Regulatory Guidance

EU AI Act: What UK Organisations Need to Know

The EU AI Act is the world's first comprehensive AI regulation. It applies not only to organisations based in the EU, but to any organisation whose AI systems produce outputs that are used within the EU. For UK companies serving European customers, operating in European markets, or building AI products used by EU residents, this creates direct compliance obligations.

Extraterritorial reach

The EU AI Act follows the same extraterritorial principle as the GDPR. It applies to providers of AI systems that are placed on the market or put into service in the EU, regardless of where the provider is established. It also applies to deployers of AI systems that are established in the EU, and to providers and deployers established outside the EU where the output produced by the AI system is used in the EU.

For UK organisations, this means the Act may apply if any of the following conditions are met: the organisation sells AI-powered products or services to EU customers; the organisation's AI features are available to EU users (including through SaaS platforms); the organisation provides AI models or components that are integrated into products used in the EU; or the organisation deploys AI systems on behalf of EU-based clients.

Many UK companies discover that the EU AI Act applies to them through supply chain requirements. An EU-based enterprise client may require its UK AI vendor to demonstrate compliance as a condition of the contract, even before formal enforcement begins.

Key obligations by risk tier

The EU AI Act classifies AI systems into four risk tiers. Prohibited AI practices (such as social scoring and certain biometric categorisation uses) are banned outright. High-risk AI systems face the most extensive obligations: a risk management system maintained across the system's lifecycle, data governance for training, validation and test data, technical documentation, automatic logging and record-keeping, transparency and instructions for use to deployers, human oversight provisions, requirements for accuracy, robustness and cybersecurity, conformity assessment before placing on the market, registration in the EU database, and post-market monitoring and serious-incident reporting. The cybersecurity requirement is worth noting for security teams: it expressly covers resilience against attempts to alter the system's use, outputs or performance, including data poisoning, model poisoning and adversarial inputs.

Limited-risk systems, which include chatbots and systems that generate synthetic content, face transparency obligations: people must be informed that they are interacting with an AI system unless this is obvious from the context; synthetic audio, image, video and text output must be marked as artificially generated in a machine-readable form; and deployers must disclose deepfakes. Minimal-risk systems face no specific obligations under the Act, though voluntary codes of conduct are encouraged.

General-purpose AI models (foundation models) face separate obligations: technical documentation, information for downstream providers who integrate the model, a policy for complying with EU copyright law, and a public summary of the training data. Models designated as having systemic risk face additional requirements, including model evaluation and adversarial testing, assessment and mitigation of systemic risks, serious-incident reporting, and an adequate level of cybersecurity protection for the model and its infrastructure.

Timelines and the Omnibus agreement

The EU AI Act entered into force on 1 August 2024, with obligations being phased in over a staggered timeline. Prohibited practices and AI literacy requirements applied from 2 February 2025. Obligations for general-purpose AI models applied from 2 August 2025.

The most significant set of obligations, covering high-risk AI systems, was originally scheduled for August 2026 (for the stand-alone high-risk uses listed in Annex III; high-risk systems embedded in products covered by existing EU product-safety law had a later August 2027 date). Under the Omnibus simplification agreement, these high-risk obligations have been extended to December 2027. This extension gives organisations additional time to prepare, but it does not reduce the scope or substance of the requirements, and organisations should confirm the dates that apply to their own systems against the adopted legal text rather than relying on summaries.

Organisations should treat the extension as preparation time rather than a reason to delay. The conformity assessment process, the risk management system and its documentation, and the technical documentation requirements are substantial, and several of them (logging, data governance, robustness and cybersecurity testing) must be designed into the system rather than documented after the fact. Organisations that begin preparation now will be ready when enforcement begins; those that wait may find the timeline insufficient.

What UK organisations should do now

The first step is visibility: know what AI systems the organisation uses, including AI features embedded in third-party software and models consumed through APIs. Many organisations are unaware of the full scope of their AI use. An AI System Register provides this visibility; at minimum each entry should record the system's purpose, the vendor or model behind it, the data it processes, who is accountable for it, and whether its outputs reach EU users.

The second step is classification: determine which systems may fall within the EU AI Act's scope, at which risk tier, and in which role the organisation acts for each system. The provider and deployer roles carry different obligations, and an organisation that substantially modifies a third-party system, or puts its own name on it, can become its provider. This requires understanding both the system's function and the context of its deployment.

The third step is gap assessment: evaluate current governance practices against the Act's requirements and identify where the organisation falls short. A governance assessment structured around the VAGF framework maps directly to the EU AI Act's requirements, producing a clear picture of the organisation's compliance position.

The UK is developing its own AI regulatory approach, currently focused on sector-specific guidance from existing regulators rather than a single horizontal regulation. However, for UK organisations with EU exposure, the EU AI Act represents the binding compliance obligation. Governance implemented to meet the EU AI Act will cover much of what emerging UK expectations are likely to require, making it the practical starting point for any UK organisation.

Assess your position

How ready are you?

Take the free quick check to understand your current governance maturity, or run a full assessment mapped against the EU AI Act, ISO 42001, NIST AI RMF, and GDPR.