Update: 18 May 2026

On 7 May 2026, the EU Council and Parliament agreed to defer key high-risk AI deadlines as part of the Digital Omnibus Act. Standalone Annex III obligations move from August 2026 to December 2027. The extraterritorial provisions affecting UK companies are unchanged.

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, with most obligations applying from 2 August 2026. Post-Brexit, the UK is a "third country" for EU regulatory purposes, but the Act's extraterritorial provisions bring UK companies into scope regardless.

Three Ways the Act Catches UK Companies

Article 2(1) establishes three provisions with extraterritorial reach:

  1. Placing AI on the EU market (Article 2(1)(a)): Any UK company selling, licensing, or making AI systems available to EU customers is a "provider" under the Act, including SaaS products accessible from the EU.
  2. EU deployers using UK AI (Article 2(1)(b)): If an EU subsidiary or customer uses AI built by a UK entity, deployer obligations apply in the EU and provider obligations reach back to the UK.
  3. AI output used in the EU (Article 2(1)(c)): This captures scenarios where the AI system stays in the UK but its results affect EU persons. A UK insurer making decisions affecting EU policyholders is caught, as is a UK employer screening candidates who include EU nationals. This provision applies regardless of whether personal data is involved, which arguably gives it wider extraterritorial reach than GDPR.

What's Required

All AI systems must comply with the prohibited practices ban (Article 5), transparency obligations (Article 50), and AI literacy requirements (Article 4).

High-risk AI systems face the full obligation set: risk management (Article 9), data governance (Article 10), technical documentation (Article 11), logging (Article 12), human oversight (Article 14), accuracy and robustness (Article 15), quality management (Article 17), conformity assessment (Article 43), EU database registration (Article 49), post-market monitoring (Article 72), and serious incident reporting (Article 73). UK providers must also appoint an EU-established authorised representative (Article 22).

The UK has no equivalent horizontal AI legislation. The five DSIT principles are non-binding and do not constitute EU AI Act compliance preparation.

Penalties

Article 99 establishes three fine tiers:

  • €35 million or 7% of global turnover for prohibited practices (Article 5)
  • €15 million or 3% for other operator obligations
  • €7.5 million or 1.5% for supplying incorrect information to authorities

Key Dates

  • 2 February 2025: Prohibited practices (already in force)
  • 2 August 2025: GPAI model obligations (already in force)
  • 2 August 2026: Most obligations apply
  • 2 August 2027: Existing high-risk systems must comply

What to Do Now

  1. Inventory every AI system that touches EU markets or persons, or that produces output used in the EU
  2. Classify each system's risk tier against Annex III
  3. Gap analysis: map current state against applicable obligations
  4. Prioritise by penalty exposure: prohibited practices first, then high-risk obligations
  5. Appoint an authorised representative if placing systems on the EU market


Assess your position

HEX 165 scans your AI systems against 348 EU AI Act criteria and produces a compliance gap analysis with remediation actions.