Back to blog EU AI Act compliance

EU AI Act Compliance Checklist for UK Businesses

A practical 2026 checklist for UK businesses using AI, serving EU customers, or preparing governance evidence for regulated buyers.

If your business uses AI and serves customers in the EU, or thinks it might one day, the EU AI Act can apply to you, even as a UK company. In 2026, the compliance picture changed significantly: some deadlines moved, others did not, and a dangerous myth has taken hold that "the AI Act was delayed."

That is only half true. Some obligations slipped to December 2027. Others take effect on 2 August 2026, exactly as scheduled.

This guide gives UK businesses a practical, up-to-date compliance checklist reflecting the Digital Omnibus amendments finalised in June 2026.

Does the EU AI Act apply to my UK business?

The short answer: probably, if you touch the EU market at all.

The EU AI Act has extraterritorial reach. It applies to UK businesses in three common situations:

  • You place an AI system on the EU market, for example software with AI features sold to customers in Ireland, Germany or France.
  • You deploy AI whose outputs are used in the EU, for example a UK-hosted chatbot serving EU customers.
  • You are part of an EU supply chain, where your product or service is embedded in something an EU company sells.

Brexit did not remove this exposure. UK businesses face a double challenge: complying with the EU AI Act for European operations while also meeting the UK's principles-based approach to AI regulation, enforced through existing regulators such as the ICO and FCA rather than a single AI statute.

The 2026 timeline: what actually changed

In November 2025, the European Commission proposed the Digital Omnibus on AI, a package of amendments to fix implementation problems with the original Act. After months of negotiation, the European Parliament endorsed it on 16 June 2026 and the Council gave final approval on 29 June 2026.

DateWhat applies
2 February 2025Prohibited AI practices banned, including social scoring and manipulative techniques.
2 August 2025General-purpose AI model obligations, including transparency, copyright policy and training-data summaries.
2 August 2026Article 50 transparency obligations. Users must be told when they interact with AI; AI-generated content must be disclosed.
2 December 2026Watermarking requirements extend to legacy systems; new prohibition on AI-generated non-consensual intimate imagery takes effect.
2 August 2027Member states must establish national AI regulatory sandboxes.
2 December 2027High-risk obligations for standalone Annex III AI systems.
2 August 2028High-risk obligations for AI embedded in regulated products such as medical devices, machinery and lifts.

The key insight: the delay bought time for high-risk paperwork, not for transparency. If your chatbot, content generator or customer-facing AI serves EU users, your first hard deadline is 2 August 2026.

Step 1: Build your AI inventory

You cannot classify, test or evidence what you have not found. Every compliance journey starts with a complete inventory of AI systems across your organisation.

  • Customer-facing AI: chatbots, virtual assistants, recommendation engines and AI-generated content.
  • Internal decision-support AI: hiring tools, credit or eligibility scoring, fraud detection and performance evaluation.
  • Embedded AI: AI features inside procured software such as CRM lead scoring, email tools and meeting transcription.
  • Shadow AI: tools individual teams adopted without central approval.

For each system, record the owner, vendor or in-house team, processed data, affected decisions, and whether outputs reach EU users. If you want to see this discipline in practice, the Nova platform was built around exactly this governance-ready inventory model.

Step 2: Classify each system by risk

The AI Act is a risk-based law. Obligations scale with the risk tier of each system:

  • Unacceptable risk: prohibited systems such as social scoring and manipulative or exploitative techniques.
  • High risk: AI used in employment, education, essential services, credit, insurance, law enforcement, migration and critical infrastructure.
  • Limited risk: chatbots, AI-generated content, emotion recognition and deepfakes that require transparency.
  • Minimal risk: spam filters, AI in games and most internal productivity tools.

Classification sounds simple. In practice, it is where businesses often get it wrong. An internal HR helper that influences promotion decisions may be high-risk; a simple FAQ bot that discusses benefit eligibility may cross into regulated territory.

Step 3: Meet the August 2026 transparency obligations

From 2 August 2026, if your AI serves EU users you must ensure:

  • People are told clearly and at the point of interaction when they are communicating with AI rather than a human.
  • Text, images, audio and video generated by AI are identifiable as such.
  • Deepfakes and manipulated content depicting real people, places or events are labelled.
  • Emotion recognition and biometric categorisation notices are provided where those systems are lawful.

Action for UK businesses this quarter: audit every customer touchpoint where AI is involved, and confirm disclosure is visible, plain-language and present at the moment of interaction.

Step 4: Prepare high-risk systems for December 2027

Sixteen extra months sounds generous. It is not, because the work involved is substantial and sequential:

  1. Risk management system
  2. Data governance
  3. Technical documentation
  4. Logging and traceability
  5. Human oversight
  6. Accuracy, robustness and cybersecurity evidence
  7. Conformity assessment and registration

Start now and you have a realistic 18 months. Start in mid-2027 and you will be attempting a year of structured work in a quarter.

