The enforcement of Regulation (EU) 2024/1689 is two-level by design. The EU AI Office handles general-purpose AI model providers directly. For the deployers of high-risk AI systems, the relevant authority is a national one. In financial services, that national authority is almost always a pre-existing sectoral supervisor that had already developed its own AI guidance well before the Regulation was adopted. Understanding those prior frameworks is as important as understanding the Regulation itself.
Key takeaways
- Article 70 of Regulation (EU) 2024/1689 requires each member state to designate at least one notifying authority and at least one market surveillance authority. For AI used by regulated financial institutions, Article 74(6) makes the existing financial supervisor the market surveillance authority, so the major member states layer EU AI Act enforcement onto their sectoral regulators rather than onto the general-purpose designee.
- Germany designated the Bundesnetzagentur for general AI surveillance. BaFin retains supervisory authority over AI in regulated financial services and is also the DORA supervisor for German financial entities from 17 January 2025.
- The Netherlands designated the RVO as primary national competent authority. AFM and DNB retain sectoral competence. Both bodies published pre-Act AI guidance that maps directly onto Article 9 risk management obligations.
- France designated ANSSI alongside sector supervisors. The ACPR supervises AI in banking and insurance. The CNIL covers data protection aspects, meaning that credit and insurance AI deployers in France face dual supervision from two bodies with overlapping mandates.
- Across all three jurisdictions, the written record of the deployer's human oversight arrangements (the assignment of competent, trained and empowered persons that Article 26(2) requires) is the primary document a supervisor will request. It should be ready before the 2 August 2026 deadline, regardless of the Omnibus delay.
The enforcement architecture: a brief map
The full enforcement architecture of the EU AI Act is described in detail in the enforcement architecture article on this site. For the purposes of this national supervisor analysis, the relevant structural points are these.
Article 70(1) of Regulation (EU) 2024/1689 requires each member state to designate at least one notifying authority and at least one market surveillance authority, together referred to as national competent authorities. The Regulation allows a member state to designate a single coordinating body or to distribute the function across multiple sector supervisors. In practice, most major member states have taken a hybrid approach: one primary authority for general AI systems and designated sector supervisors for regulated industries. For financial services the Regulation itself decides much of the split: Article 74(6) provides that, for high-risk AI systems placed on the market, put into service or used by financial institutions regulated under Union financial services law, the market surveillance authority is the national authority responsible for the financial supervision of those institutions, in so far as the AI system is used in direct connection with the provision of those financial services. The deadline for member states to notify their designations to the European Commission was 2 August 2025.
Article 74 specifies the market surveillance authority's enforcement powers. Those powers include the right to access an operator's technical documentation, to enter premises and conduct inspections, to require corrective action including modification or withdrawal of an AI system, and to impose penalties up to the ceilings set in Article 99. The Article 99 tier relevant to deployers is the second: up to EUR 15 million or 3 per cent of worldwide annual turnover, whichever is higher.
The EU AI Office, established within the European Commission by Commission Decision of 24 January 2024 and operating from February 2024, supervises general-purpose AI model providers under the obligations of Articles 51 through 56 and the enforcement powers of Articles 88 through 94. Its mandate does not extend to deployer-level enforcement of the Article 26 obligations, with the narrow exception in Article 75 for high-risk systems built on a general-purpose model by the same provider. For most financial services deployers, the AI Office is not the operative enforcement risk.
Germany: BaFin and the Bundesnetzagentur
Germany's supervisory architecture for AI combines a general market surveillance function with strong sector-specific oversight. The Bundesnetzagentur (Federal Network Agency) was designated as Germany's primary market surveillance authority for general AI systems under Article 70 of the Regulation. For AI deployed in regulated financial services, BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) retains the supervisory competence it has exercised since before the Regulation was adopted and, by operation of Article 74(6), is also the market surveillance authority for high-risk AI used in direct connection with the financial services it supervises.
