The EU AI Act is the European regulation that classifies AI systems by risk — from prohibited (social scoring) to high-risk (credit scoring) to limited transparency (chatbots) — and phases in obligations from 2025 to 2027. For finance teams: most internal applications fall in the lowest risk categories, but HR, credit, and compliance AI specifically demand early documentation, data-quality audits, and human oversight.
The EU AI Act has been in force since August 2024 and its phased rollout continues through 2027. For finance teams, the question is not whether the law applies, but which parts already touch the work — and which are mostly a reputational concern that does not hit most SME and scale-up finance functions. This is not legal advice; it's a working interpretation for CFOs and controllers who want to know for themselves where to pay attention.
The four risk categories in a finance context
The Act splits AI into four risk categories based on the application — not the underlying model. The same Claude that is Tier 1 for a commercial forecast can be Tier 3 for automatic credit scoring.
Tier 4 — Unacceptable risk (prohibited)
Social scoring, manipulative systems, real-time biometric identification. Doesn't touch finance teams. Worth knowing: an AI that judges employees on facial expressions during a variance discussion falls here too. We don't see this in practice.
Tier 3 — High risk (strict rules)
This is the category where finance really has to pay attention. Annex III of the Act covers, among other things:
- Creditworthiness assessment of natural persons — automatic scoring for consumer credit, payment plans, or retail finance. Relevant for B2C businesses and for B2B finance teams working with individuals.
- Fraud detection and AML — some of these systems fall under Annex III for insurance and financial services. For regular SMEs letting AI flag "suspicious transaction patterns" it's usually Tier 2, but if automated decisions follow (block account, refuse payment), it shifts toward Tier 3.
- Recruitment and selection, and — relevant for finance — HR applications that decide on employment terms or compensation. An AI doing salary benchmarks is Tier 2; an AI co-deciding on bonus allocation can be Tier 3.
For Tier 3 systems, risk management, data governance, technical documentation, logging, and human oversight apply. For SME finance: if you procure such a system, you're the deployer and must show that you use it correctly, keep logs, and maintain human oversight. If you build it yourself (in N8N, in custom code), you're the provider, and the full list of obligations applies.
Tier 2 — Limited risk (transparency)
Much of the finance use that matters in practice sits here. A chatbot for AR queries, AI-generated payment reminders, AI commentary on reports sent to external stakeholders. Obligation: recipients must know they are communicating with (or via) AI, and AI content has to be identifiable as such.
Practical translation for finance: a line under a payment reminder ("This reminder was prepared with AI assistance and reviewed by our AR team") is enough. Don't hide it — that undermines the transparency requirement and creates trouble later.
Tier 1 — Minimal risk (free)
By far the largest share of internal finance use sits here: AI in spam filters, help with Excel formulas, a summary of your own meeting, a draft of an internal memo. No specific AI Act obligations apply, just the other laws (GDPR, confidentiality, contracts) that already did.
GDPR versus EU data residency — a common confusion
A point where boards and finance managers regularly mix things up: GDPR and EU data residency are not the same.
GDPR is the rulebook: how you may handle personal data, on what legal basis, with which rights for data subjects, with which breach-notification obligation (72 hours). The rules apply worldwide to anyone processing data on EU citizens.
EU data residency is the address: where the servers physically sit. That isn't a GDPR requirement. GDPR explicitly allows data to be processed outside the EU provided there are adequate safeguards (Standard Contractual Clauses, an adequacy decision, binding corporate rules).
Practical consequence for finance: a tool can be GDPR-compliant without the data sitting in the EU (ChatGPT Business via SCCs is one example), and a tool can be EU-hosted and still have GDPR shortcomings in logging or retention. For some finance contexts — a trust office, an asset manager, a bank — additional sector regulation (MiFID, MiCA) requires data to stay physically inside the EU. That's sector-specific, not GDPR.
Compliance status of the tools — spring 2026
The situation changes quickly. A snapshot for the tools common in SME finance:
- Microsoft 365 Copilot — historically the most mature on EU compliance, especially relevant because many finance teams already work in Office. Watchpoint: since April 2026 Flex Routing is on by default, which routes queries to US servers when EU capacity is full. Admins must explicitly switch this off for the finance tenant.
