Does the EU AI Act apply to my UK business?

The EU AI Act applies to UK businesses with EU customers or EU-facing AI systems regardless of where you are based. This decision-tree guide explains the three triggers, the 2 August 2026 transparency deadline, what the May 2026 Omnibus def

  • 2 Aug 2026. EU AI Act transparency deadline: chatbots must disclose AI status, AI-generated content must be labelled (Article 50). Source: EU AI Act Article 50, Regulation (EU) 2024/1689.
  • €35m / 7%. Maximum fine for prohibited AI practices; the higher of the fixed amount or % of global annual turnover applies. Source: EU AI Act Article 99, Regulation (EU) 2024/1689.
  • 2 Dec 2027. Deferred deadline for standalone Annex III high-risk AI (HR, credit scoring, biometrics) after May 2026 Digital Omnibus deal. Source: EU Digital Omnibus provisional agreement, 7 May 2026.
  • ~£420m. Annual turnover below which the %-of-turnover fine cap always applies; the operative limit for virtually all UK SMEs. Source: Tom & Co analysis of EU AI Act Article 99 penalty thresholds, EUR/GBP 0.845, June 2026.
  • 2 Feb 2025. Date from which Article 5 prohibited-AI bans and Article 4 AI literacy obligations already apply to in-scope UK businesses. Source: EU AI Act Article 5 and Article 4, Regulation (EU) 2024/1689.

Yes, for most UK businesses with EU customers or EU-facing AI systems. The EU AI Act applies to any provider or deployer whose AI outputs are used in the EU, regardless of where the business is based (Article 2(1)(c), Regulation (EU) 2024/1689). Three tiers of obligation are already in force. The next key deadline is 2 August 2026, when transparency rules for chatbots and AI-generated content take effect. High-risk AI rules have been deferred to December 2027.

How does the EU AI Act define who it covers?

The Act's territorial reach mirrors the GDPR model: it follows the AI output into the EU, not just the business that built the system. Article 2(1)(c) is the key clause. It catches providers and deployers "established or located in a third country" where "the output produced by the AI system is used in the Union."

Post-Brexit, the UK is a third country. That single fact puts almost every UK business with EU customers, EU employees, or EU business partners into the potential scope of the Act.

Two roles matter. A provider is the entity that develops, trains, or places an AI system on the market. A deployer uses a third-party AI system within its own operations.

Each role carries distinct obligations. A UK retailer that builds an AI chatbot for its EU website is a provider. A UK law firm that subscribes to an AI contract-review tool and uses it on EU client files is a deployer. Many UK businesses are both at once.

The practical scope test: does any output, recommendation, or decision from your AI system land on someone in the EU? If yes, you are likely in scope. If every AI system you run touches only UK-based operations, customers, and staff with no EU counterparties, you are not.

Which of these three triggers catches your business?

Run through the triggers in order. Stop at the first that applies.

Trigger 1: You sell AI-powered products or services into the EU market. If you develop an AI tool and sell it to EU customers, you are a provider and fully in scope. For high-risk AI systems, Article 22 requires you to appoint an authorised representative physically established in the EU before placing your system on the EU market. A written mandate is required, and the representative is legally accountable to EU authorities.

Trigger 2: You use AI in your business in ways that affect EU people. A UK HR team using an AI CV-screening tool to assess candidates based in Germany is a deployer. A UK financial firm using an AI credit model to make lending decisions for EU customers is a deployer. You do not need to sell AI to be caught. Using it is enough if the output lands on someone in the EU.