BaFin's pre-Act engagement with AI in financial services is substantive. The 2021 guidance document "Orientierungshilfe zum KI-Einsatz" established a framework for the use of AI models in credit and insurance applications, setting early expectations around explainability, auditability, and human oversight. That guidance was not legally binding in the way that the EU AI Act obligations now are, but it established the conceptual vocabulary that BaFin supervisors bring to AI reviews. Deployers who have operated AI systems in German financial markets without engaging with those principles are likely to find supervisory dialogue harder, not easier, after August 2026.
BaFin's priority areas for AI supervision in 2026 include AI systems used in credit scoring and lending decisions, algorithmic trading systems (particularly those capable of autonomous order generation), robo-advisory platforms operating under MiFID II, and AI-assisted KYC and AML processes. Not all of these are high-risk under the Regulation. Annex III, point 5, lists AI used to evaluate the creditworthiness of natural persons or to establish their credit score (other than for detecting financial fraud) and AI used for risk assessment and pricing in life and health insurance; algorithmic trading, robo-advice and KYC/AML tooling are not listed and remain under BaFin's sectoral supervision rather than the Annex III regime. Where a system is high-risk, the full suite of Article 26 deployer obligations applies: operation in accordance with the provider's instructions for use, human oversight assigned to competent and trained persons, control over the relevance of input data, monitoring and serious incident reporting, retention of the system's automatically generated logs for at least six months, and cooperation with the competent authorities. The Article 9 risk management system is a provider obligation, which matters here because a bank that develops its own scoring model, or substantially modifies a purchased one, is a provider as well as a deployer under Article 25.
The DORA layer compounds BaFin's supervisory scope. Regulation (EU) 2022/2554 (the Digital Operational Resilience Act) applied from 17 January 2025 and subjects financial entities to a comprehensive ICT risk management framework. BaFin is Germany's designated DORA supervisor for financial entities, which means that an AI-dependent system is now a candidate for supervisory review under both the EU AI Act and DORA simultaneously. The two regimes address different failure modes (AI misuse versus ICT operational failure), but in practice they pull from many of the same technical records. A deployer maintaining separate compliance files for each regime without cross-referencing them is likely to create inconsistencies that complicate supervisory dialogue.
For German financial services deployers, the practical consequence of this dual structure is a document strategy that satisfies both regimes from a single source of truth. The risk record required under Article 26 of the EU AI Act should be built in a format that also maps to the ICT risk register requirements under Articles 6 through 10 of DORA. The overlap is substantial enough that maintaining two independent risk records for the same AI system is operationally inefficient and introduces the risk of inconsistent representations to two separate supervisors.
The Netherlands: AFM, DNB, and the RVO designation
The Netherlands designated the RVO (Rijksdienst voor Ondernemend Nederland, or Netherlands Enterprise Agency) as its primary national competent authority under the EU AI Act. For AI systems deployed in financial markets and prudentially supervised institutions, the AFM (Autoriteit Financiële Markten) and DNB (De Nederlandsche Bank) retain sectoral competence. The Autoriteit Persoonsgegevens (the Dutch data protection authority) was designated as market surveillance authority for AI use cases involving personal data processing. The Regulation permits that choice for the Annex III categories named in Article 74(8) and, under Article 77, gives data protection and other fundamental rights authorities the right to request the documentation of any high-risk AI system within their mandate.
Both AFM and DNB had published substantive AI guidance before the Regulation was adopted. The AFM's AI strategy paper, published in 2022, identified three supervisory principles for AI in financial markets: fairness (the system must not produce discriminatory outcomes for comparable users), transparency (decision-making processes must be explainable to the degree required by the regulatory context), and resilience (the system must remain stable and governable under adverse conditions). These three principles map closely onto the Article 9 risk management requirements and the Article 14 human oversight provisions of the Regulation.
