The short answer: yes. Brexit moved UK companies outside the EU’s regulatory perimeter. The EU AI Act treats UK companies as third-country providers — subject to the same extraterritorial obligations as US, Indian, or Canadian companies the moment their AI systems reach EU users. There is no special post-Brexit status, no UK-EU AI Act equivalence arrangement, and no transition period.

This post sets out exactly how the Act reaches UK companies, which obligations apply, and what UK AI providers need to do about it.

Key definitions

Before the analysis, four terms the EU AI Act uses that UK founders frequently misapply.

TermEU AI Act definitionWhy it matters for UK companies
ProviderAn entity that develops an AI system or has one developed and places it on the market under its own name or trademarkMost UK AI companies are providers — they build and sell AI systems. Being a provider triggers the full suite of obligations including the AR requirement
DeployerAn entity that uses an AI system under its own authority in a professional contextUK companies integrating third-party AI into their products or services may be deployers — different obligations, but still in scope
Placing on the marketMaking an AI system available for the first time on the EU market — whether for payment or free of chargeA UK company offering a free trial to an EU user is placing its system on the market. Revenue is irrelevant to triggering the obligation
Making available on the marketAny supply of an AI system for distribution or use in the Union in the course of a commercial activityAPI access, SaaS licensing, white-label arrangements — all count. The legal structure of the supply does not change the obligation

How the EU AI Act reaches UK companies

The Act’s extraterritorial scope is set out in Article 2. It applies to:

  • Providers placing AI systems on the EU market regardless of establishment
  • Providers whose AI systems are used in the Union
  • Deployers of AI systems established within the Union — but also deployers outside the Union where the system’s output is used in the Union

The critical phrase is regardless of establishment. The Act does not ask where you are incorporated, where your servers are hosted, or whether you have a single employee in an EU member state. It asks where your system is used.

For UK companies, this means:

ScenarioIn scope of EU AI Act?
UK company with EU SaaS subscribersYes
UK company licensing AI via API to EU businessesYes
UK company with white-label AI used by EU deployersYes
UK company with EU enterprise contractsYes
UK company offering free AI tool used by EU usersYes
UK company with zero EU users and no EU commercial activityNo
UK company whose AI output is used by a UK client who then operates in the EUDepends — the output test applies

Brexit and the EU AI Act: what changed

Before Brexit, UK companies operated within the EU’s single market and regulatory perimeter. EU legislation applied directly; UK-based entities were EU-established for regulatory purposes.

That changed on 31 December 2020.

Under the EU-UK Trade and Cooperation Agreement, no mutual recognition arrangement for AI regulation was established. The TCA covers goods, services, and data adequacy in limited respects — it does not extend to AI Act compliance or create any equivalence framework. The EU AI Act, which came into force after Brexit, treats the UK as a third country in the same way it treats the United States, India, or any other non-EU jurisdiction.

PositionPre-BrexitPost-Brexit
UK company’s regulatory statusEU-established providerThird-country provider
EU AI Act AR requirementDoes not applyApplies to high-risk AI providers
Technical documentationAs EU providerAs non-EU provider — must be held by AR
Conformity assessmentDirectThrough EU-recognised notified body
EU AI database registrationDirect registrationVia AR
Market surveillance contactDirectVia AR

Which EU AI Act obligations apply to UK companies

Obligations depend on your system’s risk classification. The Act classifies AI systems into four tiers.

Tier 1 — Prohibited practices (Article 5)

These apply to every provider and deployer regardless of risk tier, establishment, or revenue. They have been in force since 13 February 2025.

The eight prohibited practices under Article 5:

Prohibited practiceWhat it covers
Subliminal manipulationAI that influences behaviour below conscious awareness in a way that causes harm
Exploitation of vulnerabilitiesAI that exploits age, disability, or social/economic circumstances to distort behaviour
Social scoring by public authoritiesAI used by public bodies to evaluate or classify people based on social behaviour
Real-time remote biometric identification in public spacesWith narrow law enforcement exceptions
Biometric categorisation inferring sensitive attributesRace, political opinion, religious belief, sexual orientation, etc. from biometric data
Emotion recognition in workplace or educationAI that infers emotional states of employees or students
Untargeted scraping for facial recognition databasesBuilding or expanding databases by scraping faces from the internet or CCTV
Predictive policing based solely on profilingAI predicting criminal behaviour based on profiling without individual assessment

For UK companies: these prohibitions apply to you now. If your product touches any of these categories, you are already subject to enforcement risk regardless of your UK legal status.

Tier 2 — High-risk systems (Annex III)

High-risk obligations apply from 2 August 2026 for most systems. They are the most demanding in the Act.

