Write a precise problem or opportunity statement

Name who is affected, what the problem or opportunity costs or limits in specific measurable terms, and what success looks like within a defined timeframe. If this statement cannot be completed with genuine precision, the immediate priority is a clearer understanding of your operations, not research into AI products.

Assess organisational readiness across data, governance, and people

Confirm that the data the system requires is accessible, consistently formatted, and of sufficient quality. Define governance ownership before deployment: who owns the system, who reviews its outputs, and what the escalation path is when an output appears incorrect. Involve the team who will use the system in designing the solution, not just in receiving it.

Test whether AI is the right solution

Verify that the problem is characterised by high volume, a learnable underlying pattern, and sufficient structural consistency to make automation reliable. If a delayed process, inconsistent delivery, or data quality issue could be resolved through process redesign, clearer accountability, or simpler software, that is the right path. The AI question can be revisited once the operational foundation is sound.

Map and score three to five candidate opportunities

Describe each candidate area with enough precision to enable meaningful comparison: who is affected, what the current state costs in measurable terms, what success looks like, and over what timeframe. Then score each candidate against five dimensions: strategic impact, data readiness, implementation complexity, time to measurable results, and risk.

Select the highest-scoring bounded pilot

Choose the candidate with the clearest data and fastest path to measurable results. This is not the most technically ambitious problem or the one generating the most enthusiasm, but the one where disciplined execution of a well-defined hypothesis produces a clear, defensible result within three to six months. Define a single hypothesis and a pre-agreed definition of success.

Record a baseline before the tool goes live

Document the current state of the specific problem before the AI system is introduced. This baseline is the only objective basis for evaluating whether the pilot succeeded. Without it, return on investment attribution is impossible even when the system is performing as intended. Set a non-negotiable decision date at three to six months.

Involve your team before deployment begins

Establish explicit decision rights confirming that the person remains accountable for AI outputs: the AI recommends, the person decides. Provide hands-on experience in low-stakes conditions before live deployment, including deliberate exposure to the system's failure modes. Document escalation paths for when AI outputs look wrong.

Scale within scope before expanding

After a successful pilot, scale carefully within the same operational context, with the same oversight structures, and with a second measurement point before scope is extended further. Each successful phase builds the institutional capability, team confidence, and evidence base that the subsequent initiative requires.

How to introduce AI into your business: a practical guide for Irish SMEs

# Does Your Financial Services Firm Have an AI Register? Here Is What the Law Requires.

Every Irish financial services firm using AI tools, including credit scoring software, fraud detection systems, and underwriting tools, has compliance obligations under the EU AI Act. On **7 May 2026**, the European Commission confirmed a political agreement to move the Annex III high-risk AI deadline from 2nd August 2026 to **2nd December 2027**. The Central Bank of Ireland is the regulator that will enforce these rules for Irish financial services firms, and it has put AI governance at the top of its supervisory agenda for 2026 and 2027.

Most compliance managers at Irish SMEs have heard of the EU AI Act. Very few have built the internal AI register that the law requires them to have.

Let me explain what an AI register is, why your firm needs one now, and how to build one before the clock runs out.

---

## The Distinction That Catches SMEs Off Guard

When most compliance officers in Irish financial services hear "AI Act registration", they picture the EU's public AI database, the official register where companies that build and sell AI systems must list their products. That database is real, but it is not their obligation. Firms that use AI tools do not register in it at all.

**Providers** are the companies that build and sell AI systems. They register in the EU database. **Deployers** are organisations that use those systems in their business. They do not appear in the EU database at all.

What deployers are legally required to have is something different: an **internal AI register**. This is a living record of every AI system in use within your organisation, covering what it does, who supplies it, how it has been classified for risk, and what controls you have in place to meet your obligations under Article 26 of the EU AI Act.<a href="#ref-1">[1]</a>

If your firm uses third-party software to assess creditworthiness, score insurance risk, or support any customer-facing decision, you are a **deployer** under the AI Act. The fact that you bought the tool from a vendor does not transfer your compliance obligations to them. Article 26 applies to your organisation directly, regardless of where the software came from.<a href="#ref-8">[8]</a>

<Pullquote>Deployers do not register in the EU's public database. That is the provider's obligation. What deployers are required to have is an internal AI register: a living record of every AI system in use and the governance surrounding it.</Pullquote>

---

## Why Financial Services Has a Heavier Compliance Burden

The EU AI Act takes a risk-based approach: the higher the potential impact of an AI system on people's lives, the stricter the compliance requirements. Financial services firms have a heavier burden than most sectors because several of the most common AI use cases in the industry are explicitly named as high-risk in the legislation.

Annex III of the Regulation is the list of high-risk AI categories.<a href="#ref-3">[3]</a> The ones most relevant to Irish financial services firms are:

- **AI used to assess the creditworthiness of individuals or generate credit scores** is classified as high-risk (Annex III, point 5(b))
- **AI used for risk assessment and pricing in life and health insurance** is also classified as high-risk (Annex III, point 5(c))

The legislation includes an exception for fraud detection AI, but it is narrow and frequently misread. More on that below.

The European Banking Authority confirmed this in its November 2025 mapping exercise. Banks and payment institutions using AI for creditworthiness assessment and credit scoring face the full high-risk obligations under the Act, on top of existing requirements under CRD, CRR, and DORA (the EU legislation governing capital requirements and digital operational resilience for financial firms).<a href="#ref-5">[5]</a>

**A concrete example:** A Dublin mortgage broker uses a credit assessment tool purchased from a fintech vendor. The vendor is responsible for showing that their system meets EU AI Act requirements. But the broker, as the deployer, still has to maintain an internal AI register covering that tool, keep system logs for at least six months, assign a named person responsible for human oversight, monitor how the system is performing, and report any serious incident to the Central Bank. None of that is the vendor's job. None of it is optional under Article 26 of the EU AI Act.

