The short answer: yes. Brexit moved UK companies outside the EU’s regulatory perimeter. The EU AI Act treats UK companies as third-country providers — subject to the same extraterritorial obligations as US, Indian, or Canadian companies the moment their AI systems reach EU users. There is no special post-Brexit status, no UK-EU AI Act equivalence arrangement, and no transition period.
This post sets out exactly how the Act reaches UK companies, which obligations apply, and what UK AI providers need to do about it.
Key definitions
Before the analysis, four terms the EU AI Act uses that UK founders frequently misapply.
| Term | EU AI Act definition | Why it matters for UK companies |
|---|---|---|
| Provider | An entity that develops an AI system or has one developed and places it on the market under its own name or trademark | Most UK AI companies are providers — they build and sell AI systems. Being a provider triggers the full suite of obligations including the AR requirement |
| Deployer | An entity that uses an AI system under its own authority in a professional context | UK companies integrating third-party AI into their products or services may be deployers — different obligations, but still in scope |
| Placing on the market | Making an AI system available for the first time on the EU market — whether for payment or free of charge | A UK company offering a free trial to an EU user is placing its system on the market. Revenue is irrelevant to triggering the obligation |
| Making available on the market | Any supply of an AI system for distribution or use in the Union in the course of a commercial activity | API access, SaaS licensing, white-label arrangements — all count. The legal structure of the supply does not change the obligation |
How the EU AI Act reaches UK companies
The Act’s extraterritorial scope is set out in Article 2. It applies to:
- Providers placing AI systems on the EU market regardless of establishment
- Providers whose AI systems are used in the Union
- Deployers of AI systems established within the Union — but also deployers outside the Union where the system’s output is used in the Union
The critical phrase is regardless of establishment. The Act does not ask where you are incorporated, where your servers are hosted, or whether you have a single employee in an EU member state. It asks where your system is used.
For UK companies, this means:
| Scenario | In scope of EU AI Act? |
|---|---|
| UK company with EU SaaS subscribers | Yes |
| UK company licensing AI via API to EU businesses | Yes |
| UK company with white-label AI used by EU deployers | Yes |
| UK company with EU enterprise contracts | Yes |
| UK company offering free AI tool used by EU users | Yes |
| UK company with zero EU users and no EU commercial activity | No |
| UK company whose AI output is used by a UK client who then operates in the EU | Depends — the output test applies |
Brexit and the EU AI Act: what changed
Before Brexit, UK companies operated within the EU’s single market and regulatory perimeter. EU legislation applied directly; UK-based entities were EU-established for regulatory purposes.
That changed on 31 December 2020.
Under the EU-UK Trade and Cooperation Agreement, no mutual recognition arrangement for AI regulation was established. The TCA covers goods, services, and data adequacy in limited respects — it does not extend to AI Act compliance or create any equivalence framework. The EU AI Act, which came into force after Brexit, treats the UK as a third country in the same way it treats the United States, India, or any other non-EU jurisdiction.
| Position | Pre-Brexit | Post-Brexit |
|---|---|---|
| UK company’s regulatory status | EU-established provider | Third-country provider |
| EU AI Act AR requirement | Does not apply | Applies to high-risk AI providers |
| Technical documentation | As EU provider | As non-EU provider — must be held by AR |
| Conformity assessment | Direct | Through EU-recognised notified body |
| EU AI database registration | Direct registration | Via AR |
| Market surveillance contact | Direct | Via AR |
Which EU AI Act obligations apply to UK companies
Obligations depend on your system’s risk classification. The Act classifies AI systems into four tiers.
Tier 1 — Prohibited practices (Article 5)
These apply to every provider and deployer regardless of risk tier, establishment, or revenue. They have been in force since 13 February 2025.
The eight prohibited practices under Article 5:
| Prohibited practice | What it covers |
|---|---|
| Subliminal manipulation | AI that influences behaviour below conscious awareness in a way that causes harm |
| Exploitation of vulnerabilities | AI that exploits age, disability, or social/economic circumstances to distort behaviour |
| Social scoring by public authorities | AI used by public bodies to evaluate or classify people based on social behaviour |
| Real-time remote biometric identification in public spaces | With narrow law enforcement exceptions |
| Biometric categorisation inferring sensitive attributes | Race, political opinion, religious belief, sexual orientation, etc. from biometric data |
| Emotion recognition in workplace or education | AI that infers emotional states of employees or students |
| Untargeted scraping for facial recognition databases | Building or expanding databases by scraping faces from the internet or CCTV |
| Predictive policing based solely on profiling | AI predicting criminal behaviour based on profiling without individual assessment |
For UK companies: these prohibitions apply to you now. If your product touches any of these categories, you are already subject to enforcement risk regardless of your UK legal status.
Tier 2 — High-risk systems (Annex III)
High-risk obligations apply from 2 August 2026 for most systems. They are the most demanding in the Act.
