Skip to content
Illustrations of people going to parties at night

The EU AI Act: What it means for your business

Authors

  • Konrad Meier

    Senior Manager, AI Law Leader in Financial Services | EY Switzerland

  • Roger Spichiger

    Partner, AI Leader in Financial Services | EY Switzerland

6 minute read 15 Mar 2024
Related topics
Forensics
Financial services
Technology leader's agenda
Risk
Technology

Read in Frenchread in German

The EU AI regulation is coming. What does it mean for you and your business in Switzerland?

Download the EY EU AI Act brochure

In brief

  • The EU AI Act brings strict requirements, also for organizations which have not had to deal with model management until now.
  • As a first step, organizations should gain an overview,  build a repository of all models and implement a model management.
  • The EU AI Act is set to enter into force in Q2-Q3, 2024, with transition periods for complying with various requirements ranging from 6-24 months.

Artificial Intelligence (AI) is transforming our world in unprecedented ways. From personalized healthcare to self-driving cars and virtual assistants, AI is becoming ubiquitous in our daily lives. However, this growing use of AI has raised many concerns about its impact on fundamental rights and freedoms. In response to this, the European Union (EU) has taken a significant step to regulate AI.

The EU AI Act, also known as the EU Artificial Intelligence Act, is the world's first concrete initiative for regulating Artificial Intelligence. It aims to turn Europe into a global hub for trustworthy AI by laying down harmonized rules governing the development, marketing, and use of AI in the EU. The AI Act aims to ensure that AI systems in the EU are safe and respect fundamental rights and values. Moreover, its objectives are to foster investment and innovation in AI, enhance governance and enforcement, and encourage a single EU market for AI.

Who is affected by the EU AI Act?

The AI Act has set out clear definitions for the different actors involved in AI: providers, deployers, importers, distributors, and product manufacturers. This means all parties involved in the development, usage, import, distribution, or manufacturing of AI systems will be held accountable. Moreover, the AI Act also applies to providers and deployers of AI systems located outside of the EU, e.g., in Switzerland, if output produced by the system is intended to be used in the EU.

What is required for the EU AI Act?

Step 1: Model inventory – understanding the current state

To understand the implications of the EU AI Act, companies should first assess if they have AI systems in use and in development or are about to procure such systems from third-party providers and list the identified AI systems in a model repository. Many financial services organizations can utilize existing model repositories and the surrounding model governance and add AI as an additional topic.

Organizations which have not needed a model repository so far should start with a status quo assessment to understand their (potential) exposure. Even if AI is not used at present, it is very likely that this will change in the coming years. An initial identification can start from an existing software catalogue or, if this is not available, with surveys sent to the various business units. 

Step 2: Risk classification of models

Based on the model repository, the AI systems can be classified by risk. The EU AI Act distinguishes different risk categories:

How EY can help

  • EU AI Act readiness

    The EU AI Act will be adopted shortly with far-reaching extraterritorial impact. As it is often more costly and complex to ensure compliance when AI systems are operating than during development, we recommend that firms start preparing now with a professional AI Act readiness assessment and early adaptation.

    Read more

The Act lays out examples of systems posing an unacceptable risk. Systems falling into this category are prohibited. Examples include the use of real-time remote biometric identification in public spaces or social scoring systems, as well as the use of subliminal influencing techniques which exploit vulnerabilities of specific groups.

High-risk systems are permitted but must comply with multiple requirements and undergo a conformity assessment. This assessment needs to be completed before the systems is released on the market. Those systems are also required to be registered in an EU database which shall be set up. Operating high-risk AI systems requires an appropriate AI risk management system, logging capabilities and human oversight respectively ownership. There shall be proper data governance applied to the data used for training, testing and validation as well as controls assuring the cyber security, robustness and fairness of the system.

Examples of high-risk systems are those related to the operation of critical infrastructure, systems used in hiring processes or employee ratings, credit scoring systems, automated insurance claims processing or setting of risk premiums for customers.

The remaining systems are considered limited or minimal risk. For those, transparency is required, i.e., a user must be informed that what they are interacting with is generated by AI. Examples include chat bots or deep fakes which are not considered high risk but for which it is mandatory that users know about AI being behind it.

