The Latest Changes to the EU AI Act – What You Need to Know

By Nik Kairinos, CEO and Co-Founder of RAIDS AI.

AI’s influence continues to grow, reaching across sectors and across borders. In financial services, it’s fundamentally changing how firms operate, shifting towards more precise, efficient, and innovative ways of working. At a foundational level, it provides the ability to analyse large volumes of data quickly and spot patterns, provide insights and highlight errors quickly. But as well as speed, AI brings accuracy. For investments, it’s now being used to execute trades, using algorithms to analyse markets more precisely than humans can. In addition, it can spot potential investment risks by monitoring market conditions in real time.

Similarly, on June 3 2024, the New York Stock Exchange (NYSE) experienced a software-related technical error that led to erroneous price displays for numerous stocks triggering volatility halts across dozens of symbols before trading was corrected. The issue stemmed from incorrect pricing bands used in the Limit Up-Limit Down (LULD) mechanism due to a software release affecting consolidated pricing data. This in turn led to sharp, spurious price moves and temporary trading halts. Trading eventually resumed once the software was reverted and normal pricing restored. An additional consequence was a reported $48 million loss absorbed by one brokerage firm because clients placed buy orders based on the incorrect prices during the disruption.

It’s failures like these, and the increasing severity of risk as AI becomes more intelligent, that have led to the EU AI Act. The world’s first comprehensive law for AI, the Act grades AI by categorising systems by risk level: unacceptable risk, high risk, limited risk and minimal risk, and establishes different rules for providers and users depending on the level of risk. Different parts of the Act are being gradually rolled out and, in November, the EU announced some changes to the original legislation.

Headlines focused on alterations to the timeframe, noting that the six-month extension of high-risk system enforcement to December 2027 was a victory for the big tech companies, which had been vocal in their opposition.

From national authority classification to self-assessment

The changes that the EU made mean that legal accountability for compliance with the Act now falls directly to organisations. Essentially, it places the onus on companies themselves to self-certify that their high-risk AI classifications comply, rather than an outside body deciding who is and who isn’t compliant. It’s an important change because it shifts all legal accountability to the organisations, putting them at substantial risk of liability. In simple terms, there is no one else to blame if they are found to violate the Act.

For this reason, many will want to seek third-party validation. Indeed, in many instances, insurance companies, investors, and enterprise customers are increasingly demanding third-party validation anyway. According to the IAPP’s 2025 AI Governance survey of over 670 respondents across 45 countries, 77% of organisations are currently working on AI governance, with a jump to nearly 90% for those already using AI.

Additionally, engaging a third party gives the firm reassurance that it is compliant and significantly reduces the risk of liability exposure, as well as reducing the time, money and resources needed for self-assessment.

Article 17, prEN 18286, ISO 42001 – what does it all mean?

• Article 17 of the Act specifically mandates quality management systems (QMS) for high-risk AI providers. Following publication of Article 17, the EU then issued a European standard specifically addressing its requirements – prEN 18286.
• prEN 18286 (Artificial Intelligence – Quality Management System for EU AI Act Regulatory Purposes). With the presumption of conformity, organisations implementing prEN 18286 can assume they meet Article 17 obligations.
• ISO 42001 is the existing international standard for AI Management systems that was published in December 2023. While it’s voluntary, organisations with existing ISO 42001 certification have a significant head start, as it provides the operational foundation for prEN 18286.

What should organisations be doing now?

Organisations affected by the Act mustn’t waste the six-month time extension recently announced. To make sure they are prepared, they must view it as a strategic adoption window.

Immediate steps they need to take are:

• Understand whether they use technology that falls into the ‘high risk’ category. The scope of the Act is wide-reaching; any AI model used in the EU – regardless of where it originates from – is covered. So, if a financial services firm, for example, is deploying AI in the EU, or is a user of AI and has colleagues, partners, teams or stakeholders in the EU, then it needs to comply.
• Know whether they have existing ISO 42001 certification or are working towards it.
• Understand the requirements of prEN 18286 and take steps to ensure they’re met.
• Decide whether they wish to have third-party validation and find a provider, or take on the legal accountability that comes with self-assessment.

As the first legislation governing AI, everyone will be watching the EU AI Act closely. For companies operating in financial services, where reputation is everything, ensuring they’re compliant early on will ensure they’re not caught out later on.

Nik Kairinos is the CEO and Co-Founder of RAIDS AI; a real-time AI safety monitoring platform designed to detect and alert organisations to rogue AI behaviour before harm spreads.

With over 40 years of experience in artificial intelligence and deep learning, Nik has dedicated his career to turning advanced research into practical, trustworthy solutions that empower people to use AI safely and effectively.  He believes that true innovation demands safety, transparency, and responsibility – principles that ensure AI strengthens society instead of threatening it.