Trigger 3: You build a general-purpose AI model. If you build and release a foundation model (the type underlying ChatGPT, Claude, or Gemini), the GPAI rules under Chapter V have applied since 2 August 2025. These catch model providers regardless of where users are located, as long as the model is accessible in the EU.

| Trigger | Who it typically catches | Key obligation | In force from |
| --- | --- | --- | --- |
| Provider placing AI on EU market | SaaS companies, AI tool builders with EU customers | EU authorised representative (for high-risk); conformity assessment; EU database registration | Annex III high-risk: 2 Dec 2027; Annex I high-risk: 2 Aug 2028 |
| Deployer using AI that affects EU people | Any UK business with EU customers or EU employees | AI literacy (Art. 4); transparency disclosures (Art. 50); DPIA under UK GDPR for personal-data processing | Art. 4: 2 Feb 2025; Art. 50: 2 Aug 2026 |
| GPAI model provider | AI labs, foundation model builders | Technical documentation; copyright compliance; systemic-risk evaluation for models above 10²⁵ FLOPs | 2 Aug 2025 |

What was the 2 August 2026 deadline, and what changed in May 2026?

The original EU AI Act timetable had the heaviest obligations on high-risk AI arriving 2 August 2026. That changed. On 7 May 2026, the EU institutions reached a provisional political deal (the "Digital Omnibus") that deferred the most burdensome requirements for standalone high-risk AI systems. Here is what the timetable looks like now.

Two sets of obligations entered force on 2 February 2025: the prohibition on unacceptable-risk AI systems under Article 5, and the AI literacy obligation under Article 4. Both remain unchanged by the Omnibus. If you have not audited your AI systems against the eight prohibited categories since February 2025, that audit is overdue.

GPAI model rules entered force on 2 August 2025, also unchanged.

From 2 August 2026, the Article 50 transparency obligations apply. The core requirement: chatbots and AI systems that interact directly with people must tell users they are communicating with AI (unless this is obvious). AI-generated images, audio, and video must be labelled. Non-compliance carries fines of up to €15 million or 3% of global annual turnover.

High-risk rules for standalone Annex III systems (HR, credit scoring, biometrics, education, and others) have been deferred to 2 December 2027. High-risk AI embedded in regulated products under Annex I (medical devices, machinery) has been deferred further to 2 August 2028.

The Omnibus shifted the clock, not the direction. Prohibited AI is still prohibited. GPAI obligations still bite. The high-risk rules have more runway, but the design and procurement decisions happening right now will determine whether you hit December 2027 or miss it.

Which types of AI carry the heaviest obligations?

Unacceptable-risk AI (banned since February 2025)

Eight categories of AI are outright prohibited under Article 5. These include AI that manipulates people through subliminal techniques they cannot perceive; social scoring systems run by public authorities; real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions); and AI that exploits vulnerabilities linked to age, disability, or socioeconomic status. Using or providing these in any context where outputs reach the EU is a breach. Fines reach €35 million or 7% of global annual turnover, whichever is higher.

General-purpose AI models (GPAI)

Foundation model providers are caught by Chapter V obligations that have applied since August 2025. These include publishing a summary of training data used, maintaining technical documentation, and complying with EU copyright law on training data. Providers of models with systemic risk (those trained using over 10²⁵ FLOPs of compute) face additional adversarial testing, cybersecurity requirements, and incident reporting to the EU AI Office.

High-risk AI systems (Annex III, deadline 2 December 2027)

The Annex III categories most likely to catch UK businesses are:

  • AI used in recruitment, CV screening, and performance appraisal

  • AI that determines access to credit or evaluates creditworthiness

  • Remote biometric identification and emotion-recognition systems

  • AI used in educational assessments and admissions

  • AI for benefits administration, asylum decisions, or border control

  • AI managing critical infrastructure (energy, water, transport)

These carry the heaviest compliance burden: a quality-management system, technical documentation, conformity assessment, EU market registration, and human-oversight mechanisms. The December 2027 deadline sounds generous. Building a quality-management system from scratch and appointing an EU authorised representative typically takes 12 to 18 months. Procurement decisions made in mid-2026 will determine whether compliance is feasible by that date.

Limited-risk AI (transparency, 2 August 2026)

Most UK businesses using off-the-shelf AI tools land here. If you deploy a customer-facing chatbot, use an AI assistant to draft customer communications, or run any AI that interacts directly with people in the EU, Article 50 applies from 2 August 2026. The disclosure requirement is specific: a banner, a label, or a system message stating "this is AI" is what the regulation requires. Fines for non-compliance: up to €15 million or 3% of global annual turnover.

