Agefi Luxembourg - mars 2026

Mars 2026 47 AGEFI Luxembourg Informatique financière T he entry into force of the European Union’sArtificial IntelligenceAct (AIAct) inAugust 2024, and the application of the first prohibition in Fe- bruary 2025, marks a significantmiles- tone in the regulation of digital technologies. Similar in scope and ambition to theGeneral Data ProtectionRegulation (GDPR), theAIAct establishes a horizontal, risk-based frame- work applicable across sectors andbusinessmodels. Knowmore about the EUAIAct Its objective is to ensure that artificial intel- ligence systems usedwithin the EuropeanUnion are lawful, safe, transparent and fully respectful of fundamental rights.Within this regulatoryvision, ar- tificial intelligence is conceived not as a replacement forhumandecision-making,butasatrustedcompan- ion and copilot, fostering innovation while embed- ding ethical principles, accountability and human oversight. Consequently, the InternalAudit Function isdirectlyimpacted,reflectingitsroleinprovidingin- dependent assurance over governance, riskmanage- ment and regulatory compliance in an increasingly AI-enabled environment. Implications for Firms Internalauditteams,whichhavelonghelpedimprove governance andmanage risks, arenowat akey turn- ingpointwith the emergence of artificial intelligence. As AI rapidly transforms industries by enhancing analysis, decision-makingandoperational efficiency, itisalsoreshapinghowinternalauditorsevaluatecon- trols and organizational resilience. By integratingAI- driven tools, audit teams can detect anomalies faster, process vast datasets more accurately and provide deeper insights to leadership. This convergence not only elevates the strategic value of internal audit but alsoensuresorganizationsremainagileandwell-pre- pared amid accelerating technological change. AI as a strategic imperative for internal audit Traditional internal audit processes increasingly struggle withmassive data overflow, frequent regu- latory changes and the expectation to extract deeper insightsfromgrowingvolumesofinformation.These challenges are amplified by the rising complexity of businessenvironments,whereemergingrisksevolve rapidlyandrequireincreasinglydetailedanalysis. As organizations navigate frequent regulatory changes, theexpectationforinternalaudittodelivertimelyand accurate assurance continues to rise, creating oppor- tunities for AI to support deeper, more granular as- sessment of risks and sub-risks. In Luxembourg, this isparticularlyrelevantinareassuchasdataprotection, third-partymanagementandESG,whereAIcanhelp internal audit performmore comprehensive reviews to strengthenoverall risk coverage. DataProtection: Whendealingwithmillionsofaccess logs, processing records anddata-flowevents,AI en- ables internal audit to detect hidden anomalies by scanning large volumes of data-access and usage in- formationtoidentifyunusualpatterns,suchasexces- sive privileged access, atypical data extraction, or processing activities outside approved purposes that may signal deeperGDPRor privacy-related risks.AI alsoallowsinternalauditorstoprioritizedata-protec- tion gaps by benchmarking controls such as access rights management, dataminimization practices, re- tentionrulesandencryptioncoverageacrosssystems or entities, helping pinpoint where data-protection maturity and compliance areweakest. Third-PartyRisk: Vendorandsubcontractorinforma- tion is often dispersed across contracts, risk assess- ments, KPIs, etc., making it difficult to obtain a comprehensiveview.AIcansupportinternalauditors by analyzing unstructureddocuments at scale, read- ingcontractsanddue-diligencefilestosurfacemissing clauses, risky terms, or instances of non-compliance withinternalstandardsandregulatoryrequirements. ESG: ESGdata typically originates fromnumerous systems, suppliers and reports, whichmakes com- pleteness and consistency challenging toverify. For example, in terms of SFDR and Greenwashing risks, AI can screenwebsites, prospectuses and pe- riodic reports to check SFDRdisclosures, verifyPAI indicator coverage andflag broad/aspirational lan- guage not backed by method detail, mirroring CSSF expectations. This environment underscores a clear need forAI, as intelligent tools can analyze vast datasets, automate testingandenhance risk coveragewithgreater speed andprecisionthantraditionalmethods.Byintegrating AI into their methodologies, internal audit functions cankeeppacewith regulatory expectations, improve efficiency and deliver the strategic insights required in today’s increasingly complex business landscape. AI as a keydriver of internal audit efficiency According to the CSSF/BCL thematic review on the useofArtificialIntelligenceinLuxembourg,financial institutions highlight the enhancement of internal workflowsasthemostsignificantbenefitofAI(69%), followed by greater operational efficiency and cost savings (56%) and improved capability to