The Annex III high-risk categories most relevant to UK AI companies:

CategoryExamples relevant to UK AI sector
BiometricsIdentity verification, facial recognition, emotion inference
Critical infrastructureAI managing energy, water, transport, or financial infrastructure
EducationAI determining access to education, assessing students, monitoring behaviour
Employment and HRCV screening, interview analysis, performance monitoring, promotion decisions
Essential servicesCredit scoring, insurance risk assessment, emergency service dispatch
Law enforcementRisk assessment, polygraph-adjacent tools, crime analytics
Migration and borderVisa assessment, asylum processing, border surveillance
Administration of justiceAI assisting court decisions, legal research tools used in proceedings

High-risk obligations for UK providers include:

ObligationWhat it requires
Risk management system (Article 9)Documented, ongoing risk identification and mitigation across the system lifecycle
Data governance (Article 10)Training data management, bias examination, data quality standards
Technical documentation (Annex IV)Comprehensive documentation of system design, development, and performance
Record-keeping (Article 12)Automatic logging of system operation where technically feasible
Transparency (Article 13)Clear information for deployers on capabilities, limitations, and oversight requirements
Human oversight (Article 14)Design measures enabling human monitoring, intervention, and override
Accuracy and robustness (Article 15)Performance standards for accuracy, robustness, and cybersecurity
Conformity assessmentSelf-assessment or notified body assessment depending on category
EU AI database registrationRegistration before placing system on market
Declaration of conformityWritten declaration that system meets applicable requirements
Post-market monitoring (Article 72)Ongoing monitoring of system performance after deployment

Tier 3 — Limited risk (transparency obligations)

AI systems that interact with humans — chatbots, emotion recognition, deepfake generation — must disclose their AI nature. Applies from 2 August 2026.

Tier 4 — Minimal risk

No mandatory obligations. Most AI systems fall here. A documented determination that your system is minimal risk is itself a useful compliance record.

GPAI models

General-purpose AI models have separate obligations under Articles 51–56, regardless of risk tier. UK companies developing foundation models or large language models used in the EU must comply with transparency, copyright, and — where systemic risk is identified — additional safety obligations. These apply from 2 August 2025.

The Authorised Representative requirement

This is the obligation most UK companies have missed.

Article 22 requires non-EU providers of high-risk AI systems to appoint an EU-established Authorised Representative before placing the system on the EU market.

QuestionAnswer
Who must appoint an AR?Non-EU providers of high-risk AI systems placing systems on the EU market
When must the AR be appointed?Before placing the system on the EU market — not after first sale
What must the AR be?A natural or legal person established in an EU member state
What does the AR do?Acts as point of contact for EU authorities, maintains technical documentation copy, cooperates with market surveillance
Can a registered address service act as AR?No — the AR has active legal obligations that a letterbox cannot fulfil
Can an EU distributor act as AR?Only if they explicitly agree to the legal obligations in writing
What is the penalty for operating without an AR?Up to €15 million or 3% of global annual turnover

The AR is not a formality. Market surveillance authorities write to the AR. The AR must respond substantively. An AR without knowledge of your product and legal standing to act on your behalf provides no meaningful protection.


Does existing UK compliance help?

UK AI companies frequently ask whether their existing UK regulatory compliance reduces their EU AI Act obligations. The short answer is: it provides context but not credit.

UK complianceRelevance to EU AI Act
UK GDPR / DPA 2018 complianceUseful context; does not satisfy EU AI Act data governance obligations
ICO AI guidance complianceDemonstrates regulatory maturity; no standing under EU law
FCA AI model risk managementSector-specific; does not satisfy Annex III high-risk obligations
UK GDPR Article 27 representativeSeparate appointment; does not satisfy EU AI Act Article 22 AR requirement
Cyber Essentials / NCSC guidanceUseful baseline; does not satisfy CRA or EU AI Act cybersecurity obligations
ISO 42001 certificationDirectly relevant; referenced in EU AI Act conformity pathways
CE marking (pre-Brexit)No longer valid for EU market access post-Brexit

Enforcement: is this actually happening?

Yes. The EU AI Act is not pending enforcement — it is in force.

