On 2 August 2026 the EU Artificial Intelligence Act stops being a future problem. From that date the obligations for high-risk AI systems are enforceable, and the regulators gain the power to investigate and fine. If your firm has any exposure to the EU market, this is the deadline that turns principle into practice.
The detail that catches UK firms off guard is reach. The Act is not confined to companies based in the EU. It applies wherever the output of an AI system is used inside the bloc, or wherever a system is placed on the EU market. A UK firm with EU clients, EU staff, or EU end users can be in scope. GDPR taught everyone this lesson once already. The AI Act repeats it.
Does the Act actually apply to you?
The fastest way to answer is to ask three questions. Do you place an AI system or a general-purpose AI model on the EU market? Do you use AI whose output is consumed by people in the EU? Are you a deployer of AI inside an EU operation? A yes to any of these can pull you into scope.
For a UK financial firm, a law firm, or a healthcare provider with European clients or offices, the honest answer is usually that some part of the business qualifies. The Act does not require you to be an EU company. It follows the use and the output, not the registered address.
This is why "we are a UK firm, so it does not apply" is a dangerous assumption. It is the same assumption many made about GDPR, and it was wrong then too.
The four risk tiers
The Act sorts AI into tiers and matches the obligations to the risk.
Prohibited. A small set of uses are banned outright, such as social scoring and certain biometric categorisation. These rules have been in force since early 2025.
High risk. The demanding tier. It covers AI used in areas like recruitment, creditworthiness, biometric identification, and other uses listed in Annex III. High-risk systems carry obligations on risk management, data quality, documentation, logging, human oversight, and accuracy. These are the obligations that become enforceable on 2 August 2026.
Limited risk. Mostly transparency duties, such as telling people when they are interacting with an AI system or labelling synthetic content.
Minimal risk. The majority of everyday AI, which carries no specific obligations beyond good practice.
On top of the tiers sit the rules for general-purpose AI models, the foundation models behind tools like ChatGPT, Claude, and Gemini. Providers of those models face their own transparency, documentation, and copyright duties, and the largest models face systemic-risk obligations.
What changes on 2 August 2026
Two shifts matter. First, the high-risk obligations in Annex III become enforceable, so a firm operating an in-scope system has to be able to show it meets the risk management, documentation, oversight, and logging requirements. Second, the enforcement machinery switches on. From that date regulators can investigate, demand corrections, and levy fines.
The penalties are structured like GDPR. The ceiling for the most serious breaches, such as deploying a prohibited practice, reaches up to 7 percent of global annual turnover. Other breaches carry lower ceilings. As with GDPR, the headline figure is the maximum, not the going rate, but it sets the seriousness of the regime.
What to do before the deadline
The work divides into a sequence, and the order matters.
Build an AI inventory. You cannot classify what you cannot see. Most firms discover they have no reliable picture of which AI tools staff use, which are sanctioned, and what data each can reach. This is the foundation, and it is the step most commonly skipped. A discovery exercise such as an AI data leakage assessment produces that baseline, including the unsanctioned and embedded AI that rarely shows up on a software register.
Classify by risk tier. With an inventory in hand, sort each use into prohibited, high, limited, or minimal. The high-risk items are where the 2 August obligations bite. This is also where many firms find uses they did not realise were high risk, such as AI in hiring or credit decisions.
Document and evidence. High-risk systems need technical documentation, logging, and records of human oversight. Build the evidence trail now, while you have time, rather than assembling it under a regulator's timeline. This connects directly to building an AI governance framework for the enterprise that keeps the documentation current rather than letting it drift.
Put human oversight in place. For high-risk systems the Act expects meaningful human review, not a rubber stamp. Decide who is accountable, what they can see, and when they can intervene.
How this sits alongside the FCA and PRA
UK financial firms have a second regime to satisfy. The FCA and PRA have chosen to govern AI through existing rules and the Senior Managers regime rather than a separate AI rulebook, and they expect clear accountability for AI-influenced decisions and evidence of human oversight. Our CISO guide to the EU AI Act goes deeper on the obligations, and the same evidence trail feeds an AI audit trail for compliance that a UK supervisor will also expect.
The good news is that the two regimes ask for much of the same evidence. A clean inventory of AI use, a record of how decisions are overseen, and documentation that a third party can follow will serve both the EU AI Act and your UK supervisor. Do the discovery and governance work once, and most of it counts twice.
The deadline is the easy part to plan for
A fixed date is a gift, because it lets you work backwards. The harder truth is that most firms are not behind on documentation. They are behind on visibility. They cannot classify their AI use because they have never mapped it.
That is the gap to close first. Start with what is actually happening across your tools and your data, then classify, document, and oversee from a position of fact. With a few weeks still on the clock before 2 August, the firms that move now will face the deadline with evidence rather than guesswork.
