Despite Brexit, companies in the UK will be affected by EU regulation on artificial intelligence, writes SIMON ROUDH
Artificial intelligence (AI) has moved from novelty to necessity in record time. From automating customer service, to screening CVs and generating marketing content, AI tools are now embedded in everyday business operations and, inevitably, regulation is catching up.
With the aim of fostering trustworthy AI in Europe, the European Union has taken the lead with the AI Act (Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence) being the world’s first comprehensive, cross-sector AI law.
For UK businesses, the instinctive reaction might be: “Post-Brexit, that’s an EU issue”, but many UK organisations will be directly affected.
Why it applies beyond the EU
The AI Act has extra-territorial reach, so applies not only to businesses established in the EU, but also to organisations outside it. In effect, if your business trades into Europe, provides services to EU customers, or uses AI systems whose outputs affect individuals in the EU, this is likely to be relevant.
A risk-based framework
The EU has adopted a “horizontal” approach – one framework applying across sectors. This contrasts with the UK’s more principles-based, regulator-led approach, where regulators (such as Ofcom, ICO, FCA and CMA) apply current laws to AI within their remits.
The AI Act categorises AI systems according to risk, namely: (1) unacceptable risk; (2) high risk; (3) limited risk and (4) minimal risk. Importantly, the focus is not on business size, but the function and impact of the AI system.
High-risk AI systems include certain ones used in recruitment, employee management, credit scoring, education, access to essential services, and components of safety-critical products. For many businesses, this is where the compliance burden will sit, but it’s also important to note that certain AI systems are excluded, including those solely for scientific research and development, and for personal activities.
What does “AI System” mean?
The European Commission issued guidance to clarify what qualifies as an “AI system”. The definition is deliberately broad and technology neutral. It captures systems that generate outputs such as predictions, recommendations or decisions influencing environments using machine learning, logic-based or statistical approaches.
That means this isn’t just about generative AI tools like chatbots. Recruitment screening software, credit scoring models, HR analytics platforms and risk assessment systems could all apply.
If your business uses AI to influence employment decisions, access to finance, access to education, critical infrastructure, or certain safety components, you may be in “high-risk” territory.
When do the rules apply?
Although the AI Act entered into force in August 2024, its obligations apply in stages, and the final, and operationally most significant milestone, will be reached on 2 August 2026 when most high-risk AI requirements become fully applicable and the transparency rules of the AI Act come into effect.
From that point, high-risk AI systems must comply with requirements including documented risk management systems, appropriate data governance, technical documentation and record-keeping, human oversight measures, and, where required, conformity assessments, before being placed on the market. Additionally, users of high-risk systems also have responsibilities.
The consequences of non-compliance
While financial penalties are significant with fines reaching up to €35 million or 7% of global annual turnover, depending on the breach, reputational and commercial risks may be just as important. Non-compliant systems can be withdrawn from the EU market. Customers and investors are increasingly asking detailed questions about AI governance, and in some sectors, being able to demonstrate responsible AI practices may become a prerequisite to doing business.
It’s not just about safety
While the AI Act focuses heavily on safety and transparency, wider legal risks remain and businesses must also consider:
- Data protection (especially under GDPR)
- Intellectual property risks (including training data concerns)
- Employment law implications (bias and automated decision-making)
- Contractual allocation of liability with AI vendors
The regulatory landscape will only become more complex as case law develops and further guidance is issued.
Five practical steps to take now
For UK businesses, the question is less “Does this apply?” and more “Where might it apply?”
Even if your exposure is uncertain, early action is sensible. Practical steps include:
1. Map your AI use
Identify where AI is used across your organisation. Include tools adopted informally by teams. You cannot manage what you cannot see.
2. Assess risk classification
Consider whether any systems could fall within the high-risk category, particularly in HR, finance, customer eligibility or safety contexts.
3. Review supplier arrangements
If you use third-party AI vendors, examine contractual terms. Who is responsible for regulatory compliance? What transparency rights do you have? How is liability allocated?
4. Establish governance
Assign internal ownership of AI oversight. This may involve board-level engagement, risk committees or formal policies on AI adoption and monitoring.
5. Build transparency into operations
Where required, ensure individuals are informed when they are interacting with AI systems. Transparency is not only a legal requirement in some cases but a trust-building measure.
Final thoughts: Regulation as a strategic opportunity
It is easy to view the AI Act as just another compliance burden, but customers, employees and regulators increasingly expect AI to be deployed responsibly, transparently and with clear accountability.
For UK organisations operating internationally, alignment with EU standards may become commercial advantage rather than regulatory inconvenience. Strong AI governance can reduce risk, strengthen reputation and reassure counterparties and investors.
AI will continue reshaping how organisations operate, and regulation will evolve alongside it. Understanding where your business sits within the regime now, and seeking appropriate professional advice where needed, is far less disruptive than attempting to retrofit compliance once enforcement action is on the horizon.
Simon Roudh is a legal adviser at Vialex
Related
#firms #heed #EUs #regulation #Daily #Business #Magazine