
August 2, 2026: The EU AI Act Deadline Every US Fintech With European Customers Is About to Miss

Credit scoring is explicitly named as high-risk AI under EU law. The compliance deadline is August 2 — not proposed, not contingent. A US fintech with no EU office still falls in scope if its model touches EU borrowers. The checklist is long and the clock is short.

May 22, 2026

August 2, 2026 is not a proposed date. Under the EU AI Act, it's the binding compliance deadline for providers of high-risk AI systems — and credit scoring and creditworthiness assessment are explicitly named in Annex III of the Act as high-risk. A proposed extension is under discussion but not finalized; treat August 2026 as the binding deadline.

The Act's penalty regime is clear. High-risk violations carry fines up to €15M or 3% of global annual turnover, whichever is higher. Prohibited practice violations reach €35M or 7%. For a US fintech doing $200M in revenue, that's up to $6M on the low end — assessed against global turnover, not EU revenue.

Who's Actually in Scope

This is where most US fintechs get it wrong. Scope is determined by where the AI output is used, not where the company is based. The Act covers providers "irrespective of whether those providers are established or located within the Union or in a third country."

In practice: a US credit scoring API consumed by a German bank falls in scope. A US underwriting SaaS accessible to EU borrowers falls in scope. A US AI engine licensed to an EU insurance broker falls in scope. No EU subsidiary required. No EU employees, no EU servers, no EU office. If your model's output touches an EU user's creditworthiness decision, you're in scope.

What High-Risk Compliance Actually Requires

Self-assessment is permitted for credit scoring — no third-party notified body required. But the documentation burden is operationally heavy, spanning Articles 9, 10, 14, 16, and 18 of the Act:

  • Risk management system — documented and maintained across the full system lifecycle
  • Data governance and bias testing — training data assessed for protected-class disparities
  • Technical documentation — retained for 10 years post-deployment
  • Automated logging — sufficient for post-hoc audit of individual decisions
  • Conformity assessment — formal self-assessment with EU Declaration of Conformity
  • CE marking — affixed before market placement
  • EU AI database registration — mandatory before deployment
  • Authorized EU representative — a named entity within the EU carrying legal compliance responsibility

That last item catches US companies off guard. You need a designated EU representative on file before August 2. This isn't a checkbox — they hold legal liability under the Act.

The GDPR Article 22 Compound

The AI Act doesn't operate in isolation. GDPR Article 22 has required human review of automated credit decisions since 2018. Data subjects have the right to human review of decisions affecting them — and that review must carry actual authority to override the outcome.

Article 14 of the AI Act adds an affirmative design requirement: systems must be built so deployers can meaningfully intervene before decisions take effect. Not rubber-stamp. Not post-hoc appeal. Meaningful intervention before the decision lands.

For fintechs running black-box models where "the model decided," these two regimes compound into a structural problem. A disclosure checkbox and a complaints email address aren't human oversight under either law.

What to Do Before August 2

Scope audit first. Map every AI system that touches EU users' credit or creditworthiness. Include APIs, licensed models, and embedded scoring within third-party platforms. If you don't know the list, you can't assess the gap.

Technical documentation sprint. For in-scope systems, begin generating required documentation immediately. The 10-year retention clock starts at deployment — if the system is already live, the documentation is already overdue.

Bias testing. Commission or reproduce testing on training data for protected-class disparities. This is both a regulatory requirement and your primary evidentiary defense if challenged.

Engage an EU representative. This is blocking. You cannot complete conformity assessment or database registration without a named EU representative. Identify and engage one before August 2.

Assess your human override architecture. Determine whether current override mechanisms meet the AI Act's "meaningful intervention" standard and GDPR Article 22's human review requirement. If not, scope the remediation now.

Enforcement infrastructure is advancing. As of August 2025, only 8 of 27 EU member states had designated national competent authorities (EU Parliament Think Tank). But the European AI Office is operational, and the EBA completed a formal mapping of AI Act requirements against EU banking regulations in November 2025 (EBA). EBA and ESMA are designated as sector-specific enforcement bodies.

A proposed extension to December 2027 is under discussion but not finalized. Build your compliance plan around August 2.