AI governance for UK boards

Does the EU AI Act apply to UK organisations?

Three routes pull UK organisations into the EU AI Act. A plain-English decision guide for boards: scope, roles, risk tiers and the June 2026 timeline.

Dr Karl George MBE · 9 min read · Researched and drafted with AI assistance

Ask the question directly in a UK boardroom — "does the EU AI Act apply to us?" — and you will usually hear one of two wrong answers. The first is "no, we left the EU." The second is "yes, everything with AI in it is caught." Neither survives contact with the text. Regulation (EU) 2024/1689 is extraterritorial by design: it follows the AI system and its output, not your place of incorporation. Whether it reaches a UK organisation turns on three specific routes into scope, and on a question most guidance skips entirely — whether you are a provider or a deployer.

This post is the plain-English version of that decision. If you would rather test your own position as you read, our interactive EU AI Act checker walks the same logic question by question and gives you a written answer to take to the board.

Key takeaways

  • The EU AI Act reaches UK organisations through three routes: placing AI systems on the EU market, AI output being used in the EU, or operating through an EU establishment. UK incorporation protects you from none of them.
  • Most UK regulated organisations are deployers of vendor AI, not providers. Deployer duties under Article 26 are lighter but real — and most published scope guidance is written for providers, which is exactly the gap.
  • Parts of the Act already bind in-scope organisations: prohibitions and AI-literacy duties since 2 February 2025, general-purpose AI model rules since 2 August 2025, and Article 50 transparency from 2 August 2026 as originally scheduled.
  • The high-risk dates have moved. Under the Digital Omnibus on AI agreement of 7 May 2026, Annex III systems shift to 2 December 2027 and embedded systems to 2 August 2028 — but the amendment was still awaiting formal adoption as of mid-June 2026.
  • Even if you are fully out of scope, the UK's five regulatory principles and UK GDPR still govern your AI. The gap analysis is worth doing either way.

The three routes into scope

Article 2 of the Act sets out who is caught. For a UK organisation, three routes matter.

Route one: you place an AI system on the EU market. If you sell, license or otherwise supply an AI system — or a general-purpose AI model, or software with an AI feature in it — to customers in the EU, you are a provider in scope, irrespective of where you are established. This is the route most UK software and data businesses already understand, because it works the same way as product regulation generally: the market you sell into sets the rules.

Route two: your AI's output is used in the EU. This is the broadest and least understood route. Article 2(1)(c) catches providers and deployers established in a third country "where the output produced by the AI system is used in the Union". Recital 22 explains the intent: to stop organisations circumventing the Act by running the system outside the EU while its results land inside it. A UK firm screening candidates for roles in its Frankfurt office, or producing AI-assisted credit decisions consumed by an Irish branch, can be in scope without ever "selling" anything into the EU. The recital frames this around output intended to be used in the Union — incidental access by someone who happens to be in the EU is not the test — but where EU use is part of how your business operates, assume the route is live.

Route three: you have an EU establishment. A subsidiary or branch in the EU that uses AI is itself a deployer located within the Union under Article 2(1)(b), caught directly. For groups, that converts a legal question into a governance one: whether to run one AI standard across the group at the EU grade, or maintain two regimes and police the boundary between them.

If none of the three applies — UK operations, UK clients, no EU-bound output — you are outside the Act. That answer is worth establishing properly and minuting, because insurers, investors and counterparties will ask you to evidence it.

Provider or deployer? The question that decides your workload

The Act assigns obligations by role, defined in Article 3. A provider develops an AI system (or has it developed) and places it on the market under its own name. A deployer uses an AI system under its own authority in a professional context.

Most UK regulated organisations are deployers. They buy recruitment-screening tools, credit models, document-analysis systems and copilots from vendors; they do not build them. Yet much of the published guidance, and most of the free scope checkers online, walk you through provider duties — conformity assessments, technical documentation, CE marking, appointing an authorised representative in the EU. If you are a deployer, that is largely someone else's homework, and reading it tells you very little about your own.

Deployer duties sit in Article 26, and for high-risk systems they are concrete: use the system in accordance with the provider's instructions; assign human oversight to people with the competence, training and authority to exercise it; ensure input data you control is relevant and sufficiently representative; monitor operation and report serious incidents; retain system logs for at least six months; and inform workers before a high-risk system is used on them. Article 27 adds a fundamental-rights impact assessment for public bodies, private operators providing public services, and deployers using AI for creditworthiness or life and health insurance pricing.

One trap deserves a line in the board minutes. Under Article 25, a deployer becomes a provider — inheriting the full provider obligations — if it puts its own name on a high-risk system, substantially modifies one, or changes a system's intended purpose. White-labelling a vendor's screening tool, or fine-tuning a model to do something its provider never intended, can quietly move you up a category.

The risk tiers, with UK-relevant examples

The Act is risk-based, and the tier determines the obligation.

Prohibited practices (Article 5) have applied since 2 February 2025: social scoring, untargeted scraping of facial images, and — with narrow medical and safety exceptions — emotion recognition in the workplace and in education. The May 2026 omnibus agreement adds prohibitions on AI that generates non-consensual intimate imagery or child sexual abuse material, intended to take effect on 2 December 2026 once the amendment is adopted.

