Glossary
EU AI Act
Last updated
Part of our topic guide on AI Governance & Data Strategy.
The EU AI Act is the European Union's law regulating artificial intelligence, in force since 1 August 2024. It sorts AI systems by risk level and sets rules accordingly — and it can bind UK organisations even without an EU presence, wherever their AI system's output is used in the EU.
Why it matters
If your business builds or uses AI systems and any part of that work touches the EU market, this law can apply to you directly — not just to EU-based competitors. That catches more UK employers than most expect: a UK company with no EU office can still fall under the Act if its AI system's output is used in the EU, or if it places an AI system on the EU market.
Our view: this is exactly why capability has to sit ahead of the tools. A team that understands what an AI system does, what data feeds it and what "high-risk" means in practice can spot exposure long before a compliance audit does. Buying a governance checklist doesn't fix that gap — building the judgement to use it does.
How it works
The Act classifies AI systems by risk and layers in obligations as different provisions come into force:
- 1 August 2024 — the Act entered into force.
- 2 February 2025 — banned practices (Article 5) and AI literacy duties (Article 4) started applying.
- 2 August 2025 — obligations for general-purpose AI (GPAI) models, plus governance and penalty provisions.
- 2 August 2026 — most remaining provisions apply.
- High-risk (Annex III) obligations — originally due 2 August 2026, but under the EU's "Digital Omnibus on AI" this is being pushed back, provisionally to around December 2027 (or August 2028 for high-risk systems built into product safety components). As of mid-2026 this change is provisionally agreed but not yet formally adopted by the European Parliament and Council, so treat the later date as expected rather than settled — check the latest position before relying on it.
There's no equivalent UK law. The UK regulates AI through existing sector regulators — bodies like the ICO, CMA, FCA and Ofcom — under a principles-based approach, rather than one dedicated AI statute. A UK employer can therefore be watching two different pictures at once: no domestic AI Act, but potential EU AI Act exposure depending on where their AI system's output lands.