Europe’s bank AI problem is no longer mainly about whether the AI Act creates a new compliance regime. It does. The more useful question is where supervisors will put that regime while banks are still building the operating model around it.
The answer is becoming clear. AI compliance is being moved into the supervisory calendar.
The European Banking Authority has now mapped the AI Act’s high-risk obligations for creditworthiness and credit scoring against the EU banking rulebook. ECB Banking Supervision has put AI and generative AI into its 2026-28 priorities. Pedro Machado, an ECB representative to the Supervisory Board, has since described bank AI adoption as “firmly at its core” from a supervisory perspective, with more than 85% of large supervised banks already using AI in some form.
That is the shift. The AI Act may be horizontal law. Inside banks, it is becoming an examination-planning problem.
The problem is not a blank rulebook
The EBA’s November 2025 mapping exercise is narrow by design. It focuses on high-risk AI systems used to evaluate creditworthiness or establish the credit score of natural persons. That is where the AI Act directly meets ordinary bank economics: underwriting, pricing, credit access and model governance.
The EBA says those systems are classified as high-risk in the banking and payments sector and that the AI Act adds safeguards for them. It then maps those requirements against the sectoral laws already inside the EBA’s perimeter: CRD, CRR, DORA, the Consumer Credit Directive, the Mortgage Credit Directive, the Payment Services Directive and EBA guidelines, including loan origination, internal governance and probability-of-default/loss-given-default rules.
This matters because European banks are not starting from a consumer-app baseline. They already live with capital rules, model governance, conduct duties, outsourcing controls, operational-resilience requirements and supervisory review.
In its AI Act implications note, the EBA says it found no significant contradictions between the AI Act and EU banking and payments law. It also says the AI Act is complementary to the financial-services framework, though banks may need work to integrate the two effectively.
If there is no obvious contradiction, banks get less room to wait. They have to show how the same risk machinery now covers both.
The hard part is supervisory cooperation
The EBA did not find an immediate need to introduce new EBA guidelines or review existing ones. That sounds like regulatory restraint. It is also a warning.
No new guideline does not mean no new work. It means supervisors expect the existing machinery to absorb the AI Act before a bespoke banking-AI manual arrives. The EBA says implementation depends on cooperation between prudential supervisors, conduct authorities and market-surveillance authorities. It also plans 2026 and 2027 work to promote a common supervisory approach.
This is the boring part of the story. It is also where the risk sits.
Credit scoring touches prudential risk, consumer protection, discrimination, data quality, model validation and operational resilience. A bank’s second line may think in terms of model risk. A conduct authority may look at customer outcomes. A market-surveillance authority may care about AI Act conformity. Same model, different institutional reflexes.
For banks, the implication is blunt: AI compliance evidence has to be reusable across supervisors.
A model inventory that only satisfies internal model-risk governance will not be enough if it cannot show AI Act role classification, provider/deployer responsibility, data controls and human oversight. A DORA outsourcing file that treats a GenAI vendor as generic cloud supply may miss model opacity, prompt confidentiality and exit-risk questions.
That is why this is becoming a planning problem. The bank that waits for one final checklist may discover that three authorities have already asked for overlapping evidence in three formats.
The ECB is turning AI into a targeted work programme
The ECB’s 2026-28 supervisory priorities make the next move explicit. Under operational resilience and ICT capabilities, ECB Banking Supervision says it intensified AI and GenAI monitoring in 2025 by collecting data from banks and engaging with specific use cases. It will keep monitoring general AI use while taking a more targeted approach to banks’ generative-AI applications.
The published work programme includes two concrete AI items: targeted horizontal workshops with selected banks on generative-AI applications, and cooperation with AI Act market-surveillance authorities and the EBA.
Horizontal workshops are not enforcement actions. They are how supervisors compare institutions, normalize expectations and learn where the weak controls are.
Machado’s February 2026 speech fills in the supervision logic. He says ECB data collection shows more than 85% of large banks under European supervision already use AI in some form. He also says GenAI is spreading into IT operations, legal and document analysis, customer support, relationship management and internal knowledge tools. Those are not only model-risk domains. They are workflows.
The supervisory concern follows naturally. In the same speech, Machado says AI increasingly affects governance, business-model evolution, operational risk, conduct risk, compliance risk and strategic risk. For GenAI, he points to concentration risk, vendor lock-in, data confidentiality, security, resilience, exit strategies and reputational risk.
Translation: a chatbot procurement can become an outsourcing review, a data-governance review, a conduct review and a board-accountability review. Nobody promised the acronym would stay in one department.
The bank response has to change
The weak response is to create an AI Act project and staff it with lawyers, model-risk specialists and a PowerPoint tolerance for pain.
The stronger response is to treat AI compliance as a supervisory evidence architecture.
That means four practical shifts.
First, banks need a single AI inventory that supervisors can interrogate by use case, business owner, model type, provider, risk tier, customer impact, outsourcing dependency and AI Act role. A list of experiments is not an inventory.
Second, credit-scoring systems need a crosswalk between AI Act high-risk duties and banking controls that already exist.
Third, GenAI needs a different dependency map. Many GenAI systems are externally supplied, cloud-hosted and embedded in workflows where outputs are probabilistic, hard to trace and easy to over-trust.
Fourth, boards and senior managers need to own the operating question, not just approve an AI policy. Machado’s point is that AI does not dilute responsibility. If responsibility is split between IT, data science, the business and compliance without a clean accountability framework, the supervisor will see it.
The implication
Europe’s bank AI regime is not arriving as one clean switch-on date. It is arriving through supervisory planning.
A law tells banks what must be true. A supervisory programme asks them to prove what is true, on a calendar, with accountable owners, comparable evidence and follow-up.
The EBA has made the credit-scoring intersection legible. The ECB has made GenAI a targeted supervisory topic. Together, they are turning bank AI compliance from a future legal-readiness exercise into a current control-system test.
The banks that understand this will not wait for the perfect AI Act banking handbook. They will build the map now: AI use case, applicable law, control owner, supervisory evidence, remediation path.
The banks that do not will discover that “we are monitoring developments” is a sentence supervisors also know how to say.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.