Article 10

    Open T334 — Article 10 Data Governance Mapper. Input dataset characteristics (size, sources, bias checks completed, lineage documentation status). Receive a gap score and required remediation actions — including representative sampling requirements for credit, AML, and underwriting models.

  5. Model Regulatory Change Impact

    Open T318 — Regulatory Change Impact Assessor to cross-map EU AI Act against your existing DORA, MiFID II, and CRD VI programmes. Identify overlapping obligations to avoid duplication, and surface resource conflicts that could delay your August 2026 compliance sprint.

MCP Integration

Agentic Access via MCP

All 5 tools expose structured outputs compatible with the AINumbers MCP manifest. Use the tool IDs below with any MCP-capable agent for automated EU AI Act compliance workflows.

| Tool ID | MCP Name | Input Schema | Output |
|---|---|---|---|
| T327 | `classify_eu_ai_act_risk` | `use_case_id, qualifiers{natural_person, binding, regulated, public_authority}` | `risk_class, annex_ref, article_ref, deadline, obligations[], compliance_brief` |
| T333 | `build_art9_risk_mgmt_system` | `ai_system_id, risk_identification_score, mitigation_measures[], residual_risk_threshold` | `gap_score, remediation_priorities[], mandate_json` |
| T334 | `map_art10_data_governance` | `dataset_type, size, sources[], bias_checks_done, lineage_documented` | `governance_gap_score, missing_criteria[], remediation_plan, mandate_json` |
| T335 | `split_provider_deployer_obligations` | `role{provider\|deployer\|both}, ai_system_type, use_case_ref` | `provider_obligations[], deployer_obligations[], shared_obligations[], mandate_json` |
| T318 | `assess_regulatory_change_impact` | `new_regulation, existing_regulations[], entity_type, in_scope_systems[]` | `impact_score, overlap_matrix{}, resource_conflicts[], remediation_timeline` |