The Annex III high-risk categories most relevant to UK AI companies:
| Category | Examples relevant to UK AI sector |
|---|---|
| Biometrics | Identity verification, facial recognition, emotion inference |
| Critical infrastructure | AI managing energy, water, transport, or financial infrastructure |
| Education | AI determining access to education, assessing students, monitoring behaviour |
| Employment and HR | CV screening, interview analysis, performance monitoring, promotion decisions |
| Essential services | Credit scoring, insurance risk assessment, emergency service dispatch |
| Law enforcement | Risk assessment, polygraph-adjacent tools, crime analytics |
| Migration and border | Visa assessment, asylum processing, border surveillance |
| Administration of justice | AI assisting court decisions, legal research tools used in proceedings |
High-risk obligations for UK providers include:
| Obligation | What it requires |
|---|---|
| Risk management system (Article 9) | Documented, ongoing risk identification and mitigation across the system lifecycle |
| Data governance (Article 10) | Training data management, bias examination, data quality standards |
| Technical documentation (Annex IV) | Comprehensive documentation of system design, development, and performance |
| Record-keeping (Article 12) | Automatic logging of system operation where technically feasible |
| Transparency (Article 13) | Clear information for deployers on capabilities, limitations, and oversight requirements |
| Human oversight (Article 14) | Design measures enabling human monitoring, intervention, and override |
| Accuracy and robustness (Article 15) | Performance standards for accuracy, robustness, and cybersecurity |
| Conformity assessment | Self-assessment or notified body assessment depending on category |
| EU AI database registration | Registration before placing system on market |
| Declaration of conformity | Written declaration that system meets applicable requirements |
| Post-market monitoring (Article 72) | Ongoing monitoring of system performance after deployment |
Tier 3 — Limited risk (transparency obligations)
AI systems that interact with humans — chatbots, emotion recognition, deepfake generation — must disclose their AI nature. Applies from 2 August 2026.
Tier 4 — Minimal risk
No mandatory obligations. Most AI systems fall here. A documented determination that your system is minimal risk is itself a useful compliance record.
GPAI models
General-purpose AI models have separate obligations under Articles 51–56, regardless of risk tier. UK companies developing foundation models or large language models used in the EU must comply with transparency, copyright, and — where systemic risk is identified — additional safety obligations. These apply from 2 August 2025.
The Authorised Representative requirement
This is the obligation most UK companies have missed.
Article 22 requires non-EU providers of high-risk AI systems to appoint an EU-established Authorised Representative before placing the system on the EU market.
| Question | Answer |
|---|---|
| Who must appoint an AR? | Non-EU providers of high-risk AI systems placing systems on the EU market |
| When must the AR be appointed? | Before placing the system on the EU market — not after first sale |
| What must the AR be? | A natural or legal person established in an EU member state |
| What does the AR do? | Acts as point of contact for EU authorities, maintains technical documentation copy, cooperates with market surveillance |
| Can a registered address service act as AR? | No — the AR has active legal obligations that a letterbox cannot fulfil |
| Can an EU distributor act as AR? | Only if they explicitly agree to the legal obligations in writing |
| What is the penalty for operating without an AR? | Up to €15 million or 3% of global annual turnover |
The AR is not a formality. Market surveillance authorities write to the AR. The AR must respond substantively. An AR without knowledge of your product and legal standing to act on your behalf provides no meaningful protection.
Does existing UK compliance help?
UK AI companies frequently ask whether their existing UK regulatory compliance reduces their EU AI Act obligations. The short answer is: it provides context but not credit.
| UK compliance | Relevance to EU AI Act |
|---|---|
| UK GDPR / DPA 2018 compliance | Useful context; does not satisfy EU AI Act data governance obligations |
| ICO AI guidance compliance | Demonstrates regulatory maturity; no standing under EU law |
| FCA AI model risk management | Sector-specific; does not satisfy Annex III high-risk obligations |
| UK GDPR Article 27 representative | Separate appointment; does not satisfy EU AI Act Article 22 AR requirement |
| Cyber Essentials / NCSC guidance | Useful baseline; does not satisfy CRA or EU AI Act cybersecurity obligations |
| ISO 42001 certification | Directly relevant; referenced in EU AI Act conformity pathways |
| CE marking (pre-Brexit) | No longer valid for EU market access post-Brexit |
Enforcement: is this actually happening?