<Pullquote>Buying a compliant tool from a vendor does not make your deployment compliant. Article 26 obligations fall on the deployer. The register, the oversight, and the logs are your responsibility.</Pullquote>

---

## The Deadline Has Changed: What It Means for Your Planning

On 7 May 2026, the European Commission announced a political agreement to extend the Annex III high-risk deadline from 2nd August 2026 to **2nd December 2027**.<a href="#ref-7">[7]</a> The formal legislative text has not yet been published, but the political agreement is confirmed. This gives Irish financial services firms an additional 16 months to build compliant governance.

It does not change what that governance needs to look like. The Central Bank of Ireland's supervisory agenda, confirmed before this agreement, remains unchanged. Its 2026 Regulatory and Supervisory Outlook states explicitly that it will bring an AI focus to all thematic reviews throughout 2026 and 2027.<a href="#ref-4">[4]</a> The extension is an opportunity to build an AI register properly, not a reason to defer. For a full explanation of what changed and which obligations remain in force from 2nd August 2026, see [EU AI Act compliance deadlines for Irish SMEs](/insights/what-the-august-2026-eu-ai-act-deadline-means-for-irish-smes).

The **Regulation of Artificial Intelligence Bill 2026** designates the Central Bank of Ireland as the Market Surveillance Authority for AI used by regulated financial service providers.<a href="#ref-6">[6]</a> The Central Bank will enforce those obligations using the powers it already holds under the Central Bank Act 1942. Those powers cover inspections, information requests, formal directions, and fines. Its 2026 Regulatory and Supervisory Outlook states explicitly that it will bring an AI focus to all thematic reviews throughout 2026 and 2027.<a href="#ref-4">[4]</a>

On the question of fines: Article 99 sets the upper limit at 15 million euro or 3% of global annual turnover, whichever is higher, for organisations not meeting their deployer obligations.<a href="#ref-2">[2]</a> For SMEs, the lower of the two applies. For a firm with 10 million euro in global turnover, that is still a potential fine of 300,000 euro for failing to maintain adequate documentation.

---

## What Article 26 Actually Requires of You

Article 26 of the EU AI Act sets out what organisations deploying high-risk AI systems must have in place.<a href="#ref-1">[1]</a> Here is what it actually says, in plain terms.

- **Use the AI system according to the provider's instructions.** You need those instructions in writing, and you need to be able to show you have followed them. If you do not have them, ask your vendor for them today.
- **Ensure human oversight is in place.** The person or persons responsible must have the competence, training, and authority to step in if something goes wrong with the system's outputs.
- **Manage the quality of data fed into the system.** The data going in needs to be relevant and representative of the decisions the system is supporting.
- **Keep operational logs for a minimum of six months.** Financial institutions can integrate this with records already maintained under EU financial services law.
- **Monitor the system's operation** and report serious incidents to the provider and the Central Bank without undue delay.
- **In certain circumstances, tell people when they are subject to a high-risk AI system.** If a loan applicant's creditworthiness is assessed by an automated tool, they have a right to know. The precise scope of this duty depends on the use case and may interact with other obligations.
- **Co-operate with the Central Bank** in any action it takes in relation to the system.

One practical note for firms already operating under EU financial services law: Article 26 explicitly states that organisations subject to internal governance requirements under MiFID II, CRD, or DORA may satisfy the monitoring obligation by complying with those existing rules. The AI register does not replace your existing compliance framework. It builds on top of it.

<Pullquote>Article 26 requires operational governance, not just documentation. Human oversight must be genuinely exercisable. Log retention must actually be in place. The obligations are live from 2nd August.</Pullquote>

---

## Building Your AI Register: A Practical Framework

An AI register does not require specialist software or a new compliance hire. For most Irish financial services SMEs, a well-structured spreadsheet is the right starting point. With proper version control, it is sufficient for initial regulatory scrutiny.

Pick one person (your compliance lead, head of operations, or risk manager) and set aside two hours for the initial inventory. The goal is not perfection. It is a defensible, documented starting point that shows the Central Bank your firm is actively governing its AI use.

### The Core Fields

Each AI system in your firm needs its own entry covering the following:

| Field | What to Record | Example |
|---|---|---|
| **System name** | Exact name of the tool or model | CreditAssess Pro 3.0 |
| **Vendor / provider** | Who supplies or built the system | FinTech Vendor Ltd |
| **Business purpose** | What decision or task it supports | Consumer creditworthiness assessment |
| **Department** | Which team uses it | Credit Risk / Lending Operations |
| **Risk classification** | Minimal / Limited / High (per Annex III) | High-risk: Annex III, Part 5(b) |
| **Named overseer** | Individual responsible for human oversight | Head of Credit Risk, [Name] |
| **Log retention status** | Are six-month logs being retained? | Yes, integrated with CRD documentation |

### Additional Fields for High-Risk Systems

For any system classified as high-risk, track these as well:

- **Provider's Declaration of Conformity received:** yes/no (this is the vendor's formal documentation confirming their system meets EU AI Act requirements)
- **Instructions for use received:** yes/no, and date reviewed
- **Affected persons notification process:** is there a procedure in place to inform customers subject to AI-assisted decisions?
- **Incident reporting contact:** named contact at the vendor for malfunction or serious incident notification
- **[Fundamental Rights Impact Assessment](/insights/what-is-a-fundamental-rights-impact-assessment-and-who-needs-one) required:** yes/no, and if yes, completion status (this is a structured assessment of how the AI system could affect individuals' rights; Article 27 requires deployers to carry one out in certain circumstances)
- **Last governance review date**

### Finding the AI in Your Organisation

Before you can classify anything, you need to know what AI tools are actually in use across your firm. This is not always as straightforward as it sounds.

