EU AI Act: What UK Businesses Need to Know Before August 2026

The EU AI Act is the world's first comprehensive AI regulation, with full enforcement beginning 2 August 2026. This guide covers what UK businesses must do — and what they can safely ignore.

UK businesses are affected if their AI systems are used by people in the EU, if they provide AI outputs to EU customers, or if they process data from EU individuals. Only 12% of UK SMEs using AI meet all exemption criteria. Penalties reach up to €35 million or 7% of global turnover. The good news: most UK SME AI use cases (55%) fall into the minimal-risk category with no specific compliance burden. This guide explains the risk classifications, what UK businesses must do, and how to prepare before the deadline.

Does the EU AI Act apply to UK businesses?

Yes — and for the same reason the GDPR does. The EU AI Act applies extraterritorially. If your business is based in the UK but any of the following are true, you're in scope:

  • Your AI systems or AI-powered products are used by people located in the EU
  • You provide AI-generated outputs (text, images, analysis, recommendations) to EU customers
  • You process personal data from EU individuals using AI tools
  • You deploy or develop AI systems that are placed on the EU market

For most UK businesses with any EU-facing activity, the Act applies. Only 12% of UK SMEs using AI meet all the criteria for full exemption.

Risk classification explained

The EU AI Act classifies AI systems into four risk tiers. Your obligations depend on which tier your AI tools fall into:

Prohibited (unacceptable risk)

AI practices banned outright from August 2025: social scoring by governments, real-time remote biometric identification in public spaces (with exceptions), manipulation of vulnerable groups, and untargeted scraping of facial images. Most UK SMEs will never encounter these.

High risk

AI used in critical areas: recruitment and HR decisions, credit scoring, insurance underwriting, educational assessment, law enforcement, and critical infrastructure. These require conformity assessments, risk management systems, data governance measures, human oversight, and detailed documentation. Approximately 15% of typical UK SME AI use cases may qualify.

Limited risk

AI that interacts with people or generates content. Requires transparency disclosures: users must be told they're interacting with AI, and AI-generated content must be labelled. This covers chatbots, AI writing tools used for customer communications, and AI-generated images or videos. Around 30% of SME use cases.

Minimal risk

AI used for internal purposes with no direct impact on individuals' rights: internal data analysis, code completion, document summarisation, internal search. No specific compliance obligations. This is where approximately 55% of typical UK SME AI use falls.

  • 55%: minimal risk (no burden)
  • 30%: limited risk (transparency)
  • 15%: high risk (full compliance)
  • €35M: maximum penalty

What UK SMEs need to do

Regardless of risk classification, every UK business using AI should take these steps before August 2026:

  1. Inventory all AI tools: know what AI your organisation uses. Shadow AI — tools employees use without approval — is your biggest blind spot.
  2. Classify by risk: for each tool, determine which EU AI Act category it falls into. Most will be minimal or limited risk.
  3. Document governance decisions: record who approved each tool, under what conditions, and when. This is the evidence trail regulators want.
  4. Ensure human oversight: for any AI making or influencing decisions about individuals (hiring, customer service, credit), ensure a human can review and override.
  5. Add transparency disclosures: where AI interacts with EU users (chatbots, automated emails, AI-generated content), clearly disclose that AI is being used.

The timeline

  • August 2024: EU AI Act enters into force
  • February 2025: AI literacy requirements apply
  • August 2025: Prohibited AI practices are banned
  • August 2026: Full enforcement — all provisions apply, including high-risk AI system requirements

The window for preparation is closing. Businesses that start now have time to build governance incrementally. Those that wait until 2026 will face a compliance rush.

Penalties

The EU AI Act penalties are modelled on GDPR fines — proportionate but significant:

  • €35 million or 7% of global turnover for prohibited AI practices
  • €15 million or 3% of turnover for violating high-risk AI requirements
  • €7.5 million or 1.5% of turnover for providing incorrect information to regulators

For SMEs and startups, the Act includes proportionality provisions — fines should be "effective, proportionate and dissuasive" rather than punitive. But the risk of investigation alone is costly in time and reputation.

How Governably helps with EU AI Act compliance

Governably automates the hardest parts of EU AI Act preparation for UK SMEs:

  • AI tool discovery: automatically scans your Google Workspace and Microsoft 365 to find every AI tool with OAuth access — including shadow AI you didn't know about.
  • Risk classification: each discovered tool is tagged with its EU AI Act category (unacceptable, high-risk, limited, minimal) based on our catalogue of 164 AI tools.
  • Governance workflow: approve, flag, or block each tool with three clicks. Document conditions, assign accountability, record the decision.
  • Policy builder: create an AI governance policy from templates in minutes — covering approved tools, prohibited activities, and review cycles.
  • Compliance reports: generate a PDF report showing your complete AI inventory, governance decisions, and policy status — ready for regulators, auditors, or insurers.

Frequently asked questions

Does the EU AI Act apply to UK businesses?

Yes, if your AI systems are used by people in the EU, if you provide AI-powered products or services to EU customers, or if your AI outputs reach EU individuals. The Act applies extraterritorially — the same model as GDPR.

When does the EU AI Act take full effect?

The Act entered into force in August 2024. Prohibited AI practices are banned from August 2025. Full enforcement of all provisions, including high-risk AI system requirements, begins 2 August 2026.

What are the penalties for non-compliance?

Up to €35 million or 7% of global annual turnover (whichever is higher) for the most serious violations involving prohibited AI practices. Up to €15 million or 3% of turnover for other violations.

Do most UK SME AI use cases fall into the high-risk category?

No. An estimated 55% of typical UK SME AI use cases (chatbots, writing assistants, data analysis) fall into the minimal-risk category with no specific compliance burden. Around 30% fall into limited-risk requiring transparency disclosures. Only approximately 15% may qualify as high-risk.

What does a UK SME need to do to comply?

At minimum: inventory all AI tools in use, classify each by risk level, document your AI governance decisions, ensure human oversight for automated decisions affecting individuals, and provide transparency disclosures where AI interacts with EU users.

How does Governably help with EU AI Act compliance?

Governably automates AI tool discovery (shadow AI scanning), classifies tools against the EU AI Act risk categories, documents governance decisions (approve/flag/block), and generates compliance reports showing your AI inventory and governance posture.