EU and Luxembourg Update on the European Harmonised Rules on Artificial Intelligence - Recent Developments
Overview of the EU AI Act
The EU AI Act, dated 13 June 2024, is the first comprehensive framework for AI across the EU. It regulates how AI systems are developed, deployed, and used, with a clear focus on safety, fundamental rights, and a single market for trustworthy AI.
The regime has been phasing in since February 2025. It aims to avoid overregulation while maintaining a level playing field for EU and non-EU providers.
Official overview: European Commission - AI Act
Interplay with Financial Sector Regulation
The AI Act is designed to sit next to existing financial rules like DORA, CRR, and PSD2 without contradictions. Many obligations map cleanly to what firms already know from DORA: risk management, governance, logging, testing, incident processes, and auditability.
Guidance from the European Commission is expected to reduce duplicate reporting. The November 2025 Digital Omnibus proposal goes further by streamlining rules across AI, data access, privacy, and cybersecurity, introducing a single incident reporting point and aligning thresholds and timelines. Formal adoption is expected later in 2026, subject to negotiations.
Background on operational resilience: European Commission - DORA
Luxembourg: Competent Authorities and Procedural Setup
As an EU regulation, the AI Act applies directly. Luxembourg's draft bill no. 8476 will designate authorities and procedural rules.
- CSSF: market surveillance authority for AI systems tied to financial services.
- Commissariat aux Assurances: oversight for insurance-related AI systems.
- Autorité luxembourgeoise indépendante de l'audiovisuel: transparency and media aspects.
- CNPD: data protection interfaces.
The bill is currently under discussion in parliament.
Where AI Is Used in Finance Today
A 2024 CSSF and central bank survey showed fast adoption in Luxembourg: about 28% of institutions had AI use cases in production or development and 22% were experimenting. Rates were higher for payment and e-money institutions (63%) and banks (38%), and adoption has likely grown since.
Top use cases: AML and fraud monitoring, onboarding and KYC, process automation, search and summarization, customer support, and pilots in credit scoring and analytics. Expected benefits include efficiency, better analytics and personalization, accuracy, and round-the-clock availability.
Key Risks Legal Teams Should Prioritize
- Operational and cyber: data leakage, system failures, malware, unauthorized access.
- Governance: clear accountability at senior level, documented oversight, explainability, and transparency.
- Data: quality, privacy, bias, discrimination, provenance, retention, and lawful basis.
- Models: accuracy, drift, testing, monitoring, security vulnerabilities, and change control.
- Third parties: due diligence, contract clauses, audit rights, SLAs, and exit options.
- People: AI literacy, training, and defined human-in-the-loop checkpoints.
Risk-Based Classification Under the AI Act
- Unacceptable risk: prohibited (e.g., social scoring, emotion recognition in workplaces). Must not be placed on the market, put into service, or used in the EU.
- High risk: strict requirements (e.g., credit scoring, biometric identification). Obligations include a quality-management system, technical documentation, automatic logging, conformity assessment, EU database registration, corrective actions, and transparency duties.
- Transparency risk: information obligations (e.g., chatbots). People must be told they are interacting with AI, and AI-generated or manipulated outputs must be clearly marked and detectable.
- Minimal risk: allowed with no specific restrictions beyond general law.
Penalties
- Up to €35 million or 7% of worldwide turnover for prohibited practices.
- Up to €15 million or 3% for other infringements.
- Up to €7.5 million or 1% for supplying incorrect or misleading information.
These penalties apply to both EU and non-EU companies offering AI systems in the EU.
Timeline You Need to Plan For
- By 2 February 2025: prohibited practices must cease; AI literacy duties start for providers and deployers.
- By 2 August 2025: governance provisions and obligations for general-purpose AI models apply.
- By 2 August 2026: high-risk AI systems in finance must meet specific requirements.
- By 2 August 2027: remaining provisions become fully applicable.
The Digital Omnibus may shift triggers by linking high-risk compliance to standards and support tools, with long-stop dates currently set for 2 December 2027 (high-risk systems) and 2 August 2028 (product-embedded systems).
Why This Matters
The AI Act's reach is global. If you provide AI or serve users in the EU, you need to comply, regardless of where your company is based.
The Act's focus on traceability, explainability, transparency, and human oversight will influence best practices beyond Europe. For financial services, the fit with existing rules means integrated compliance is the smart path, not parallel programs.
Practical Next Steps for Legal and Compliance
- Map all AI use cases (current, pilot, and planned) and classify them under the AI Act.
- Decide whether the firm is a provider, deployer, distributor, importer, or multiple roles, and document it.
- Stand up or update your AI governance framework: risk management, human oversight, testing, model inventory, and model lifecycle controls.
- Build the quality-management system and technical documentation for high-risk systems; set up logging and audit trails.
- Prepare for conformity assessments and EU database registration where required.
- Review third-party contracts for AI-specific warranties, data rights, security, monitoring, audit, and exit.
- Establish incident and breach reporting flows that sync with DORA, GDPR, and the proposed single reporting point under the Digital Omnibus.
- Roll out AI literacy training for relevant staff and define human-in-the-loop checkpoints.
- Track European Commission guidance, standards, and the Digital Omnibus negotiations to adjust timelines.