AI capabilities are embedded in CRM platforms, underwriting tools, AML screening software, and customer-facing chatbots. Often nobody has formally assessed whether any of them carry EU AI Act obligations. In the financial services firms I work with, the discovery process almost always surfaces tools that were never identified as AI systems at all.

How to find them:

- **Survey all departments.** Send a short questionnaire to each team lead asking what AI-enabled software their team currently uses.
- **Collect vendor documentation** for each identified tool: what it does, what data it processes, and what it is actually designed to do.
- **Classify each system** against the Annex III categories. The EU AI Act has four tiers: prohibited AI, high-risk AI, limited-risk AI, and minimal-risk AI.
- **Prioritise your effort** on confirmed high-risk systems. Document the others for completeness.

<Pullquote>The starting point is not specialist software. It is a shared spreadsheet, two hours with your compliance lead, and a systematic survey of every AI tool in use across the firm.</Pullquote>

---

## The Fraud Detection Risk Worth Understanding

One of the most common classification errors I see in Irish financial services SMEs involves fraud detection and AML screening tools.

Annex III contains language that appears to exclude fraud detection AI from the high-risk category. Many compliance teams have read this to mean their transaction monitoring and AML screening tools have no high-risk obligations.

That reading is too broad.

That exception applies only to AI used *solely* for financial fraud detection. If your fraud detection or AML tool also profiles individual customers for risk scoring, feeds outputs into credit or underwriting decisions, or generates individual risk assessments that affect access to financial services, the high-risk classification is likely to apply, but classification always depends on the system's actual intended purpose and deployment context.

The Central Bank's 2026 report names fraud prevention and detection among the AI use cases already deployed across the sector.<a href="#ref-4">[4]</a> I see this misclassification regularly in firms that bought operational efficiency software without checking whether the way they actually deploy it brings it into the high-risk category. The classification follows what the tool does within your firm, not what it says on the vendor's website.

---

## What the Central Bank Will Look For

The Central Bank's 2026 Regulatory and Supervisory Outlook sets out supervisory standards for AI deployment that integrate governance into firms' mainstream prudential and conduct risk frameworks, not as a standalone technology question. The standards it identifies include clear accountability and responsibility for AI use, human oversight of AI-assisted decisions, proportionate risk management commensurate with the scale and sensitivity of each deployment, and documented processes for meeting EU AI Act transparency requirements.<a href="#ref-4">[4]</a>

<Pullquote>When Central Bank examiners arrive for a thematic AI review, the AI register is the first thing they will ask for. It is the foundation document for everything else.</Pullquote>

In practical terms, examiners arriving for a thematic AI review in 2026 or 2027 will expect to see:

- A documented inventory of AI systems in use
- Named accountability for each system
- Evidence of human oversight procedures
- Log retention records for high-risk tools
- Ownership of AI governance sitting within the firm's risk management structure

The AI register is the foundation document that makes all of this demonstrable. Without it, there is nothing for the rest of your governance framework to anchor to.

---

## Your Four-Week Plan

With the revised deadline now set for 2nd December 2027, there is time to build an AI register properly rather than reactively. The following phased approach is still the right starting sequence: beginning now means you arrive at December 2027 with governance that is operational and tested, not assembled at the last minute.

**Week 1: Discover and document.** Survey all departments. Build the initial register in a shared spreadsheet. Assign one named owner per AI system identified.

**Week 2: Classify and prioritise.** Apply the Annex III risk classification to every system. Identify confirmed high-risk tools. Contact vendors of high-risk systems to obtain their Declaration of Conformity and instructions for use.

**Week 3: Close the compliance gaps.** For each high-risk system, verify log retention is in place, assign a named human overseer, and draft or review your affected-persons notification process. Assess whether a Fundamental Rights Impact Assessment is required under Article 27.

**Week 4 and beyond: Establish a governance rhythm.** Set a monthly review cycle for the register through August. Brief your board or senior management on your AI governance position. Integrate register management into your existing risk and compliance framework.

---

## The Business Case Beyond Compliance

Building an AI register before 2nd August is not a box-ticking exercise. Done properly, it creates three practical advantages for your firm.

**Audit readiness.** When the Central Bank asks about your AI governance (and the 2026 Outlook makes plain they will ask), a well-maintained register is your first line of evidence.

**Vendor risk management.** The discovery process routinely surfaces AI tools in use without proper vendor agreements, data processing addenda, or written instructions for use. Finding these gaps now costs far less than finding them during a regulatory inquiry. For the three criteria any compliant AI tool must meet on data residency and data processing, see [EU data residency and AI tools: what every Irish SME needs to know](/insights/eu-data-residency-sme-guide).

**Competitive differentiation.** Enterprise clients and institutional counterparties are increasingly asking for AI governance evidence in procurement and due diligence processes. An Irish financial services firm that can demonstrate a structured, documented AI governance framework is in a different position to one that cannot.

