
Does the EU AI Act apply to us?

Martin Lulham

The question lands in about one in three first conversations we have with a UK business about AI governance, usually phrased like this: does the EU AI Act apply to us, or is this a Brussels problem?

Most of the time the answer is genuinely "it's a Brussels problem." But not always, and the test is narrower and more mechanical than the headlines imply. The interesting part, for a UK firm, is working out which side of the line you're on — because if you are in scope, you want to know sooner than 2026.

Here's the short version.

The test is about where the AI ends up, not where you're based

Post-Brexit, the UK is a third country from the EU's perspective. That doesn't exempt you. The Act reaches UK firms in two main ways.

First, if you place an AI system on the EU market — sell it, license it, make it available to EU users — you're a provider under the Act, full stop. A UK SaaS company with customers in Dublin and Berlin is already there.

Second, if the output of your AI system is used in the EU, you're in scope as a provider or deployer even if your company never sets foot there. A UK consultancy whose triage bot is used by a French client's support team counts. So does a UK tooling vendor whose model scores CVs that end up on the desk of a German HR manager.

The mechanical test isn't "are we EU?" It's "where does this system, or its output, end up being used?" That question gets easier to answer the more precisely you describe the workload.

Provider vs deployer matters more than people realise

Most UK firms building with AI are, for most workloads, deployers — using someone else's model (OpenAI, Anthropic, Mistral, a specialist vendor) inside their own process. The duties on deployers are lighter than on providers, but they're not zero. High-risk deployers have instructions-for-use obligations, human-oversight obligations, logging obligations, and — for public bodies and certain large deployers — fundamental-rights impact assessments.

If your firm builds its own models or meaningfully customises an open one into a distinct system, you become a provider for that system and pick up the heavier set of duties.

Most organisations are both, for different workloads, at the same time. Keeping the two roles separate on paper is most of the governance work.

Risk tiers, and the one most SMEs actually care about

The Act sorts AI systems into four bands: prohibited, high-risk, limited-risk (mostly transparency obligations — "users must know this is AI") and minimal-risk. The prohibited tier is narrow — social scoring, real-time biometric ID in public spaces, certain manipulative or exploitative uses. The minimal tier is most of what people worry about and shouldn't — your internal copy-editing assistant is not the regulator's problem.

The tier that matters for day-to-day planning is high-risk, and specifically Annex III — the list of use-cases that are automatically high-risk. Anyone working in recruitment, credit scoring, education, critical infrastructure, access to essential services, migration and asylum, or certain law-enforcement applications should start here. If your workload lands in Annex III, the obligations are substantial: a quality-management system, risk-management process, data-governance documentation, logging, human oversight, technical documentation, a conformity assessment, registration in the EU database. It's not ISO 27001, but it's adjacent, and a mature ISMS meaningfully reduces the net new work.

GPAI — general-purpose AI — runs on a separate track, with its own transparency and model-card duties on providers of the underlying models. Most UK firms won't be GPAI providers. You still need to track which GPAI models your deployments sit on top of, because some of the deployer duties reference them.

The dates

  • 2 Feb 2025: prohibited-use provisions in force.
  • 2 Aug 2025: GPAI provider obligations in force.
  • 2 Aug 2026: the bulk of the Act — including high-risk duties for most Annex III systems — in force.
  • 2 Aug 2027: embedded high-risk systems (the ones built into regulated products like medical devices or vehicles).

Aug 2026 is the one every UK firm with EU exposure should have a clear answer on by the end of this year.

What the work actually looks like

For a UK firm that concludes the Act applies to at least some of its workloads, the practical programme is narrower than the headline reading suggests:

  • An AI inventory — every workload, with its owner, its model, its data path, its users and, crucially, the geography of its outputs.
  • A classification pass — for each workload, prohibited / high-risk / limited / minimal, and whether you're provider or deployer or both.
  • A DPIA overlay — the Annex III workloads need more than a UK GDPR DPIA, but a UK GDPR DPIA is the right starting point; the extra pages are about risk management, logging and human oversight.
  • Deployer-duty evidence for the workloads where you're using someone else's AI — instructions-for-use on file, oversight documented, logs retained.
  • A review cadence — because the workloads change faster than the policy document, and the Act expects that.

All of it threaded through your existing ISO 27001 / NCSC CAF / ICO work rather than run alongside it. That's most of what we mean by a compliance engagement.

If you're reading this and you're unsure

Ask two questions. Do any of our AI-touching workloads produce outputs used in the EU? And do any of them look like the Annex III list? If the honest answer to both is no, park it — the Act isn't your problem this year. If either is yes, start the inventory now. Aug 2026 isn't far away when the work is a year of board-level reporting, not a long weekend of paperwork.
