What is the EU AI Act?

The transparency rules of the EU AI Act will come into effect in August 2026.

HK Law’s Alexandra Clapp explains the AI Act, the transparency obligations and what these mean for UK businesses. 

The EU AI Act (“Act”) is a legal framework under EU law aimed at the development, placement and/or use of AI within the EU marketplace.

In this guide you can find details on:

  • Which UK businesses are affected
  • What the EU AI Act is
  • The transparency rules
  • What steps your business should be taking
  • Timeframes 

Which UK businesses are subject to the Act?

UK businesses that provide or distribute AI systems on the EU market (known as “providers” and “distributors” respectively) or that place AI systems on the UK market where the output of those systems is used in the EU (known as “deployers”) are caught under the Act. Many UK businesses could fall within the category of being a “deployer”. One example is a design agency that uses AI to produce a brand marketing strategy or marketing materials which may ultimately be distributed to individuals in the EU.

What is the EU AI Act?

It is a set of binding rules for AI systems within the EU, built on a defined risk-based approach. Certain unacceptable AI practices are prohibited under the Act, while specific requirements and obligations are laid down for high-risk AI systems. In addition, transparency obligations apply to certain AI systems.

There is a general requirement of “AI literacy” in that providers or deployers of AI systems must take measures to ensure a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.

Prohibited AI practices include matters such as the placing or use of an AI system that deploys subliminal techniques beyond a person’s consciousness or purposefully manipulative or deceptive techniques that cause people harm or exploit people’s vulnerabilities in ways reasonably likely to cause significant harm.

Article 50 of the Act places transparency obligations on providers and deployers of certain AI systems, for instance:

  • providers of AI systems intended to interact directly with people must ensure they are designed and developed so that the persons concerned are informed that they are interacting with an AI system (unless obvious from the point of view of a reasonably well-informed person);
  • providers of AI systems generating synthetic audio, image, video or text content must ensure the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated;
  • deployers of an emotion recognition system or a biometric categorisation system must inform the people exposed to it of the operation of the system;
  • deployers of an AI system that generates or manipulates image, audio or video content constituting a deep fake must disclose that the content has been artificially generated or manipulated.

What steps should your business be taking?

UK businesses should consider whether any of their activities fall within the Act. In essence, if any of their products or deliverables that have involved or involve AI systems end up in the EU, then they are likely to be caught under the Act.

UK businesses should carry out an internal audit to understand how and where AI is used in their business, and whether they act as a “provider”, “distributor” or “deployer” in respect of the EU market. As part of this, we recommend that a review of “supply-side” and “client-facing” contract terms is carried out. This should reveal what AI any suppliers are using and whether any protections need to be put in place. Likewise, consideration should be given as to whether any restrictions or parameters need to be inserted in client contracts concerning use of the products and deliverables.

If a UK business does fall within the scope of the Act, it should consider whether the AI literacy requirement is being met, whether any of the transparency obligations apply, whether any of its AI systems sit within the higher risk categories under the Act, and what steps therefore need to be taken to ensure compliance.

Breach of the rules on the prohibited AI practices, and breach of the obligations regarding high-risk and limited risk AI systems, could mean a significant fine. More information can be found at the European Commission’s AI Act Service Desk.

When does the AI Act come into force?

The Act came into force on 1 August 2024, with phased implementation now through to 2027/8 under the EU’s proposed “Digital Omnibus on AI Regulation”.

The provisions concerning AI literacy and prohibited AI practices came into force on 2 February 2025.

The provisions concerning general purpose AI (“GPAI”) models, governance and penalties (without the fines for providers of GPAIs) came into effect on 2 August 2025.

The transparency obligations for providers and deployers of certain AI systems under the Act are due to come into force on 2 August 2026.

As above, the EU’s proposed “Digital Omnibus on AI Regulation” has pushed back certain of the other implementation deadlines through 2027/8.

Further legal advice

HK Law is the DBA’s legal partner, providing a free legal support helpline for members.

This publication is a general summary of the law.

For any specific legal advice, you should take legal advice based on your circumstances. Please feel free to contact a member of HK Law’s Corporate & Commercial Team for more tailored advice.

DBA members can benefit from a free half hour’s legal advice, each time you call about a different issue.