---


Does Your Financial Services Firm Have an AI Register? Here Is What the Law Requires.

> **Update: 8 May 2026.** On 7 May 2026, the European Commission announced a political agreement to extend the compliance deadline for stand-alone Annex III high-risk AI systems from 2nd August 2026 to **2nd December 2027**. AI embedded in regulated physical products faces a further extension to 2nd August 2028. This is a political agreement: the formal amending legislation has not yet been published. References to 2nd August 2026 throughout this article have been updated accordingly. The Article 50 watermarking and content labelling obligations are not affected by this change and remain due 2nd August 2026. Source: European Commission Press Release IP/26/1024, 7 May 2026.

The EU AI Act is already in force.<a href="#ref-1">[1]</a> A political agreement announced on 7 May 2026 has moved the main compliance deadline for Annex III high-risk AI systems from 2nd August 2026 to 2nd December 2027. For regulated Irish SMEs in financial services, insurance, health technology, and HR tech, this is not a reason to delay. The extension is an opportunity to build a compliant governance architecture while time permits.

This article explains which obligations apply, which sectors are most directly affected, and what needs to be in place before your organisation deploys or continues to operate a high-risk AI system.


## What is already prohibited

Not all of the EU AI Act's obligations start in August 2026. Eight categories of AI practice were prohibited from 2nd February 2025, six months after the Act entered into force.<a href="#ref-5">[5]</a> These bans are already in effect.

The two categories most likely to be relevant to Irish SMEs are:

- **Manipulative or deceptive techniques** (Article 5(1)(a)): AI that uses subliminal methods or deliberate deception to influence a person's behaviour in a way that causes them harm. This can arise in marketing AI, sales chatbots, or customer engagement tools that are configured to steer users towards decisions against their interests.
- **Exploiting vulnerabilities** (Article 5(1)(b)): AI that targets people based on age, disability, or financial hardship to distort their decisions in a way that causes harm. This is relevant to any AI tool used in consumer finance, insurance, or welfare services.

The other prohibited categories cover social scoring by public authorities, predictive criminal profiling, facial recognition database scraping, emotion recognition in workplaces and education, biometric categorisation by protected characteristics, and real-time biometric identification in public spaces. These are less likely to be relevant to most Irish SMEs, but organisations using AI in HR or customer-facing contexts should be aware of the emotion recognition prohibition in particular.

If your organisation is using any AI tool that could fall into these categories, that is not a future compliance question. It is a current one.

<Pullquote>Eight categories of AI practice have been prohibited since 2nd February 2025. The December 2027 deadline covers high-risk AI governance. These are two separate sets of obligations on two separate timelines.</Pullquote>

---


## What the current deadlines are

Following the political agreement announced on 7 May 2026, the obligations for providers and deployers of high-risk AI systems listed in Annex III of the EU AI Act (the Act's catalogue of high-risk use cases) become enforceable on 2nd December 2027 for stand-alone systems. AI systems embedded in regulated physical products face a further extension to 2nd August 2028. A provider is the organisation that builds or places an AI system on the market. A deployer is any organisation that uses it in a professional context.

The obligations themselves are unchanged: risk management systems, technical documentation, human oversight measures, and conformity assessments. The formal amending text has not yet been published, but the political agreement is confirmed. Organisations deploying high-risk AI systems without the required governance architecture will be operating out of compliance from December 2027. The penalties under the Act are significant: up to €15 million or 3% of global annual turnover for most violations, and up to €30 million or 6% of global turnover for prohibited AI uses.<a href="#ref-2">[2]</a>

<Pullquote>2nd December 2027 is the new planned enforcement date for Annex III stand-alone high-risk AI systems. That is 19 months away: enough time to build governance that genuinely holds up, rather than a compliance exercise assembled under pressure.</Pullquote>

---


## Which Irish SMEs are most directly affected?

The high-risk categories in Annex III are specific. An organisation is not automatically in scope simply because it uses AI. The question is whether the AI system performs a function that falls within one of the listed categories and whether it plays a material role in a consequential decision.

The categories most relevant to regulated Irish SMEs are:

- **Financial services:** AI used in creditworthiness assessment, insurance risk scoring, or eligibility decisions for financial products
- **Human resources:** AI used in recruitment, candidate screening, promotion decisions, or performance evaluation
- **Health and education:** AI used in access decisions for publicly funded services, or in systems that influence care pathways
- **Law enforcement and border management:** AI used by public authorities in risk profiling or access control decisions

The boundary between in-scope and out-of-scope is not always obvious. It depends on what the system does, not just where it is deployed. Some examples make the distinction clearer:

- **Financial services:** An AI model that analyses an applicant's income, employment history, and spending patterns to approve or decline a loan is in scope under Annex III point 5(b). An AI chatbot that answers general questions about loan eligibility without making any individual assessment is not.
- **HR technology:** An AI platform that scores and ranks CVs by inferred traits or skills to filter candidates for shortlisting is in scope under Annex III point 4. A basic keyword search tool that returns matching CVs without ranking or scoring is not.
- **Health insurance:** An AI system that processes individual health data to calculate personalised premiums or decline coverage is in scope under Annex III point 5(a). AI used to summarise anonymised aggregate claims data for internal forecasting is not.

