← All posts

The High Risk AI Rules Are Here. Now Comes the Rework.

Europe has finally defined when an AI system is high risk. For financial services, the real story is not the rule. It is how much work the rule forces you to redo.

On 19 May the Commission set out when an AI system counts as high risk.1 A system qualifies by one of two routes: it is a safety component of a regulated product, or its purpose sits in one of eight sensitive domains in Annex III. For finance, three bite: credit scoring, insurance pricing, and hiring.2 Cross that line and the system needs a lifecycle risk file, documented and bias tested data, regulator grade documentation, automatic logging, built in human oversight, declared accuracy and security, a conformity assessment, and registration in an EU database before launch.3 A product safety regime, applied to software. Feedback on the draft was open until 23 June.1

The rework

Most of these systems already exist and already work. The Act does not ask you to build them. It asks you to prove them again, on its terms. That is where the cost lives.

Take a credit model your team has run for six years, long since built, validated, and signed off. It now needs a documented risk process kept current for life, a dossier tracing the origin and representativeness of a decade of data, proof that the data was tested for bias, and written instructions for use.3 None of it changes what the model does. All of it is new work.

The model was also never built to log what the Act demands: every use, the data checked, the matches found, the person who verified the result. That is an engineering retrofit. Oversight must be designed in too, with a real ability to override and halt the system. For a model that runs automatically at scale, that is a product change.3

Then the gate. A conformity assessment and registration before launch, and a fresh assessment on every material change.4 A routine update that once took a sprint now waits on legal, compliance, and model risk. A two week change becomes a two month one.

The Act turns engineering work into documentation work, and continuous improvement into a queue of reassessments.

The competitiveness gap

A US lender ships the same model under existing banking supervision, with no AI specific layer on top: no conformity assessment, no database, no separate dossier. It iterates faster. Much of Asia is lighter still: Singapore and Japan rely on voluntary, principles based frameworks that advise rather than gate.56 A firm there can deploy, learn, and adjust while a European rival is still assembling its file.

The penalty is not a one time fee. It compounds. Every deployment and every change carries the same overhead, so the gap widens with each cycle. Over a few years, that is the difference between shipping monthly and shipping quarterly.

Cutting the knot

Keep the goals. Safety, fairness, and traceability are worth protecting. Drop the duplication. Four moves would carry most of the load:

Together they turn a bespoke compliance project per system into a workflow: classify, inherit a pattern, let the pipeline produce the evidence, map it to existing controls, register, move on. The outcome holds. The rework collapses.

Europe can lead on trustworthy AI without making its own firms the slowest in the room. The consultation on the draft closed on 23 June, and the most useful thing a leader could do was concrete: show where the rules duplicate work already done, and describe the lighter workflow that delivers the same protection. The same case is worth making in every forum where these rules are still taking shape.

References
  1. European Commission, Targeted consultation on the draft guidelines for the classification of high-risk artificial intelligence systems, Shaping Europe’s Digital Future, 19 May 2026.
  2. European Commission, Draft Commission guidelines on the classification of high-risk AI systems, 19 May 2026.
  3. European Parliament and Council, Regulation (EU) 2024/1689 (Artificial Intelligence Act), Articles 6 and 9–15, Official Journal of the European Union, 13 June 2024.
  4. Bird & Bird, The Commission’s Draft High-Risk AI Guidelines under the EU AI Act: A First Read, 2026.
  5. Infocomm Media Development Authority & IAPP, Model AI Governance Framework (Singapore); Global AI Governance Law and Policy: Singapore, 2019–2026.
  6. Ministry of Economy, Trade and Industry (Japan), AI Guidelines for Business, Version 1.0, April 2024.

Cost and timeline characterisations, including the illustrative move from a two week change to a two month one, are the author’s own estimates derived from the obligations in source 3, not figures published by the Commission.

All articles on this site are written by me. I use AI to assist with final formatting and editing before publication.

I share every post on LinkedIn, and that is where the discussion happens. Join it there →

Continue reading