AI Governance by Industry: Framework for European SMEs

TL;DR: A practical EU SME guide to AI governance that fits your industry. Covers financial services, healthcare, legal, manufacturing, and energy sectors.

AI governance for a Belgian fintech and AI governance for a Portuguese logistics operator are not the same problem. They share a regulatory base layer (GDPR + EU AI Act), but the sector-specific rules, risk classifications, and operational constraints diverge sharply. A governance framework that ignores your industry context is a compliance gap waiting to surface, and the gap closes hard on 2 August 2026 when most EU AI Act obligations begin to apply.

For mid-market executives in regulated sectors, the practical question is no longer whether to govern AI but whose framework you copy. The wrong answer here is "the IT department's", because the controls that actually keep you compliant live in compliance, in clinical, in plant, in trading, and in operations. An industry-fit AI governance framework is a three-layer stack: the EU-wide base (GDPR + EU AI Act), your sector-specific regulatory overlay, and your operational controls tailored to how AI actually touches your workflows. Most companies build the first layer and stop. The second and third layers are where governance either protects you or fails you.

Why Generic AI Governance Fails in Regulated Industries

The standard advice for AI governance is to write an acceptable use policy, set up review gates, and log what your AI tools do. That advice is correct but incomplete for any company operating under sector-specific regulation.

A fintech using AI for credit scoring faces FSMA/MiFID II obligations that a gaming studio does not. A hospital deploying AI for clinical decision support faces MDR classification requirements that a law firm does not. A manufacturer using AI for predictive maintenance faces machinery directive and ICS/OT security requirements that an e-commerce company does not.

Generic governance frameworks miss these sector layers. The result: companies believe they are compliant because they have a policy, but their actual regulatory exposure is unaddressed.

The Three-Layer Governance Stack

Every industry-fit governance framework follows the same architecture. The layers are cumulative, not alternative.

Layer 1: EU-Wide Base (Universal)

This layer applies to every European company using AI, regardless of industry:

GDPR (data protection): lawful basis for processing, data minimisation, data subject rights, cross-border transfer rules, breach notification (72 hours)
EU AI Act: risk classification (prohibited, high-risk, limited, minimal), transparency obligations, conformity assessment for high-risk systems, incident reporting. Most rules apply from 2 August 2026; high-risk AI embedded in products covered by Annex I sectoral legislation has obligations that apply from 2 August 2027
Product safety: General Product Safety Regulation for AI-enabled products

Every company needs this layer. It is not optional and it is not sufficient on its own.

Layer 2: Sector-Specific Regulatory Overlay

This is the layer most companies miss. Each regulated industry has rules that modify, extend, or constrain how AI can be used in that specific context.

Industry	Sector-Specific Rules	Key AI Constraint
Financial services	MiFID II, PSD2, DORA (in force since 17 January 2025), FSMA (Belgium), BaFin (Germany), AFM (Netherlands)	Algorithmic trading explainability, credit scoring fairness, operational resilience
Healthcare	MDR, IVDR, clinical decision support classification	AI as medical device if it influences clinical decisions
Legal	Bar association rules, professional privilege, court admissibility	AI-generated legal advice vs AI-assisted research distinction
Manufacturing	Machinery Directive 2006/42/EC (in force today), Machinery Regulation (EU) 2023/1230 (general application from 20 January 2027, with some provisions applying earlier), ICS/OT security, quality management (ISO 9001)	Safety-critical AI in production lines, predictive maintenance reliability
Energy	NIS2 (EU-level obligations; national transposition and supervisory detail vary by Member State), DORA, critical infrastructure designation	AI in grid management and energy trading under stricter cyber obligations
Veterinary	MDR-adjacent, GDPR for owner PII, CE marking as quality signal	MDR does not apply to vet-only devices, but quality expectations transfer

Layer 3: Operational Controls (Your Implementation)

This layer translates the regulatory requirements into daily operating procedures:

Data handling rules specific to your industry's data types (patient records, financial transactions, legal case files, production telemetry)
Model validation protocols appropriate for your risk level (clinical validation for healthcare, backtesting for financial models, safety certification for manufacturing)
Audit trail requirements that satisfy your sector regulator, not just GDPR
Incident response procedures that account for your industry's reporting obligations (financial regulators expect different timelines than health authorities)
Human oversight requirements calibrated to the decision's impact (a credit denial requires different oversight than a marketing recommendation)

How to Build Your Industry-Fit Framework

Step 1: Map your regulatory surface

Identify every regulation that applies to your AI usage. Start with the Layer 1 base, then add your sector-specific rules from Layer 2. If you are unsure which sector rules apply, that uncertainty is the first gap to close.