Many Irish SMEs in these sectors are already using AI systems that fall into one or more of these categories, often through third-party tools. The obligation applies to deployers as well as providers. If your organisation is using a tool that meets the Annex III criteria, the compliance requirements fall on you regardless of who built it.<a href="#ref-3">[3]</a>

<Pullquote>If you operate in financial services, HR technology, or health tech and use AI in decision-making, you are likely in scope.</Pullquote>

---


## What governance architecture needs to be in place?

For deployers of in-scope systems, the core requirements are:

- A **risk management system** that identifies and mitigates risks specific to the intended use
- **Technical documentation** covering the system's purpose, data used, performance characteristics, and limitations
- **Human oversight measures** that allow a qualified person to understand, monitor, and if necessary override the system's outputs
- A [**Fundamental Rights Impact Assessment**](/insights/what-is-a-fundamental-rights-impact-assessment-and-who-needs-one) for deployers that are public bodies or private entities providing public services.<a href="#ref-4">[4]</a> A Fundamental Rights Impact Assessment is a structured review of how an AI system's outputs could affect people's rights, including rights to equal treatment, privacy, and access to services.
- A **post-market monitoring plan** to track system performance once in use
- An **incident reporting mechanism** for serious incidents or malfunctions

A note on conformity assessment: the formal conformity assessment for a high-risk AI system is the provider's obligation, not the deployer's. The provider must produce an EU declaration of conformity and, for most Annex III categories, self-certify compliance before placing the system on the market. Deployers do not need to commission their own conformity assessment. What deployers must do is verify that the provider has completed theirs, by checking for the EU declaration of conformity and the instructions for use. Deployers must then maintain their own records of use, monitoring, and any issues reported to the provider, under Article 26.<a href="#ref-6">[6]</a>

These are not paper compliance exercises. Each requires a functioning operational process, not just a policy document. The risk management system must be integrated into how the AI system is actually used. Human oversight must be genuinely exercisable, not nominal.

<Pullquote>The obligations require operational governance, not just documentation.</Pullquote>

---


## What about AI systems already in use before August 2026?

The Act includes transition provisions for systems already in deployment. Under Article 111, high-risk AI systems already placed on the market or put into service before the applicable compliance date have a further period to come into conformity, provided they have not undergone significant changes.<a href="#ref-1">[1]</a> Under the original text, this meant systems in use before 2nd August 2026 had until 2nd August 2027. Following the political agreement, the transition dates will shift accordingly: the precise provisions will be confirmed when the formal amending text is published.

For organisations currently operating high-risk AI systems, the practical question is not whether you are exempt, but how to use the available time effectively. The earlier you begin, the more robust your governance will be.

<Pullquote>Transition provisions exist but do not remove the obligation. They provide time to comply, not permission to delay indefinitely.</Pullquote>

---


## Key takeaways

- Following the political agreement of 7 May 2026, the EU AI Act's Annex III high-risk AI system obligations are now planned to become enforceable on 2nd December 2027 for stand-alone systems, and 2nd August 2028 for AI embedded in regulated physical products.
- Regulated Irish SMEs in financial services, HR technology, and health tech are among the sectors most directly in scope.
- The obligations apply to deployers, not just to organisations that build AI systems.
- Compliance requires operational governance: risk management, human oversight, and documentation that reflect how the system is actually used.
- Organisations already using high-risk AI systems before the deadline have transition provisions, but not an indefinite exemption.

<Pullquote>The December 2027 deadline applies to AI systems already in use, not only new deployments. Organisations that have not yet assessed their position have time to act, and the time to start is now, not in late 2027.</Pullquote>

---

## What to do now

If you are not certain which of your AI systems fall into the high-risk categories, or whether your current governance meets the required standard, the right starting point is a structured compliance assessment. The revised December 2027 deadline means you have the opportunity to build governance that will genuinely hold up, not a rushed checklist produced under pressure.

For a detailed explanation of what a Fundamental Rights Impact Assessment involves and who needs one, see [what is a Fundamental Rights Impact Assessment and who needs one](/insights/what-is-a-fundamental-rights-impact-assessment-and-who-needs-one). If your AI tools also raise data residency questions, see [EU data residency and AI tools: what every Irish SME needs to know](/insights/eu-data-residency-sme-guide). For financial services firms, see [Does your financial services firm have an AI register?](/insights/ai-register-financial-services-ireland-eu-ai-act) for a practical guide to the internal documentation Article 26 requires.

A Clear Gate Systems EU AI Act Compliance Audit identifies which of your AI systems are in scope, what governance needs to be in place, and the most practical sequence for building it.

[Book a discovery call](/contact) to discuss what this would involve for your organisation.


EU AI Act compliance deadlines for Irish SMEs: updated for December 2027

A Fundamental Rights Impact Assessment is a structured governance document required under Article 27 of the EU AI Act.<a href="#ref-1">[1]</a> It must be completed before deploying certain high-risk AI systems. It applies to deployers (organisations that use an AI system in their own operations) rather than to providers (the organisations that built or placed the system on the market). It is not the same as a data protection impact assessment, and completing a DPIA does not satisfy this requirement.

Fundamental rights, in this context, means the rights set out in the EU Charter of Fundamental Rights.<a href="#ref-3">[3]</a> These include the right to human dignity, non-discrimination, privacy, a fair trial, access to social security, and the right to an effective remedy. They are broader than data protection rights. A FRIA assesses whether an AI system could put any of those rights at risk for the people it affects.

This article explains what a FRIA covers, which organisations are required to complete one, what the process involves, and how it fits with other compliance obligations.


## What does Article 27 of the EU AI Act require?

Article 27 requires deployers of high-risk AI systems to carry out a Fundamental Rights Impact Assessment before putting the system into use. The assessment must document the deployment context, identify which fundamental rights are potentially affected, and record the measures taken to address those risks.

