The European Union’s Artificial Intelligence Act is the world’s first comprehensive legal framework specifically governing the development and use of artificial intelligence. It entered into force in August 2024 and its provisions are being phased in over a two-year implementation period. For UK businesses with any exposure to EU markets, customers, or operations, the EU AI Act is not a distant regulatory development — it is a present compliance obligation.
This guide explains the EU AI Act in plain English: what it covers, who it applies to, how it classifies AI systems by risk, what the compliance obligations are, and what UK businesses need to do now.
Does the EU AI Act apply to UK businesses after Brexit?
Yes — if your business places AI systems on the EU market, deploys AI systems within the EU, or provides AI-enabled services to EU users, the EU AI Act applies to you. The Act has explicit extraterritorial reach: any organisation whose AI system outputs affect EU residents is in scope, regardless of where the organisation is headquartered. For UK businesses with European customers, partners, or employees, this is a direct compliance obligation — not a future consideration.
The EU AI Act’s Risk-Based Approach
The EU AI Act classifies AI systems into four risk categories, with compliance obligations escalating in proportion to risk:
| RISK LEVEL | DEFINITION | EXAMPLES | COMPLIANCE OBLIGATION |
|---|---|---|---|
| Unacceptable Risk | AI systems that pose a clear threat to fundamental rights or safety | Social scoring by governments, real-time biometric surveillance, AI that exploits vulnerabilities of specific groups | Prohibited outright — cannot be placed on the EU market |
| High Risk | AI systems in regulated sectors or making significant decisions affecting individuals | AI in hiring, credit scoring, education, healthcare, border control, critical infrastructure | Extensive compliance obligations — risk management, data governance, human oversight, transparency, accuracy, registration |
| Limited Risk | AI systems that pose transparency risks — where users may not know they are interacting with AI | Chatbots, AI-generated content, emotion recognition | Transparency obligations — users must be informed they are interacting with AI |
| Minimal Risk | AI systems with minimal risk | Spam filters, AI-enabled product recommendations, basic automation | No mandatory requirements — but codes of practice encouraged |
High-Risk AI: What Are the Compliance Obligations?
The most significant obligations under the EU AI Act fall on providers and deployers of high-risk AI systems. If your business develops, places on the market, or uses a high-risk AI system, you must:
- Implement a risk management system: Establish and maintain a documented risk management system covering the full lifecycle of the AI system — from design through to deployment and monitoring.
- Ensure training data quality: The data used to train high-risk AI systems must meet quality criteria — sufficient representativeness, absence of known errors and biases, and relevance to the system’s intended purpose.
- Maintain technical documentation: Comprehensive technical documentation describing the AI system’s design, development, performance, and capabilities must be maintained and made available to regulators on request.
- Enable human oversight: High-risk AI systems must be designed so that human operators can monitor, understand, and override the system’s outputs. Fully autonomous high-risk AI — systems that make consequential decisions with no human oversight — is generally not permitted.
- Ensure accuracy, robustness, and cybersecurity: High-risk AI systems must meet appropriate standards of accuracy, and must be designed to be resilient against errors, faults, and adversarial manipulation.
- Register the system: High-risk AI systems must be registered in the EU AI Act’s public database before deployment.
- Conduct a conformity assessment: Before placing a high-risk AI system on the market, a conformity assessment must be conducted demonstrating that the system meets the Act’s requirements.
