Deadlines at a glance
The EU AI Act enters into application in several phases. For Austrian banks and insurers, this creates different implementation priorities.
| Date | What applies | Relevance for financial institutions |
|---|---|---|
| 2 February 2025 | Prohibition of certain AI practices, AI literacy obligation | Prohibited practices must be avoided; people working with AI need appropriate competence and awareness. |
| 2 August 2025 | GPAI duties and governance structures at EU/member-state level | Use of external language models and AI models requires a clear internal control and supplier understanding. |
| 2 August 2026 | Original timeline: majority of rules, transparency duties under Art. 50, Annex III high-risk duties | Chatbots and AI interactions must be made transparent. High-risk systems in credit, insurance and HR must be classified and prepared. |
| 2 December 2027 | Politically agreed Digital Omnibus timeline for certain high-risk areas | Until formal adoption, institutions should include the postponement in planning but not delay inventory and governance work. |
| 2 August 2028 | Under the Digital Omnibus agreement: systems in regulated products | Usually less directly relevant for classic financial service providers, but relevant for embedded product or safety components. |
What high-risk AI means
Not every AI system falls under the strict high-risk requirements. Annex III of the EU AI Act lists specific areas of use. For financial institutions, creditworthiness assessment of natural persons, life and health insurance underwriting, and HR recruiting and performance evaluation are particularly relevant.
- Annex III No. 5(b): AI systems for evaluating the creditworthiness of natural persons or establishing a credit score.
- Annex III No. 5(c): AI systems for risk assessment and pricing in life and health insurance.
- Annex III No. 4: AI systems for recruiting, selection, task allocation, performance monitoring and work-related decisions.
Deployer duties and FRIA
Deployers of high-risk AI systems must implement technical and organisational measures, assign human oversight, control input data, retain logs, inform affected persons and cooperate with authorities. For creditworthiness assessment and life and health insurance risk assessment, a Fundamental Rights Impact Assessment (FRIA) is additionally required before use. HR AI mainly triggers information duties towards employee representatives and affected employees; whether a FRIA is also required should still be checked in specific situations.
CSRD / ESRS: bias as a reporting topic
The EU AI Act regulates AI systems directly. CSRD and ESRS can also become relevant where AI-supported decisions create discrimination risks, human-rights impacts or governance risks. HR AI, creditworthiness assessment and life/health underwriting are particularly affected. In those cases, documenting technical conformity alone is not enough; institutions also need traceable information on policies, due diligence, measures, risks, metrics and auditability.
Sanctions
The EU AI Act provides for tiered sanctions: breaches of prohibitions can lead to fines of up to EUR 35 million or 7 percent of global annual turnover, breaches of many deployer and high-risk requirements up to EUR 15 million or 3 percent, and the supply of incorrect information up to EUR 7.5 million or 1 percent. Consequences under company, banking, insurance and data-protection law may also apply.
Fourfold reporting cascade: one incident, several authority routes
A serious AI incident in an Austrian financial institution can trigger several independent reporting obligations. The triggers and timelines must be assessed separately.
| Legal basis | What is reported? | Timeline | Recipient |
|---|---|---|---|
| EU AI Act Art. 73 | Serious incident involving high-risk AI | no later than 15 days; 10 days in case of death; 2 days in certain particularly severe cases | competent market surveillance authority after national implementation |
| GDPR Art. 33 | Personal data breach with risk to data subjects | 72 hours | Austrian Data Protection Authority |
| DORA / Delegated Regulation (EU) 2025/301 | Major ICT-related incident | 4 hours from classification and no later than 24 hours from detection; intermediate report after 72 hours; final report within one month | FMA |
| NISG 2026 | Significant cybersecurity incident, where the institution is in scope and no special regime applies | early warning, notification and final report under the NISG 2026 system | cybersecurity authority or competent CSIRT reporting route |
DORA is the central special regime for ICT risk management and major ICT incidents in financial entities. NISG 2026 may apply in parallel in certain cybersecurity and reporting situations. Which regime applies should be assessed for each institution and incident type.
What should be prepared
- incident-response plan with a specific AI incident category
- separate assessment logic for AI Act, GDPR, DORA and NISG 2026
- clear owners for FMA, data protection authority and cybersecurity reporting
- templates for initial notification, intermediate report, final report and internal escalation
The EU AI Act does not exist in isolation. DORA requires ICT risk management and third-party governance. GDPR regulates automated individual decisions and data protection impact assessments. Austrian labour constitution law may require a works agreement for HR AI.