The requirement applies to deployers, not providers. If your organisation is integrating or operating a high-risk AI system rather than building one for sale, this obligation falls on you.

Annex III is the EU AI Act's list of high-risk AI categories. It includes AI systems used in employment decisions, access to education, credit and insurance assessments, law enforcement, border control, and the administration of justice. The categories are specific. Not every AI system used in these sectors will qualify as high-risk, and Article 27 does not apply to every Annex III category. Most safety-component systems classified under Annex III point 2 are excluded from its scope. Classification depends on the function the system performs and the role it plays in the decision-making process.

<Pullquote>Article 27 requires deployers of high-risk AI systems to assess and document the impact on people's fundamental rights before the system goes live. The obligation sits with the organisation using the system, not the organisation that built it.</Pullquote>

---


## Who is required to complete a FRIA?

The obligation applies to deployers that are bodies governed by public law, or private entities providing public services. It does not apply to every private commercial operator that uses a high-risk AI system.

Bodies governed by public law include government departments, public health bodies, courts, and publicly funded universities. Private entities providing public services would include, for example, private operators contracted to deliver welfare services, immigration processing, or other public-facing functions on behalf of a state body.

For Irish financial services firms, health insurers, and HR technology providers, two questions determine whether a FRIA is required. First: is the organisation acting in a public service capacity? Second: does its AI deployment fall into one of the high-risk categories in Annex III?

Some Annex III categories apply regardless of the public or private distinction. Deployers of systems in Annex III points 5(b) and 5(c) are required to complete a FRIA whether or not they are acting in a public service capacity. Point 5(b) covers AI used in employment and worker management decisions. Point 5(c) covers AI used to determine access to essential private services: credit scoring and insurance risk assessment are both included. For HR technology providers and Irish financial services firms, these categories are the most practical trigger to check against.

<Pullquote>The FRIA obligation targets public-sector deployments and private operators acting in a public service role. It does not apply automatically to all commercial AI users.</Pullquote>

---


## What does a FRIA need to cover?

The regulation does not prescribe a fixed template, but it does define the required content. A FRIA must cover the following areas:

- The intended purpose of the AI system and the specific deployment context
- The period and frequency of intended use
- A description of the population or groups likely to be affected
- An identification of the fundamental rights that could be at risk
- An assessment of the likelihood and severity of adverse impact on those rights<a href="#ref-1">[1]</a>
- The human oversight measures required by the system's instructions for use
- A description of the measures in place to mitigate each identified risk

The following rights must each be considered where relevant to the specific deployment and the people it affects:

- The right to human dignity
- The right to non-discrimination
- The right to a fair trial
- The right to access social security and essential services
- The right to an effective remedy when an AI-assisted decision causes harm
- The right to privacy and data protection (in addition to, not instead of, the GDPR obligations)

<Pullquote>A FRIA requires organisations to think systematically about who is affected by the AI system and what could go wrong for them, in terms that go beyond data privacy.</Pullquote>

---


## How is a FRIA different from a DPIA?

A Data Protection Impact Assessment under GDPR Article 35 addresses risks to personal data and the rights of data subjects within the data protection framework. A FRIA addresses fundamental rights more broadly, including rights that have nothing to do with personal data.

The two assessments are not interchangeable. An organisation may need both, and completing one does not satisfy the other. Where a deployment involves personal data and also falls under Article 27, both assessments will be required.

That said, a FRIA can reference a completed DPIA to avoid duplicating the analysis of data-related risks. The FRIA then adds the layer of analysis that the DPIA does not cover. This includes rights such as access to justice, non-discrimination on protected grounds, and the right to an effective remedy when AI-assisted decisions cause harm.

<Pullquote>A DPIA covers data risks under GDPR. A FRIA covers fundamental rights broadly under the EU AI Act. Both may be required for the same deployment.</Pullquote>

---


## When must a FRIA be completed?

The EU AI Act is clear that a FRIA must be completed before the system is put into service or use. Retrospective completion is not permitted.

For systems already in deployment, the EU AI Act's transition rules apply. Under Article 111, the FRIA obligation does not apply to a high-risk AI system already in use before the applicable compliance date unless a significant change is made to it after that date.<a href="#ref-2">[2]</a> Following the political agreement of 7 May 2026, the compliance date for stand-alone Annex III systems is now 2nd December 2027. The transition provisions will be confirmed in the formal amending text when published. That period is not open-ended, and organisations should not treat it as indefinite cover for inaction.

For new deployments after the applicable compliance date, the position is clear. Any in-scope deployer putting a high-risk AI system into service after that date must have completed a FRIA beforehand.

<Pullquote>The FRIA must be completed before deployment. It cannot be done after the system is already in use.</Pullquote>

---


## Key facts summary

- A FRIA is required under Article 27 of the EU AI Act for deployers of high-risk AI systems listed in Annex III (the Act's list of high-risk AI categories).
- The obligation applies to public bodies and private entities providing public services. It does not apply automatically to all commercial deployers.
- A FRIA is not a DPIA. It covers fundamental rights broadly, not just data protection. Both may be required for the same deployment.
- The assessment must identify the population affected, the rights at risk, the severity of potential harm, and the mitigation measures in place.
- Completion must happen before the AI system is deployed. Retrospective completion is not compliant.
- The completed FRIA must be notified to the relevant national market surveillance authority.

---

## How to assess whether your organisation needs a FRIA

The first question for any Irish organisation is whether their AI deployments fall into a high-risk category and whether they are acting in a public service capacity. Those two questions determine whether a FRIA is required.

