Updated 7 May 2026 · The Digital Omnibus AI Act trilogue agreement of 7 May 2026 postpones Annex III high-risk obligations to 2 December 2027 (the EP press release enumerates biometrics, critical infrastructure, education, employment, law enforcement, border management; non-exhaustive — §5 essential services banking/credit expected to be covered by the general postponement, consolidated text pending). The Eurogroup publicly demanded access to Anthropic's Mythos model in May 2026 so EU banks would not be exposed vs US peers — the DORA × AI Act intersection sharpens.
Sector — Banking / Financial Services
Credit-scoring AI under the EU AI Act
Annex III §5(b) + DORA × Article 26 — and what it means for your conformity pathway.
Credit institutions using third-party AI scoring trigger Annex III §5(b) and Article 27 FRIA automatically by activity. The 7 May 2026 Digital Omnibus did not exclude banking — Annex III §5 binds 2 December 2027. The DORA × AI Act intersection has sharpened: in May 2026 the Eurogroup publicly demanded EU access to Anthropic's withheld Mythos model so EU banks would not be exposed versus US peers. Whether your GPAI provider has signed the Code of Practice is now a deployer question, not a vendor question.
- Independent — not affiliated with any provider, regulator, or notified body
- Article-by-article: Annex III §5 + Article 26 §1–§12 + Article 27 FRIA + Article 25 reverse-bascule + DORA Article 28
- 18-month runway: 2 December 2027 — confirmed post-Omnibus, not arbitrable
Classification
When AI scoring puts you in Annex III §5(b)
Annex III §5(b) covers AI systems intended to evaluate creditworthiness or establish credit scores of natural persons, with two narrow exceptions (detecting financial fraud, and providers exempt under specific MS provisions). If the deployer is a credit institution under Regulation (EU) 575/2013 and uses third-party AI scoring (or fine-tunes a vendor model on internal data), the deployer cascade activates: Article 26 §1–§12 + Article 27 FRIA automatic + Article 25(1)(b) reverse-bascule check.
Test: do you make or substantially influence a credit decision using AI? If yes — Annex III §5(b) applies, Article 27 FRIA is automatic, and Article 26 deployer obligations cascade.
| Activity | Annex III §5 | Article 27 FRIA |
|---|---|---|
| Consumer credit scoring (third-party AI) | Yes — §5(b) | Yes — automatic by activity |
| Insurance pricing using AI | Yes — §5(c) | Yes — automatic by activity |
| Anti-fraud detection (narrow scope) | No — §5(b) exception | No (provider scope) |
| Internal credit risk modelling (no individual decision) | Case-by-case Art. 6(3) | Conditional |
Source: Reg. 2024/1689 Annex III §5 · Reg. (EU) 575/2013 (CRR) · CJEU SCHUFA C-634/21 precedent on automated credit decisions.
Timeline
The banking deadline is 2 December 2027 — not 2 August 2026
Most companies in the AI ecosystem focus on 2 August 2026 (Article 50 transparency). For credit institutions and insurers under Annex III §5, the binding deadline after the Digital Omnibus (trilogue agreement of 7 May 2026) is 2 December 2027: the obligations for Annex III high-risk use cases were postponed by 16 months from the original 2 August 2026.
Banking is expected to be covered by the Annex III general postponement to 2 December 2027 (the EP press release of 7 May 2026 enumerates biometrics, critical infrastructure, education, employment, law enforcement, and border management; the enumeration is non-exhaustive — §5 essential services covered by the general postponement per Council/IAPP/Modulos triangulation, consolidated text pending). Unlike machinery (which received an overlap removal), banking did not receive a sectoral exemption. That leaves roughly 18 months of regulatory runway to produce a defensible position before the obligations bind.
Note on certainty: 10 EU Member States (AT, DK, NL, SK, SI, ES, GR, PT, RO, LV) formed a blocking minority against further deregulation. The 2 December 2027 deadline is durable. Sell on certainty, not on arbitrage.
Sources: Reg. 2024/1689 Annex III · Council/Parliament press release (7 May 2026) · Bloomberg coverage of Eurogroup Mythos demand (May 2026) · MLex EU member states diverging views.
Four deltas
Four obligations specific to banking deployers
DORA, GDPR Art. 22, EBA guidelines, and CRR provide a strong foundation for credit-decision compliance. But none of them produces an AI Act paragraph map. These deltas need to be added to the existing risk framework.
Delta 1 — Article 27 FRIA automatic by activity
Unlike HRTech (where FRIA is conditional on works-council activation) or healthcare (where FRIA does not apply at all), Annex III §5 banking deployers face automatic FRIA the moment Annex III obligations bind. The fundamental rights impact assessment is not optional.
Delta 2 — DORA Article 28 × Article 26 (third-party ICT)
Your GPAI provider is a critical ICT third-party under DORA. Whether they have signed the EU GPAI Code of Practice, and whether they participate in coalitions like Project Glasswing, is now a deployer due-diligence question — not a vendor procurement question.
Delta 3 — Article 25(1)(b) reverse-bascule
Banks that fine-tune a vendor scoring model on their own historical data may be reclassified as providers under Article 25(1)(b), inheriting the heavier Articles 16–22 regime. The boundary check is contractual, not technical: performed at the moment a fine-tuning option is contractually accepted.
Delta 4 — SCHUFA precedent integration
CJEU SCHUFA (C-634/21) ruled that credit scoring constitutes automated decision-making under GDPR Article 22 even when a human formally signs off. Article 26 §11 post-decision information now interlocks with GDPR Article 22 explanation rights. Failure to integrate creates dual-regime exposure.
