The EU AI Act — Regulation (EU) 2024/1689 — is now in force. It is the world’s most comprehensive legal framework for artificial intelligence, and its reach extends well beyond the borders of the European Union. UK businesses that operate in EU markets, deploy AI systems used by EU residents, or build AI-enabled products exported to the EU are within its scope.
This guide explains the EU AI Act in plain language: how it works, what it requires, which obligations are already in force and which are coming, and what UK businesses need to do to prepare. We address the most common question we hear from clients: does the EU AI Act apply to my UK business?
Does the EU AI Act apply to UK businesses?
Yes — for many UK businesses. The Act applies to any provider that places an AI system on the EU market or puts it into service in the EU, regardless of where that provider is established. It also applies to deployers of AI systems located in the EU. UK businesses that sell AI-enabled products or services to EU customers, use AI systems that affect EU residents, or deploy AI developed by EU-based providers are within scope. Brexit does not provide an exemption.
How the EU AI Act Works: The Risk-Based Framework
The EU AI Act does not regulate all AI equally. It uses a four-tier risk classification system: the higher the risk of harm, the more stringent the compliance obligations. This proportionality is important for UK businesses to understand — it means that most everyday AI tools carry minimal obligations, while a small number of high-stakes applications face significant requirements.
| Risk Tier | Examples | Obligations |
| --- | --- | --- |
| Unacceptable Risk (PROHIBITED) | AI for social scoring by public authorities; real-time biometric surveillance in public spaces; systems that exploit vulnerabilities; manipulation of human behaviour beyond conscious awareness. | Banned outright. These systems may not be placed on the EU market under any circumstances. |
| High Risk | AI in recruitment and CV screening; AI that assesses creditworthiness; AI used in education assessment; AI in medical devices; AI for critical infrastructure management; AI systems in law enforcement. | Mandatory conformity assessment, risk management system, data governance requirements, transparency and human oversight obligations, registration in EU database, post-market monitoring. |
| Limited Risk | AI chatbots and virtual assistants; AI that generates or manipulates images, audio, or video (deepfakes); AI that interacts directly with users. | Transparency obligations: users must be informed they are interacting with an AI system. Deepfake content must be labelled. |
| Minimal Risk | AI-powered spam filters, AI recommendations in streaming services, most productivity AI tools, AI grammar checkers. | No mandatory obligations under the Act. Voluntary codes of conduct are encouraged. |
EU AI Act Timeline: What Is Already in Force in 2026
The EU AI Act entered into force in August 2024 with a phased implementation timeline. In 2026, several obligations are already binding. UK businesses need to know where they stand against the current state of the law, not just where the law is heading.
| Date | Obligations Coming Into Force |
| --- | --- |
| August 2024 | Act enters into force. The ban on prohibited AI systems takes effect on its enforcement date (February 2025). |
| February 2025 | Prohibited AI systems banned. GPAI model provisions apply. Governance bodies established in EU member states. |
| August 2025 | Obligations for General Purpose AI (GPAI) models fully applicable, including transparency and copyright requirements. |
| August 2026 | High-risk AI system obligations (Annex I) fully applicable — conformity assessments, registration, human oversight, technical documentation. |
| August 2027 | High-risk AI systems embedded in regulated products (medical devices, machinery, etc.) fully in scope. |
Where UK businesses are right now
As of 2026, the prohibition on unacceptable-risk AI is already in force, and GPAI model obligations are live. The full high-risk AI system compliance regime becomes mandatory in August 2026. UK businesses with high-risk AI applications need to be completing their conformity assessments and risk management documentation now, not waiting for the August deadline.
High-Risk AI Systems: What Compliance Requires
High-risk AI systems face the most demanding compliance requirements. If your business deploys AI for any of the purposes listed in Annex III of the Act — which includes recruitment screening, credit assessment, educational evaluation, and several others — the following obligations apply.
- Risk management: A documented risk management system that identifies, analyses, and mitigates risks associated with the AI system throughout its lifecycle.
- Data and data governance: Training, validation, and testing data must meet quality standards and be relevant, representative, and free of known errors as far as possible.
- Technical documentation: Technical documentation describing the AI system’s design, development process, capabilities, limitations, and testing results.
- Record keeping and logging: High-risk AI systems must log decisions automatically to enable post-hoc auditing of outputs.
- Transparency and information: Deployers and affected individuals must be given adequate information about the AI system’s capabilities, limitations, and oversight mechanisms.
- Human oversight: High-risk AI systems must be designed to allow effective human oversight, including the ability to stop, override, or correct the system.
- Accuracy and robustness: The system must achieve an appropriate level of accuracy, robustness, and cybersecurity.