DNB's "Good Practices for Machine Learning" guidance, first published in 2019 and updated in 2022, is the more technically detailed of the two frameworks. It addresses model risk management for machine learning applications used by supervised financial institutions and covers validation methodology, documentation standards, explainability techniques, and ongoing monitoring. Several of the practices described in that guidance anticipate the Regulation's provider-side obligations almost exactly: the continuous, iterative risk management process of Article 9(2), the technical documentation of Article 11 and the post-market monitoring of Article 72 all have counterparts in DNB's requirements to maintain documentation, conduct pre-deployment validation and operate continuous monitoring. Those provisions bind providers, so they fall on an institution that builds or substantially modifies its own models. Institutions that implemented the DNB guidance correctly have a meaningful head start.
The AFM's focus in 2026 encompasses AI in investment advice (including automated suitability assessments under Article 25 of MiFID II and Article 54 of Delegated Regulation (EU) 2017/565), automated order execution systems, and AI systems used to assess product suitability for retail clients. None of these use cases is listed in Annex III, so they are supervised by the AFM under MiFID II rather than as high-risk systems under the Regulation, unless the same system also evaluates the creditworthiness of natural persons. Where an AFM-supervised firm does deploy a high-risk system, the interaction between MiFID II suitability documentation and the Regulation's logging and transparency requirements requires careful integration. The written record of human oversight arrangements under Article 26(2), which the AFM has indicated is a priority document in its AI reviews, must also be consistent with the MiFID II governance documentation held on file.
One particular compliance feature of the Dutch supervisory landscape is the breadth of DNB's prudential perimeter. DNB supervises banks, insurers, pension funds, and payment institutions. An AI system used in actuarial modelling for a Dutch insurer falls within DNB's prudential oversight, the EU AI Act market surveillance framework, and the Solvency II governance requirements simultaneously. Deployers operating across that intersection should not expect each of those frameworks to be administered in isolation. Dutch supervisory practice tends toward integrated review, and a deployer with a coherent cross-regulatory file is in a materially better position than one who treats each framework as a separate compliance task.
France: ACPR, CNIL, and the ANSSI designation
France designated ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information, the French cybersecurity agency) alongside its existing sector supervisors as the national authority under the EU AI Act. For financial services, the relevant supervisor is the ACPR (Autorité de Contrôle Prudentiel et de Résolution), which supervises banks, insurance companies, and investment firms and is attached to the Banque de France. The CNIL (Commission Nationale de l'Informatique et des Libertés) serves as the data protection supervisor and is designated as market surveillance authority for AI use cases involving personal data, a category that includes virtually all credit and insurance AI applications. The Regulation permits that choice for the Annex III categories named in Article 74(8), and Article 77 independently entitles the CNIL, as a fundamental rights authority, to request the documentation of any high-risk AI system.
The ACPR's pre-Act engagement with AI is formal and published. In 2020, the ACPR co-published with the Banque de France a report titled "Machine Learning Algorithms: A Challenge for Banking Supervision." That report identified credit, insurance, and market risk AI as the three priority application areas requiring supervisory attention, and it established an analytical framework based on model complexity, interpretability, and systemic exposure. That framework continues to inform ACPR's supervisory approach. Deployers who have engaged with the 2020 report and who can demonstrate how their AI governance responds to its analytical framework are in a stronger position in any ACPR supervisory dialogue.
The ACPR's supervisory priorities for AI in 2026 are concentrated in three areas: algorithmic credit scoring, particularly for consumer and SME lending decisions; AI in insurance underwriting and claims handling, where the combination of behavioural data inputs and automated decision outputs raises both Article 9 risk management questions and anti-discrimination concerns; and robo-advice and digital investment services, where the MiFID II suitability obligations intersect with the EU AI Act transparency provisions.
The CNIL adds a distinct and parallel supervisory dimension. Since the adoption of the EU AI Act, the CNIL has positioned itself as the principal French authority for the data protection dimensions of AI compliance. Its 2023 guide on developing AI systems in compliance with the GDPR, "Comment développer un système d'IA respectueux de la vie privée," maps GDPR obligations onto AI development lifecycle stages including data collection, model training, deployment, and monitoring. For a deployer using personal data in an AI system, the CNIL's guide is the closest existing French document to a practical compliance roadmap for the data inputs of an Article 26-regulated system.
