Skip to content

The EU AI Act – what does it mean for UK organisations that use or provide AI systems?

Insight

EU

The EU AI Act (the Act) is the world’s first comprehensive regulatory framework for artificial intelligence, imposing wide-ranging obligations on each stage of the AI supply chain. While it is EU, rather than UK, law, the Act has significant extraterritorial effect and UK businesses will have to tread carefully. The Act's scope is broad, extending not only to developers and suppliers of AI systems, but also to businesses who simply use AI systems.

The regulations are already partially in effect. The Act came into force on 1 August 2024, with phased implementation up to August 2027 (potentially to be extended further under the EU's proposed 'Digital Omnibus Regulation on AI' unveiled in November 2025). This means that many UK businesses who use or provide AI systems will, or already do, fall under the scope of the Act, exposing them to potentially significant penalties for breach (up to €35m or 7% of worldwide turnover).

What obligations are imposed by the Act?

The Act takes a risk-based approach to regulation, with obligations generally linked to an AI system's risk-categorisation, and the relevant organisation's position in the supply chain relating to that system. For example:

  • All risk levels: some obligations apply to all in-scope businesses regardless of the risk level. These include a requirement (applicable since 2 February 2025) for businesses to ensure their staff and others operating or using AI systems are sufficiently 'AI literate'.
  • Limited risk: limited risk systems are systems intended to interact directly with individuals (eg chatbots) or create content viewed by an individual (eg deepfake creation tools). 'providers' of these systems (i. those who place them on the EU market or put them into service under their trade mark) and 'deployers' (ie businesses using the system) must comply with various transparency requirements from 2 August 2026. For example, deployers of an AI system which generates images, sounds or videos that resemble existing objects, places, people or events must, with some exceptions, disclose that the content has been artificially generated or manipulated.
  • High-risk: high-risk systems attract more onerous obligations. These include systems which play specified roles in education, employment, biometrics, critical infrastructure and safety (among other areas). Providers, deployers, distributors and importers of high-risk systems are subject to various requirements, such as 
    • For deployers: monitoring the performance of the High-risk AI system in accordance with its instructions for use, reporting incidents to applicable EU market surveillance authorities, conducting impact assessments, and implementing technical measures.
    • For providers/distributors: quality management/monitoring obligations, CE markings requirements and, for providers based outside the EU, the appointment of an EU representative.

These are currently set to apply primarily from 2 August 2026 (though that may change if the Commission's Digital Omnibus on AI proposals are adopted).

  • Unacceptable risk: 'Unacceptably' high-risk systems are subject to outright prohibitions (applicable since 2 February 2025). Examples are systems which deploy manipulative, subliminal techniques or infer people’s emotions in a workplace or educational setting (other than for medical reasons).

The EU Commission unveiled its 'Digital Omnibus on AI' proposals in November 2025, which, if adopted, would adapt some of these obligations. For example, they would shift the responsibility for fostering AI literacy to EU Member States and the Commission, and would tweak the obligations applying to high-risk systems to emphasise proportionality for smaller or medium-sized businesses. They may also result in the implementation date for high-risk system obligations – which currently mostly come into effect on 2 August 2026 – being pushed back to 2027/2028.

Extra-territorial scope – what UK businesses and organisations are subject to the EU AI Act?

The Act has significant extraterritorial effect, and UK businesses may fall within its scope if they make AI systems available on the EU market (as 'providers' or 'distributors' of that system under the terminology of the Act). But they are also vulnerable to being caught by the Act if they simply use AI systems within the UK (as 'deployers'). These scenarios are examined in more detail below:

UK providers/distributors

UK providers/distributors of AI systems caught by the Act include:

  • UK entities which make AI systems available on the EU market, or put them into service there. This includes:
    • 'providers', who place the system, or supply it for first use, on the EU market for the first time under their own name or trade mark, having developed or arranged the development of the system; and
    • 'distributors', who otherwise make the system available on the EU market (and are generally subject to less onerous obligations under the Act).

For example, if a UK-based education tech firm incorporated an AI search/chatbot function into the software it sells to customers, which it then sells in the EU, . It may even fall under the more onerous "high-risk" classification if it is intended to be used for the specific education-related purposes referred to in the Act (such as access/admission to schools, evaluating learning, assessing appropriate education levels, or monitoring student behaviour during tests).

  • UK entities placing AI systems on the UK market, where the output of those systems is used in the EU.

UK deployers

UK deployers of AI are caught by the Act if they use AI systems in the UK, and the output produced by the system is then used in the EU. Many UK businesses are already likely to fall within this category (or, particularly as AI use becomes more widespread, to start falling within it). This could apply in the following illustrative scenarios:

  • Deployer example 1: a professional services firm uses AI to draft elements of an advice note for a client in the EU.
  • Deployer example 2: a cultural organisation uses AI to create elements of an advertisement for an online event, which is distributed to individuals in the EU.