- Conformity assessment: Before placing a high-risk AI system on the EU market, the provider must complete a conformity assessment demonstrating compliance with all applicable requirements.
General Purpose AI Models: A Separate Obligation
The EU AI Act creates a distinct category for General Purpose AI (GPAI) models — large-scale AI models trained on broad data that can perform a wide range of tasks, including large language models. This category is already in force and applies to businesses that develop or deploy GPAI models in the EU.
GPAI providers face transparency obligations (publishing a summary of training data, technical documentation), copyright compliance requirements (documenting copyrighted material used in training), and — for the most powerful models — additional obligations including adversarial testing and incident reporting. Businesses that are not themselves GPAI developers but use GPAI models via APIs (such as OpenAI, Anthropic, or Google’s models) are generally in the ‘deployer’ rather than ‘provider’ role, which carries lighter obligations — but obligations nonetheless.
Practical Steps for UK Businesses in 2026
The most important thing UK businesses can do in 2026 is to stop treating EU AI Act compliance as a future problem. The prohibition obligations are already in force. GPAI obligations are live. The August 2026 deadline for high-risk AI obligations is months away. The following steps provide a practical starting point.
| Action | Priority | Detail |
| --- | --- | --- |
| Conduct an AI applicability assessment | Immediate | Determine whether the EU AI Act applies to your business based on your markets, customers, and AI use. |
| Complete an AI inventory | Immediate | Document every AI system in use, whether built in-house or procured. Include AI embedded in third-party software. |
| Classify your AI systems by risk tier | This month | Apply the EU AI Act risk classification to each system. Any that fall into the high-risk category need urgent attention. |
| Check for prohibited AI applications | This month | Verify that none of your current or planned AI applications fall within the prohibited categories. These are banned immediately. |
| Begin high-risk AI compliance programme | Before August 2026 | If you have high-risk AI systems, begin the conformity assessment, risk management documentation, and technical documentation process now. |
| Review GPAI model use | This quarter | If you use large language models or other GPAI via APIs, assess your deployer obligations under the Act. |
| Update AI procurement contracts | This quarter | Ensure contracts with AI vendors include representations and warranties regarding EU AI Act compliance. |
How Elberra Consulting Supports EU AI Act Compliance
Elberra Consulting provides EU AI Act compliance services for UK businesses assessing their obligations and building the systems needed to meet them. Our AI ethics and governance team combines regulatory expertise with practical business experience to help you navigate compliance in a way that is proportionate to your AI risk profile.
Our services include EU AI Act applicability assessments, AI system risk classification, high-risk AI conformity assessment support, technical documentation preparation, risk management framework development, and ongoing compliance advisory. We also provide AI governance framework development for businesses that need a broader governance structure alongside their EU AI Act compliance programme.
Frequently Asked Questions
Does the EU AI Act apply to UK businesses after Brexit?
For many UK businesses, yes. The EU AI Act follows the product and the market, not the nationality of the provider. Any UK business that places an AI system on the EU market, provides AI services to EU customers, or operates AI systems that affect EU residents is within scope. The applicability depends on the specifics of how your AI is used and who it affects — not simply on where your business is registered.
What is the penalty for non-compliance with the EU AI Act?
Penalties depend on the nature of the violation. Deploying a prohibited AI system carries the highest penalties: up to 35 million euros or 7% of global annual turnover, whichever is higher. Violations of other obligations carry penalties of up to 15 million euros or 3% of global annual turnover. Providing incorrect information to authorities carries penalties of up to 7.5 million euros or 1% of global annual turnover. For SMEs, proportionate ceilings apply. These penalties are comparable to GDPR enforcement levels and should be taken seriously.
What is a high-risk AI system under the EU AI Act?
High-risk AI systems are defined in Annex III of the Act and include AI used in biometric identification, critical infrastructure management, education and vocational training assessment, employment and worker management (including recruitment screening), essential private and public services (including creditworthiness assessment), law enforcement, migration and asylum processing, and administration of justice. If your business uses AI for any of these purposes and those systems affect EU residents, you are likely in scope for high-risk obligations.
We use an AI system built by a third-party vendor — are we responsible for compliance?
Yes — as a deployer of the AI system, you have obligations under the EU AI Act even if you did not build the system yourself. Deployers of high-risk AI systems must implement human oversight measures, monitor system performance, and ensure the system is used for its intended purpose. You must also maintain records of use and cooperate with providers and national authorities. The provider (the company that built the system) carries the primary compliance burden, but deployers are not exempt. Your contracts with AI vendors should address this allocation of responsibility explicitly.