AI-INCLUDED.CO.UK
EU AI Act — Training & Compliance

What your organisation needs to know.
What your people need to do.

The EU AI Act is not approaching. It is here. On 2 August 2026, its most consequential provisions become enforceable. If your organisation builds, deploys, or procures AI systems that affect EU residents, you are already in scope.


Who Is Responsible?

An eleven-minute explainer for financial services practitioners. The four risk tiers, the Annex III categories that sit on your compliance desk, the provider/deployer distinction, and the Article 4 training obligation your organisation has already missed the deadline on.

Now make it stick.

The explainer above does the careful work — what the Act requires, and who carries the obligation. This one is built for retention: an upbeat re-explainer of the same principles, with a chorus that states the core ideas three times so they lodge the way a song does and a clause never will. Same content, different gear.

The regulation

What is the EU AI Act?

Regulation (EU) 2024/1689 is the world's first comprehensive legal framework for artificial intelligence. It entered into force in August 2024 and has been rolling out in stages ever since.

Its core logic is deceptively simple: the higher the risk an AI system poses to people, the more rigorous the obligations on those who build and use it.

It applies to any organisation whose AI systems are used in the EU, or produce outputs that affect EU residents, regardless of where that organisation is headquartered. This is not a guidelines document. It is binding law with extraterritorial reach.

Think GDPR — but for AI.

The Omnibus — Current Status

In November 2025, the European Commission proposed the Digital Omnibus — a simplification package with some deadline adjustments. Political agreement was reached on 7 May 2026. Some provisions have been extended. The core high-risk obligations for financial services remain on the August 2026 timeline. The direction of travel has not changed.

Risk classification

The four tiers

Minimal Risk

No specific obligations

Spam filters, AI in video games, recommendation engines. The majority of AI by volume. The Act says: carry on.

Limited Risk — Transparency

Disclose. Label. Mark.

Chatbots, deepfakes, AI-generated content. One rule: users must know they are interacting with AI.

High Risk — Heavily Regulated

Full compliance obligations

Credit scoring, fraud detection, employment AI, critical infrastructure. Risk assessments, data governance, human oversight, audit logs, registration. Enforcement: 2 August 2026.

Unacceptable Risk — Prohibited

Banned since February 2025

Social scoring, real-time biometric surveillance in public spaces, AI that exploits psychological vulnerabilities. Categorically incompatible with human dignity. Not a governance problem. Banned.

Annex III — financial services

Why financial services organisations need to pay close attention

Three categories from Annex III — the Act's definitive high-risk list — sit directly on your compliance desk. These are not edge cases. These are core operational systems in most financial services institutions.

The comparison that makes this concrete: a robot vacuum cleaner and a self-driving car are both autonomous AI systems navigating physical space. But if the vacuum fails, it bumps into the cat. If the car fails, someone dies. The Act treats them differently because the culpability profile is different.

A credit scoring AI that goes wrong doesn't produce a crash. But it closes doors for years — invisibly, irreversibly, to someone who may never know why it happened. The Act treats that as high risk. Rightly so.

01

Credit Scoring & Creditworthiness Assessment

AI that evaluates an individual's eligibility for credit, insurance, or financial products. Full high-risk obligations apply. Full stop.

High Risk — Full Compliance Required

02

Fraud Detection & Anti-Money Laundering

AI-driven financial crime prevention is explicitly in scope. The sophistication of these systems does not reduce your obligations. It increases them.

High Risk — Full Compliance Required

03

Employment & HR Systems

AI used in recruitment, performance evaluation, or workforce management. For large, distributed organisations, this scope is broader than most compliance teams currently recognise.

High Risk — Full Compliance Required

The distinction most briefings miss

Provider vs. deployer — and why it matters

The EU AI Act distinguishes between providers — organisations that develop and build AI systems — and deployers — organisations that use them.

Both have obligations. But deployers cannot outsource their compliance to their vendor.

If your fraud detection system was built by a third party, the Act does not allow you to point to the vendor's documentation and consider your obligations discharged. You — the deployer — are responsible for appropriate use, human oversight, and ensuring the system functions as intended within your specific context.

Most current commercial AI contracts do not reflect this. The deployer liability sits in your organisation regardless of what your vendor agreement says. Review yours before August.

Provider

Builds the system

Develops, trains, and deploys the AI. Carries obligations for conformity, documentation, and registration under the Act.

Deployer

Uses the system

Cannot delegate compliance to the vendor. Responsible for appropriate use, human oversight, and context-specific performance. This is your organisation.

Who is responsible?

In law — you are.

The obligation nobody is talking about

Article 4 — AI Literacy

Article 4 of the EU AI Act introduced an AI literacy obligation that has applied since February 2025. It requires providers and deployers to ensure that their staff have sufficient AI literacy — the knowledge and skills to understand the systems they work with, to use them appropriately, and to recognise where human judgement must take precedence.

This is not an awareness campaign. It is a substantive training requirement embedded in the regulation itself.

These are learning and development questions, not just legal ones. Getting the answer right requires thinking like a training practitioner — not just a compliance officer. That combination is rarer than it should be.

Three questions follow immediately from Article 4

These are not rhetorical. They require documented answers your organisation can produce if asked.

01 — What does "sufficient AI literacy" look like for different roles in your organisation?
02 — How do you demonstrate that you have delivered it?
03 — How do you keep it current as systems evolve?

"Regulation creates the what. Training creates the capability. The organisations that navigate this successfully are not the ones with the thickest compliance manuals — they are the ones whose people genuinely understand what they are doing, and why it matters."

What good looks like

A compliance training pathway

A well-designed EU AI Act training programme does not attempt to turn every employee into a regulatory expert. It calibrates depth to role and builds practical capability — not just awareness.

Foundation — All Staff

What the Act is and what it means to work in a regulated AI environment

The four risk tiers. When to flag, escalate, or ask. Assessed via a short scenario-based check. The starting point every organisation needs before anything else.

E-learning or facilitated 90-minute session. Annual refresh.

Practitioner — AI Users with Decision Authority

Understanding the system you are using — and where your judgement is required

Article 4 literacy in depth. What the system does and does not do. Human oversight in practice. Recognising outputs that should not be acted upon without verification.

Blended — structured learning plus live facilitated session. Role-specific scenarios.

Governance — Compliance, Legal, Risk, Leadership

Full regulatory mapping, documentation requirements, and audit readiness

Provider/deployer obligations in detail. Annex III classification. How to build a compliant AI governance framework and how to audit it. Third-party contract requirements.

Intensive workshop programme. Practical application to live systems.

Technical — Developers, Data Scientists, AI Owners

Data governance, bias monitoring, audit trails, and conformity assessment

The technical obligations behind the high-risk classification. Logging requirements. What compliant third-party AI contracts should require. How to build in oversight rather than bolt it on.

Workshop plus ongoing consultancy support.

Go deeper

From understanding to action

This page explains what the EU AI Act requires. The companion document sets out a practical framework for building the training architecture, governance mechanisms, and operational discipline to meet those requirements — including a Training Needs Analysis, decision gateway, AI inventory methodology, and the Better Angel governance layer.

Read the compliance framework →

Let's talk.

If your organisation is preparing for August 2026 — or if you're already in implementation and need the training architecture to match — I'd welcome a conversation.