This seventh instalment in the AI & Funds series revisits the six previous briefings issued when the law was still in draft and provides a comparative legal analysis of how the EU framework on artificial intelligence, ultimately promulgated as Regulation (EU) 2024/1689 (the “AI Act”), has settled in relation to investment funds.
The AI Act has a staggered application schedule that culminates in August 2027. Article 50 of the AI Act, on transparency, is the provision most likely to be relevant to investment funds in practice, and it becomes applicable in August 2026.
The following six sections examine each prior insight in the order in which it was published, set out the contemporaneous position taken at the time of writing, and compare how the law ultimately developed to see whether the lacunae identified at that time were resolved.
Investment Discretion (AI & Funds Insight #1)
The first insight asked when investment discretion shifts from the human investment manager to the AI system, and observed that no legal definition of AI had yet been agreed at either EU or Maltese level. The piece noted the European Commission’s broad definition in Article 3 of the draft regulation and the narrower formulation aimed at distinguishing AI from classical software. That insight had concluded that, in the absence of a settled definition, liability for investment decisions would remain with the licensed human investment manager.
The position envisaged at the time has, in substance, held. The AI Act contains a single legal definition of an “AI system” in Article 3(1), closely aligned with the OECD formulation, finally resolving the definitional debate flagged in the original briefing.
For ease of reference, Article 3(1) of the EU AI Act defines an ‘AI system’ as follows: “a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”
For the asset management sector, the regulatory architecture envisaged in earlier insights in this series remains the same, namely, that licensed investment managers retain investment discretion and any liability arising from misapplying it.
Non-Contractual Liability (AI & Funds Insight #2)
The second briefing analysed the European Commission’s parallel proposal for a directive on adapting non-contractual civil liability rules to artificial intelligence (the “AI Liability Directive”), then progressing alongside the AI Act. The piece set out the rebuttable presumptions of causation and the disclosure obligations in Articles 3 and 4 of the proposal and considered how those rules might interact with the divergent depositary liability regimes under UCITS V and the AIFMD.
The legislative path of that proposal was halted and is currently closed. The AI Liability Directive was withdrawn by the European Commission in its 2025 Work Programme, on the basis that no foreseeable agreement could be reached among the co-legislators. The consequence for fund practitioners is that the rebuttable presumptions and discovery rules examined in the February 2023 briefing will not enter the EU acquis in the form proposed at that time.
Civil liability arising from the use of AI in the management of UCITS and alternative investment funds is now primarily a combination of: (i) national tort and contract law; (ii) sectoral regulatory liability based on MiFID II, UCITS and AIFMD breaches (including governance, outsourcing and operational-resilience failings, where ESMA’s statement of 30 May 2024 on firms’ use of AI under MiFID II confirms continuing expectations on testing, validation, governance and best-interest duties); and (iii) strict liability under the revised Product Liability Directive (Directive (EU) 2024/2853) (“PLD”). The revised PLD treats software, including AI systems, as a product for the purposes of strict product liability.
Risk Classifications (AI & Funds Insight #3)
The third article in the series examined the four risk classifications proposed by the European Commission, namely prohibited, high risk, limited risk and minimal risk, and concluded that investment funds governed by UCITS V, the AIFMD and analogous national regimes such as the Maltese Professional Investor Fund framework would not be classified as deployers of high-risk AI systems. The piece noted that the only operative obligation likely to apply to the sector was the transparency requirement under Article 52 of the draft text (now Article 50).
The four-tier classification has been retained in the final AI Act, though the contours within each tier were materially altered during the legislative process. The risk classifications in the final EU AI Act are: (i) unacceptable risk (prohibited AI practices under Article 5); (ii) high risk (subject to the most extensive requirements under the Act); (iii) limited risk (subject to transparency obligations); and (iv) minimal risk (no mandatory obligations). The list of prohibited practices in Article 5 of the adopted Regulation has been expanded to capture practices such as untargeted scraping of facial images for facial-recognition databases, emotion recognition in the workplace and educational institutions, and certain forms of predictive policing, none of which were prohibited in the initial EU Commission proposal analysed at the time.
Transparency Obligations (AI & Funds Insight #4)
The fourth insight compared the transparency obligations under the AIFMD with those in Article 52 of the draft AI Act, and concluded that most of the draft Article 52 obligations would have limited application to investment managers and depositaries whose contractual counterparties are corporate vehicles rather than natural persons. The piece noted that the AIFMD imposed ongoing disclosure obligations, whereas the draft AI Act imposed a one-time obligation at the point of deployment.