Yes. The EU AI Act is not pending enforcement — it is in force.
| Date | What happened |
|---|---|
| 1 August 2024 | EU AI Act entered into force |
| 2 February 2025 | Article 5 prohibited-practice prohibitions became enforceable |
| 2 August 2025 | GPAI model obligations became enforceable |
| 2 August 2026 | High-risk system obligations, AR requirement, and most remaining provisions become enforceable |
| 2 August 2027 | High-risk AI systems covered by existing EU product safety legislation come into scope |
National market surveillance authorities in each EU member state are responsible for enforcement. The EU AI Office has direct enforcement authority over GPAI providers. Fines are:
| Violation | Maximum fine |
|---|---|
| Article 5 prohibited practices | €35 million or 7% of global annual turnover |
| Other high-risk system violations | €15 million or 3% of global annual turnover |
| Incorrect or misleading information to authorities | €7.5 million or 1% of global annual turnover |
These apply to non-EU companies. EU enforcement of extraterritorial regulation has been established through GDPR — UK companies that assumed GDPR enforcement would not reach them discovered otherwise. The AI Act follows the same model and the same enforcement infrastructure.
What UK companies need to do — by priority
| Priority | Action | Deadline |
|---|---|---|
| Immediate | Screen your product against Article 5 prohibited practices | Already in force |
| Immediate | Determine your risk classification under Annex III | Needed before August 2026 |
| Immediate | Determine your role: provider, deployer, or both | Needed before August 2026 |
| Before August 2026 | Appoint an EU Authorised Representative if high-risk | Hard legal deadline |
| Before August 2026 | Build your Article 9 risk management system | Hard legal deadline |
| Before August 2026 | Complete Annex IV technical documentation | Hard legal deadline |
| Before August 2026 | Register in EU AI database | Hard legal deadline |
| Before August 2026 | Complete conformity assessment | Hard legal deadline |
| Ongoing | Post-market monitoring system | From launch |
| If GPAI | Comply with Articles 51–56 | Already in force from August 2025 |
FAQ
My UK company has always sold into the EU — did Brexit change my EU AI Act obligations? Yes, fundamentally. Before Brexit, UK companies were EU-established providers. After Brexit, you are a third-country provider. The EU AI Act — which came into force after Brexit — was written with this distinction built in. UK companies that have been selling AI into the EU since before the Act came into force are already subject to its extraterritorial obligations, including the Authorised Representative requirement for high-risk systems.
We only have a few EU customers — does the Act still apply? Yes. The Act does not set a revenue threshold, a user number threshold, or a market share threshold for triggering obligations. A single EU user receiving output from a high-risk AI system is sufficient. The obligation is binary — you are either placing the system on the EU market or you are not.
Our AI product is free to use — does that change anything? No. The Act explicitly covers AI systems made available free of charge. “Placing on the market” includes any supply for distribution or use in the Union in the course of a commercial activity, whether or not payment is involved. A free tool with EU users is on the EU market.
We use a third-party AI model — are we a provider or a deployer? It depends on what you do with it. If you build a product on top of a third-party model and place that product on the market under your own name, you are a provider of that product — with provider obligations. If you use a third-party AI system internally or deploy it to end users without material modification or rebranding, you are more likely a deployer. The distinction turns on the specifics of your arrangement and is one of the most frequently misapplied questions in EU AI Act compliance.
Does our UK notified body certification carry over to EU conformity assessment? No. UK notified bodies lost their EU recognition on Brexit. For EU AI Act conformity assessment, you need a notified body established in an EU member state and recognised by the EU. Your UK certifications may provide useful documentation of your testing and quality management processes, but they do not satisfy EU conformity assessment requirements.
What is the fastest way to establish a compliant EU AI Act position? Four steps in order: determine your risk classification, screen against Article 5, appoint an EU Authorised Representative if high-risk, and begin building your technical documentation and risk management system. The classification and Article 5 screen can be done quickly with a lawyer-led assessment. The AR appointment can be executed within three to five working days of instruction. The documentation and risk management system is the longer build — but it starts with knowing your classification, which is why that comes first.
Is there any UK-EU arrangement that could change this in future? Possibly, but nothing is imminent. A UK-EU digital partnership is under discussion as part of the post-Brexit relationship reset initiated in 2025, but no AI-specific equivalence or mutual recognition arrangement has been agreed or formally proposed. UK companies should plan on the basis of the current third-country framework and treat any future equivalence arrangement as a potential upside, not a planning assumption.
We’re a UK company with an EU subsidiary — does the subsidiary satisfy the AR requirement? Possibly. If your EU subsidiary is the entity placing the AI system on the EU market under its own name, it may be the provider for EU AI Act purposes — in which case no separate AR is needed. If the UK parent is the provider of record and the EU subsidiary is a distribution entity, the subsidiary may be able to act as AR if it explicitly assumes the legal obligations. This requires careful legal structuring — the wrong arrangement leaves you with a subsidiary that exists on paper but does not satisfy Article 22 in practice.
European Compliance Suite provides lawyer-built EU AI Act assessments and Authorised Representative services for UK companies. If you are unsure how the Act applies to your product, a free 15-minute scoping call will give you a clear answer before you commit to anything.

Leave a Reply