What does your fine exposure actually look like?

The headline figures (€35 million, €15 million) are designed to catch large technology platforms. For most UK businesses, the binding constraint is the percentage-of-turnover cap, not the euro ceiling. Here is why.

Under Article 99, fines are capped at either a fixed euro amount or a percentage of global annual turnover, with the higher of the two applying. The break-even sits at approximately £420 million in annual global turnover (Tom & Co analysis of EU AI Act Article 99 penalty thresholds at EUR/GBP 0.845, June 2026). Below that level, the percentage cap is always the smaller and therefore operative figure in every tier.

In practice: a UK business with £5 million in annual turnover faces a maximum prohibited-AI fine of £350,000 (7%), a maximum Article 50 transparency fine of £150,000 (3%), and a maximum misleading-information fine of £50,000 (1%). Significant, but not existential. Article 62 also gives SMEs and start-ups some flexibility on documentation formats.

How does the EU AI Act sit alongside UK data protection law?

The EU AI Act and UK GDPR run in parallel. They do not replace each other. A UK business in scope of the EU AI Act must separately comply with the UK GDPR rules on automated decision-making (Article 22 UK GDPR), data protection impact assessments, and the ICO's AI and data protection guidance.

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2026. It requires the ICO to produce a statutory code of practice on AI and automated decision-making, covering transparency, bias, and rights of redress. That code is expected in late 2026 or 2027 and will create domestic UK obligations that sit alongside (not instead of) the EU AI Act.

The UK government's own framework, set out by DSIT, remains principles-based and non-statutory: five cross-sectoral principles (safety, transparency, fairness, accountability, contestability) applied through existing sector regulators including the ICO, FCA, CMA, and Ofcom. There is no UK equivalent of the EU AI Act's binding risk-tier structure. UK businesses operating entirely in the domestic market face a lighter framework. Those that touch the EU face the EU's binding rules on top.

What should a UK business do this quarter?

The Article 50 transparency deadline arrives in weeks. The prohibited-AI bans and GPAI obligations are already in force. Here is where to focus.

1. Map your EU exposure. For every AI system your business uses or provides, identify whether any output, recommendation, or decision reaches an EU customer, EU employee, or EU partner. A one-page spreadsheet with system name, vendor, internal use, and EU touch-points is a proportionate starting point for most SMEs.

2. Check Article 50 compliance before 2 August 2026. Any AI system interacting directly with people in the EU (chatbots, AI assistants, virtual agents) needs clear disclosure language in place before that date. Any AI-generated images, audio, or video served to EU users needs labelling. The Commission's Code of Practice on AI-generated content, published in June 2026, gives practical guidance on compliant disclosure formats.

3. Audit your AI uses against the prohibited categories. Article 5 has applied since February 2025. Run an internal review against the eight prohibited categories. If any tool or practice raises a flag, involve legal counsel. This is the highest-risk area and the longest-standing obligation.

4. If you provide high-risk AI systems to EU customers, start the compliance clock now. 2 December 2027 sounds distant. Building a quality-management system, running a conformity assessment, and appointing an EU authorised representative typically takes 12 to 18 months for a first-time project.

5. Document your AI literacy measures. Article 4 has applied since 2 February 2025. If you are in scope and have not recorded what AI literacy training or measures you have implemented for staff who work with AI, do so now. A brief policy or a training log is proportionate for most SMEs.

6. Run your UK GDPR DPIA alongside EU AI Act work, not instead of it. If any of your AI systems process personal data with a high risk, the ICO expects a Data Protection Impact Assessment. The EU AI Act's conformity assessment is a separate document serving a different regulator. You may need both if you operate in both markets.


About the author
Tom McCaul is the founder of Tom & Co, a digital growth agency specialising in e-commerce, AI strategy, and digital transformation for ambitious UK brands. With over 15 years in digital commerce and agency leadership, Tom writes on AI adoption, UK regulation, and the practical realities of implementing AI in growing businesses.
