The EU AI Act and UK Firms: What Selling Into Europe Now Requires

The EU AI Act reaches UK companies whose AI systems or outputs touch the EU market. Here's how the risk tiers work, which deadlines have already passed and what a small firm must do to comply.

Brexit doesn't exempt you

The EU AI Act applies extraterritorially. If you place an AI system on the EU market, or the output of an AI system you use is used in the EU, the Act can apply regardless of where your company is based. A West Bromwich SaaS firm with customers in Dublin is in scope. So is a UK recruiter using an AI tool to screen candidates for a role in Berlin. The test is where the system or its output lands, not where your registered office sits.

The good news is that obligations are tiered by risk, and most everyday small-business uses of AI land in the lighter tiers. The work is in knowing which tier you're in, and whether the Act sees you as a provider or merely a deployer, because those two answers determine almost your entire workload.

The risk tiers, in plain English

  • Prohibited: social scoring, manipulative techniques that cause harm, emotion recognition in workplaces and schools (narrow exceptions aside), and untargeted scraping of facial images. Banned outright across the EU since February 2025.
  • High-risk: AI used in recruitment and employment decisions, credit scoring, education and exam assessment, access to essential services, and safety components of regulated products. This tier carries the heavy obligations.
  • Transparency risk: chatbots must disclose that users are talking to a machine, and realistic AI-generated or manipulated content (deepfakes) must be labelled as synthetic.
  • Minimal risk: spam filters, drafting assistants and most internal productivity tools. No new obligations beyond voluntary codes.

General-purpose AI models such as those behind ChatGPT, Claude and Gemini carry their own obligations, but those sit with the model providers, not with businesses using them. Building on top of these tools doesn't exempt what you build, though: your chatbot or screening tool is judged on its own use case.

Need a hand with this?

Our team delivers AI & Machine Learning for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →

Provider or deployer? Your role decides your workload

A provider develops an AI system, or has one developed, and places it on the market under its own name. A deployer uses an AI system under its own authority. Most UK SMBs are deployers, and deployer duties for high-risk systems are comparatively manageable: use the system according to the provider's instructions, ensure trained human oversight, monitor operation, keep the logs the system generates, and inform workers or candidates when a high-risk system is used on them.

The trap is accidental promotion. If you white-label an AI product, put your brand on it and sell it into the EU, or substantially modify a high-risk system, you can become a provider. That brings the full compliance stack: a risk management system, technical documentation, conformity assessment, CE marking, and, if you have no establishment in the EU, appointing an authorised representative there. Price that in before your product roadmap commits you to it.

Dates that matter in 2026

  • August 2024: the Act entered into force.
  • February 2025: prohibitions took effect, along with the AI literacy duty, which requires firms using AI to ensure staff are adequately trained for it.
  • August 2025: obligations for general-purpose AI model providers began.
  • August 2026: the bulk of high-risk system obligations apply, which means this summer.
  • 2027: remaining rules for high-risk AI embedded in already-regulated products.

Brussels has debated simplifying parts of the Act and easing some deadlines. Until any change is formally adopted, plan against the dates above rather than betting on a delay.

Where common small-business uses actually land

  • A customer-service chatbot on your website serving EU visitors: transparency tier. Disclose that it's AI and offer a route to a human.
  • AI-generated marketing images and video: label content as synthetic where it's realistic enough to mislead; otherwise minimal risk.
  • CV screening or interview scoring involving EU candidates: high-risk. As a deployer you need human review of outcomes, log retention and clear information to candidates.
  • Credit, affordability or insurance-style decisions about EU individuals: high-risk, same deployer duties.
  • Internal drafting and summarising tools: minimal risk, but the AI literacy duty still applies, so document that staff have been trained.

Key Takeaway

If your AI systems or their outputs reach the EU, the AI Act applies to you despite Brexit. Most SMB uses land in the light tiers: label your chatbot as AI, mark realistic synthetic content, and train staff. The heavy duties attach to high-risk uses like CV screening and credit decisions, and to anyone selling or white-labelling AI into the EU. Build a simple AI register, classify each use, fix the cheap transparency items now, and treat August 2026's high-risk deadline as firm.

Your compliance to-do list

  • 1. Inventory every AI use in the business and mark which ones touch EU customers, candidates or users.
  • 2. Classify each against the risk tiers above; most will be minimal or transparency tier.
  • 3. Decide your role for each: deployer in most cases, provider if you sell or white-label AI.
  • 4. For chatbots and generated content, add disclosure notices and synthetic-content labels now; they're cheap.
  • 5. For any high-risk use, implement human oversight, keep logs and inform the people affected.
  • 6. Ask your AI vendors for their EU AI Act documentation and keep it on file; their compliance underpins yours.
  • 7. Assign one named owner and revisit the register quarterly, because your AI use will change faster than the law.

Penalties scale to the breach: up to €35 million or 7% of global turnover for prohibited practices, and up to €15 million or 3% for most other violations, with proportionality for SMEs built into the enforcement framework. For most small firms, though, the sharper risk is reputational: getting recruitment AI wrong costs trust long before it costs a fine. If you'd like a second pair of eyes on your AI register or your chatbot's compliance, our team can help.

Work With Us

Need Help With Your Digital Strategy?

Our team of experts is ready to help. Get a free consultation and tailored proposal.