For all operators of AI systems, the implementation of a Code of Conduct around ethical AI is recommended. Notably, General-purpose AI models (GPAI), including foundation models and generative AI systems, follow a separate classification framework. The AI Act adopts a tiered approach to compliance obligations, differentiating between high-impact GPAI models with systemic risk and other GPAI models. 
 

Step 3: Prepare and get ready

If you are a provider, deployer, importer, distributor or affected person of AI systems, you need to ensure that your AI practices are in line with this new artificial intelligence regulation. To start the process of fully complying with the AI Act, you should initiate the following steps: (1) assess the risks associated with your AI systems, (2) raise awareness, (3) design ethical systems, (4) assign responsibility, (5) stay up-to-date, and (6) establish a formal governance. By taking proactive steps now, you can avoid potential significant sanctions for your organization upon the Act coming into force.

The AI Act is set to come into force in Q2-Q3 2024 following publication in the Official Journal of the European Union. Transition periods for compliance will subsequently be imposed with companies having 6 months to adhere to requirements for prohibited AI systems, 12 months for certain General Purpose AI requirements, and 24 months to achieve full legislative compliance.
 

What are the penalties in case of non-compliance?

The penalties for non-compliance with the AI Act are significant and can have a severe impact on the provider’s or deployer's business. They range from €7.5 million to €35 million or 1% to 7% of the global annual turnover, depending on the severity of the infringement.  Hence, it is essential for stakeholders to make sure they understand the AI Act fully and comply with its provisions.
 

How is the financial services sector impacted by the EU AI Act?

Financial services have been identified as one of the sectors where AI could have the most significant impact. The EU AI Act contains a three-tier risk classification model that categorizes AI systems based on the level of risk they pose to fundamental rights and user safety. The financial sector uses a multitude of models and data-driven processes which will come to rely more on AI in the future. Processes and AI systems used for creditworthiness assessments, or the evaluation of risks with AI premiums of customers fall into the high-risk category under the AI Act. Additionally, AI systems used in operating and maintaining financial infrastructure considered to be critical also fall under the scope of high-risk AI systems, as do AI systems used for biometric identification and categorization of natural persons or employment and employee management. 

EY EU AI Act brochure

Download the PDF to get an overview of the EU AI Act and its impact on the markets. 

Download PDF
Illustrations of people going to parties at night

Summary

The EU AI Act is set to be a significant milestone in the field of AI regulation and innovation. To ensure that the benefits of AI are fully realized while protecting fundamental rights and user safety, it is important for organizations to act now, assess their risks, and start preparing for the changes that the AI Act will bring. By doing so, organizations can move towards a more secure and trustworthy AI environment which will allow them to reap the rewards of this transformative technology.

Acknowledgement:

We kindly thank Ava Dossi for her contribution to this article.

Related Services

  • Forensic & Integrity services

    Learn more about our Forensic & Integrity services teams and how they can help your business help organizations achieve their integrity agenda.

    Read more

  • Financial Services

    Learn more about our Financial Services teams and how they can help your business focus on delivering value while navigating risk and managing disruption.

    Read more

  • Technology leaders’ agenda

    To strategically transform, leaders need to deliver tech at speed, innovate at scale and put humans at the center.

    Read more

  • Risk

    Discover how leading risk management practices create value and a competitive advantage by embracing disruption with trust and confidence.

    Read more

  • Technology

    Discover EY's technology insights, people & services and how they can help your business improve performance, manage risk and drive innovation.

    Read more

  • AI Insights

    Explore our global insights that look at how you can build confidence in AI, drive exponential value throughout your organization and deliver positive human impact. Learn more.

    Read more

About this article

Authors

  • Konrad Meier
    Senior Manager, AI Law Leader in Financial Services | EY Switzerland
  • Roger Spichiger
    Partner, AI Leader in Financial Services | EY Switzerland
Related topics
Forensics
Financial services
Technology leader's agenda
Risk
Technology

Related articles

How cyber incident simulations enhance cross-team collaboration

Explore the benefits of running cyber incident simulations to improve cybersecurity and collaboration throughout your organization.

02 Jun 2025 Marc Minar

How wealth managers can leverage complexity for competitive advantage

Client sentiment is shifting. Learn how wealth managers can respond with targeted improvements in financial and non-financial services.