The overlap between the ACPR and CNIL mandates is especially acute in credit scoring. An AI credit scoring system used by a French bank processes personal financial data at scale, generates decisions that have significant legal or similarly significant effects on natural persons (an Article 22 GDPR trigger), and falls within Annex III of the EU AI Act as a high-risk AI system in the access to financial services category. A deployer operating such a system in France faces supervisory exposure from the ACPR on the prudential and conduct side, from the CNIL on the data protection side, and from the general EU AI Act market surveillance framework administered by ANSSI. These three bodies do not currently operate through a single joint inquiry mechanism, and the practical risk of simultaneous parallel inquiries from two of them is real for any deployer whose system generates a regulatory trigger event.
The United Kingdom: FCA, ICO, and AISI (cross-border context)
The United Kingdom left the European Union and is not subject to Regulation (EU) 2024/1689. The UK operates a different regulatory framework for AI: the 2023 AI Regulation White Paper, which takes a principles-based approach distributed across existing sector regulators rather than a single horizontal statute. The FCA supervises AI in financial markets under its existing principles-based framework, including Principle 12 (Consumer Duty) and the Senior Managers and Certification Regime, rather than under a dedicated AI statute.
For EU operators with UK-facing business, or for UK firms with EU operations, the cross-border supervisory picture requires careful mapping. The FCA's "AI Update", published in April 2024 in response to the government's request that regulators set out their approach, confirmed that the FCA intends to supervise AI under existing regulatory frameworks rather than await a new statute. Consumer Duty (effective 31 July 2023) requires financial services firms to demonstrate that their products and services deliver good outcomes for retail customers, a requirement that AI-assisted advice and product recommendation systems must satisfy through outcome monitoring.
AISI (the AI Safety Institute, renamed the AI Security Institute in February 2025 and operating under the Department for Science, Innovation and Technology) focuses on frontier model safety and security evaluation, not deployer compliance. UK firms deploying third-party AI products in financial services should not expect AISI to be a relevant enforcement contact. The FCA and, for data-related AI issues, the ICO (Information Commissioner's Office) are the operative supervisors.
The practical implication for cross-border operators is that the UK and EU supervisory requirements are not equivalent but they share significant structural overlap. The FCA's Consumer Duty outcome monitoring requirements, the provider's post-market monitoring obligation under Article 72 of the EU AI Act and the deployer's duty under Article 26(5) to monitor the system's operation against the instructions for use all demand ongoing surveillance of how an AI system performs for its users. A deployer that maintains a robust monitoring programme for the EU AI Act is also building most of the evidence base it needs for Consumer Duty compliance. The documentation, however, must be tailored to each regime's specific language and structure.
Practical obligations by supervisor: what deployers should prepare
Across all three major EU jurisdictions covered in this article, the single most consistently anticipated document is the written record of the deployer's human oversight arrangements. All three national supervisory frameworks (BaFin's 2021 AI guidance, DNB's 2022 Good Practices, and ACPR's 2020 Machine Learning report) emphasise human control and intervention capability as a defining criterion for responsible AI deployment in financial services. The EU AI Act codifies that expectation in Article 26(2), which requires the deployer to assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support. A deployer who cannot produce a written description of those arrangements, tailored to the specific AI system in question, should treat that gap as the highest-priority compliance item before August 2026.
For financial services operators deploying high-risk AI in multiple EU member states, the document set required under Article 26 must be defensible to each national supervisor simultaneously. The substantive requirements are uniform under the Regulation, but the supervisory frames are not. A risk record written in a format designed primarily for the Bundesnetzagentur may not communicate effectively to an ACPR examiner accustomed to the ACPR's 2020 machine learning analytical framework. Operators managing multi-jurisdiction AI compliance should either maintain jurisdiction-adapted versions of their core documents or ensure that their primary compliance file includes explicit mapping to each relevant national authority's published guidance.
