EU AI Act · DORA · GDPR

AI compliance for banks and insurers: what needs to be done now

The EU AI Act is in force. Initial obligations already apply. For high-risk AI systems, the Digital Omnibus is likely to shift parts of the timeline, but not the need for robust AI governance.

The regulatory reality for Austrian financial institutions

Since 2 February 2025, the first binding EU AI Act requirements have applied, including the prohibition of certain AI practices and the obligation to ensure AI literacy for people who deploy or operate AI systems.

What many underestimate: the regulatory requirements do not arrive one by one. DORA, NIS2, GDPR and the EU AI Act overlap with different deadlines, authorities and sanction regimes. One AI-related compliance breach can involve the FMA, the data protection authority and the works council at the same time.

For medium-sized regional banks and insurers in Austria, this creates a particular challenge: they often operate the same core systems as large institutions, but with significantly leaner internal compliance resources.

Current timeline status

Following the political agreement on the Digital Omnibus of 7 May 2026, rules for certain high-risk areas are expected to apply from 2 December 2027. Until formal publication in the Official Journal, cautious planning should take both timelines into account.

The central topic areas boards need to address now

Shadow AI

AI components in purchased software or freely used tools are often not inventoried as AI systems. Nevertheless, duties under the EU AI Act, GDPR and internal governance rules may arise.

More on shadow AI

EU AI Act

The EU AI Act has been in force since 1 August 2024. Certain prohibitions have applied since February 2025. High-risk duties, transparency obligations and national supervision must now be prepared in a structured way.

More on the EU AI Act

Board liability

Through Austrian company and banking law, AI governance becomes an organisational duty. Not knowing which AI systems are used is not a viable control concept.

More on board liability

Vendor AI

Market-leading platforms for core banking, AML, underwriting and HR may contain AI components. Institutions using those systems have their own deployer obligations.

More on vendor AI

FRIA

The Fundamental Rights Impact Assessment under Art. 27 EU AI Act is especially relevant for creditworthiness assessment and life/health insurance risk assessment.

Understand FRIA

GPAI

ChatGPT, Copilot, Claude and other general-purpose AI services require usage rules, privacy review, inventory and provider due diligence.

More on GPAI

Cyber Resilience Act

Apps and digital products under an institution's own brand may trigger CRA obligations in addition to DORA. Role allocation is the first step.

Assess CRA relevance

ArbVG §§ 96/96a

AI systems with employee data, HR or control functions may require works council involvement and works agreements in Austria.

Assess the ArbVG interface

The path to compliance: structured, methodical, individual

The path to EU AI Act compliance is not a single project, but a structured process across several phases: inventory, risk classification, role allocation, gap analysis, governance and ongoing monitoring. International standards such as ISO/IEC 42001:2023 provide a framework, but they do not replace the individual assessment of specific AI systems, business processes and responsibilities in your institution.

CSRD / ESRS relevance for AI bias

AI bias is not only a technical or EU AI Act topic. If AI systems create discrimination risks in HR, lending, underwriting or customer access, these risks may also become relevant for CSRD / ESRS reporting: as a social impact, governance topic, risk-management question or auditable evidence.

ISO/IEC 42001

The international standard for AI management systems provides structure, but does not cover all EU AI Act-specific duties.

Understand ISO/IEC 42001

AI inventory

Without a complete inventory, risk classification, FRIA and governance remain incomplete.

More on the AI inventory

Audit readiness

Auditable AI governance means being able to provide inventory, roles, FRIA, logs, reporting paths and evidence at any time.

Build audit readiness

Project support

We support Austrian financial institutions from initial inventory to auditable governance structures.

View project support

Glossary

Core terms from the EU AI Act, ISO/IEC 42001 and AI governance, with links to the relevant topic pages.

Open glossary

Would you like to know where your institution stands?

We can discuss your individual situation. An initial conversation is non-binding and gives you a clear view of where your institution currently stands on AI governance.

Contact us

Notice: This page is for general information about regulatory developments and does not constitute legal advice. It does not replace advice from lawyers specialising in AI law or specialist AI compliance advice. Content reflects the state of June 2026 and may change through new legislation, national implementation rules or regulatory interpretation.