The financial services industry in the EU is undergoing an unprecedented regulatory transformation. A wave of new legislation, spanning AI, data governance, cybersecurity and operational resilience, is not just reshaping compliance requirements but redefining risk management, operational resilience and business operations.

The AI Act, GDPR, the Data Act, the Cyber Resilience Act (CRA), and DORA (Digital Operational Resilience Act) are not isolated rules but part of a broader push toward a more transparent, secure and accountable financial ecosystem. While individually impactful, their collective effect represents a seismic shift in how financial institutions must manage governance, risk and compliance (GRC).

Financial institutions have long leveraged AI for credit scoring, fraud detection, risk modelling and algorithmic trading. The AI Act introduces specific obligations for these high-risk applications, including: pre-market conformity assessments to ensure AI models meet regulatory standards before deployment; continuous monitoring and bias-prevention measures to mitigate unfair outcomes in AI-driven decisions; and transparency and explainability requirements, ensuring that AI-driven decisions in lending, insurance and wealth management can be justified and audited.

For financial firms, this means embedding AI governance directly within their risk and compliance structures, ensuring AI models remain ethical, fair and legally compliant. The AI Act, however, will not exist in isolation; it intersects with GDPR (General Data Protection Regulation) and the Data Act, particularly when financial institutions process personal or sensitive data for AI models.

GDPR remains the cornerstone of data protection, enforcing principles such as purpose limitation, data minimisation and individual rights over automated decisions. Financial institutions must ensure that AI-driven services comply with these principles while still leveraging large datasets for model training.

The Data Act, where applicable, will facilitate data sharing, aiming to increase innovation while ensuring fair access to financial data. Notwithstanding this, firms must navigate the tension between data portability, cloud switching and their privacy obligations under GDPR.

The challenge is to unlock the value of data while respecting data protection, privacy and security obligations, ensuring that AI and other digital services and operations remain robust, compliant and resilient. The rise of cyber threats and digital operational risks has driven regulators to impose stricter cybersecurity and resilience requirements.

Aside from the Cybersecurity Act, two key regulations shaping financial services in this domain are the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA).

CRA mandates that digital products and services, including AI-driven platforms, be secure by design. This aligns with the AI Act’s emphasis on robust, risk-mitigated AI models.

DORA imposes strict cybersecurity, third-party risk management and incident-reporting obligations on financial entities. AI systems used in trading, credit risk assessment or fraud detection must be continuously monitored for vulnerabilities and security risks.

Together, these regulations aim to reinforce the need for a unified, proactive approach to operational risk management, ensuring AI and other digital financial tools are resilient against cyber threats and disruptions.

The challenge here for financial institutions is not merely one of compliance with individual regulations but integrating them into their daily operations and into a cohesive GRC strategy, which should at least factor the following:

Strengthening AI & data governance: Establishing AI Risk Committees to oversee regulatory alignment, ethical AI deployment and bias prevention. Implementing explainability frameworks that meet both AI Act transparency requirements and GDPR’s fairness principles. Defining clear data governance structures, ensuring financial AI systems comply with GDPR, the Data Act and AI Act requirements. Enhancing cross-border data policies and procedures.

Embedding cyber resilience into compliance strategies: Aligning AI security with DORA and CRA mandates, ensuring AI-powered financial services meet cybersecurity and incident-reporting requirements. Vetting third-party AI providers, ensuring they comply with both the AI Act and DORA’s strict outsourcing requirements. Conducting regular security audits and penetration testing to reinforce AI system resilience.

Modernising regulatory & compliance functions: Leveraging RegTech (Regulatory Technology) solutions to automate compliance monitoring across the AI Act, GDPR, DORA and CRA. Strengthening board-level accountability, ensuring senior leadership understands and oversees AI and cybersecurity risks. Integrating AI and cybersecurity oversight within internal audit functions, providing continuous monitoring and compliance validation.

The regulatory landscape for financial services is undergoing a fundamental reset, where AI compliance is just one piece of a larger, interconnected framework governing data, security and operational resilience.

For financial institutions, these regulations may appear as compliance burdens, but they also present significant opportunities. For those willing to embed these regulatory changes into their core strategies, the future isn’t just about regulatory survival but about being an active player in the reshaping of this industry.

By embracing this shift holistically, financial institutions can turn compliance into a competitive advantage, ensuring they not only meet regulatory obligations but also drive innovation, enhance resilience and build lasting customer trust.

Ian Gauci is managing partner of GTG, a technology-focused corporate and commercial law firm at the forefront of major developments in fintech, cybersecurity, telecommunications and technology-related legislation.

This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