The Article 26(5) serious incident reporting obligation is operationally significant in this multi-supervisor context. A deployer that identifies a serious incident must immediately inform first the provider, and then the importer or distributor and the relevant market surveillance authorities; the Article 73 reporting windows (15 days as a general rule, two days for a widespread infringement or an incident disrupting critical infrastructure, 10 days where a person has died) bind the provider, but the provider cannot meet them if the deployer sits on the information. The relevant market surveillance authority is the one in the member state where the incident occurred, not necessarily the member state where the deployer is established. A deployer with operations in Germany and France should have incident triage procedures that identify which authority receives the report and which provider contact is notified first, rather than discovering the question for the first time at the moment of the incident.
For the insurance and liability dimension of this supervisory landscape, the coverage question is how an AI regulatory liability policy responds to multi-jurisdiction regulatory proceedings. A single AI system generating serious incidents or supervisory inquiries in two member states simultaneously creates a regulatory liability exposure that may be denominated in two different penalty tiers from two different authorities. For the coverage framework that addresses these multi-jurisdiction regulatory exposures, see the agentcertified.eu certification framework, which maps compliance posture to risk quantification across multiple regulatory regimes, and the Article 26 deployer obligations guide on this site for the full documentation baseline.
The expected enforcement focus for 2026 and 2027 across all four supervisors described in this article is concentrated in the same two sector clusters: financial services AI and HR technology. These are the areas where the pre-existing supervisory frameworks map most directly onto the EU AI Act's Annex III high-risk classification (credit scoring of natural persons and life and health insurance pricing under point 5, employment and worker management under point 4). A deployer using AI for credit scoring, insurance underwriting or employment screening who has not yet begun the Article 26 compliance exercise is operating within the active enforcement radar of the authorities most resourced and most motivated to act, and a firm using AI for investment advice faces the same supervisors under MiFID II even though that use case sits outside Annex III.
Frequently asked questions
Which authority supervises AI used in German financial services under the EU AI Act?
Germany designated the Bundesnetzagentur as the primary market surveillance authority for general AI systems under Article 70 of Regulation (EU) 2024/1689. BaFin retains supervisory competence for AI deployed in regulated financial services, including credit scoring, algorithmic trading, and AI-assisted KYC and AML processes, and under Article 74(6) it is also the market surveillance authority for high-risk AI used in direct connection with those services. Deployers therefore answer to BaFin both for sector requirements and for the EU AI Act obligations, of which only credit scoring of natural persons and life and health insurance pricing trigger the Annex III high-risk regime. DORA, which applied from 17 January 2025, adds a further ICT risk management layer that BaFin supervises for German financial entities.
What is the AFM's approach to AI supervision in the Netherlands?
The AFM (Autoriteit Financiële Markten) retains sectoral competence for AI in financial markets alongside the RVO as the Netherlands' primary national competent authority under the EU AI Act. The AFM's AI strategy, published in 2022, identifies three supervisory principles: fairness, transparency, and resilience. In 2026 the AFM's priority areas include AI in investment advice, automated order execution, and product suitability assessments under MiFID II. DNB's machine learning guidance, updated in 2022, maps directly onto Article 9 risk management system obligations and provides the most detailed pre-Act technical benchmark available in the Netherlands.
How does France's ACPR relate to EU AI Act enforcement?
France designated ANSSI alongside sector supervisors including the ACPR. The ACPR's supervisory priorities for AI cover algorithmic credit scoring, AI in insurance underwriting and claims handling, and robo-advice. The CNIL supervises the data protection aspects of EU AI Act obligations in France. Deployers operating AI in French financial services should prepare for potential inquiry from both the ACPR and the CNIL, as their mandates overlap in credit and insurance AI use cases. The ACPR's 2020 machine learning report with the Banque de France is the foundational analytical document for its supervisory approach.
