On 7 May 2026, negotiators from the European Council, the European Parliament and the European Commission reached a provisional agreement on the “Digital Omnibus on AI” — a package that, among other changes, pushes back the date when the EU AI Act’s toughest rules for high–risk systems start to bite. For most fintech and lending teams the headline that matters is narrow but consequential: the obligations for AI–driven credit scoring, originally due to apply on 2 August 2026, would move to 2 December 2027. The rules themselves have not been softened — only the clock has been reset. If your product decides who gets a loan, a card or a credit line in the EU, this is the development to read carefully this summer.
What actually changed in May 2026
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 with a staggered timeline. Bans on prohibited practices and AI–literacy duties came first; the heavy compliance burden for “high–risk” systems listed in Annex III was scheduled for 2 August 2026. The Digital Omnibus, agreed in principle on 7 May 2026, proposes deferring those Annex III obligations by sixteen months to 2 December 2027, and high–risk AI embedded in regulated physical products (Annex I) to 2 August 2028.
Two caveats keep this from being a reason to relax. First, the change is still a provisional political agreement: it only takes legal effect once it is formally adopted and published in the Official Journal, which is expected before 2 August 2026 — the very date the old deadline would otherwise hit. Second, nothing about the substance has been watered down. The same documentation, oversight and testing duties apply; teams simply have more runway to build them properly instead of bolting them on at the last minute.
Why credit scoring sits in the “high–risk” category
Annex III of the Act is explicit. Point 5(b) classifies as high–risk any AI system “intended to be used to evaluate the creditworthiness of natural persons or establish their credit score,” with a carve–out only for systems used to detect financial fraud. Point 5(c) adds risk assessment and pricing for life and health insurance. In plain terms: if a model influences whether a person is approved, what limit they receive, or what rate they pay, it is in scope — whether you built it or licensed it.
The Act also draws a line between a “provider” (the party that develops the system or places it on the market) and a “deployer” (the party that uses it). Fintechs that train their own scoring or underwriting models carry the provider obligations, which are the heaviest. Firms that merely use a third–party model still inherit deployer duties around human oversight, monitoring and informing affected customers.
What the obligations require — and where they land in software
The high–risk requirements read like a product backlog as much as a legal text. They are spread across the Act’s Chapter III and include:
- A documented risk–management process that runs across the model’s lifecycle (Article 9).
- Data governance covering the quality, relevance and representativeness of training, validation and test data (Article 10).
- Technical documentation and automatically generated logs so decisions can be traced and reproduced (Articles 11 and 12).
- Transparency for the people who operate the system, plus meaningful human oversight of individual outcomes (Articles 13 and 14).
- A conformity assessment before the system goes live, and post–market monitoring after (Articles 43 and 72).
- For affected customers, a right to a clear explanation of an automated decision that affects them (Article 86).
Read that list again and notice how much of it is an interface and data problem. Logs and audit trails are storage and API work. Human oversight is a review queue with the right controls. Explanations are screens and customer–facing copy. Conformity evidence is a documentation portal. The legal team defines the obligation; software is where it actually lives.
Why the extra time is a build window, not a snooze button
A sixteen–month deferral is tempting to file under “later.” That would be a mistake for two reasons. The features the Act demands — explainable decisions, reviewable overrides, complete audit logs, clean data lineage — are exactly the features that reduce disputes, speed up internal audits and build customer trust, regardless of the regulation. They pay for themselves before any deadline. And retrofitting them into a live scoring stack is far more expensive than designing them in. Teams that treat late 2027 as a target to design toward, rather than a wall to hit, will ship calmer and cheaper.
How Vadimages helps
Vadimages builds the web and mobile software that turns these obligations into working product. We don’t give legal advice or build the scoring models — we build the application layer around them so the obligations have somewhere to run. For a lender or fintech, that typically means:
- A human–in–the–loop review web app: a queue where underwriters can see a flagged decision, the factors behind it, and approve, override or escalate — with every action recorded.
- Decision audit logging and a searchable history, built into the back end and surfaced through dashboards so compliance teams can reconstruct any individual outcome.
- Customer–facing explanation and adverse–action screens in the applicant portal or mobile app, written in plain language and wired to your decision data.
- An integration layer (REST or GraphQL) that connects your front end to whichever scoring engine, data provider or core banking system you use, so models stay swappable.
- An internal documentation and evidence portal where model cards, data–governance records and monitoring reports live in one reviewable place.
These are standard web and mobile deliverables — portals, dashboards, review tools, API integrations and applicant apps — shaped to fit how high–risk AI obligations actually play out in a user’s day.
Bottom line
The EU did not lower the bar for AI credit scoring on 7 May 2026; it moved the deadline from August 2026 to December 2027, pending formal adoption. The smart response is to use the runway. The audit trails, human–review queues and explanation screens the Act requires are the same things that make a lending product trustworthy and operable — and they are software you can start building now. Vadimages can help you design that application layer so compliance and good product are the same project.
This article is for general information only and is not legal or compliance advice; confirm your obligations under the EU AI Act with qualified counsel.