1. TL;DR — The three numbers a banking Capital & Risk team needs to know
- 2 December 2026 — Article 50 transparency obligations effective. Affects any bank-deployed generative AI that produces text, images, audio, or video for customers or internal staff (chatbots, AI-drafted communications, marketing content). Grace period was shortened from 6 to 3 months. This is the first new binding deadline for most banks.
- 2 December 2027 — Annex III high-risk obligations enforceable. This is the date for credit-scoring AI, creditworthiness assessment AI, and most HR/employment AI used inside banks. Postponed from 2 August 2026 under the Omnibus deal of 7 May 2026.
- 2 August 2028 — Annex I high-risk obligations enforceable. AI systems embedded in regulated products. For most banks this matters less directly, but it is the date for medical-device AI (insurance arms), industrial/operational AI in payments hardware, and certain payment-terminal AI features.
The penalty ceilings are unchanged: up to €35M or 7% of global annual turnover for prohibited-practice violations; up to €15M or 3% for other infringements. For a tier-1 European bank with >€50bn annual revenue, the 3% calculation substantially exceeds €15M and is the binding cap. Penalties apply on the new dates, not the old ones, but the substantive obligations have not been weakened.
2. The new banking timeline
| Date | Obligation | Banking systems in scope |
|---|---|---|
| 2 Feb 2025 (in force) | Article 5 prohibitions (social scoring, manipulative AI, etc.) | Generally not bank use cases — but be aware of social-scoring overlap with credit decisioning |
| 2 Aug 2025 (in force) | GPAI core obligations — documentation, copyright disclosure, systemic risk evaluation for very large models | Mostly relevant to banks using GPAI; some implications for in-house foundation models |
| 2 Dec 2026 | Article 50 transparency — AI-generated content disclosure (3-month grace, shortened) | Customer-facing chatbots, generative AI in marketing, AI-drafted communications, internal AI assistants for staff |
| 2 Dec 2027 | Annex III high-risk full obligations (postponed from 2 Aug 2026) | Credit scoring (Annex III §5(b)), creditworthiness assessment, employment/HR AI inside banks, certain biometric verification systems |
| 2 Aug 2027 | National AI regulatory sandboxes operational | Useful staging environment for new high-risk AI deployments; coordinate with national competent authority before this date |
| 2 Aug 2028 | Annex I high-risk obligations — AI embedded in regulated products (postponed from 2 Aug 2027) | Less direct for retail banks; matters for bank-owned insurance arms (medical-device AI), payment-terminal AI features, ATM hardware AI |
3. What the EBA's 21 November 2025 factsheet actually said
On 21 November 2025, the European Banking Authority published a factsheet titled AI Act implications for the EU banking sector. This is the single most important institutional document for a bank Capital & Risk team's AI Act planning — more so than the Omnibus deal itself, because it tells you what your prudential supervisor expects.
The EBA's three findings, paraphrased from the factsheet:
- No significant contradictions found between the AI Act and EU banking and payments regulations. The AI Act's high-risk obligations on data governance, risk management, technical documentation, transparency, human oversight, and accuracy do not conflict with CRR, CRD, EBA model risk management guidelines, or DORA.
- The AI Act is complementary to existing banking law. Banking law already provides a comprehensive framework to manage risks. However, “some efforts may be required by banks and other financial institutions to integrate the two frameworks effectively.” That last phrase is doing a lot of work — read on.
- Supervisory cooperation matters. AI Act compliance for banks will be supervised by a combination of prudential authorities (ECB-SSM, national central banks, EBA) and the AI Act Market Surveillance Authorities (MSAs) designated by each Member State. The EBA explicitly flags this as a coordination challenge that “highlights the importance of supervisory cooperation to ensure the effective implementation of the AI Act.”
The EBA's practical position
The EBA states it does not see any immediate need to introduce new guidelines or to review existing guidelines. In 2026-2027, the EBA will undertake specific activities to support implementation by: (a) promoting a common supervisory approach and cooperation among national competent authorities and Market Surveillance Authorities; (b) providing input to the European AI Office and participating in discussions of the AI Board Subgroup on Financial Services. This means banks should not expect new EBA technical standards on AI specifically. Existing frameworks — particularly model risk management guidelines and DORA implementing standards — are the operational reference points.
The phrase “some efforts may be required to integrate the two frameworks effectively” is the EBA telling banks: build the integration layer yourselves. The regulator is not going to provide a unified evidence schema. That is now the bank's problem to solve.
4. The Parliament's 25 November 2025 resolution: proportionate, not new
Four days after the EBA factsheet, on 25 November 2025, the European Parliament adopted a resolution laying out its priorities for AI use in the financial sector. The rapporteur was Arba Kokalari (European People's Party Group) — notably, the same rapporteur who would later co-shape the Omnibus deal of 7 May 2026.
Kokalari's framing in the resolution: “There is significant potential in the responsible use of AI in the financial sector, which can deliver safer and more efficient products for consumers. Policymakers must now ensure the right conditions for AI deployment, without adding administrative burdens.”
The resolution asks the Commission and supervisors to issue clearer, proportionate guidance rather than producing new rules. Combined with the EBA's identical posture, this is a coordinated political signal: banks should expect interpretive guidance, not new substantive obligations, during 2026-2027.
For Capital & Risk teams, this changes the planning posture. Build against the existing AI Act + DORA + EBA framework as it stands today. Do not over-engineer for hypothetical future rules. The institutional weight is pointed away from rule expansion and toward enforcement clarity.
5. DORA × AI Act: the four-regulation stack a credit AI sits under
An AI system used for credit decisioning at a European bank must simultaneously satisfy four regulatory frameworks. Each asks a different question; each requires a different evidence trail.
| Regulation | Key articles | The question it asks |
|---|---|---|
| EU AI Act (2024/1689) | Art. 9-15 (high-risk); Art. 26 (deployer obligations); Annex III §5(b) | Is the model fit for its high-risk purpose? Is bias examined? Is human oversight effective? Is the technical documentation complete? |
| DORA (2022/2554) | Art. 5-14 (ICT risk management); Art. 17-23 (ICT incidents); Art. 28-30 (third-party) | Is the ICT estate that hosts the AI system resilient? Are incidents reportable? Are third-party AI vendors under contractual ICT controls? |
| GDPR (2016/679) | Art. 22 (automated decision-making); Art. 6, 9 (lawful basis); Art. 35 (DPIA) | Is the data subject's right to non-discrimination and meaningful information about logic protected? Are special category data processed lawfully? |
| EBA model risk guidelines | EBA/GL/2017/16 (internal governance); EBA/RTS/IRB on model validation | Is the model independently validated? Is there a model inventory? Are model changes controlled? |
The same artefact — e.g. a model validation report — can satisfy obligations under multiple regulations. But it must be retrievably linked to each obligation. A model validation report buried in the model risk team's SharePoint that has never been mapped to AI Act Article 15 or DORA Article 24 is not, in practice, evidence of compliance with either — it is just a document.
This is the integration problem the EBA flagged. Banks need a single graph of obligation → evidence → owner → freshness that spans all four regimes, with retrieval that answers a supervisor's question in seconds. Spreadsheets and parallel binders do not survive a real examination.
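A minimal sketch of such an obligation → evidence → owner → freshness graph, added here as an illustration (it is not code from the EBA, the regulations, or any vendor named on this page). The obligation ids reuse the article references from the table above; the artefact names, owners, dates, and the 365-day freshness threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Evidence:
    name: str
    owner: str
    last_updated: date
    satisfies: tuple = ()  # obligation ids this artefact is explicitly mapped to


# Obligation ids: article references taken from the four-regulation table.
OBLIGATIONS = ("AI Act Art. 9", "AI Act Art. 15", "DORA Art. 17-23",
               "GDPR Art. 22", "EBA/GL/2017/16")

# Constructed sample inventory for one hypothetical consumer credit model.
EVIDENCE = [
    Evidence("model-validation-report", "model-risk", date(2026, 3, 1),
             ("AI Act Art. 15", "EBA/GL/2017/16")),  # one artefact, two regimes
    Evidence("risk-management-file", "credit-risk", date(2025, 1, 10),
             ("AI Act Art. 9",)),
    Evidence("incident-log-export", "ict-ops", date(2026, 4, 20),
             ("DORA Art. 17-23",)),
    # Exists but is mapped to nothing: "just a document" in the sense above.
    Evidence("bias-test-notebook", "data-science", date(2026, 2, 2)),
]


def evidence_for(obligation, evidence=EVIDENCE):
    """Artefacts mapped to an obligation, newest first: (name, owner, date)."""
    hits = [e for e in evidence if obligation in e.satisfies]
    hits.sort(key=lambda e: e.last_updated, reverse=True)
    return [(e.name, e.owner, e.last_updated) for e in hits]


def audit(today, max_age_days=365, obligations=OBLIGATIONS, evidence=EVIDENCE):
    """Classify each obligation as fresh, stale or missing; list orphan artefacts.

    max_age_days is an assumed internal policy value, not a regulatory figure.
    """
    status = {}
    for ob in obligations:
        hits = evidence_for(ob, evidence)
        if not hits:
            status[ob] = "missing"
        elif (today - hits[0][2]).days > max_age_days:
            status[ob] = "stale"   # newest mapped artefact is too old
        else:
            status[ob] = "fresh"
    orphans = [e.name for e in evidence if not e.satisfies]
    return status, orphans


if __name__ == "__main__":
    status, orphans = audit(date(2026, 5, 15))
    for ob, state in status.items():
        print(f"{ob:18} {state:8} {evidence_for(ob)}")
    print("unmapped artefacts:", orphans)
```

The three failure modes it surfaces are the ones that matter in an examination: an obligation with no mapped artefact, an obligation whose newest artefact is out of date, and an artefact that exists but was never linked to any obligation.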
6. What is high-risk for banks (and what is not)
Annex III of the AI Act enumerates the eight high-risk areas. For banks, the relevant entries are:
- Annex III §5(b) — Creditworthiness and credit scoring of natural persons. This is the headline banking entry. Any AI system that evaluates creditworthiness or establishes a credit score for individuals is high-risk. Exceptions: AI used to detect financial fraud is explicitly excluded from being high-risk on this ground alone (recital 58).
- Annex III §4 — Employment and HR AI. Any AI used by the bank for recruitment, screening of candidates, evaluation, promotion, termination, task allocation, or monitoring of workers is high-risk. Affects HR functions in every bank.
- Annex III §1 — Biometric categorisation and emotion recognition. If the bank uses biometric verification (voice authentication, face matching for KYC), parts of Annex III §1 apply — particularly post-Omnibus where biometrics are explicitly in the 2 Dec 2027 cohort.
- Annex III §5(c) — Risk assessment and pricing in life and health insurance. Relevant for banks with bancassurance arms or in-house life/health insurance products.
What is generally NOT high-risk in banking: fraud detection and AML/CFT transaction monitoring (subject to the recital 58 exclusion); chatbots and customer-service AI (limited-risk — Article 50 transparency only); back-office process automation that does not affect individuals' rights; internal productivity tools (code copilots, document drafters, internal search).
A practical scope-screening question
For any AI system inside the bank, ask: does the output of this system, by itself or in combination with a human decision-maker, materially affect a natural person's access to finance, employment, biometric identification, or rights under EU consumer protection? If yes, treat as high-risk and build the full Articles 9-15 evidence package. If no, you still have Article 50 transparency obligations from 2 December 2026 for any generative output that customers see.
7. The AI Board Subgroup on Financial Services — the venue to watch
The AI Board, established by Article 65 of the AI Act, is the EU-level governance body that advises the Commission and Member States on consistent application of the regulation. Within it, a Subgroup on Financial Services has been created. The EBA participates. This is the single most important institutional venue for banking-sector AI Act interpretation through 2026-2027.
What it will do, based on the EBA factsheet and the structure of the AI Board: coordinate supervisory practices between prudential authorities and AI Act Market Surveillance Authorities; align positions on key interpretive questions (the credit-fraud detection boundary; the deployer-vs-provider split for banks running in-house models; the integration of DORA incident reporting with AI Act post-market monitoring under Article 72); and feed practical guidance into the European AI Office.
For a bank Capital & Risk team: track the AI Board Subgroup's outputs. They will land before the 2 December 2027 enforcement date and will define what supervisors actually look for. The 19-month runway should be used to align internal governance to anticipated subgroup positions, not to wait for them.
8. Implications for Capital & Risk teams in 2026
Five concrete consequences for the next 6 months:
- Article 50 is now your first deadline, not Annex III. 2 December 2026 is 6.5 months away. Every customer-facing generative AI surface needs disclosure, machine-readable marking where applicable, and a content-lineage record. Marketing, customer service, internal AI assistants visible to clients — all in scope. The 3-month grace was halved; do not assume the original 6-month buffer.
- Credit-scoring AI must continue toward conformity, just on a longer runway. The 12-18 month industry benchmark for a tier-1 high-risk programme is unchanged. From May 2026 to December 2027 is 19 months — the realistic preparation window. Programmes that paused in late 2025 because the deal looked likely should restart now.
- Build the obligation graph, not parallel binders. The EBA explicitly flagged integration effort. Without a graph linking obligations (AI Act articles, DORA articles, EBA guidelines, GDPR provisions) to evidence (model validation reports, technical documentation, incident logs, training data lineage), supervisors during 2027-2028 examinations will see four binders that do not reconcile.
- Map third-party AI vendors against DORA Article 28 + AI Act provider/deployer roles. Banks using third-party AI (vendor credit-scoring services, vendor fraud-detection models, GPAI APIs) are deployers under the AI Act and remain accountable for the entire stack under DORA. Vendor contracts written before late 2025 likely do not include AI Act conformity warranties. Renegotiate now.
- Plan for supervisory dual-track examinations. Your prudential supervisor (ECB-SSM, national central bank) will examine your AI governance during JST (Joint Supervisory Team) visits. The AI Act Market Surveillance Authority in your Member State has parallel authority for AI Act conformity. They will not coordinate examinations — you must reconcile evidence requests from both.
9. What to do in the next 19 months
Months 1-3 (May-Aug 2026)
- AI system inventory: every system that touches credit, HR, biometrics, or generates customer content
- Article 50 readiness for 2 Dec 2026 (first deadline)
- Renegotiate third-party AI vendor contracts
- Establish obligation graph (AI Act × DORA × GDPR × EBA)
Months 4-12 (Sep 2026-Apr 2027)
- Article 9-15 technical documentation for each high-risk system
- Risk management system aligned with EBA model risk + DORA
- Human oversight design and training
- Post-market monitoring infrastructure (links to DORA incident reporting)
Months 13-19 (May-Nov 2027)
- Conformity assessment (Article 43)
- EU database registration
- CE-marking processes for any product-embedded AI
- Internal audit dry-run before 2 Dec 2027
10. How Quantamix Solutions supports bank compliance under the new timeline
Quantamix Solutions builds graph-based AI governance infrastructure that addresses exactly the integration problem the EBA flagged: linking obligations across regulations to the evidence that satisfies them, with retrieval at examination speed.
TraceGov.ai — the obligation-to-evidence graph for banks
TraceGov.ai operationalises the multi-regulation graph required for banking AI compliance. AI Act articles, DORA articles, EBA guidelines, and GDPR provisions are nodes; evidence artefacts (model validation reports, technical documentation, incident logs, training data lineage manifests) are nodes; the edges encode which evidence satisfies which obligation, with freshness, ownership, and confidence. TRACE scoring quantifies compliance across five dimensions (Transparency, Reasoning, Accuracy, Compliance, Evidence) with a composite score that maps directly to AI Act articles. When a supervisor asks “show me your evidence for Article 9 risk management for the consumer credit model”, the graph returns the precise artefacts, their last-updated date, and the responsible owner in seconds.
TAMR+ — graph-based AI reasoning for regulated decisioning
For banks deploying generative AI on regulated tasks (drafting customer communications, summarising loan applications, responding to subject access requests), TAMR+ provides 2× accuracy versus standard AI on regulatory questions, with patent-protected retrieval (EP26162901.8) and cryptographic proof trails. Outputs carry the citation chain that supports both AI Act Article 13 transparency and DORA Article 24 logging.
FrictionMelt — identifying compliance friction before it becomes a finding
FrictionMelt's friction-intelligence engine identifies the 95 most common friction points in AI deployment — including bias-related barriers (demographic gaps, proxy discrimination, feedback loops) that map directly to AI Act Article 10 data governance obligations. For banks, the relevant friction patterns include credit-decision proxy variables (postcode as proxy for ethnicity), labour-market under-representation in HR AI, and gendered language in generative customer communications. FrictionMelt flags these before a supervisor or a customer complaint does.
GraQle — the knowledge-graph engine underneath
GraQle is the multi-agent graph reasoning engine that powers TraceGov.ai, TAMR+, and FrictionMelt. For banks, it is the substrate that turns a static collection of policies, model cards, model risk reports, and regulatory text into a queryable graph. The same engine that answers “what depends on this model?” for a software engineer answers “what AI Act articles depend on this evidence?” for a compliance officer.
All Quantamix products are EU-built, EU-headquartered, and host data in Frankfurt (eu-central-1). No vendor lock-in.
11. Sources & references
- European Banking Authority — AI Act implications for the EU banking sector, factsheet, 21 November 2025 (updated 20 November 2025), eba.europa.eu.
- European Parliament — Resolution on AI use in the financial sector, 25 November 2025 (rapporteur: Arba Kokalari, EPP).
- Council of the EU — Artificial Intelligence: Council and Parliament agree to simplify and streamline rules, press release, 7 May 2026, consilium.europa.eu.
- Orrick — EU's Digital Omnibus on AI: 7 Key Changes You Need to Know, 7 May 2026, orrick.com.
- Bird & Bird — Recent developments on the interplay between AI and financial institutions, 15 January 2026, twobirds.com.
- Addleshaw Goddard — AI Omnibus: provisional agreement on changes to EU AI Act, including delayed deadlines, May 2026.
- Taylor Wessing — The EU Digital Omnibus on AI — What the political deal means, 7 May 2026.
- IAPP — EU agrees to amend AI Act, clarifies overlap with machinery rules, 7 May 2026, iapp.org.
- EU AI Act, Regulation (EU) 2024/1689, Annex III (high-risk classifications) and Articles 9-15, 50, 65, 72, 99.
- DORA, Regulation (EU) 2022/2554, Articles 5-14 (ICT risk management) and 17-23 (incident reporting).
- EBA Guidelines on internal governance (EBA/GL/2017/16) and EBA RTS on IRB model validation.
12. FAQ
Has the EU AI Act deadline for banks been postponed?
Yes. Following the 7 May 2026 Omnibus deal, high-risk AI for credit scoring and creditworthiness moves from 2 Aug 2026 to 2 Dec 2027. Annex I product-embedded AI moves to 2 Aug 2028. Article 50 transparency for AI-generated content takes effect 2 Dec 2026 with a 3-month grace (shortened from 6).
What did the EBA say about the AI Act and banking regulation?
On 21 November 2025 the EBA published a factsheet finding: (1) no significant contradictions between the AI Act and EU banking/payments regulation; (2) the AI Act is complementary to banking law — but integration effort will be required; (3) supervisory cooperation between prudential authorities and AI Act Market Surveillance Authorities is essential. The EBA does not plan new guidelines; existing model risk and DORA frameworks remain the reference.
How does the AI Act interact with DORA for banks?
Credit AI sits under four regulations simultaneously: AI Act (Art. 9-15, Annex III §5(b)), DORA (Art. 5-14, 17-23), GDPR (Art. 22), and EBA model risk guidelines. The AI Act asks 'is the model fit for purpose?'; DORA asks 'is the ICT estate resilient?' They are complementary, not duplicative — but the evidence trail for each is different. Banks need a unified obligation-to-evidence graph.
Is credit scoring AI still high-risk under the Omnibus?
Yes. The Omnibus did not change Annex III substance. Credit scoring and creditworthiness assessment for natural persons remain explicitly high-risk under Annex III §5(b). Only the date changed: enforceable from 2 Dec 2027 instead of 2 Aug 2026.
What is the AI Board Subgroup on Financial Services?
An advisory subgroup of the AI Board (established by Article 65 of the AI Act) focused on financial services. The EBA participates. This is the venue where prudential and AI Act supervisory authorities will coordinate interpretive guidance for banks during 2026-2027. Bank Capital & Risk teams should track its outputs.
Does the postponement reduce penalty exposure for banks?
Not for prohibited practices or GPAI. For Annex III high-risk obligations on credit scoring, the penalty calendar shifts: fines cannot begin before 2 Dec 2027. Ceilings unchanged: up to €15M or 3% of global turnover for high-risk infringements; up to €35M or 7% for prohibited practices. For tier-1 banks, the percentage calculation typically binds.
What should a bank Capital & Risk team do with the additional 16 months?
Three things: (1) Do not pause — a tier-1 high-risk programme realistically takes 12-18 months end-to-end; (2) Build the obligation graph linking AI Act, DORA, EBA guidelines, GDPR to evidence — Quantamix Solutions' TraceGov.ai is purpose-built for this; (3) Prepare for the AI Board Subgroup on Financial Services to issue practical guidance during 2026-2027 and build to anticipated positions rather than waiting.
