The EU AI Act (Regulation (EU) 2024/1689) is the first broad law governing artificial intelligence. It applies a risk-based framework to the systems organisations build and deploy, and its reach extends well beyond the European Union. Many UK organisations are in scope. This guide sets out the essentials and links to detailed articles on each part.
Who It Applies To
The Act has extraterritorial reach under Article 2. A UK organisation can be caught where it places an AI system on the EU market, where an EU-based deployer uses a UK-built system, or where the output of a system is used within the EU. The UK has no equivalent horizontal AI law, so for many British firms the EU AI Act is the first binding AI regime they meet.
Detail: EU AI Act: what UK companies need to know.
The Risk Tiers
The Act sorts AI systems by the risk they present. Prohibited practices (Article 5) are banned outright. High-risk systems, listed in Annex III and in the Annex I product legislation, carry the heaviest obligations, covering risk management, data governance, technical documentation, human oversight and post-market monitoring. Limited-risk systems face transparency duties, and minimal-risk systems are largely unregulated. Classification turns on how a system is used and in what domain, not on the technology behind it. The one exception is general-purpose AI models, which carry their own obligations under Chapter V regardless of the downstream use to which they are put.
Detail: how agentic AI systems are classified.
Key Dates
The obligations phase in over several years, and the Digital Omnibus agreement of May 2026 deferred the high-risk deadlines.
- 2 February 2025: prohibited practices in force
- 2 August 2025: general-purpose AI (GPAI) model obligations in force
- 2 December 2027: standalone Annex III high-risk obligations (deferred from August 2026)
- 2 August 2028: product-embedded Annex I high-risk obligations (deferred from August 2027)
Detail: what the Omnibus deadline changes mean.
Penalties
Enforcement is tiered under Article 99. The most serious breaches, the use of prohibited practices, can draw fines of up to €35 million or 7 per cent of worldwide annual turnover, whichever is higher. Lower tiers apply to breaches of other operator obligations (up to €15 million or 3 per cent) and to supplying incorrect, incomplete or misleading information to authorities (up to €7.5 million or 1 per cent). For SMEs and start-ups the lower of the fixed amount and the percentage applies.
Detail: the three fine tiers explained.
Sector Overlap
The AI Act does not sit alone. Financial entities also fall under DORA, which sets ICT risk, incident reporting and third-party obligations that apply to AI systems as much as to any other technology. Organisations in regulated sectors need to read the AI Act alongside the rules already governing them.
Detail: DORA and AI in financial services.
How to Prepare
Preparation starts with an inventory. An organisation cannot classify or govern AI systems it has not catalogued, so a clear record of what is in use comes first. From there, classify each system against the risk tiers, then build the documentation, risk management and human-oversight controls the high-risk obligations require.
Two practical points help. A recognised management framework such as ISO/IEC 42001 gives structure to the governance work, though certification is not the same as legal conformity. And technical scanning surfaces risks that questionnaires miss, particularly for agentic systems. You can run a free compliance pre-check on your own code as a starting point.
Frequently Asked Questions
Does the EU AI Act apply to UK companies?
Yes, in many cases. Under Article 2, a UK organisation is in scope where it places an AI system on the EU market, where an EU deployer uses its system, or where the system's output is used in the EU. See our article on UK companies.
When do the main obligations take effect?
Prohibited practices have applied since February 2025 and GPAI model obligations since August 2025. The high-risk obligations were deferred by the May 2026 Digital Omnibus to December 2027 for standalone Annex III systems and August 2028 for product-embedded systems.
What are the maximum penalties?
Up to €35 million or 7 per cent of worldwide annual turnover, whichever is higher, for the use of prohibited practices. Breaches of other operator obligations carry up to €15 million or 3 per cent, and supplying incorrect information to authorities up to €7.5 million or 1 per cent.
Does ISO 42001 certification mean EU AI Act compliance?
No. ISO/IEC 42001 is a management-system standard that supports preparation and produces much of the evidence the Act expects, but it is not a harmonised standard under the Act, so certification is not the same as legal conformity.
Assess your position against the EU AI Act
HEX 165 evaluates your AI systems against the full EU AI Act obligation set and produces a compliance gap analysis with prioritised remediation actions. Book a demo or learn more about the platform.