The EU AI Act Implementation Timeline
The EU AI Act’s provisions are being phased in over a 24-month implementation period from August 2024:
| DATE | PROVISION ENTERING INTO FORCE |
|---|---|
| February 2025 | Prohibited AI practices provisions apply — unacceptable risk AI systems must cease operation. |
| August 2025 | General purpose AI model (GPAI) obligations apply to foundation model providers. |
| August 2026 | High-risk AI system obligations fully apply — high-risk AI deployers and providers must be compliant. |
| August 2027 | Obligations for certain high-risk AI systems in existing products (machinery, medical devices) apply. |
General Purpose AI Models (GPAIs): What UK Businesses Need to Know
A significant and novel part of the EU AI Act is its regulation of General Purpose AI (GPAI) models — large foundation models like GPT-4, Claude, and Gemini that can be adapted for a wide range of uses. Providers of GPAI models (typically large technology companies) face specific transparency and safety obligations. However, organisations that deploy GPAI models in their business operations also need to understand their obligations as deployers — particularly where the GPAI is used in a high-risk context.
What UK Businesses Should Do Now
Step 1: Audit Your AI Use
Identify all AI systems in use within your business — including third-party tools that use AI. For each system, determine its risk classification under the EU AI Act. Many standard business tools (AI-assisted recruitment software, automated credit scoring, AI clinical decision support) will be classified as high-risk.
Step 2: Assess Your Compliance Gaps
For high-risk AI systems, assess your current position against the Act’s requirements — risk management documentation, training data quality, human oversight mechanisms, and technical documentation. Identify the gaps that need to be addressed before August 2026.
Step 3: Review Your AI Vendor Contracts
Many organisations deploy AI through third-party vendors. Reviewing your AI vendor contracts to understand who bears the compliance obligations under the Act — the provider (vendor) or the deployer (you) — is essential. In many cases, the deployer has significant obligations that cannot be delegated entirely to the vendor.
Step 4: Build or Commission a Governance Framework
Building an AI governance framework that addresses the EU AI Act’s requirements — as well as your UK regulatory obligations — is the most effective way to manage AI compliance holistically. An AI governance framework built to EU AI Act requirements will also satisfy most other regulatory expectations for AI governance.
How Elberra Consulting Supports EU AI Act Compliance
Elberra Consulting provides EU AI Act compliance advisory services to UK businesses — helping organisations understand their obligations, classify their AI systems, assess their compliance gaps, and develop governance frameworks that meet the Act’s requirements. Our AI ethics specialists combine regulatory expertise with practical business understanding to deliver compliance programmes that work in the real world, not just on paper.
Book a free EU AI Act compliance consultation
Our AI specialists will review your AI use, assess your EU AI Act compliance obligations, and give you a clear action plan for achieving compliance before the August 2026 deadline.
Book your free consultation → elberraconsulting.co.uk/free-consultation/
Frequently Asked Questions
Will the UK adopt equivalent AI legislation?
The UK government has so far taken a sector-based approach to AI regulation — relying on existing sector regulators (FCA, ICO, CQC) to develop AI governance guidance within their existing powers, rather than introducing a single cross-sector AI Act equivalent. However, the government’s Pro-innovation Approach to AI Regulation is under review, and pressure to introduce more formal AI legislation is growing. UK businesses should monitor developments closely.
What are the penalties for EU AI Act non-compliance?
Penalties for EU AI Act non-compliance are significant: up to €35 million or 7% of global annual turnover for violations related to prohibited AI practices; up to €15 million or 3% of global annual turnover for violations of other obligations; and up to €7.5 million or 1.5% of global annual turnover for providing incorrect information to authorities. Member State national competent authorities are responsible for enforcement.
Does the EU AI Act apply to AI I have built in-house?
Yes. The EU AI Act applies to AI system providers — and if you have developed an AI system in-house for deployment within your organisation (or for deployment to others), you are a provider subject to the Act’s obligations, not just a deployer. The compliance obligations for in-house developers are generally more extensive than for organisations that deploy third-party AI tools.
What is a foundation model under the EU AI Act?
A foundation model (referred to as a General Purpose AI model in the Act) is a large AI model trained on broad data that can perform a wide range of tasks. GPT-4, Claude, Gemini, and Llama are examples. The EU AI Act imposes specific transparency, evaluation, and safety obligations on providers of foundation models — primarily the large technology companies that develop them, rather than the businesses that use them through APIs.