For five years the working assumption in many UK boardrooms has been that EU regulatory risk left with the Withdrawal Agreement. The EU AI Act has quietly retired that assumption. Regulation (EU) 2024/1689 entered into force on 1 August 2024 with a staged timetable, and the most consequential of those stages — high-risk system requirements, Article 50 transparency obligations and Commission enforcement powers over general-purpose AI — apply from 2 August 2026. With under three months to go, the firms walking into our consultations are not the ones that have read the Act and decided it doesn’t apply to them. They are the ones who never read it because they assumed Brexit had done the work. Article 2 of the Act takes a very different view, and its extraterritorial scope is the single most under-appreciated regulatory exposure facing UK mid-market firms today.
Which UK firms are caught
Article 2 of the Act sets out three routes by which a UK firm comes into scope. Each captures a distinct commercial pattern.
Firms placing AI systems on the EU market. A UK fintech that licenses AI-driven advisory software to clients in Germany, France or the Netherlands is a provider under the Act, regardless of where the firm is incorporated or where the model is trained. The relevant test is whether the system is made available on the Union market — by direct sale, white-label, API or embedded in another product. UK SaaS vendors with even a handful of EU customers are in scope.
Firms acting as deployers of high-risk AI in the EU. A UK group that runs a French subsidiary and deploys an AI-assisted recruitment tool there is a deployer in the EU. The Act treats the deploying entity as the regulated party for that operation, which means the UK parent’s group-level AI procurement, model selection and oversight choices fall under the Act through the deployer route — even where the model originates from a US or Israeli vendor.
Firms whose AI output is used in the EU. This is the route most often missed. A UK insurance broker whose AI underwriting model determines premiums for EU-domiciled customers, or a UK marketing-analytics provider whose AI-generated scoring is consumed by an EU controller, falls within Article 2(1)(c). The test attaches to the output, not to the location of training, inference or commercial entity. UK firms with no EU office, no EU subsidiary and no EU sales contracts can still be in scope on this basis.
The 2 August 2026 milestone — what enters into force
Three blocks of obligations apply from 2 August 2026.
The high-risk system regime (Chapter III) starts to bite for systems falling under Annex III categories — biometrics, critical infrastructure, employment, essential private and public services, law enforcement, migration and justice. Providers must complete conformity assessments, register systems in the EU database, maintain technical documentation, implement post-market monitoring and ensure human oversight. Deployers must run the system in accordance with instructions for use, monitor performance, and notify the provider and authorities of serious incidents. (Article 6(1) — the high-risk classification route tied to Annex I product-safety law — is carved out until 2 August 2027.)
Article 50 transparency obligations apply across a much broader population than the high-risk regime. Providers of generative AI must mark synthetic audio, image, video and text in a machine-readable format. Deployers of systems that interact with natural persons must inform those persons that they are dealing with an AI unless it is obvious from the context. Deployers of deepfake-producing systems must disclose the artificial nature of the content. Article 50 reaches well beyond the regulated sectors and is the obligation most UK firms with customer chatbots, content-generation tooling or synthetic-media workflows will need to satisfy directly.
Commission enforcement powers over providers of general-purpose AI models (Chapter V) become operational. The AI Office can request information, conduct evaluations and impose penalties on GPAI providers — including non-EU providers that place models on the EU market.
The prohibitions in Chapter II and the AI literacy obligations in Article 4 have applied since 2 February 2025, and the GPAI provider rules in Chapter V since 2 August 2025; all three are already in force.
The 2 August 2027 milestone — Article 6(1) and full GPAI compliance
Two further changes fall in 2027. Article 6(1) — the route that classifies an AI system as high-risk because it is a safety component of a product covered by Annex I Union harmonisation law — applies in full. This pulls in AI embedded in machinery, medical devices, in vitro diagnostics, automotive systems, lifts, radio equipment and the other product categories listed in Annex I, and significantly expands the high-risk perimeter. Separately, GPAI models placed on the EU market before 2 August 2025 must reach full compliance with Chapter V obligations by 2 August 2027 — the grandfathering window closes.
Risk classification — what counts as high-risk for a typical UK mid-market firm
Most UK mid-market firms will not encounter the Annex I product-safety route. The relevant exposure is Annex III, and four categories there account for the majority of practical classifications.
Employment, workers’ management and access to self-employment. AI used to recruit, screen CVs, target job adverts, evaluate candidates, allocate tasks, or monitor and evaluate performance is high-risk. The trigger is the function, not the vendor. A firm using a third-party CV-screening tool from a US vendor is a deployer of a high-risk system and inherits the deployer obligations under Article 26.
Creditworthiness and credit scoring. AI used to evaluate the creditworthiness of natural persons, or to establish their credit score, is high-risk — with a narrow exception for AI used to detect financial fraud. UK lenders, brokers, BNPL providers and insurance firms with AI in the underwriting or pricing path will be caught.
Education and vocational training — access and admission. AI used to determine access to, or admission to, educational and vocational training institutions, or to evaluate learning outcomes used to steer the learning process, is high-risk. UK edtech and corporate-learning firms operating into the EU should expect classification.
Essential private services. AI used to evaluate eligibility for essential private services — including credit, life and health insurance, and emergency response triage — is high-risk under Annex III point 5. The conformity assessment requires risk management throughout the lifecycle, data governance, technical documentation, record-keeping, transparency to deployers, human oversight and accuracy/robustness/cybersecurity testing — with EU-database registration and an EU declaration of conformity.
What to do now — a four-step action plan
- Build an AI inventory. You cannot classify what you cannot see. Catalogue every AI system used by, embedded in, or procured for the business — including the shadow-IT layer of generative AI subscriptions held by individual teams. Capture the provider, the use case, the data classes processed and the geography of users and outputs.
- Classify each use case against the EU AI Act risk taxonomy. For each entry on the inventory, determine whether the system is prohibited (Chapter II), high-risk (Annex III or Annex I route), subject to Article 50 transparency, or minimal. Record the reasoning — the classification is itself a documentation obligation.
- Run a conformity-assessment gap analysis for any high-risk use case. Map the firm’s current controls — risk management, data governance, technical documentation, logging, human oversight, accuracy and cybersecurity testing — against the requirements of Articles 9 to 15. Identify the gaps and set a remediation timeline anchored to 2 August 2026.
- Implement Article 50 transparency labelling for any user-facing AI output. Chatbot disclosure, synthetic-content marking and deepfake disclosure must be operational by 2 August 2026. Build the labelling into the product surface and the standard operating procedures; do not rely on a one-line disclaimer in a privacy notice.
How Rhentech helps
Rhentech runs a senior-led AI governance engagement designed to deliver the four steps above on a single timeline. The engagement begins with an AI Usage Audit — a structured discovery of every AI system used by, deployed by or relied upon by the firm, including the shadow-IT layer that compliance functions rarely see. The audit feeds into an EU AI Act classification matrix, a conformity-assessment gap analysis for any high-risk use case, and an Article 50 transparency design covering every user-facing AI surface. Where the firm has procurement gates that reference ISO 42001 — increasingly common in Fortune 500 and FTSE vendor questionnaires — we align the governance artefacts to the ISO 42001 control framework so the same body of work satisfies both regulators and buyers.
If your firm sells, deploys, or produces AI output that touches the European Union, the time to start is now. Book a free initial consultation and we will scope an AI Usage Audit aligned to your 2 August 2026 deadline.