20 May 2025 Olaf Toepfer +2

How intra-generational transfers disrupt inter-generational strategies

Get detailed insights into the shape of global wealth transfers intra-generationally, and into the views and plans of Baby Boomer inheritors.

20 May 2025 Olaf Toepfer +2

How different generations of financial services professionals view trends in Swiss banking and wealth management 

Explore Banking Automation trends among young and seasoned financial services professionals and the evolving role AI plays in the industry.

12 May 2025 Marcel Zünd +1

Safe harbor interest rates: guidance and key considerations

Discover the key changes in the SFTA’s new safe harbor interest rates for 2025 and what Swiss taxpayers need to know before relying on them.

09 May 2025 Francisco Palacios +1

Navigating cyber risks in AI: safeguarding financial services

Deep-dive into critical vulnerabilities that Swiss financial services organizations deploying AI in cloud environments can be exposed to.

02 May 2025 Marc Minar

Regulatory highlights in the financial services sector – Winter edition 2024/2025

Download EY’s ‘Regulatory Highlights in the Financial Services Sector’ for an update on changes to the Swiss banking regulations, incl. changes to EU legislation.

24 Apr 2025 Darko Stefanoski +1

How a license to lead can transform human potential in an AI world

Learn more about the EY AI Sentiment Index Study and unlock key insights to lead in the AI era.

09 Apr 2025 Beatriz Sanz Sáiz +2

Q4 2024: How did the Swiss valuation parameters and the European M&A volume develop?

This publication provides information on market multiples and cost of capital fundamentals by sector for firms listed in the Swiss All Share Index.

10 Mar 2025 Hannes Schobinger +1

EY position paper on Artificial Intelligence (AI): AI-generated content in transition – between progress and fatigue

AI-generated content is shaping the digital space – an overview of the opportunities, challenges and the role of collaboration between humans and AI.

27 Feb 2025 Adrian Ott

Faced with insider threats, how do you strengthen defenses from within?

Learn why ethical leadership, an environment of trust and a culture of accountability are key in protecting financial institutions from insider threats.

21 Feb 2025 Madhumita Jha

How insurers can accelerate value creation from gaps to gains

Wherever there’s a protection gap, insurers have opportunities to innovate and grow. Read more of the 2025 Global Insurance Outlook findings.

30 Jan 2025 Isabelle Santenac +3

Banking Barometer 2025 - Balance

EY Banking 2025 report indicates Swiss banks may see lower profits ahead but remain confident in their long-term business model.

09 Jan 2025 Patrick Schwaller +2

Highlights from the 2024 EY European Financial Services AI Survey

2024 EY survey reveals 90% of EU finance firms adopt AI with plans to up GenAI spend, facing training, ethics, and regulatory challenges ahead.

18 Dec 2024 Roger Spichiger

Risks and benefits of generative AI in the financial sector

FINMA expects the financial industry to mitigate certain AI risks. Get EY’s recommendations across governance, reliability, transparency and non-discrimination.

16 Dec 2024 Darko Stefanoski +1

How can alternative fund managers shape new horizons of opportunity?

Alternative fund managers see growing demand from a new investor class that not only offers opportunities but challenges. Discover more.

11 Dec 2024 Jessica Bloom +1

How Reverse Solicitation is Shaping Crypto Assets Investments?

This article will describe how the guidelines of the European Securities and Markets Authority (ESMA) is dealing with reverse solicitation under the MiCA.

06 Dec 2024 Darko Stefanoski

CRD VI: Opportunities and challenges for Swiss banks in the EU

As Swiss banks navigate the prudential requirements and exceptions of CRD IV, we help you understand how to stay compliant and ahead of the competition.

02 Dec 2024 Silvia Devulder +1

Q3 2024: How did the Swiss valuation parameters and the European M&A volume develop?

Valuation Market Essentials Switzerland – What key highlights did we observe in Q3 2024?

19 Nov 2024 Hannes Schobinger +1

How will you stand out in today’s crowded digital home market?

To succeed in the fast-evolving digital home, providers must differentiate themselves in the eyes of their target consumers. Here’s how.

30 Oct 2024 Cédric Foray +1

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Limited, each of which is a separate legal entity. Ernst & Young Limited is a Swiss company with registered seats in Switzerland providing services to clients in Switzerland.
    You are visiting EY ch (en)
    ch en