What documents should a financial services deployer prepare for a national supervisor inquiry?
The core document set for a supervisory inquiry under the EU AI Act combines the Article 26 deployer obligations with any sector-specific AI governance requirements of the relevant regulator. The minimum file should include a risk record mapped to the Article 9 risk management categories, a written description of the human oversight arrangements required by Article 26(2), an instructions-for-use map showing how the deployer has followed the provider's guidance, a log retention schedule meeting the Article 26(6) minimum of six months together with the serious incident triggers that feed the Article 26(5) reporting duty, and a record of the CE marking and EU declaration of conformity evidence reviewed before deployment. BaFin and AFM have both indicated in prior AI guidance that explainability documentation and audit trail records are priority review items.
Does DORA change the AI supervisory obligations for financial entities in the EU?
DORA (Regulation (EU) 2022/2554) applies from 17 January 2025 and subjects financial entities to ICT risk management obligations that extend to AI-dependent systems. DORA does not replace the EU AI Act obligations but adds a parallel ICT risk management and third-party risk framework. For a financial entity deploying a high-risk AI system, compliance requires satisfying DORA's ICT risk management requirements, the EU AI Act's Article 26 deployer obligations, and the sector-specific AI guidance of the national supervisor. Where AI systems process personal data, GDPR obligations apply concurrently.
References
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), OJ L, 12.7.2024.
- Article 70, Regulation (EU) 2024/1689: designation of national competent authorities and single points of contact. Member state notification deadline: 2 August 2025.
- Article 74, Regulation (EU) 2024/1689: powers of market surveillance authorities including documentation access, premises inspection, corrective action orders, and penalty imposition.
- Article 26, Regulation (EU) 2024/1689: obligations of deployers of high-risk AI systems, including Article 26(2) assignment of human oversight, Article 26(5) monitoring and serious incident reporting, and Article 26(6) retention of automatically generated logs.
- Article 99, Regulation (EU) 2024/1689: three-tier penalty structure. Second tier (deployer obligations): up to EUR 15 million or 3 per cent of worldwide annual turnover.
- European Commission Decision of 24 January 2024 establishing the AI Office within the European Commission. AI Office operational from February 2024.
- BaFin, "Orientierungshilfe zum KI-Einsatz" (2021). Guidance on the use of AI models in credit and insurance applications, including explainability and human oversight principles.
- DNB (De Nederlandsche Bank), "Good Practices for Machine Learning" (2019, updated 2022). ML model risk management guidance for supervised financial institutions.
- AFM (Autoriteit Financiële Markten), AI Strategy (2022). Three supervisory principles for AI in financial markets: fairness, transparency, resilience.
- ACPR and Banque de France, "Machine Learning Algorithms: A Challenge for Banking Supervision" (2020). Priority supervision areas: credit, insurance, market risk AI.
- CNIL, "Comment développer un système d'IA respectueux de la vie privée" (2023). GDPR compliance guide for AI system development and deployment lifecycle.
- Regulation (EU) 2022/2554 (Digital Operational Resilience Act, DORA). Applied from 17 January 2025. ICT risk management obligations for EU financial entities.
- FCA, "AI Update" (April 2024). Confirmation that the FCA will supervise AI under existing regulatory frameworks including Consumer Duty and PRIN 12.
- Regulation (EU) 2016/679 (General Data Protection Regulation), Articles 22 and 83. Data protection obligations for AI systems processing personal data; coordination with EU AI Act enforcement through Articles 74(8) and 77 of Regulation (EU) 2024/1689.
- Annex III, Regulation (EU) 2024/1689: list of high-risk AI systems, including (point 4) AI in employment and worker management, and (point 5) AI evaluating the creditworthiness or credit score of natural persons and AI used for risk assessment and pricing in life and health insurance. Investment advice, algorithmic trading and KYC/AML are not listed.