EU AI Act: What UK Businesses Need to Do Before August 2026
The EU AI Act’s high-risk obligations take effect on 2 August 2026. The Act applies to any UK business whose AI systems affect EU individuals — Brexit does not create an exemption. Fines for non-compliance reach up to €35 million or 7% of global annual turnover.
Key facts
The readiness gap is significant. Most European organisations have not moved beyond early-stage preparation.
Not fully ready
Only 11% of European organisations report being “fully ready” for the EU AI Act. Source: ISACA 2026 Tech Trends Pulse Poll, Oct 2025.
Can’t halt AI in an incident
59% of European organisations cannot say how quickly they could halt an AI system in an incident — suggesting most lack a working AI inventory. Source: ISACA 2026 AI Pulse Poll, Feb 2026.
Minimal or no governance
54% of UK organisations have minimal AI governance or none at all. Source: Trustmarque AI Governance Index 2025, Jul 2025.
Maximum fines
Fines for non-compliance reach up to €35 million or 7% of global annual turnover, whichever is higher.
Does this apply to you?
You are in scope if you:
- Sell AI-powered products or services to EU customers
- Use AI to make decisions that affect EU citizens (employment, credit, insurance, customer profiling)
- Deploy AI in any of the 8 high-risk categories under Annex III
Sources: RMOK Legal EU AI Act Compliance Guide · SnapGRC
What you need to do
Five steps to move from awareness to compliance readiness.
-
1. Inventory all AI systems
Map every AI system in your organisation, including embedded AI in SaaS tools. You can’t govern what you don’t know about.
-
2. Classify by risk tier
Classify each system as prohibited, high-risk, limited risk, or minimal risk under the EU AI Act framework.
-
3. Build high-risk compliance documentation
For high-risk systems: build risk management documentation, data governance records, human oversight mechanisms, and conformity assessments.
-
4. Appoint a governance lead
Designate a governance lead with authority to oversee AI compliance. This needs to be a named individual, not a committee or department.
-
5. Review AI vendor contracts
Review all AI vendor contracts for compliance provisions. Your vendors’ obligations under the Act flow through to you as deployer.
EU AI Act Timeline
Key dates for UK businesses to track.
Prohibited practices
Prohibited AI practices provisions came into force. Social scoring, real-time biometric surveillance (with narrow exceptions), and manipulative AI are banned.
GPAI model obligations
General-purpose AI model obligations take effect. Providers of foundation models must meet transparency and documentation requirements.
High-risk system obligations
The main deadline. High-risk AI system obligations under Annex III take full effect. Conformity assessments, risk management, and human oversight are mandatory.
Regulated products
Obligations for AI systems embedded in regulated products (Annex I) — including medical devices, machinery, and transport — take full effect.
The Digital Omnibus Amendments
The European Commission has proposed targeted amendments (the ‘digital omnibus’) that could extend some high-risk deadlines to December 2027 for Annex III systems and August 2028 for Annex I systems. Parliamentary negotiations are underway.
This does not remove the need to prepare
Readiness work takes months, and procurement teams, investors, and auditors will ask for evidence of compliance regardless of deadline shifts. Starting now ensures you are prepared whether the deadline is August 2026 or later.
Don’t wait for the final deadline to start preparing.
Book a free 30-minute scoping call. We’ll assess your AI systems, identify your risk level under the EU AI Act, and tell you exactly what needs to happen to get your governance in order.