The UK has no AI Act — but the EU’s does reach UK businesses. If you sell into or operate in the EU, this is the AI law you can’t ignore. Here’s what applies in 2026, cited to official sources. (dgm implements osFoundry as an independent partner. General information, not legal advice.)
Why a UK business is in scope
The EU AI Act applies extraterritorially, like GDPR. It catches:
- providers placing AI systems or GPAI models on the EU market (regardless of where they’re established); and
- providers and deployers whose AI output is used in the EU, even if based outside the EU — e.g. in the UK.
So a UK business with no EU establishment can still be caught if its AI reaches the EU market. That surprises many UK firms who assume “no UK AI Act” means no AI statute applies to them.
The risk tiers
The Act classifies AI by risk:
| Tier | What it means |
|---|---|
| Prohibited | Banned practices (Art. 5) |
| High-risk | Strict obligations (documentation, oversight, conformity) |
| Limited-risk | Transparency (e.g. tell users they’re talking to AI) |
| Minimal-risk | Largely unregulated |
Plus a separate regime for general-purpose AI (GPAI) models.
The penalties
Up to €35m or 7% of global turnover for prohibited practices; up to €15m or 3% for high-risk and other breaches (implementation timeline). GDPR-scale — worth taking seriously.
Key dates (note the deferral)
- 1 Aug 2024 — entered into force.
- 2 Feb 2025 — prohibited practices + AI-literacy obligations apply (live now).
- 2 Aug 2025 — GPAI model obligations apply (live now).
- High-risk — deferred. The “Digital Omnibus” (Commission proposal Nov 2025; provisional political agreement ~May 2026) pushes Annex III standalone high-risk systems to 2 December 2027 and Annex I product-embedded systems to 2 August 2028. Confirm final adoption, as this was provisional in mid-2026.
What to do
- Assess EU exposure — does your AI’s output reach the EU market?
- Classify your systems against the tiers.
- Prioritise the live obligations — the prohibited-practice ban and GPAI rules already apply.
- Plan for high-risk deadlines if relevant.
Where osFoundry and dgm fit
dgm builds AI with the controls the Act rewards — documentation, transparency, human oversight, and audit logging — designed in from the start, on osFoundry (data control via self-hosting or an EU region; it publishes US/EU/JP regions). That makes classification and any conformity work far easier than retrofitting. We don’t make the legal classification — that’s for your advisers — but we build so the technical evidence is there.
dgm is an independent integration partner with zero integrations so far, and not a law firm. For definitive EU AI Act classification, take qualified legal advice. To scope an AI project that’s ready for EU-market obligations, book a consultation with dgm.