process large volumes of data (52%), all reflectingAI’s strong contribution to strengthening internal efficiency. Asorganizations confront rising regulatoryexpecta- tions, expandingdata volumes and increasingpres- sure to deliver real-time assurance, artificial intelligence (AI) emerges as a transformative force reshaping the internal audit function.Across indus- tries, audit teams are beginning to leverage AI not merely as a tool for efficiency, but as a strategic en- abler capable of elevating riskdetection, strengthen- ing oversight and enhancing overall audit quality. One of the most significant advancements comes fromAI-driven data analysis . Modern AI engines can process vast quantities of transactional and op- erational data in seconds, uncovering patterns, cor- relations and anomalies that traditional manual techniquesoftenmiss.Thisabilityallowsinternalau- ditors to broaden their coverage while sharpening the precision of their risk assessments. Complementingthis, advancedanalytics isbecoming an increasingly valuable asset for risk-focused plan- ning.Byexamininghistoricalpatternsandbehavioral indicators,AI helps highlight areas thatmaywarrant earlier attention, allowing auditors to prioritize their work more effectively. Rather than predicting risks, thisshiftenhancesinternalauditabilitytomovefrom purely reactive reviews toward more informed, for- ward-lookinginsightsthatstrengthenhoworganiza- tions safeguard their control environments. AIisalsodrivingprogressin continuousmonitoring , an area previously constrained by manual capacity. Automated surveillance tools nowmonitor controls andexceptionsinrealtime,providingearlywarnings when unusual activity is detected. For organizations navigating volatile markets and complex regulatory regimes,thisreal-timevisibilitysignificantlystrength- ens resilience. Finally, AI is freeing internal audit teams from time consumingadministrativeworkthroughthe automa- tionofroutinetasks .Activitieslikedataentry,recon- ciliationandreportgeneration,cannowbecompleted automatically, allowing auditors to redirect their ef- forts toward judgment-based analysis, stakeholder engagement and strategic advisory roles. Together, theseadvancementsillustrateabroadershift: AIisnot replacing auditors but empowering them. As busi- nesses continue to digitalize and regulatory expecta- tions intensify, AI-enabled audit functions will be better positioned to deliver timely insights, enhanceorganizationaltrustandcontribute meaningfullytostrategicdecision-making. EUAIAct:An IAwake-up call WhileAI offers significant potential, its adoption in Internal Audit comes with important challenges and consider- ations.Organizationsmustcarefully manage data privacy and security risks, ensuring that sensitive infor- mationremainsprotectedthrough- out AI-driven processes. Audit teamsalsoneedpersonnelwiththe right skills and judgment to inter- pret AI outputs effectively and avoidmisinterpretation. These challenges are becoming even more relevant with the introductionof the EUAIActwhich aims at addressingtheriskstosafetyandfundamentalrights, mainly in the context of Regulation (EU) 2019/1020, aiming to improve market surveillance and compli- ance of products, oriented toward consumer protec- tion and creating a single market for trustworthyAI intheEU.Supervisors(CSSF,CAA,CNPDandmar- ket surveillance authorities) will increasingly expect structured, auditable evidence ofAI governance and controls. TheAI Act is designed to complement, not replace,existingfinancialregulation.InLuxembourg, thismeansinternalauditorsmustconsideralignment with DORA (ICT and operational resilience), CSSF governance and outsourcing circulars as well as GDPRandCNPDexpectations. Implementation timeline and keymilestones 02/02/2025 > P rohibited systems 02/08/2025 > Governance and General-Purpose AI model rules apply 02/08/2026 > All rules of the AI Act apply obligations for high-risk systems defined in Annex III 02/08/2027 > Obligations for high-risk systems defined in Annex I Implementation delay up to 16 months proposed by the European Commission on 19/11/2025 . Source: ABBL conference - The CSSF’s InsightsonAIActImplementation This regulatory framework re- inforces the need for Internal Audit to understand how AI models are developed, docu- mented, tested and monitored and to verify that appropriate governancecontrolsareinplace across the AI lifecycle. Beyond compliance, the AI Act acceler- atesabroadertransformationof the internal audit profession. Auditors are not expected to becomeAI experts, but theymustdevelopsufficientAIliteracytounderstand howautomatedsystemsinfluencedecisionsandrisks. Indoingso,internalauditstrengthensitsroleasakey assurance provider at the intersection of technology, governance and regulation, supporting trust and ac- countability inLuxembourg’s highly regulated envi- ronment. TheintroductionoftheAIActwillprofoundlyimpact