Back to Insights

    20 May 2026

    Is Your Business in Scope for the EU AI Act? A UK Guide

    Many UK businesses assume the EU AI Act doesn't apply to them. They're wrong. Here's how to check.

    SH

    Sam Hawkins

    Syntra Automate

    "We're a UK company — the EU AI Act doesn't apply to us."

    We hear this from business leaders every week. And every week, most of them are wrong.

    The EU AI Act — officially Regulation (EU) 2024/1689 — is the world's first comprehensive AI law. It entered into force on 1 August 2024, and its high-risk obligations start applying from 2 August 2026. That is just over a year away. If your business uses AI in ways that touch the EU, you are likely in scope — regardless of where your registered office sits.

    The Brexit misconception

    Brexit removed the UK from the EU's regulatory perimeter for many things. AI is not one of them.

    The EU AI Act was deliberately drafted with extraterritorial reach. Article 2(1)(c) is the clause that catches most UK businesses off guard. It states that the Act applies to providers and deployers of AI systems established outside the EU where the output produced by the AI system is used in the EU.

    Read that again: where the output is used in the EU. Not where the system is built. Not where the company is headquartered. Where the output lands.

    What "used in the EU" actually means in practice

    This is broader than many people assume. If your AI system produces an output — a decision, a recommendation, a score — and that output affects someone or something within the EU, you are likely in scope.

    Concrete examples:

    • A UK recruitment firm uses an AI screening tool to shortlist candidates. Some candidates are based in Germany, France, or Ireland. The AI output is used in the EU. In scope.
    • A UK SaaS company offers a platform with AI-powered features to EU-based customers. In scope.
    • A UK financial services firm uses AI-driven credit scoring affecting EU-based clients. In scope.
    • A UK company with EU employees uses AI tools for performance management or HR decisions affecting staff in EU member states. In scope.

    The pattern is clear. If your business has EU customers, EU employees, or EU-facing operations, and you use AI in those relationships, the EU AI Act almost certainly applies to you.

    The risk tiers

    The EU AI Act defines four risk categories:

    Unacceptable risk — Banned outright. Includes social scoring by governments, real-time biometric identification in public spaces (with narrow exceptions), and AI that manipulates behaviour in harmful ways.

    High risk — Permitted but heavily regulated. Must meet strict requirements around risk management, data governance, transparency, human oversight, accuracy, and cybersecurity. These systems must be registered in the EU database and undergo conformity assessments.

    Limited risk — Transparency obligations only. Chatbot users, for example, must know they are interacting with AI.

    Minimal risk — No specific obligations beyond existing law.

    Annex III: the high-risk categories that catch UK businesses

    Annex III lists the areas where AI systems are classified as high risk. Several are directly relevant to UK businesses:

    • Employment and workers management — AI used for recruitment, CV screening, interview evaluation, promotion decisions, task allocation, or performance monitoring.
    • Essential private and public services — AI used to evaluate creditworthiness or establish credit scores. UK lenders with EU exposure take note.
    • Critical infrastructure — AI used as safety components in digital infrastructure, road traffic, or utilities.
    • Education and vocational training — AI used to determine access to education or evaluate learning outcomes.

    These are not theoretical categories. They describe AI systems thousands of UK businesses already use.

    What the August 2026 deadline means

    The prohibitions on unacceptable-risk AI already apply as of February 2025. But the big milestone is 2 August 2026 — when obligations for high-risk AI systems under Annex III come into force.

    From that date, if you deploy a high-risk AI system whose output is used in the EU, you must be fully compliant: documented risk management, data governance procedures, technical documentation, transparency measures, human oversight mechanisms, and EU database registration.

    The fines are serious

    For prohibited AI practices, fines reach up to EUR 35 million or 7% of total worldwide annual turnover — whichever is higher. For other infringements, up to EUR 15 million or 3% of turnover.

    The EU demonstrated with GDPR that it will impose significant fines on non-EU companies. There is every reason to expect the same with the AI Act.

    What to do right now: three immediate steps

    1. Inventory your AI systems

    You cannot assess what you cannot see. Catalogue every AI system, tool, and feature your organisation uses — including those adopted by individual teams without formal procurement. Marketing tools with AI features, HR screening software, AI-powered analytics, chatbots — all of it.

    2. Check for EU nexus

    For each system, ask: does the output affect anyone or anything in the EU? If yes — or even maybe — treat it as potentially in scope.

    3. Classify by risk tier

    Map each in-scope system against the Act's risk tiers. Pay particular attention to Annex III. If any systems fall into a high-risk category, you have compliance work ahead before August 2026.

    These three steps will not make you compliant. But they will tell you exactly where you stand — and that is the essential starting point.

    The bottom line

    The EU AI Act has extraterritorial reach by design. If your UK business uses AI in any way that touches the EU — and most internationally active businesses do — you are likely in scope. The high-risk deadline of 2 August 2026 is approaching fast, and the fines for non-compliance are substantial.

    The businesses that act now will be ready. The ones that assume Brexit shields them will not.

    Want to know where your business stands?

    Request a free AI audit. Personally reviewed, delivered to your inbox within 5 business days.

    Get a free AI audit