What is the EU AI Act?
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It regulates the development, deployment, and use of AI systems within the European Union — and it has direct implications for UK businesses that serve EU clients or use AI in ways that affect EU residents.
The Act takes a risk-based approach, classifying AI systems into four tiers:
- Unacceptable risk — Banned outright (e.g. social scoring, real-time biometric surveillance)
- High risk — Subject to strict requirements (e.g. AI in recruitment, credit decisions, education)
- Limited risk — Transparency obligations (e.g. chatbots must disclose they're AI)
- Minimal risk — No specific requirements (e.g. spam filters, AI-powered games)
Does it apply to UK businesses?
Yes — in several scenarios:
- If you serve EU clients, and your AI tools process their data or make decisions affecting them, you may be in scope.
- If you use AI in hiring, even for UK-based roles, and your hiring process could affect EU nationals, the high-risk provisions may apply.
- If your AI tools are developed by EU companies, the compliance obligations flow through the supply chain.
Even if you believe you're entirely outside scope, the EU AI Act is widely expected to influence UK regulation. The UK government has signalled it will introduce its own AI governance framework, and businesses that prepare for the EU Act now will be well-positioned for whatever comes next.
Key dates
- February 2025 — Prohibitions on unacceptable-risk AI systems took effect
- August 2025 — Requirements for general-purpose AI models began applying
- August 2026 — Full enforcement, including high-risk AI system requirements
What UK SMEs should do now
1. Map your AI use
Identify every way your business uses AI — tools, processes, decision-making, customer interactions. Include the tools your staff are using without approval (Shadow AI).
2. Classify your risk
For each AI use, determine which risk category it falls into under the Act. This is where most businesses get stuck — the classification isn't intuitive and getting it wrong means over- or under-investing in compliance.
3. Identify gaps
Compare your current state against what the regulation requires. Where do you meet the requirements already? Where do you fall short?
4. Build an action plan
Prioritise actions by deadline and risk. Some requirements are already in force. Others don't kick in until August 2026. You need a clear calendar showing what needs to happen by when.
5. Brief your leadership
Directors and senior partners need to understand what the Act means for the business. A plain English summary — not a legal document — is what they need to make informed decisions.
The penalties are real
Non-compliance can result in fines of up to €35 million or 7% of global annual turnover, whichever is higher. These penalties are designed to be proportionate but dissuasive — meaning they're calculated to be felt by businesses of any size.
Don't wait
August 2026 is not far away. Building compliance from scratch takes months, not weeks. The businesses that start now will be ready. The ones that wait until summer 2026 will be scrambling.