For a broader picture of what the EU AI Act requires from Irish businesses and when, see [what the August 2026 EU AI Act deadline means for Irish SMEs](/insights/what-the-august-2026-eu-ai-act-deadline-means-for-irish-smes). If your AI tools also raise data residency questions, see [EU data residency and AI tools: what every Irish SME needs to know](/insights/eu-data-residency-sme-guide). For financial services firms, [building an internal AI register](/insights/ai-register-financial-services-ireland-eu-ai-act) is the Article 26 foundation work that determines which systems require a FRIA.

A Clear Gate Systems EU AI Act Compliance Audit identifies which of your AI systems are in scope, whether a FRIA is required, and what the assessment needs to cover for your specific deployment context.

[Book a discovery call](/contact) to discuss what this would involve for your organisation.


What is a Fundamental Rights Impact Assessment and who needs one?

There is a rule that sits quietly underneath the EU AI Act, one that most AI governance conversations skip straight past. It is not the headline obligation about audit logs or human oversight. It is more foundational than that. It governs where your data lives, how it moves, and whether the AI tools your business uses every day are operating inside the law or silently outside it. The rule is EU data sovereignty. And for Irish SMEs using commercial AI tools (Microsoft Copilot, ChatGPT, Google Gemini, recruitment platforms, loan decisioning software), it is now one of the most practical compliance questions you face.

This article explains what EU data residency means for AI tools in practice, why vendor GDPR claims are not sufficient assurance, and what three criteria any compliant AI tool must meet.


## What EU data residency actually means (and what it does not)

The EU does not legally require you to store data within EU borders. What it prohibits is transferring personal data outside the European Economic Area without a valid legal mechanism in place. The distinction is clear: GDPR is a transfer law, not a localisation law.<a href="#ref-5">[5]</a>

That said, the practical reality for AI systems is more complex. When your staff use an AI tool that processes prompts, queries, or document content containing personal or sensitive data, that processing is a data transfer if it occurs on servers outside the EEA, even temporarily. This becomes acute with generative AI. A prompt containing a client's name, a patient's details, or an employee's performance history can trigger GDPR's cross-border transfer obligations in real time, without anyone in your business being aware.

The EU AI Act adds obligations on top of GDPR. Under Article 10, providers of high-risk AI systems must ensure training data is governed, documented, and traceable.<a href="#ref-4">[4]</a> As a deployer, your obligation is to verify that any high-risk provider you use can demonstrate that compliance. Separately, if an AI tool's inference-time processing involves your personal data and occurs outside the EEA without adequate safeguards, that triggers GDPR transfer obligations. Fines under the EU AI Act reach 7% of global annual turnover for prohibited AI practices, exceeding even GDPR's 4% cap.<a href="#ref-2">[2]</a>

<Pullquote>Under GDPR, AI processing of personal data outside the EEA is a transfer that requires safeguards such as Standard Contractual Clauses. The AI Act adds specific duties for high-risk AI providers and deployers, but defers to GDPR on data flows.</Pullquote>

---


## The Microsoft Copilot problem: a live example

In April 2026, a concrete illustration of exactly this problem emerged. Microsoft quietly enabled "Flex Routing" for all EU/EFTA Microsoft 365 Copilot tenants: a configuration that allows Copilot's LLM inferencing to occur outside the EU Data Boundary during periods of peak demand.<a href="#ref-1">[1]</a> The setting goes live by default on 17th April 2026, meaning every Irish business using Copilot will have their AI processing temporarily shifted outside EU jurisdiction, with no opt-in required.

Microsoft's own documentation confirms that LLM inferencing calls (the process of generating a response from a prompt) may route to servers in the US, Canada, or Australia.<a href="#ref-1">[1]</a> Microsoft maintains that data at rest continues to reside within the EU. But the processing (the actual AI inference) may now occur outside it. For organisations subject to GDPR, DORA (the Digital Operational Resilience Act, which applies to financial entities), or sector-specific data residency rules in financial services or healthcare, the compliance question is pointed: can you demonstrate that no personal data was processed outside the EU Data Boundary during a given period? With Flex Routing enabled and not reviewed, the honest answer is no.

The mitigation is straightforward. Sign into the Microsoft 365 Admin Centre using an account with the AI Administrator role. Navigate to **Copilot > Settings > Flexible inferencing during peak load periods** and select **Do not allow flex routing**. The action takes minutes. But the fact that it needs to be taken at all illustrates the broader point: EU data sovereignty for AI tools is not a configuration that vendors manage for you. It requires active, documented governance from within your organisation.

It is also worth noting that the Data Protection Commission has ongoing scrutiny of Microsoft Ireland's EU data practices. No specific guidance on Flex Routing has been issued as of publication.

<Pullquote>A vendor shipping a default configuration that routes your data outside the EU is not a rare event. It happened with Microsoft Copilot in April 2026. The configuration can be corrected, but only by someone in your organisation who knows to look for it.</Pullquote>

---


## Why this matters specifically for Irish SMEs

Ireland has already designated approximately 15 national competent authorities for EU AI Act enforcement under Statutory Instrument 366/2025, effective from late 2025.<a href="#ref-6">[6]</a> They include the Data Protection Commission for data governance, the Central Bank for financial AI, and the Workplace Relations Commission for HR AI. The Regulation of Artificial Intelligence Bill 2026, currently at General Scheme stage and not yet enacted, would give these authorities specific enforcement powers and establish an AI Office of Ireland.<a href="#ref-3">[3]</a>

These authorities would have powers that extend explicitly to online tools and digital interfaces. The proposed enforcement framework would allow authorities to conduct unannounced inspections and require access to source code. They could also order the removal of non-compliant AI functionality from apps and platforms used by Irish organisations.<a href="#ref-2">[2]</a> For an SME that has never formally assessed which AI tools it uses, the compliance risk is real. Deployers of high-risk AI systems face additional obligations on top of data residency, including [Fundamental Rights Impact Assessments](/insights/what-is-a-fundamental-rights-impact-assessment-and-who-needs-one).

