The EU AI Act: What UK businesses need to know

Artificial intelligence is now part of everyday business – from drafting emails and analysing data to automating admin and supporting decision-making.

With growing use comes new regulation. Enter the EU Artificial Intelligence Act (AI Act): the world’s first comprehensive legal framework for AI, something I wrote about in an early edition of Byte-sized AI.

While this is EU legislation, it’s very relevant to UK businesses, especially those with European customers, suppliers, or operations. The good news? This isn’t about banning AI or putting the brakes on innovation. It’s about using AI safely, transparently, and responsibly.

What are the quick takeaways?

The EU AI Act is not designed to stop businesses using tools like Microsoft Copilot, ChatGPT, or automation platforms. Instead, it focuses on:

• Making higher-impact AI systems safer and more transparent
• Ensuring people remain accountable for important decisions
• Increasing trust in AI among customers, employees, and regulators

For most SMEs, this is about using AI responsibly – not using it less.

Does the EU AI Act apply to UK businesses?

Potentially, yes.

The EU AI Act has extraterritorial reach, meaning it can apply even if your business is based entirely in the UK. You may be in scope if:

• You sell products or services into the EU
• Your AI systems process data about EU residents
• AI supports decisions that affect people in the EU (for example recruitment decisions, credit checks, or monitoring activities)

If your AI use is purely domestic and has no EU touchpoints, the direct impact may be limited. However, many UK organisations are affected indirectly through clients, suppliers, or the software platforms they rely on.

👉 Official EU guidance: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

When is the EU AI Act going to be introduced?

The AI Act isn’t arriving all at once. It’s being introduced gradually to give organisations time to adapt.

1 August 2024
The AI Act entered into force and became EU law.

2 February 2025

• Certain AI practices became banned (such as social scoring and some biometric uses)
• AI literacy became a legal requirement – organisations must ensure staff using AI understand its risks and limitations

2 August 2025
Rules for general-purpose AI models (including large language models) start to apply.

2 August 2026
Core enforcement begins for most high-risk AI systems, including fines.

At this point, penalties can reach €35 million or up to 7% of global annual turnover for the most serious breaches.

👉 Full timeline here: https://artificialintelligenceact.eu/implementation-timeline/

How does the EU AI Act categorises AI?

The Act uses a risk-based approach, recognising that not all AI systems pose the same level of risk.

What does this mean for SMEs?

For most organisations, compliance is practical rather than legalistic. It usually means:

• Knowing where AI is used in your business
• Being clear on what AI supports versus what humans decide
• Ensuring people can challenge or review AI-supported outcomes
• Using trusted, well-governed platforms

Crucially, AI is still treated as a tool. Accountability always sits with the business – not the software.

AI literacy: an early requirement that’s already live

One of the first obligations under the AI Act is AI literacy, which became mandatory on 2 February 2025.

Organisations must take “reasonable steps” to ensure staff using AI:

• Understand what AI can and can’t do
• Are aware of AI risks such as bias, hallucinations, and data misuse
• Use AI appropriately within their role

This doesn’t require formal qualifications or lengthy training programmes – just sensible, proportionate awareness.

👉 A helpful UK-focused summary: https://www.cripps.co.uk/thinking/eu-ai-act-ai-literacy-becomes-law/

How does the EU AI Act fit with UK regulation?

The UK does not currently have a standalone AI law. Instead, regulators such as the Information Commissioner’s Office (ICO) apply existing frameworks – including UK GDPR – to AI use.

For many UK businesses, this creates dual expectations:

• EU AI Act requirements where AI affects the EU
• UK data protection and sector-specific rules domestically

👉 The ICO’s AI and data protection risk toolkit is a practical place to start: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/ai-and-data-protection-risk-toolkit/

Why is this actually good news?

The EU AI Act is designed to increase trust, not slow innovation. For SMEs, it often:

• Encourages safer, more deliberate AI adoption
• Reduces long-term regulatory risk
• Rewards organisations that plan and document their AI use

In practice, the businesses getting the most value from AI are those that adopt it thoughtfully and transparently.

---