The EU AI Act: What UK Businesses Need to Know

The EU AI Act entered into force on 1 August 2024, making it the first comprehensive legal framework for artificial intelligence in the world. It applies in stages, with different provisions coming into effect at different points through 2027. If your business operates in Europe, sells products there, or processes data about EU citizens, it is relevant to you — regardless of the fact that the UK is no longer in the EU.

The Extraterritorial Scope

Like GDPR, the EU AI Act has extraterritorial reach. It applies to:

• Providers that place AI systems on the EU market or put them into service in the EU, regardless of where the provider is established
• Users of AI systems located within the EU
• Providers and users located in third countries (including the UK) where the output of the AI system is used in the EU

A UK business that builds an AI product used by EU customers, or deploys AI that processes EU citizens' data, is within scope.

The Risk-Based Framework

The Act takes a risk-based approach, categorising AI systems into four tiers:

Unacceptable risk (prohibited): Systems that manipulate behaviour subconsciously, exploit vulnerabilities of specific groups, use real-time biometric identification in public spaces (with narrow exceptions), and social scoring systems used by public authorities. These are banned outright.

High risk: Systems used in critical infrastructure, education, employment, essential services (banking, insurance), law enforcement, migration, and administration of justice. High-risk AI must meet requirements around data quality, documentation, transparency, human oversight, accuracy, and robustness. This includes AI used in hiring decisions, credit scoring, and medical devices.

Limited risk (transparency obligations): Chatbots and AI-generated content must be disclosed as AI. Users must be informed they're interacting with an AI system.

Minimal risk: The vast majority of AI applications — spam filters, recommendation engines, AI-assisted writing tools — fall here and face no specific obligations beyond existing laws.

General Purpose AI Models

A separate set of obligations applies to providers of General Purpose AI (GPAI) models — large models like GPT-4, Claude, and Gemini that can be used for many different tasks. Providers of these models must:

• Maintain technical documentation about training data and capabilities
• Comply with EU copyright law
• Publish a summary of training data

Models that pose systemic risk (currently defined as those trained using more than 10^25 FLOPs) face additional requirements including adversarial testing, incident reporting, and cybersecurity obligations.

Most UK businesses are users of GPAI models rather than providers, so these obligations fall primarily on the model providers (OpenAI, Anthropic, Google, Microsoft). However, businesses deploying GPAI in high-risk use cases take on additional responsibilities as deployers.

Key Dates

• February 2025: Prohibited AI practices rules applied
• August 2025: GPAI model obligations and governance rules apply
• August 2026: High-risk AI system requirements apply (most significant for business deployments)
• August 2027: Certain legacy systems and high-risk AI embedded in regulated products must comply

The most operationally significant deadline for the majority of businesses deploying AI is August 2026 — when requirements for high-risk systems come into full effect.

What This Means for UK Businesses Practically

For most UK businesses deploying internal AI tools — knowledge base assistants, document processing, sales automation, operations automation — the AI Act will impose limited direct obligations, since these use cases typically fall in the minimal or limited risk categories.

Where it becomes more significant:

If you're using AI in hiring: Automated CV screening, candidate scoring, and interview analysis tools are classified as high-risk. You'll need to be able to explain decisions, provide human oversight, and maintain appropriate documentation.

If you're using AI in financial services: Credit scoring, insurance risk assessment, and fraud detection AI used in decisions affecting individuals are high-risk and must meet transparency and accuracy requirements.

If you build AI products sold into the EU market: You take on obligations as a provider — documentation, conformity assessments, CE marking in some cases.

The UK Regulatory Position

The UK government has taken a principles-based, sector-specific approach rather than legislation. The AI Safety Institute (now DSIT's AI function) and sector regulators (FCA, ICO, CMA, Ofcom) are developing AI guidance within existing regulatory frameworks. There is no direct equivalent of the EU AI Act in UK law as of 2025.

However, businesses operating in both markets effectively need to comply with the stricter EU standard — particularly as GDPR already creates obligations around automated decision-making (Article 22) that overlap significantly with AI Act requirements.

Preparing Now

The most practical steps for UK businesses operating in or selling to the EU:

1. Inventory your AI deployments — document what AI systems you use, who supplies them, and what decisions they influence
2. Identify any high-risk use cases — particularly in HR, financial services, or safety-critical processes
3. Review your AI supplier contracts — understand how your GPAI and AI software providers are addressing compliance, particularly if you're a deployer
4. Align AI governance with GDPR processes — much of what you already do for GDPR (data mapping, impact assessments, transparency) translates directly to AI Act compliance

The Act is not a reason to slow AI adoption. It is a reason to adopt AI thoughtfully — which was good practice anyway.