theworkofinternalauditors,reshapingtheirrespon- sibilities and the nature of their assessments. - Enhancedfocusonethical auditing :Under theEU AI Act, internal audit will increasingly focus on the assessment of AI systems, extending beyond tradi- tional controls. This includes not only technological and risk considerations, but also key ethical aspects suchashumanoversight,transparency,biaspreven- tion and respect for fundamental rights, reinforcing internalaudit’sroleinensuringresponsibleandtrust- worthyAI use. -Increasedcomplexityinauditing :TheAIActintro- duces newcompliance requirements and riskassess- ments specific to AI technologies. Internal auditors will face greater complexity in theirwork, necessitat- ing a deeper understanding of AI algorithms, data sources and the potential for bias or ethical concerns. Thiscomplexitywillrequireauditorstodevelopnew methodologies and tools tailored toAI audits. - Integration of technology in auditing processes : TheAIAct encourages the use ofAI in various busi- nessprocesses,whichmeansinternalauditorswillin- creasingly rely on advanced analytics andAI tools to enhance their audit procedures. This integrationwill transform traditional auditing practices, enabling more efficient data analysis and risk identification. - Proactive riskmanagement : With theAIAct’s em- phasis on risk-based categorization, internal auditors will shift from a reactive to a proactive approach in theirwork.Theywillneedtoanticipatepotentialrisks associated withAI systems and implement controls beforeissuesarise,fundamentallychangingtheirrole fromcompliance checkers to strategic risk advisors. -Continuouslearningandadaptation :Theevolving landscapeofAI technologies andregulationswill ne- cessitateongoingeducationforinternalauditors.They will need to stay abreast of technological advance- ments and regulatory changes, which will require commitment to continuous learning and adaptation in their professional development. The EUAIActmarks a turning point and thosewho actnowwillshapethefutureoftrustedinternalaudits. Tomove confidently into the next era, organizations shouldactivelyadoptAI-enabledsolutionstoenhance their audit needs, efficiency, insight and assurance quality. Success will also depend on investing in ro- bust training and upskilling programs that equip audit teams with the capabilities required to under- stand, interpret and responsibly applyAI tools.With the right technologies and competencies, organiza- tions can unlock the full value ofAI and ensure their internal audit functions remain robust, scalable and fit for evolving regulatory expectations. Abdelhay TOUDMA EY Luxembourg Technology Consulting Partner, Governance, Risk and Compliance Leader Kenza BENHSIKI EY Luxembourg Senior Manager Risk Consulting The EU AI Act: A turning point for the Internal Audit Function Source :EY Abonnement aumensuel (journal + éditiondigitale) 1an (11numéros) =55€abonnement pourLuxembourget Belgique - 65€pour autrespays L’édition digitale du mensuel en ligne sur notre site Internet www.agefi.lu est accessible automatiquement aux souscripteurs de l’éditionpapier. NOM:....................................................................................................................................................................... ADRESSE:.............................................................................................................................................................. LOCALITÉ:............................................................................................................................................................ PAYS:....................................................................................................................................................................... TELEPHONE:...................................................................................................................................................... EMAIL:.................................................................................................................................................................... - Je verse ……€ au compte d’AGEFI Luxembourg à la BIL / LU71 0020 1562 9620 0000 (BIC/Swift : BILLLULL) -Jedésireunefacture :...................................................................................................................................... -N°TVA : ................................................................................................................................................................ Abonnement aumensuel en ligne Si vouspréférezvous abonner en ligne, rendez-vous à lapage ‘S’abonner’ sur notre site In- ternet https://www.agefi.lu/Abonnements.aspx Abonnement à notre newsletter / Le Fax quotidien (5 jours/semaine, du lundi auvendredi) Informations en ligne sur https://www.agefi.lu/Abonnements.aspx Abonnez-vous / Subscribe Source:AIthematicreportCSSF/BCL