tracient.ai EU AI Act & credit scoring
120 days to EU AI Act enforcement — 2 August 2026

EU AI Act compliance
for credit scoring AI

Credit scoring, mortgage assessment, and loan underwriting AI is explicitly classified as high-risk under EU AI Act Annex III. Full audit trail and risk management obligations apply from 2 August 2026. Four months is not long.

See a live EU AI Act compliance demo → Request early access
⚠ High-risk deadline: 2 August 2026 — 120 days remaining

The classification

Your credit AI is high-risk. That is not negotiable.

EU AI Act Annex III §5(b) explicitly lists AI systems used to evaluate the creditworthiness of natural persons or establish their credit score as high-risk. This covers credit scoring models, mortgage assessment AI, loan underwriting systems, and any AI that contributes to a lending decision.

High-risk classification means a specific set of obligations applies to both providers (who build the AI) and deployers (who use it in their financial products). As a regulated fintech using credit AI, you are a deployer. The obligations are yours.

These are not guidance or best-practice recommendations. They are legally enforceable requirements with fines up to €35 million or 7% of global turnover. The deadline is 2 August 2026.

See what a compliant credit AI run looks like →
EU AI Act Annex III §5(b)
High-risk AI — explicit classification
"AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud."
Annex III §5(b) High-risk
Applies to your firm if you use AI for:
✓  Credit scoring models
✓  Mortgage eligibility assessment
✓  Personal loan underwriting
✓  Buy-now-pay-later decisioning
✓  Automated lending approval workflows

The obligations

Five articles. All enforceable from 2 August 2026.

Each of these obligations applies to your credit AI system. Each one requires infrastructure you probably do not have yet.

Art. 9 — Risk Management
Document every data dependency
A risk management system must identify and assess every data source your credit AI uses. If your model calls an external bureau, an affordability API, or any third-party data provider — each must be documented, assessed for bias and quality, and monitored. Undocumented data sources are a direct breach.
Art. 9
Art. 12 — Automatic Logging
Log every decision automatically
High-risk AI systems must automatically generate logs of every decision. Logs must include input context, model version, confidence scores, and the outcome. They must be retained for the period appropriate to the system's purpose — for credit decisions, regulators expect at least five years.
Art. 12
Art. 13 — Transparency
Tell applicants how AI influenced their decision
Deployers must ensure applicants are informed that AI was used, which data sources influenced the decision, and what the basis of any automated outcome was. The transparency record must be captured at decision time — you cannot reconstruct it after the fact.
Art. 13
Art. 14 — Human Oversight
Human override must be active and documented
High-risk AI systems must have active human oversight mechanisms. If your credit AI reaches a threshold — a score below a certain level, an unusual data pattern — escalation to a human reviewer must be triggered and documented. The override capability itself must be logged as active.
Art. 14

Frequently asked questions

EU AI Act & credit scoring

Is credit scoring AI definitely high-risk under the EU AI Act?
Yes, without ambiguity. EU AI Act Annex III §5(b) explicitly lists "AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score" as high-risk. This is not a grey area — it is one of the most clearly defined classifications in the entire regulation.
We are a UK company. Does the EU AI Act apply to us?
If you offer credit products or services to customers in the EU, or if EU-based customers interact with your AI-driven credit systems, the EU AI Act applies. Additionally, the UK is developing its own AI regulation framework that is expected to align closely with EU standards. Getting ahead of the EU Act is the right posture regardless of your legal structure.
What is the difference between the EU AI Act and DORA for credit AI?
DORA focuses on operational resilience — ICT risk management, incident reporting, and third-party provider oversight. The EU AI Act focuses specifically on AI systems, their risk classification, and the quality of their decision-making processes. A credit scoring AI must comply with both: DORA for its ICT footprint and the EU AI Act for its decision audit trail. These are separate, complementary obligations.
Can we build the audit trail ourselves?
You can build logging infrastructure, but the obligation is more than logging. Article 9 requires a risk management system that continuously monitors data quality and bias. Article 13 requires transparency records tied to individual decisions. Article 14 requires documented oversight mechanisms. Building this yourself means building a compliance product alongside your core product — and maintaining it as regulations evolve.
What happens if we are not compliant by 2 August 2026?
National competent authorities begin enforcement from 2 August 2026. Fines for non-compliance with high-risk AI obligations can reach €35 million or 7% of total worldwide annual turnover. Beyond fines, regulators can require you to withdraw the AI system from use until compliance is demonstrated — which means pausing your credit decisioning operations entirely.

Early access

2 August 2026
is closer than
your next audit.

120 days to enforcement

Tracient gives your credit AI a compliant audit trail — Art. 9 risk management, Art. 12 automatic logging, Art. 13 transparency records, and Art. 14 oversight documentation. 90-day free pilot, no rebuild required.

90-day free pilot · EU data residency · No credit card

✓ You're on the list. We'll be in touch well before 2 August 2026.