High-risk systems are listed in Annex III, and the list reads like a catalogue of ordinary UK back-office AI. Recruitment and selection — screening and filtering applications, evaluating candidates — is point 4. Creditworthiness assessment of natural persons is point 5(b); for UK lenders and insurers with EU exposure this lands on top of an already layered domestic regime, which we map on our financial services sector page. Eligibility for essential public services and benefits — the triage systems increasingly used in housing and welfare administration — is point 5(a). Education, biometrics and critical infrastructure follow. A second high-risk category covers AI embedded as a safety component in products already regulated under EU law (Annex I), on a later timetable.

Transparency-tier systems carry Article 50 duties: people must be told when they are interacting with an AI system; synthetic audio, image and video content must be marked as artificially generated; deepfakes and AI-written text published on matters of public interest must be disclosed. These duties apply to limited-risk systems generally — any customer-facing chatbot or generative tool with EU users is enough.

Minimal-risk systems — the bulk of everyday AI — carry no new obligations under the Act, though UK data protection law and your sector regulator still apply.

The timeline as of June 2026 — and what is still pending

The Act entered into force on 1 August 2024 with staggered application. As of June 2026, the position is this:

Already applying. Prohibitions and the Article 4 AI-literacy duty since 2 February 2025. Obligations on providers of general-purpose AI models since 2 August 2025. The Commission's powers to fine GPAI providers activate on 2 August 2026.

Applying on schedule. Article 50 transparency applies from 2 August 2026, as originally enacted. The omnibus did not move it. The one concession in the 7 May agreement is a grace period for the machine-readable marking duty in Article 50(2): systems already on the market before 2 August 2026 get until 2 December 2026 to comply.

Moved — but not yet law. On 7 May 2026 the Council and Parliament reached political agreement on the Digital Omnibus on AI, proposed by the Commission on 19 November 2025. It defers the high-risk obligations from 2 August 2026 to 2 December 2027 for stand-alone Annex III systems, and from 2 August 2027 to 2 August 2028 for high-risk AI embedded in regulated products. As of mid-June 2026 the amending regulation still required a Parliament plenary vote, formal Council adoption and publication in the Official Journal; Covington's analysis anticipated final approval in June and publication in July 2026. Treat the deferred dates as near-certain but not yet binding, and have someone confirm adoption before any compliance plan relies on them — the same caution we gave in our guide to what UK boards govern instead of an AI Act.

Penalties are set by Article 99: up to €35 million or 7% of worldwide annual turnover for prohibited practices, up to €15 million or 3% for most other breaches — including the deployer duties in Article 26 and the transparency duties in Article 50 — and up to €7.5 million or 1% for supplying misleading information to authorities. For companies, the higher of the two figures applies; for SMEs, the lower.

Your situation, in one table

| Your situation | Likely status | First action |
|---|---|---|
| You sell or license AI (or software with an AI feature) to EU customers | Provider — in scope | Map each system to a risk tier; confirm conformity-assessment and authorised-representative duties against the 2 December 2027 high-risk date |
| You use vendor AI and its output reaches EU clients, branches or counterparties | Deployer — likely in scope via Article 2(1)(c) | Inventory which outputs cross into the EU and test each against Annex III |
| You have an EU subsidiary or branch that uses AI | The subsidiary is an in-scope deployer | Decide whether the group runs one EU-grade AI standard or two regimes |
| You run a customer-facing chatbot or generative AI with EU users | Article 50 transparency applies from 2 August 2026 | Confirm disclosure and content-marking with your vendor this quarter |
| UK-only operations, UK-only clients, no EU-bound output | Out of scope | Minute the assessment with evidence — then govern to the UK principles anyway |

What to do this quarter, even if you are out of scope

Being outside the EU AI Act does not return you to a vacuum. The UK's five cross-cutting principles — safety, transparency, fairness, accountability, contestability — are what your existing regulators apply to your AI now, and UK GDPR binds wherever personal data is processed. The controls that evidence the UK principles and the controls that satisfy Article 26 overlap almost entirely: a live AI inventory, named human oversight, vendor due diligence, log retention, a register your board actually reviews. Work done for one regime is work done for the other.

So the quarter's agenda is the same whichever side of the scope line you sit. Establish your position on each of the three routes and minute it. Inventory your vendor AI and trace where its output goes. If any customer-facing generative AI touches EU users, close the Article 50 gap before 2 August 2026. And assign one named owner to watch the omnibus through to the Official Journal, because the high-risk dates your plan depends on are agreed but not yet enacted.

The question "does the EU AI Act apply to us?" has a knowable answer. The boards that struggle are not the ones in scope; they are the ones that never established which side of the line they are on.

Last reviewed: 12 June 2026.


If you want that answer in writing rather than in principle, start with our EU AI Act checker — the interactive version of this article. To see how your wider AI governance compares against board-level good practice, take the ten-minute Board AI Scorecard. And if the scope assessment needs doing properly, with evidence your board can minute, our AI governance diagnostic (from £3,950) covers EU AI Act exposure alongside the UK principles.