Step 5: Test AI behaviour before release

Documentation describes what your AI should do. Only testing shows what it actually does. Traditional software QA was not designed for probabilistic systems.

  • The same question, rephrased, can produce a different and wrong answer.
  • Agents hallucinate policy, facts and confidence where no basis exists.
  • Systems keep answering when the safe behaviour is to refuse or escalate to a human.
  • Behaviour drifts as models, prompts and integrations change.

This is the gap DaBuDa's AI Agent Test Lab exists to close: testing AI agents against realistic service scenarios, edge cases, vulnerable-user journeys and escalation rules before release. For a worked example, see our council AI assurance case study.

Step 6: Build your governance evidence trail

Every step above produces artefacts. Organise them from day one:

  • AI inventory and risk classifications with named owners and review dates.
  • Test findings and response traces showing what was tested, what failed and what was fixed.
  • Risk register with severity, impact, mitigation and release conditions.
  • Release decision records showing who approved go-live, on what evidence and with what conditions.
  • Monitoring and drift evidence showing the system still behaves as tested after launch.

To see the standard we recommend, you can download a sample AI assurance evidence pack.

Penalties: what non-compliance costs

  • Prohibited practices: fines up to EUR 35 million or 7% of global annual turnover, whichever is higher.
  • Breaches of other obligations: up to EUR 15 million or 3% of turnover.
  • Incorrect or misleading information to authorities: up to EUR 7.5 million or 1% of turnover.

For most businesses, the larger cost of non-compliance is commercial: failed procurement bids, blocked enterprise deals and reputational damage from a public AI failure.

The UK angle: FCA, ICO and sector regulators

  • The ICO applies UK GDPR to AI, including automated decision-making, fairness, transparency and DPIAs.
  • The FCA expects financial firms to manage AI within existing frameworks, including Consumer Duty, SM&CR accountability and model risk management. Our financial services AI governance guide covers FCA-specific evidence expectations.
  • Sector and product law still applies, including equality law, consumer protection and product liability.

The practical upshot: the systems, inventories and evidence you build for EU AI Act compliance are the same assets UK regulators expect.

Quick-reference compliance checklist

By 2 August 2026

  • Complete AI system inventory, including shadow AI and vendor-embedded features.
  • Confirm which systems have EU users or EU-facing outputs.
  • Verify no system touches prohibited practices.
  • Implement AI-interaction disclosures on EU-facing chatbots and assistants.
  • Label AI-generated content and plan machine-readable watermarking.
  • Confirm GPAI obligations are met if you build on foundation models.

By 2 December 2026

  • Extend watermarking to systems that were live before August 2026.
  • If you offer image or audio generation, implement safeguards against non-consensual intimate imagery.

By 2 December 2027

  • Classify all Annex III high-risk systems and assign owners.
  • Stand up risk management, data governance and technical documentation.
  • Design and evidence human oversight for each high-risk system.
  • Run structured behavioural testing and capture findings.
  • Complete conformity assessment and EU database registration.
  • Assemble the governance evidence pack for board and audit review.

Continuous

  • Monitor deployed systems for drift and re-test after substantial modifications.
  • Keep the inventory current as teams adopt new tools.
  • Track UK regulatory developments from the ICO, FCA and sector regulators.

Frequently asked questions

Did the EU AI Act get delayed to 2027?

Partially. High-risk Annex III obligations moved to 2 December 2027. Transparency obligations under Article 50 still apply from 2 August 2026, prohibited practices have been enforceable since February 2025, and GPAI rules since August 2025.

We're a UK company with no EU offices. Are we in scope?

Having no EU offices is not the test. If your AI outputs are used by people in the EU, such as customers, job applicants or end users, you may be in scope.

Our AI comes from a vendor. Isn't compliance their problem?

No. The Act places obligations on deployers as well as providers, and UK regulators such as the FCA are explicit that accountability cannot be outsourced.

What's the single most important thing to do this month?

Build the inventory. Every other obligation depends on knowing what AI you actually have.

How do we prove our AI behaves safely?

Through structured, scenario-led testing that produces documented findings: response traces, failure modes, escalation gaps and release conditions. This is what the AI Agent Test Lab produces, and what the Nova platform manages on an ongoing basis.

Before your AI reaches production

Make the evidence visible.

DaBuDa helps councils and regulated enterprises test AI behaviour, expose failure modes, and create governance-ready evidence before go-live.

This article is provided for general information and does not constitute legal advice. For advice on your specific obligations under the EU AI Act or UK law, consult a qualified legal professional.