The EU AI Act, formally Regulation (EU) 2024/1689 of the European Parliament and of the Council, entered into force on 1 August 2024. It is the world's first comprehensive legislative framework governing artificial intelligence, and it applies not only to EU member state companies but to any organisation whose AI systems are placed on the EU market or affect people in the EU. For UK businesses, that extraterritorial scope is the most important fact about the regulation. Leaving the EU has not removed British companies from the Act's reach.
Whether a UK business must comply with the EU AI Act depends on what it does, not where it is incorporated. A London-based AI company selling a model to a German business client is covered. A Manchester-based HR software firm using AI tools to screen candidates in France is covered. A Bristol tech startup developing an AI recruitment system for a UK-only market is not currently covered, though any future EU expansion changes that calculus. The first step for any UK business is determining whether its products or services are within scope.
The Four-Tier Risk Framework
The EU AI Act classifies AI systems into 4 risk categories, with legal requirements that increase in proportion to risk.
Unacceptable risk systems are prohibited. These include AI that manipulates people subliminally to cause harm, AI that exploits vulnerabilities of specific groups, social scoring systems used by public authorities, and, with limited law enforcement exceptions, real-time remote biometric identification in public spaces. These prohibitions applied from February 2025.
High-risk systems face the most stringent requirements: mandatory conformity assessments, technical documentation, human oversight mechanisms, and registration in an EU database. High-risk categories include AI used in critical infrastructure, AI used in educational assessment, AI used in employment decisions, AI used in access to essential services, AI used in law enforcement, and AI used in border management.
Limited risk systems, which include chatbots and AI-generated content, face transparency obligations: users must be informed they are interacting with AI, and AI-generated content must be labelled.
Minimal risk systems, including most AI games, spam filters, and AI-assisted writing tools for personal use, face no mandatory requirements under the Act, though the European Commission has encouraged voluntary codes of conduct.
What Counts as a High-Risk AI System
The high-risk classification is where most UK business compliance burden falls, and where the most significant uncertainty remains. The Act defines high-risk AI by reference to specific Annex lists rather than by a functional definition, which means the classification exercise requires careful cross-referencing of product functionality against the regulatory text.
Employment and recruitment AI is a high-risk category of particular relevance to UK businesses. AI tools used for automated CV screening, scoring of assessments, monitoring of worker performance, or informing promotion and dismissal decisions fall within Annex III, Category 4 of the Act. Any UK business providing such tools to EU clients, or using such tools to manage employees in EU jurisdictions, is subject to the full high-risk compliance framework, including conformity assessment before deployment.
AI used in access to credit, insurance, or essential services is a second high-risk category with broad UK business relevance. UK fintech companies serving EU customers through passporting or equivalence arrangements, and UK insurers using AI underwriting tools for EU policyholders, face mandatory technical documentation requirements, bias testing obligations, and the requirement to maintain human oversight capable of overriding automated decisions.


The General-Purpose AI Provisions
General-purpose AI models, meaning large foundation models that are capable of being adapted to many different downstream tasks rather than designed for a single specific use, face their own requirements under Chapter V of the Act. These provisions became applicable in August 2025.
Developers of general-purpose AI models with wide deployment must provide detailed technical documentation to the European AI Office, comply with EU copyright law in their training processes, and publish summaries of training data. Models designated as 'systemic risk' GPAI models, defined as those trained using computing power above a threshold of 10^25 floating-point operations, face additional obligations including adversarial testing and incident reporting requirements. The AI Office, an enforcement body established within the European Commission in early 2024, has primary regulatory authority over GPAI models.
For UK developers of foundation models deployed in the EU market, including API providers, fine-tuning services, and model hosting platforms, these provisions create a documentation and testing burden that did not exist before August 2025. The question of whether UK-developed models deployed through EU-based distributors or cloud platforms require direct developer compliance or whether distributor compliance suffices is one that the European AI Office's guidance is still clarifying.
How the UK's Own Approach Compares
The UK has explicitly chosen not to adopt the EU AI Act's framework. The government's position, set out in its 2023 AI Regulation White Paper and reaffirmed in the 2025 AI Action Plan, is a principles-based, sector-specific approach where existing regulators apply their existing powers to AI in their domains. This approach is deliberately lighter-touch than the EU's mandatory compliance architecture.
The practical consequence is a regulatory divergence that creates a two-regime compliance burden for UK companies operating in both markets. A UK company building a high-risk AI product for EU deployment must comply with the EU AI Act's conformity assessment requirements and documentation standards. The same company faces no equivalent mandatory requirement in the UK domestic market, though sector regulator expectations (from the FCA, ICO, or Ofcom depending on the domain) may impose similar practical requirements.
Whether that divergence is sustainable long-term is contested. The UK AI Safety Institute is working on evaluation methodologies compatible with both the EU AI Act's technical standards and the US National Institute of Standards and Technology's AI Risk Management Framework. The ambition is mutual recognition arrangements that reduce the compliance burden for UK companies operating in multiple jurisdictions. As of 2026, those arrangements remain aspirational rather than operational.
Fun fact: The EU AI Act is the world's first comprehensive legal framework governing artificial intelligence. From the European Commission's initial proposal in April 2021 to formal publication in the Official Journal in July 2024, the regulation took just over 3 years to negotiate, an unusually compressed timeline for a piece of legislation of this technical and political complexity.
What UK Businesses Should Do Now
For UK businesses uncertain about their obligations under the EU AI Act, the immediate practical steps are: map all AI tools in use or being developed against the Act's risk classification framework; identify which products or services touch EU customers or are deployed in EU jurisdictions; assess whether any use cases fall within the high-risk Annex categories; and take legal advice on conformity assessment obligations if the answer is yes.
The European AI Office's website publishes rolling guidance, and the Commission has issued a set of non-binding guidelines on high-risk AI classification that provide useful clarification on borderline cases. The Act's enforcement architecture gives national market surveillance authorities primary enforcement responsibility for non-GPAI provisions, meaning that a UK company placing a product on the French market could face enforcement action from France's CNIL or its equivalent AI supervisory authority.