The practical implication is this: before you can build an AI Quality Management System (the governance framework required under Article 17 of the EU AI Act for high-risk AI providers), before you can design audit logs or human oversight mechanisms, you need to answer a more basic question. Are the AI tools you use permitted to process this data in the first place? If the answer is uncertain, your governance architecture is built on sand.

The EU AI Act itself applies directly to Irish organisations whether or not the Bill passes into law. The authorities are already designated. The Bill would provide the specific enforcement powers and establish the AI Office; without it, those operational mechanisms are not yet in place.

<Pullquote>Ireland is establishing one of the most structured AI enforcement frameworks in the EU. The organisations best placed to respond are those that have already answered the foundational data residency question.</Pullquote>

---


## The three criteria for a compliant AI tool

A Clear Gate Systems Green List assessment is not a marketing category. It is a structured framework that determines whether a commercial AI tool meets the minimum requirements for compliant use under the EU AI Act, GDPR, and sector-specific regulatory obligations. A tool meets the standard by satisfying all three of the following criteria.

**Criterion 1: EU Data Residency Guarantee.** The tool must process and store data within the EEA, or the vendor must provide a fully documented legal mechanism (Standard Contractual Clauses, Binding Corporate Rules, or an EU adequacy decision) for any data that leaves the EEA. Vague contractual assurances are insufficient. The vendor must be able to confirm in writing where inference-time processing occurs, not just where data is stored at rest.

**Criterion 2: No Training on Customer Data.** The tool must not use customer data, prompts, queries, or outputs to train or improve its underlying model without explicit, documented, revocable consent. This flows directly from GDPR Article 25 (data protection by design)<a href="#ref-5">[5]</a> and the EU AI Act's Article 10 data governance obligations.<a href="#ref-4">[4]</a> Tools that use client content to improve their models are not eligible unless a Zero Data Retention (ZDR) agreement is in place: a contractual commitment from the vendor that no data from your prompts or queries is stored or used after the session ends.

**Criterion 3: Signed Data Processing Agreement.** The vendor must be willing and able to sign a GDPR-compliant DPA that includes EU AI Act-specific clauses: categories of data processed, purpose and legal basis, sub-processor locations and restrictions, retention and deletion timelines, and incident notification obligations. A vendor that declines to sign a DPA, or provides one that predates the EU AI Act, does not meet this criterion.

<Pullquote>Three criteria, all three required. Meeting two out of three is not sufficient for regulated contexts.</Pullquote>

---


## A note on "GDPR compliant" vendor claims

One of the most important things to understand before assessing any AI tool is that vendor GDPR compliance claims are not verification. Every major AI vendor states they are GDPR compliant. What this typically means is that they have signed the European Commission's Standard Contractual Clauses, which are the legal minimum for data transfers to the US under the EU-US Data Privacy Framework. It does not mean their data processing meets the additional requirements of the EU AI Act. It does not mean their inference-time processing stays in the EU. And it does not mean they will not change their data routing configuration without prominent notice, as Microsoft's April 2026 Flex Routing update demonstrated.

Tool assessments should be reviewed at least every six months as vendor policies change. Any tool used in a regulated context should have a signed, current DPA in place. DPAs written before 2025 are unlikely to address AI-specific obligations adequately.

<Pullquote>"GDPR compliant" means the vendor has signed a minimum data transfer mechanism. It does not indicate that their AI processing meets the full requirements of the EU AI Act or stays within EU borders.</Pullquote>

---


## How to audit your AI tools for EU data residency compliance

If you are not certain which AI tools your organisation is using, where their processing occurs, or whether your current DPAs address AI-specific obligations, the right starting point is a structured AI system inventory.

If you want to begin before engaging outside help, start by listing every AI tool your organisation uses and identifying which vendor handles the data processing. That inventory is the foundation for everything else.

A Clear Gate Systems EU AI Act Compliance Audit identifies every AI system your organisation is using, classifies each one by risk level, and assesses your data governance position against GDPR and EU AI Act requirements. It produces a prioritised action plan that your team can implement.

For a full overview of what the EU AI Act requires from Irish businesses and when, see [what the August 2026 EU AI Act deadline means for Irish SMEs](/insights/what-the-august-2026-eu-ai-act-deadline-means-for-irish-smes). For financial services firms, see [Does your financial services firm have an AI register?](/insights/ai-register-financial-services-ireland-eu-ai-act) for the Article 26 documentation requirements.

[Book a discovery call](/contact) to discuss what this would involve for your organisation.


Practical guidance on EU AI Act compliance and governance

How to introduce AI into your business: a practical guide for Irish SMEs

Does Your Financial Services Firm Have an AI Register? Here Is What the Law Requires.

EU AI Act compliance deadlines for Irish SMEs: updated for December 2027

What is a Fundamental Rights Impact Assessment and who needs one?

EU data residency and AI tools: what every Irish SME needs to know