- Claude Enterprise — ISO 27001 + ISO 42001 certified. EU residency via deployment on AWS or GCP, not via the native Claude.ai platform.
- ChatGPT Enterprise — fully EU-compliant since January 2026, including EU data residency. Business tier is GDPR-compliant via SCCs but without EU residency.
- Gemini Workspace — DPA and SCCs in place, processing in the US. No EU residency in the standard configuration.
- Saldus.ai — EU hosting (Vercel EU + Supabase EU), customer-owned model choice, no training on customer data, DPA on request. With embedded deployments, everything runs on customer-owned infrastructure — no data leaves the customer environment.
- Grok (xAI) — multiple ongoing GDPR/DSA investigations, no EU residency, consumer terms on all tiers. Not defensible for finance use with personal data.
This is not legal advice. Terms of service change regularly, and a compliance check belongs with every new tool purchase. Set a quarterly reminder.
The AI literacy obligation for finance teams
Since February 2025, Article 4 of the AI Act applies: employers must ensure that employees working with AI have "sufficient AI literacy" given their role and the systems they use. "Sufficient" is not defined in hard terms.
In practice for finance: a demonstrable training programme where the team learns how AI works, what its limitations are (hallucinations on numbers, outdated training data, the difference between "sounds good" and "is correct"), and which risks the organization is running. A 30-minute session with a simple summary suffices, provided you can show everyone attended (attendance list, short quiz, or a signed memo).
For finance, this is not a formality. A controller who doesn't know an AI can cheerfully cite a plausible but invented IFRS paragraph is a liability incident waiting to happen. An AP clerk who doesn't know an AI can follow hidden instructions inside a supplier PDF (prompt injection), likewise.
Five practical steps for finance
What does a CFO or finance manager of an SME or scale-up actually need to do?
1. Inventory every AI system that touches finance data. Not just the explicit tools (Copilot, Claude), but also the AI hidden inside existing SaaS: fraud detection in your payment system, classification AI in your expense tool, recommendations in your banking portal, OCR in your invoicing chain. Ask every vendor: which AI is in it, which risk category, which documentation do you provide?
2. Classify each system per risk category. For most finance applications this will be Tier 1 or Tier 2. If you have Tier 3 (credit assessment, automated payment blocking, HR compensation algorithms), reserve time for proper documentation and account for the chance you may have to switch vendors.
3. Codify transparency for Tier 2 communications. If you send AI-generated payment reminders or AR communication: make it visible. If you have a chatbot on the invoicing portal: label it. Cheap, simple, avoids trouble later.
4. Set up an AI register for finance. One spreadsheet with, per system: vendor, tier, data classification, GDPR status, data residency, responsible person in finance, date of last review. This is the base of any audit trajectory and at the same time a simple steering instrument towards the supervisory board or an investor.
5. Tie it to a finance AI policy. The AI register is the "what do we have" side; the policy is the "who is allowed to do what" side. Both are needed. See AI governance for finance for the policy side.
Audit grade — how local GAAP/IFRS-EU and the AI Act converge
The Act requires logging, technical documentation, and human oversight for Tier 3 systems. For finance this overlaps with what RJ and IFRS-EU already require around internal control (Dutch BW2 Article 393/393a, in-control statement). Practically: if you include AI tools in your periodic ICFR evaluation and keep your AI-action audit trail the same way you keep your bookkeeping, you cover both regimes in one go.
That sounds harmless, but it is exactly the point at which finance teams can head off an audit discussion: don't wait until the external auditor asks "how do we know this commentary was reviewed by a human" — embed the evidence in the standard close procedures.
Saldus in practice
Saldus is built from this EU context: EU hosting by default, customer-owned model choice (no vendor lock-in on a single US provider), an audit trail per AI action at the level an external auditor expects, and — for the most sensitive data — an embedded variant where the entire platform runs on customer-owned infrastructure. It doesn't release you from the AI literacy obligation or the AI register, but it removes the "is my tool actually compliant" question.