🚀 Launch offer: Sign up free and get 60 days full Pro access — no credit card needed. Claim it →

← Back to blog
AI Act10 Mar 2025 · 11 min read

EU AI Act: What UK Businesses Need to Know in 2025

The EU AI Act is now in force — the world's first comprehensive AI regulation. For UK businesses, it's more relevant than it may first appear: if you deploy AI-powered tools to EU customers, serve EU residents, or use AI systems that interact with EU data, the Act likely applies to you. And with the UK developing its own AI framework, understanding the EU's approach is essential groundwork.

The EU AI Act entered into force on 1 August 2024. Phased implementation means most obligations apply from August 2026, but high-risk AI provisions and the AI literacy requirement began applying earlier. Don't assume you have unlimited time.

1What the EU AI Act actually requires

The Act takes a risk-based approach, classifying AI systems into four tiers:

  • Unacceptable risk — banned outright (social scoring by governments, real-time biometric surveillance in public spaces, AI that exploits vulnerabilities of vulnerable groups)
  • High risk — permitted but subject to strict conformity assessments (AI in recruitment, credit scoring, education, critical infrastructure, law enforcement)
  • Limited risk — transparency obligations only (chatbots must disclose they're AI; deepfakes must be labelled)
  • Minimal/no risk — no mandatory requirements (most AI applications, including GDPR compliance tools, recommendation engines, spam filters)

For most UK SMEs, AI tools they use or deploy will fall into the "limited risk" or "minimal risk" category. However, if you use AI in HR processes (CV screening, performance assessment), credit decisions, or certain customer-facing interactions, high-risk provisions may apply.

2Does the EU AI Act apply to UK businesses?

The EU AI Act has explicit extra-territorial reach, similar to GDPR. It applies to you if:

  • You deploy an AI system (or output of an AI system) to users located in the EU — even if your company is in the UK
  • You are an EU-based user of an AI system deployed by a UK provider
  • The outputs of your AI system are used in the EU (e.g. AI-generated content distributed to EU audiences)

If your SaaS product, marketing automation, or customer-facing AI tool is used by EU customers, the Act reaches you.

Post-Brexit, the UK is not subject to the EU AI Act domestically — but UK businesses targeting EU markets must comply with it for those markets, just as with EU GDPR. Many UK companies operating across both markets will need to align with both frameworks.

3Key obligations by role

The Act distinguishes between providers (who develop or place AI systems on the market) and deployers (who use AI systems in their business). Most UK SMEs are deployers — using AI tools built by others.

  • Providers: conformity assessment, CE marking, registration in the EU AI database, post-market monitoring, incident reporting
  • Deployers of high-risk AI: conduct fundamental rights impact assessment, implement human oversight, maintain records, inform employees when AI monitors or evaluates them
  • Deployers of limited risk: disclose to users when they're interacting with AI (chatbot transparency)
  • All organisations: AI literacy obligation — ensure staff have sufficient understanding of AI to use it responsibly

4The AI literacy obligation

Article 4 of the EU AI Act requires all providers and deployers to ensure a sufficient level of AI literacy among staff. This applies from 2 February 2025 — one of the earliest provisions to take effect.

For practical purposes, this means organisations need to provide AI awareness training to staff who use, build, or make decisions based on AI tools. The requirement is proportionate to context and size, but it is a mandatory baseline, not a recommendation.

AlgoGrass's GDPR Training module includes AI literacy content aligned with Article 4 obligations — covering what AI is, how it makes decisions, risks to watch for, and how staff should apply human oversight. Explore the training module →

5AI Act and GDPR: the overlap

Most AI systems process personal data, which means GDPR applies alongside the AI Act. The two frameworks reinforce each other but have distinct requirements:

  • GDPR requires a lawful basis for processing personal data used to train or run AI — legitimate interests or consent are common bases, but require careful assessment
  • GDPR Articles 13–14 require transparency about automated decision-making — if AI makes or significantly influences decisions affecting individuals, this must be disclosed
  • GDPR Article 22 gives individuals rights not to be subject to solely automated decisions with significant effects — consider whether human review is needed
  • AI Act fundamental rights impact assessments overlap with GDPR DPIAs — in many cases a combined assessment is practical

6What UK businesses should do now

  • Inventory all AI tools your business uses — including third-party tools like AI recruitment software, AI customer service, AI analytics
  • Classify each: is it high-risk, limited-risk, or minimal-risk under the EU AI Act?
  • For any high-risk AI: start documenting your oversight processes and prepare for a fundamental rights impact assessment
  • Implement AI literacy training for staff (required since February 2025 if you serve EU users)
  • Review your privacy notice and DPIA for AI tools that process personal data — GDPR transparency requirements apply
  • Monitor the UK AI framework: the Government is developing a sector-led, voluntary approach which may become more formal in 2025–26

Run a GDPR compliance scan to check whether your AI-related data processing disclosures are in order before the EU AI Act's transparency obligations bite further. Free scan →

7Penalties

Fines under the EU AI Act are substantial — up to €35 million or 7% of global annual turnover for deploying prohibited AI systems; up to €15 million or 3% for other violations. EU member states are establishing national enforcement authorities. The European AI Office (established February 2024) oversees general-purpose AI models.

For UK businesses operating in EU markets, the risk is real — particularly for those in regulated sectors where AI is used in consequential decisions.

Check your GDPR and AI compliance position

AlgoGrass scans your website for GDPR risks and generates the documentation you need — including for AI Act-related transparency obligations. Start with a free scan.

Scan my website free →