When GDPR arrived, most companies treated it as an IT project. The privacy notice got updated. The data flows got mapped. Once the infrastructure was in place, the conversation largely moved on.
The EU AI Act will not yield to the same approach. It does not ask companies what data they hold. It asks what their systems decide, and whether anyone is truly accountable for those decisions. In financial services, where AI is already influencing credit assessments, risk profiling, and suitability determinations at scale, that is not an abstract question. The firms operating in Cyprus, many of which have been building AI-assisted products under live regulatory conditions for close to a decade, have the operational experience to answer it seriously.
The Act entered into force in August 2024. Its core obligations for high-risk AI systems in financial services apply from August 2026, with a proposed extension to December 2027 currently under consideration by the European Commission. The following discussion relates specifically to firms regulated within the EU framework, including those authorised in Cyprus. Whatever the final date, the direction is settled. The question is not whether these obligations will arrive. It is whether firms are building toward them or waiting to be told.
Most firms using AI tools are responsible for them. That is the shift.
The Act draws a distinction between providers, the companies that build AI systems, and deployers, the companies that put them to use. Most financial services firms sit in the second category. They are using AI tools built by third parties for credit assessment, client risk profiling, fraud detection, suitability checks, and a growing range of operational functions. The practical implication is significant: deployer obligations cannot be delegated to the vendor.
This is a point the Act addresses directly. Many firms assume that because they did not build the AI system they are using, their compliance responsibility is limited to procurement. The Act disagrees. If a firm is using a third-party AI system for client risk assessments, the responsibility for how that system behaves, how it is monitored, how it is overseen, and what happens when it produces an unexpected outcome, sits with the firm. Not with the software provider. Vendor contracts do not transfer accountability.
The transition will be more manageable for firms that approach it as an operational question from the outset — involving product, risk, and technology teams rather than treating it as a legal exercise alone.
The classification question is more complex than it appears.
The Act’s most demanding obligations attach to systems classified as high-risk. In financial services, this explicitly includes AI used for creditworthiness assessments, credit scoring, and risk evaluation for insurance purposes. But the scope extends to any AI system that makes or materially influences decisions about individuals’ access to financial products and services.
For a firm operating in Cyprus, that can include automated suitability tools, risk categorisation models, fraud and AML screening systems, and client profiling engines. Many firms are running these tools without having formally asked whether they meet the threshold. The classification question — asking “which of our AI systems requires full compliance, and can we demonstrate it?” — is where the real work starts. The Act’s timeline means it cannot be deferred indefinitely.
Once a system is in scope, the obligations are operational, not merely documentary. Technical evidence of how the system works. Data governance standards for the inputs it uses. Logging sufficient to allow post-hoc review. Transparency to users about when AI is influencing decisions. And an oversight mechanism that is genuine, meaning a qualified person can review, intervene in, and override the system in practice, not just in theory. The penalties for non-compliance reach fifteen million euros or three percent of global annual turnover, whichever is higher.
What the Act gets right — and where we go further
The EU AI Act is asking the right question. Accountability for AI systems — who is responsible, what oversight exists, how decisions can be reviewed — is a necessary foundation, and the industry needed that question put clearly.
But accountability is a floor, not a destination. The question that shapes how we think about product design at Capital.com is not only whether our AI systems can be audited, but whether they are genuinely serving the people using them. That is a different question, and a broader one.
Our strategic direction across our EU-regulated entities is shaped by a belief we hold independently of regulatory timelines: that AI in financial services should be designed to improve the quality of the decisions clients make, not to maximise the volume of activity they generate. We describe this as being built for better decisions. It is not a response to the Act. It is how we have been thinking about what a responsible platform looks like as AI becomes central to what we do.
The implications for how we approach governance follow from that. Transparency, oversight, and the ability to review and intervene in AI-driven processes matter to us because they serve clients — not only because they satisfy an obligation. That means designing these things from the start, rather than building documentation around systems that already exist.
The EU AI Act’s requirements are a codification of the accountability part of that thinking. The proposed delay to December 2027 may provide additional runway. The firms that use it well will be those asking not just “are we compliant?” but “is our AI doing what it should be doing for the people using it?” Those are related questions. They are not the same one.
By Valentina Rzheutskaya, Chief Legal Officer and Executive Director, Capital.com
Valentina Rzheutskaya is Chief Legal Officer, Executive Director at Capital.com, a globally operating group authorised and regulated by multiple financial regulators.