DateWhat happened
1 August 2024EU AI Act entered into force
2 February 2025Article 5 prohibited-practice prohibitions became enforceable
2 August 2025GPAI model obligations became enforceable
2 August 2026High-risk system obligations, AR requirement, and most remaining provisions become enforceable
2 August 2027High-risk AI systems covered by existing EU product safety legislation come into scope

National market surveillance authorities in each EU member state are responsible for enforcement. The EU AI Office has direct enforcement authority over GPAI providers. Fines are:

ViolationMaximum fine
Article 5 prohibited practices€35 million or 7% of global annual turnover
Other high-risk system violations€15 million or 3% of global annual turnover
Incorrect or misleading information to authorities€7.5 million or 1% of global annual turnover

These apply to non-EU companies. EU enforcement of extraterritorial regulation has been established through GDPR — UK companies that assumed GDPR enforcement would not reach them discovered otherwise. The AI Act follows the same model and the same enforcement infrastructure.

What UK companies need to do — by priority

PriorityActionDeadline
ImmediateScreen your product against Article 5 prohibited practicesAlready in force
ImmediateDetermine your risk classification under Annex IIINeeded before August 2026
ImmediateDetermine your role: provider, deployer, or bothNeeded before August 2026
Before August 2026Appoint an EU Authorised Representative if high-riskHard legal deadline
Before August 2026Build your Article 9 risk management systemHard legal deadline
Before August 2026Complete Annex IV technical documentationHard legal deadline
Before August 2026Register in EU AI databaseHard legal deadline
Before August 2026Complete conformity assessmentHard legal deadline
OngoingPost-market monitoring systemFrom launch
If GPAIComply with Articles 51–56Already in force from August 2025

FAQ

My UK company has always sold into the EU — did Brexit change my EU AI Act obligations? Yes, fundamentally. Before Brexit, UK companies were EU-established providers. After Brexit, you are a third-country provider. The EU AI Act — which came into force after Brexit — was written with this distinction built in. UK companies that have been selling AI into the EU since before the Act came into force are already subject to its extraterritorial obligations, including the Authorised Representative requirement for high-risk systems.

We only have a few EU customers — does the Act still apply? Yes. The Act does not set a revenue threshold, a user number threshold, or a market share threshold for triggering obligations. A single EU user receiving output from a high-risk AI system is sufficient. The obligation is binary — you are either placing the system on the EU market or you are not.

Our AI product is free to use — does that change anything? No. The Act explicitly covers AI systems made available free of charge. “Placing on the market” includes any supply for distribution or use in the Union in the course of a commercial activity, whether or not payment is involved. A free tool with EU users is on the EU market.

We use a third-party AI model — are we a provider or a deployer? It depends on what you do with it. If you build a product on top of a third-party model and place that product on the market under your own name, you are a provider of that product — with provider obligations. If you use a third-party AI system internally or deploy it to end users without material modification or rebranding, you are more likely a deployer. The distinction turns on the specifics of your arrangement and is one of the most frequently misapplied questions in EU AI Act compliance.

Does our UK notified body certification carry over to EU conformity assessment? No. UK notified bodies lost their EU recognition on Brexit. For EU AI Act conformity assessment, you need a notified body established in an EU member state and recognised by the EU. Your UK certifications may provide useful documentation of your testing and quality management processes, but they do not satisfy EU conformity assessment requirements.

What is the fastest way to establish a compliant EU AI Act position? Four steps in order: determine your risk classification, screen against Article 5, appoint an EU Authorised Representative if high-risk, and begin building your technical documentation and risk management system. The classification and Article 5 screen can be done quickly with a lawyer-led assessment. The AR appointment can be executed within three to five working days of instruction. The documentation and risk management system is the longer build — but it starts with knowing your classification, which is why that comes first.

Is there any UK-EU arrangement that could change this in future? Possibly, but nothing is imminent. A UK-EU digital partnership is under discussion as part of the post-Brexit relationship reset initiated in 2025, but no AI-specific equivalence or mutual recognition arrangement has been agreed or formally proposed. UK companies should plan on the basis of the current third-country framework and treat any future equivalence arrangement as a potential upside, not a planning assumption.

We’re a UK company with an EU subsidiary — does the subsidiary satisfy the AR requirement? Possibly. If your EU subsidiary is the entity placing the AI system on the EU market under its own name, it may be the provider for EU AI Act purposes — in which case no separate AR is needed. If the UK parent is the provider of record and the EU subsidiary is a distribution entity, the subsidiary may be able to act as AR if it explicitly assumes the legal obligations. This requires careful legal structuring — the wrong arrangement leaves you with a subsidiary that exists on paper but does not satisfy Article 22 in practice.

European Compliance Suite provides lawyer-built EU AI Act assessments and Authorised Representative services for UK companies. If you are unsure how the Act applies to your product, a free 15-minute scoping call will give you a clear answer before you commit to anything.


Leave a Reply

Your email address will not be published. Required fields are marked *