01 The timeline in force today
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in phases (Art. 113). Four steps: since 2 February 2025, the prohibited practices (Art. 5) and the AI-literacy duty (Art. 4) apply. Since 2 August 2025, the rules for general-purpose AI models (GPAI, Chapter V), the governance structure (AI Office, AI Board) and the penalty provisions apply [1].
The two decisive dates for financial firms are still ahead: from 2 August 2026, the bulk of the Regulation applies — including the high-risk obligations for the Annex III systems and the Art. 50 transparency duties. From 2 August 2027 follow the high-risk obligations for AI that is a safety component of regulated products (Art. 6(1), the Annex I route), plus the extended transition for GPAI models placed on the market before August 2025 (Art. 111(3)) [1].
02 What is high-risk for banks and insurers
The financial sector appears in Annex III point 5 in two places. Point (b) covers AI for evaluating the creditworthiness of natural persons or establishing their credit score — expressly excluding AI for the detection of financial fraud. Point (c) covers AI for risk assessment and pricing in relation to natural persons in life and health insurance. Both are therefore high-risk, with the full obligations on data governance, technical documentation, logging, transparency and human oversight [1].
There is a filter: under Art. 6(3), an Annex III system is not high-risk if it poses no significant risk to health, safety or fundamental rights (for example a narrow procedural task). But that exception falls away as soon as the system performs profiling of natural persons — which is exactly the norm in credit scoring and insurance pricing. In practice the filter is therefore usually not available to financial firms; classification as high-risk is the realistic assumption.
03 GPAI: what reaches you when you deploy third-party models
Most banks and insurers are deployers, not providers of AI models — the heavy GPAI duties fall on the model provider. But two things flow back to you. First, since 2 August 2025 the provider must, under Art. 53, make available technical documentation and downstream information (Annex XII) — documents you should actively demand for your own compliance file. Second, model risk can flow into your own Annex III use case when you build a GPAI model into a credit-scoring or pricing system [1].
Add the transparency duty under Art. 50 (applicable from 2 August 2026): anyone operating an AI system that interacts with people (chatbots) or generates synthetic content must disclose that it is AI and mark AI-generated content in machine-readable form. This duty bites even where you only wrap a third-party model via an API — because you are the provider or deployer of that specific system [1].
04 The Digital Omnibus on AI — the proposed delay
Here is the key nuance. On 19 November 2025 the European Commission proposed a simplification package; its AI-specific part — the Digital Omnibus on AI (COM(2025) 836, procedure 2025/0359(COD)) — would postpone the high-risk deadlines: the Annex III systems from 2 August 2026 to 2 December 2027, the Annex I products from 2 August 2027 to 2 August 2028. The mechanism originally floated — making application conditional on the availability of harmonised standards — was dropped in negotiation in favour of fixed calendar dates [2][3].
Decisive for planning: this postponement is not yet law. As of 2 June 2026 there is a provisional political agreement (trilogue in early May 2026, confirmed by the Member States in the Committee of Permanent Representatives on 13 May 2026; the parliamentary committee stage is under way, the plenary vote expected in the June/July session) — but no adopted regulation and no publication in the Official Journal. Until the Omnibus is formally adopted and published, 2 August 2026 remains the operative date for the Annex III high-risk obligations [2].
05 What this means for the setup
The sober consequence: plan for 2 August 2026 until further notice. Postponing the Annex III preparation — inventory of AI systems, risk classification, data governance, documentation, human oversight — to the supposedly safe December 2027 bets on a legislative act that has not yet been passed. If the Omnibus is adopted in time, you gain breathing room; if it is not, August 2026 applies as originally enacted.
This is precisely a horizon-scanning problem: the status of the Omnibus moves weekly, the Commission issued guidelines on high-risk classification (Art. 6) on 19 May 2026, and the harmonised standards are emerging in parallel. Detecting adoption on the day it is published, classifying the deadline change correctly and routing it to model governance and the compliance function means planning on the basis of the law in force rather than headlines — which is exactly what Horizon Scanner is built for.
Sources
Every cited claim links to the primary source.