Challenges in determining whether a UK deployer does or does not fall under the Act

One potential risk for UK deployers of AI is that there may well be many businesses in the UK using AI who do not intend for the outputs of that use to ever end up in the EU – and so who do not expect to be subject to the EU AI Act – but whose outputs inadvertently do end up in the EU.

To illustrate, suppose the scenario in deployer example 1 were altered so that the professional services firm used AI to draft elements of an advice note for a client in the UK. Unbeknownst to the firm, the client then shares the recommendations with their EU subsidiary who implements the recommendations. Does the professional services firm fall under the EU AI Act? It might seem extreme, and unworkable, if that were the case. However, while the background recitals to the Act suggest that the Act will only apply to deployers where the output is intended to be used in the EU, the wording of the legally binding operative provisions make no mention of intention at all. The strict interpretation of the Act therefore increases the range of UK businesses that could find themselves subject to the Act, at least until the Commission or courts provide clarity.

Another risk for UK deployers is inadvertently using AI to create a work product, without being aware of it, and then falling under the Act by using/sharing the work products within the EU. For example, suppose a business uses a software system to assist with some of its client communications, including communications to EU clients. The business is not made aware by the software provider that some of the functions of the software are driven by AI and that the (parts of) the work product are in turn an 'output' of an AI system. A related question here is exactly how the Commission and courts will interpret 'output' – for example, how direct does the link need to be between the AI system, and the ultimate work product that is shared within the EU, for the work product to constitute or contain an AI system output?

To the extent there is any ambiguity about the applicability of the Act in these cases, UK businesses should be vigilant about ensuring that their suppliers disclose how and whether AI plays a role in the services/products supplied to them, and to contractually require clients not to send work products to the EU (where they include the outputs of AI used by the business). From a risk and enforcement perspective, this is to be balanced against the fact that it may be challenging for EU authorities to monitor whether an output is indeed an output of an AI system (though there will of course be more obvious examples, like deepfake images).

Penalties and enforceability

Penalties for breach can be very high, but are dependent on the type of breach. Breach of prohibitions relating to Unacceptable Risk systems are treated most severely, and can land the infringer with a fine of up to 7% of global annual turnover or €35m (whichever is higher). Breach of obligations regarding high-risk and limited risk systems attract slightly lower but still substantial penalties of up to 3% of global annual turnover or €15m (whichever is higher). There is a question mark as to enforceability of AI literacy requirement, as no specific penalties seem to be set out in the regulations.

EU Enforcement of penalties on UK based entities is likely to be more complex than enforcement on EU-based entities – particularly on deployers who do not have a physical presence in the EU and who do not have to appoint an EU representative unlike UK providers of AI systems.

What steps should UK businesses be taking?

Key questions for UK businesses to ask themselves are:

  • Whether they might fall under the Act – noting that, absent clear guidance from the Commission, this could encompass any UK business that uses AI where the output of that use ends up in the EU (intentionally or not): a potentially very large, and growing, number of businesses.
  • If they might fall under the scope, do they sit safely within the no-risk category of use which attracts, at least for the time being, lighter touch (and less easily enforceable) AI literacy obligations, or will more onerous requirements apply requiring further work to ensure compliance?

To manage exposure to the EU AI Act, UK businesses should:

  • Conduct internal reviews to determine whether their use of AI may render them a provider, deployer or distributor of AI systems under the Act.
  • Understand if the business intends to limit the risk of falling within the scope of the Act at all, update supplier and client contracts to ensure that:
    • suppliers disclose all AI systems/AI outputs being provided to them; and
    • clients are prevented from sharing work outputs which contain AI outputs with EU entities.
  • If the business does fall under the scope of the Act, set up procedures to:
    • ensure the AI Literacy requirement is met unless and until the Digital Omnibus on AI is adopted; and
    • undertake a review of whether any uses fall into higher risk categories imposing more substantial obligations, and put in place a plan for compliance with the obligations that do apply.
  • Stay updated on EU guidance, enforcement cases and other regulatory developments.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, February 2026

Want to know more?

Contact us

About the authors

Alan Baker lawyer photo

Alan Baker

Partner

Alan advises on all aspects of data protection law, commercial contracts and the use of information and intellectual property assets, as well as commercial regulatory issues. He helps clients to balance the sometimes competing objectives of minimising compliance risks and maximising commercial rewards.

Alan advises on all aspects of data protection law, commercial contracts and the use of information and intellectual property assets, as well as commercial regulatory issues. He helps clients to balance the sometimes competing objectives of minimising compliance risks and maximising commercial rewards.

Email Alan +44 (0)20 3375 7441
Leo Salem lawyer

Leo Salem

Associate

Leo advises clients on intellectual property, commercial and information law matters across advisory, contentious and transactional contexts. His clients span cultural institutions, media and arts organisations, private individuals, charities, educational bodies and businesses.

Leo advises clients on intellectual property, commercial and information law matters across advisory, contentious and transactional contexts. His clients span cultural institutions, media and arts organisations, private individuals, charities, educational bodies and businesses.

Email Leo +44 (0)20 3375 7033

More by the authors

Further reading

Related sectors & services

Continue to next section
Back to top