Is your AI tool covered by the EU AI Act? A plain-English guide for UK businesses
The EU just pushed back its AI compliance deadlines to December 2027. But the rules are still coming. Here is what UK businesses need to know.
This article is for general information only. It is not legal advice. If you have specific compliance concerns, speak to a qualified solicitor.
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. Most UK business owners have heard of it, fewer have read anything about it, and almost none know whether it applies to them.
Here is a plain-English summary of what it actually says, the updated timeline, and what you need to do (which, for most professional services firms, is less than you might fear).
What the EU AI Act actually is
The EU AI Act is a regulation that classifies AI systems by the level of risk they pose and imposes legal requirements accordingly. The higher the risk, the more you have to do to comply.
Risk levels run from unacceptable (banned outright) through high risk (significant compliance obligations) to limited risk (transparency requirements only) and minimal risk (no specific obligations).
The vast majority of AI tools used in everyday business fall into the limited or minimal risk categories. ChatGPT helping you draft a proposal letter is minimal risk. An AI system making autonomous decisions about whether to hire or reject job applicants is high risk.
The Act also has provisions for general-purpose AI models, the kind that power most commercial AI tools. The companies that build those models, like OpenAI and Anthropic, have their own obligations. As a user of those tools, your obligations are lighter.
The updated timeline
The EU pushed back some of its original deadlines. Here is where things stand as of early 2026:
Already in force: Rules covering unacceptable-risk AI (banned systems, like real-time biometric surveillance in public spaces) and obligations for general-purpose AI model providers.
August 2026: Rules for high-risk AI systems in product-embedded contexts (medical devices, vehicles, machinery) begin to apply.
December 2027: The main deadline for high-risk standalone AI systems. This is the one most businesses think about. HR recruitment tools, credit scoring systems, and educational assessment tools fall here.
August 2028: High-risk AI embedded in regulated products. The longest runway.
For most professional services firms, December 2027 is the meaningful date, and even then, only if you are using or deploying genuinely high-risk AI systems.
Who does this apply to?
Brexit means the EU AI Act does not automatically apply to UK businesses operating solely in the UK. However, it does apply in the following situations:
You sell to EU customers. If your firm provides services to clients based in the EU, and you use AI systems in that service delivery, the Act may apply to those AI uses.
You process data from EU-based individuals. If your AI tools interact with data belonging to EU residents, this brings you within scope in some scenarios.
You use EU-based staff. High-risk AI used in employment contexts involving EU-based employees is covered.
The practical reality for most UK professional services firms is that if you are using standard tools like ChatGPT, Copilot, or Claude for drafting, research, or summarisation, you are not in high-risk territory regardless of where your clients are based.
What counts as high risk
The specific high-risk categories under the Act include: AI used in recruitment and HR to filter or score candidates, AI used to assess creditworthiness, AI used in education to evaluate students, AI used in law enforcement or migration processing, and AI used in critical infrastructure management.
Most tools used in professional services do not fall into these categories. A law firm using AI to draft documents is not in scope. An accountancy practice using AI to summarise financial reports is not in scope. A consultant using ChatGPT to prepare a slide deck is not in scope.
Where firms need to be more careful is if they start using AI to make, or materially influence, decisions about people. Automated scoring of job applicants, AI-generated credit assessments, AI-driven performance ratings. Those are the areas that attract obligations.
What to do now
For most UK professional services firms, the honest answer is: not much urgently.
That said, there are three things worth doing now that will put you in good shape when compliance expectations mature:
Document your AI use. Keep a simple record of what AI tools you use, what you use them for, and what human oversight exists. This does not need to be complicated. A spreadsheet with four columns covers it. If you ever need to demonstrate compliance or due diligence, having this on file matters.
Check your tools' compliance posture. The major AI providers (OpenAI, Anthropic, Google, Microsoft) are actively working on EU AI Act compliance for their platforms. Most publish information about this publicly. It is worth knowing where your key tools stand.
Think about human oversight. The Act places significant weight on meaningful human oversight of AI-assisted decisions. In most professional services contexts, this is already happening. The AI drafts, the fee earner reviews. Document that this is your process.
The regulation is designed to govern high-risk uses of AI, not to create barriers to productivity tools. If you use AI sensibly, with human judgment in the loop for anything consequential, the Act is unlikely to require significant changes to how you work.
Stay informed, keep records, and review when the December 2027 deadline approaches with fresh eyes. That is the practical advice.
Explore more on AdaHQ
Everything you need to start using AI in your business.