Most conversations about the EU Artificial Intelligence Act treat it as something on the horizon. A framework to prepare for, eventually. That reading is already out of date.
The Act entered into force in August 2024. The ban on prohibited AI practices took effect in February 2025. Rules governing general-purpose AI models became enforceable in August 2025. For financial services firms operating in the EU, the full weight of the Act lands on 02 December 2027, and for many of the AI systems now embedded in operations, that is not a comfortable distance away.
The question for technology leaders and their boards is not whether the Act applies to them. It is whether the AI systems they are already running, and the ones they are building now, will hold up when a regulator looks closely.
What the act actually requires
The EU AI Act uses a risk-based framework. AI systems are classified by the level of risk they present, from prohibited practices at one end to minimal-risk applications at the other. For financial services, the classification that matters most is high risk.
AI used in credit scoring, insurance underwriting, employment decisions, access to financial services, are all treated as high-risk under the Act. High-risk classification carries specific obligations: conformity assessments (where relevant), technical documentation, human oversight mechanisms, logging and audit trail requirements, and, critically, the ability to explain how a system works and why it produced a given output.
This is not a compliance checkbox exercise. The Act demands that firms understand their AI systems well enough to evidence their behaviour to a regulator. Firms that cannot do that are expected to restrict or redesign those systems.
There are also requirements that apply regardless of risk classification. Any organisation deploying AI must ensure that the people responsible for overseeing it have sufficient literacy to do so. Governance structures must exist. Responsibility must be assigned. Third-party dependencies must be understood and managed, not assumed.

The gap most firms have not closed
The honest picture across the sector is that AI adoption has moved faster than governance. Firms are using externally provided tools, large language models, automated decision systems, generative AI platforms, without always having clarity on how those tools work, what data they rely on, or what happens when their behaviour changes.
This is not unique to Malta. Regulators across Europe have observed the same pattern: growing use, limited internal expertise, and governance frameworks that have not kept pace. The Malta Financial Services Authority noted exactly this following its cross-sectoral assessment in 2025. Most firms lacked a board-approved AI strategy. Most relied primarily on external providers. Most had limited internal capability to provide effective oversight.
That gap creates real exposure. Under the EU AI Act, the obligation sits with the deployer, not the vendor. A firm cannot transfer accountability to its software supplier. If the system produces a harmful output, or cannot be explained, or was not properly validated before deployment, that is the deploying firm’s problem.
What governed AI development actually looks like
Getting this right is not primarily a legal exercise. It is an engineering and architecture problem. Compliance is an outcome of how systems are designed, not something applied afterwards.
Governed AI development means building with explainability in mind from the start: structuring systems so that decisions can be traced, outputs can be audited, and deviations can be detected. It means establishing human-in-the-loop controls where the Act requires them, and documenting those controls in a way that holds up under scrutiny. It means treating third-party AI components the same way a well-run organisation treats any critical external dependency, with due diligence, contractual protections, and a clear understanding of what you are accountable for when something goes wrong.
It also means building change management into the model. AI systems are not static. They drift. Their behaviour changes as underlying models are updated by providers, as data shifts, or as use cases expand beyond the original scope. Ongoing monitoring, drift detection, and clear escalation procedures are not optional extras. They are part of what the Act expects firms to maintain.
Where Cleverbit works
Cleverbit builds software for organisations where getting AI wrong has real consequences. We are not a compliance consultancy. We embed experienced AI engineers alongside your existing team, assess your current AI setup against what regulators expect, and build the systems and evidence trail that compliance depends on. That means governance architecture, audit trail design, explainability, human oversight controls, and the documentation that boards and regulators need to see.
We work with firms that are building AI-enabled systems into regulated processes and that need those systems to be defensible, not just functional. Fast delivery matters. So does building something that still makes sense when a regulator, an auditor, or a senior leader asks how it works and why it made a particular decision.
The EU AI Act has made that standard explicit. For financial services firms in the EU, it is now the baseline, and the gap between where most organisations are today and where the Act requires them to be is one that needs to close before December 2027.