The transparency provisions of the draft Article 52 were carried into Article 50 of the adopted AI Act in substantially similar form, with three principal heads of obligation covering: (a) AI systems interacting with natural persons (requiring disclosure that the individual is interacting with an AI system); (b) biometric categorisation and emotion-recognition systems; and (c) AI-generated synthetic image, audio and video content (requiring labelling). Translated for investment funds, the triggers in Article 50 should be integrated into existing AIFMD, UCITS and MiFID disclosure and marketing-compliance workflows in advance of 2 August 2026 if applicable to that particular investment product and/or investment strategy.
Human Bias (AI & Funds Insight #5)
The fifth analysis examined the risk that human bias embedded in training data would be reproduced and amplified by AI systems and considered the human oversight obligations in Article 14 and the data governance obligations in Article 10 of the draft text at the time. The piece had observed that those safeguards applied only to high-risk AI systems, with the consequence that trading algorithms and similar tools used in asset management, classified as limited-risk, would attract only the Article 52 transparency obligations.
The substantive obligations on human oversight and data governance survived into Articles 14 and 10 of the promulgated EU AI Act in materially the same form. Nevertheless, the lacuna identified in the original briefing persists: managers of UCITS and AIFs that deploy AI to inform investment decisions are not, as such, brought within the high-risk regime, and the obligation to mitigate human bias in AI outputs continues to be sourced from the broader principle of investor protection rather than from a sector-specific AI rule.
Conflicts of Interest (AI & Funds Insight #6)
The sixth insight examined how the conflict of interest rules in the UCITS Directive and the AIFMD would interact with AI use in asset management, and noted the Parliament’s proposal to establish an AI Office to support the harmonised application of the AI Act. The piece anticipated that existing conflicts policies would need to be amended to reflect AI usage, drawing the analogy with the sustainability-related amendments effected by Commission Delegated Regulation (EU) 2021/1255.
The expectation that conflicts of interest policies would require amendment, by analogy with the sustainability amendments under Delegated Regulation (EU) 2021/1255, remains the prudent course for AIFMs and UCITS management companies, even though the European Commission has not yet adopted a delegated act extending the conflicts framework to AI-specific conflicts in the way that was done for sustainability risks. The characterisation of the AI Act as a lex generalis, capable of being supplemented through sectoral instruments and regulatory technical standards, has been borne out by the structure of the adopted Regulation.
Entry into Force and Phase-in Timeline
For Malta-based fund managers and other regulated entities, three practical points require attention if the AI system falls within a risk tier that triggers obligations under the Act (failing which, the system will be treated as minimal-risk and no transparency obligation will arise).
First, the AI literacy obligation in Article 4 has applied since 2025, and AIFMs, UCITS management companies and MiFID firms that deploy or use AI systems in their operations should ensure that staff have a sufficient level of AI literacy to discharge their functions.
Second, although portfolio management AI systems are not listed in Annex III of the AI Act, any AI system used for the purpose of evaluating the creditworthiness of natural persons or for the pricing of life or health insurance is high risk, and managers whose investment strategies involve consumer credit or insurance-linked products should assess the perimeter accordingly.
Third, the transparency obligations in Article 50, which become applicable on 2nd August 2026, should be integrated into existing AIFMD and UCITS disclosure workflows in good time, and existing conflicts of interest policies should be reviewed in advance of that date to capture AI-specific conflicts in the manner contemplated by the sixth briefing in this series if the investment fund directly involves an AI system that falls within a category under the EU AI Act triggering the application of Article 50. In practical terms, most funds will act as deployers, rather than providers, of AI systems, and the systems they use will typically be minimal-risk. Consequently, a licensed investment manager or investment fund is unlikely to fall within the scope of Article 50 as currently formulated.
The Malta Financial Services Authority (MFSA), as a forward-thinking fintech regulator with expertise in both the investment funds industry and technological developments, plays a central supervisory role in the local funds sector, potentially in conjunction with other authorities such as the MDIA if AI usage becomes more prevalent. Service providers advising investment funds in Malta should also take heed of national implementing measures such as the one setting the AI authority designations.
On the 7th of May 2026, the EU Parliament and EU Council provisionally agreed to amend the AI Act by (i) deferring key application dates to 2nd December 2026, regulatory sandboxes to 2nd August 2027, high‑risk obligations for stand‑alone systems to 2nd December 2027 and for embedded/product AI to 2nd August 2028; (ii) narrowing the high‑risk applicability and softening overlaps with sectoral product regimes; and (iii) streamlining centralised enforcement for vertically integrated providers of GPAI‑based systems within the EU AI Office. The proposed amendments are being referred to as the “AI Omnibus”, with the package still pending formal legislative adoption which is expected by July 2026.
In the absence of AI guidelines in AIFMD II (which had a transposition deadline in April 2026), ESMA’s ongoing guidance on AI usage under MiFID, AIFMD and UCITS currently remains the principal relevant EU financial regulatory guide alongside the AI Act framework for the usage of AI in investment funds.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.