Where are we now? The EU AI Act’s implementation timeline
The EU Artificial Intelligence Act (AI Act) entered into force on 1 August 2024 and is being implemented in phases.
From 2 February 2025, the ban on AI systems posing “unacceptable risks” (e.g., social scoring, manipulative subliminal techniques) took effect. All organisations with operations in the EU must now ensure that none of their AI systems fall within the prohibited categories.
Two key milestones came into effect on 2 August 2025:
- Obligations for providers of General-Purpose AI (GPAI) models - such as large language models or image generators—now apply. Providers must ensure transparency, provide technical documentation, disclose any copyrighted material used in training, and, for “systemic risk” models, undertake risk assessments, adversarial testing, and incident reporting.
- Member States must designate competent authorities for enforcement and conformity assessments of high-risk and GPAI systems.
Further requirements such as those targeting high-risk AI systems will fully apply from 2 August 2026, with the final and most stringent duties applying by 2027 in relation to high-risk use cases (biometrics, safety, and critical infrastructure).
How does the EU AI Act affect UK companies?
The EU AI Act has broad extraterritorial reach, somewhat similar to the GDPR in its extraterritoriality.
It applies to:
- Any UK company that develops, markets, sells, or deploys AI systems in the EU.
- Any UK company whose AI system outputs are used in the EU, or whose service users are based in the EU even if the provider is outside of the EU.
Key impacts on UK businesses
- Providers (developers and commercialisers of AI) must ensure their AI systems comply with the EU risk categorisation, documentation, and transparency obligations if those systems are placed on the EU market.
- Deployers (enterprise-level users) of AI in the EU, whether as part of their operations or as part of services offered, must also comply, especially where “high-risk” AI is used (such as in HR/recruitment, finance, public services, infrastructure, etc.).
- Importers, distributors, service providers, and integrators including UK-based vendors customising or integrating AI for EU clients also fall within the AI Act’s scope.
- Penalties for non-compliance are potentially severe, with fines of up to 7% of global annual turnover for breaches in the most serious cases.
GPAI Model Providers
From August 2025, UK companies offering general-purpose AI models or services (such as SaaS or APIs used in the EU) face new obligations:
- Transparency: disclose how the model was trained, including data, and any third-party IP.
- Documentation: maintain technical details and risk assessments; for “systemic risk” models, this includes mandatory incident reporting and mitigation efforts.
- Downstream obligations: ensure that resellers, integrators, or customers in the EU receive necessary compliance information.
What should UK companies do now?
- Review your AI inventory: assess all AI systems in use or intended for use in the EU. Determine their risk classification under the AI Act.
- Check commercial arrangements: update supply agreements, licensing terms, and customer engagement to address allocation of compliance responsibilities, especially if you develop, fine-tune, or integrate AI for EU customers.
- Enhance governance and compliance systems:
- Appoint responsible officers.
- Develop or update technical documentation and impact assessments.
- Implement training for staff on compliance requirements.
- Monitor for Guidance: EU authorities are still publishing practical guidance for key provisions, such as the GPAI Code of Practice and harmonised standards. Stay alert for further updates, which can affect implementation timelines and compliance demonstration.
Key takeaways
- The EU AI Act is a live regulatory regime with extraterritorial reach. A “wait and see” approach is no longer viable for UK companies engaged with the EU market.
- Early investment in robust governance and compliance can provide strategic and reputational advantages in the European digital economy.
- Now is the time to consult with your legal advisers and compliance teams to ensure readiness and minimise risk.
For specific queries or tailored advice on the EU AI Act, please contact Tim Wright or another member of the Technology & Outsourcing team at Fladgate.