Step 2: Classify your AI use cases by risk

Not every AI use case carries the same regulatory weight. A coding assistant used by your engineering team is minimal risk. An AI system that influences clinical decisions or credit approvals is high risk. Map each use case to the EU AI Act risk classification and your sector-specific risk framework.

Step 3: Build controls per risk tier

Design your operational controls to match the risk tier, not the technology. High-risk use cases need conformity assessment, ongoing monitoring, and human oversight. Minimal-risk use cases need transparency and logging. Do not apply high-risk controls to minimal-risk use cases; you will create governance fatigue for the operations team and the compliance lead without reducing actual risk. A worked example: a German Mittelstand machine builder using AI for visual quality inspection on a single welded seam needs Layer 3 model validation against its own production data, but does not need the full conformity assessment a safety-critical hazard-detection camera would attract under the EU AI Act.

Step 4: Designate ownership by function

AI governance cannot live exclusively in IT. In a Belgian fintech, the compliance lead owns the explainability requirement; in a Spanish hospital, the clinical director owns the validation protocol; in a Dutch utility, the operations director and the CISO jointly own the NIS2 control set. Map each governance responsibility to the function that already owns the underlying domain risk, and write the owner's name into the policy.

Step 5: Set a review cadence

Regulations change. Your AI usage evolves. Build a review cycle:

Quarterly: review AI use case register and risk classifications
Annually: full regulatory mapping refresh (new guidance, enforcement actions, sector-specific updates)
Per incident: update controls based on what failed

Frequently Asked Questions

Do I need separate governance for each AI tool?

No. Govern by use case and risk tier, not by tool. A coding assistant and a customer service chatbot may use the same underlying model but have very different risk profiles. Your governance should reflect the use case risk, not the vendor name.

How do I know which EU AI Act risk category applies to my industry?

The EU AI Act defines high-risk categories explicitly in Annex III. If your AI system is used for credit scoring, employee recruitment, law enforcement, medical devices, or critical infrastructure management, it is likely high risk. If it is used for content recommendation, code generation, or internal analytics, it is likely minimal risk. When in doubt, treat it as high risk until you have confirmed otherwise.

Can I use the same governance framework across multiple European countries?

Yes, with adjustments. The EU-wide base (GDPR + EU AI Act) is harmonised across Member States. Sector-specific rules vary: Belgian financial services face FSMA, German firms face BaFin, Dutch firms face AFM. Your governance framework should have a common core with country-specific appendices for sector regulation, owned by the local compliance lead and reviewed by the CTO and Head of Operations.

What happens if I operate in multiple industries?

Build the framework once with a shared Layer 1 and Layer 2 overlays for each industry you operate in. A mid-market business that provides AI solutions to both healthcare and financial services clients needs both the MDR overlay and the MiFID II overlay, but the base layer and many operational controls can be shared. The CTO typically owns the shared core; the per-vertical compliance owner extends it.

Industry Deep Dives

Each of these articles covers the three-layer governance stack for a specific industry:

Get Governance That Fits Your Industry

If your AI governance is built on generic templates that do not account for your sector's regulatory requirements, you have a compliance gap, not a governance framework.

Our AI Readiness Assessment evaluates your current AI governance against the specific regulatory stack for your industry. It identifies gaps in your Layer 2 and Layer 3 controls before a regulator does.

If you already know the gaps and need help building the sector-specific controls, our AI Consulting services design governance frameworks that satisfy both the EU-wide base and your industry-specific obligations.

How to Build an AI Governance Framework That Fits Your Industry (Not Just Your IT Department)

Why Generic AI Governance Fails in Regulated Industries