Sources: Reg. 2024/1689 Articles 25–27 · Reg. (EU) 2022/2554 DORA · Reg. (EU) 2016/679 GDPR Art. 22 · CJEU C-634/21 SCHUFA · EBA guidelines on internal governance.
Our scope
What our assessment covers for banking AI
The Sprinkling Act report for a banking AI system covers the six gates of the standardised methodology, with the banking specificity layered in.
- G1 — Art. 5 — Are any of the 8 prohibited practices triggered?
- G2 — Art. 6(1) — Is the AI system a safety component of an EU-regulated product? (rare for banking, but checked)
- G3 — Art. 6(2) + Annex III §5 — Credit/insurance scoring classification — core gate for banking
- G4 — Art. 50 — Does an end user interact with the AI without knowing? (chatbot disclosure)
- G5 — Art. 51/53 — Does the system use or distribute a general-purpose AI model? (Code of Practice signature check)
- G6 — Art. 6(3) — Can the “no significant risk” exception apply?
Banking specificity:
- Annex III §5(b)/(c) determination with CJEU SCHUFA precedent applied
- Article 27 FRIA scope memo (mandatory for §5 by activity)
- Article 26 §1–§12 paragraph subset map (banking-specific active subset)
- Article 25(1)(b) reverse-bascule check on fine-tuning contracts
- DORA Article 28 third-party ICT cross-reference for GPAI providers
- GDPR Article 22 × AI Act Article 26 §11 dual-regime mapping
- Timeline orientation (2 December 2027 post-Digital Omnibus + significant change trigger)
Out of scope (explicit):
- Internal credit risk model validation (handled by EBA/CRR-aligned providers)
- DORA full ICT risk management framework (separate engagement)
- Stress-testing or capital adequacy assessment
Integration
How this fits with DORA, GDPR Article 22, and EBA guidelines
DORA covers ICT operational resilience, including third-party providers. The AI Act covers the AI-specific obligations layered on top: paragraph subset mapping, FRIA, reverse-bascule, and the GPAI provider due-diligence question that DORA frames but doesn't answer. GDPR Article 22 covers automated decision-making rights; AI Act Article 26 §11 specifies the post-decision information obligation. EBA guidelines on internal governance frame the broader risk function. Our report sits at the intersection — article-mapped, not regime-substitutive.
Concretely: the banking deployer ends up with four documents (DORA ICT risk register, GDPR Art. 22 record, AI Act Article 26 paragraph map, EBA governance trail). The Sprinkling Act report produces the third document. The other three are produced by your existing risk framework.
Sources: DORA Reg. (EU) 2022/2554 · GDPR Reg. (EU) 2016/679 · EBA Guidelines EBA/GL/2021/05 (internal governance) · AI Act Reg. 2024/1689 Articles 25–27.
GPAI provider chain
Where you sit in the GPAI cyber chain
Article 55 GPAI systemic-risk obligations activate 2 August 2026. Whether your GPAI provider has signed the Code of Practice and participates in cyber-coalitions is now a deployer due-diligence question. The Eurogroup publicly demanded EU access to Anthropic's withheld Mythos model in May 2026 (Bloomberg) so EU banks would not be exposed versus US peers — DORA × AI Act × Article 55 is now politically active at the highest level.
Project Glasswing — 12 launch partners + 40 critical-infrastructure organisations
Anthropic's coalition for vulnerability patching includes named partners across the cyber stack:
- Cloud / hyperscale: AWS, Google, Microsoft
- Hardware / silicon: NVIDIA, Broadcom, Apple
- Networking / security: Cisco, Palo Alto Networks, CrowdStrike
- Open source: Linux Foundation
- Financial services: JPMorganChase
- Foundation: Anthropic
If your GPAI provider is on the Code of Practice (Anthropic + OpenAI signed July 2025) and Glasswing-aware, your downstream Article 26 due-diligence has institutional cover. If they are not — or if they release comparable models less restrictively (OpenAI announced GPT-5.4-Cyber in April 2026 with a tiered "Trusted Access for Cyber" program) — your deployer cyber-resilience documentation has a gap that DORA Article 28 may force you to close.
Sources: AI Act Article 55 + Recital 110 · Reg. (EU) 2022/2554 DORA Article 28 · Anthropic Project Glasswing announcement · Bloomberg coverage of Eurogroup Mythos demand (May 2026) · UK AISI Mythos evaluation (32-step corporate-network attack simulation completed autonomously).
Apply it to your own position
The 9-question diagnostic identifies whether you trigger Annex III §5, Article 27 FRIA, or Article 25 reverse-bascule as a banking deployer. 60 seconds. Zero data collected.
This page is informational. It does not constitute legal advice, regulatory determination, or a conformity assessment under Article 43 AIA. Specific classifications for any specific banking deployer require a tailored screening. Credit institutions recognising themselves in the Annex III §5 description should consult qualified legal counsel and, where applicable, the relevant supervisor (ECB, EBA, ACPR, BaFin, etc.) before making compliance decisions.
SEE ALSO
- Annex A — The Deployer Multiplier: three downstream segments where the AI Act cascade becomes visible. Banking covered in §6.
- Free Diagnostic: 9-question assessment — banking-specific gates flagged.
- Sprinkling Act Methodology: the 6-gate framework behind the assessment.
- Pricing: free assessment. €690 full report. No subscription.