The short answer is yes — for UK businesses that sell AI-powered products or services to EU customers, or whose AI systems make decisions affecting EU individuals. The EU AI Act has the same extraterritorial design as GDPR. Brexit does not create an exemption. Here is what UK businesses need to know, including the EU authorized representative requirement that many are unaware of.
The EU AI Act follows the same extraterritorial design as GDPR: it looks at where the affected persons are, not where the company is incorporated. Article 2(1) creates three separate hooks that can bring a non-EU business into scope:
If you make an AI system available to EU customers — by selling it, licencing it, or deploying it for them — you are placing it on the EU market or putting it into service in the EU. This is the primary hook for UK SaaS companies, AI product companies, and any business that deploys AI for EU customers.
If you have an EU-established entity (a subsidiary, a branch, a registered office) that uses AI systems, that entity is a deployer established in the EU and falls directly in scope. The UK parent's location is irrelevant for the EU entity's own obligations.
The broadest hook: even if you do not directly place an AI system on the EU market, if the output of your AI is used within the EU — to make decisions about EU individuals, to provide services to EU users, or by EU-based customers of your platform — the Act can apply. This catches scenarios where a UK business sells to other businesses that then use the AI for EU end users.
The practical test for UK businesses: look at each of your AI systems and ask — does any EU person make a decision based on its output, does any EU customer use it, or does it directly affect EU individuals? If the answer to any of these is yes, you are likely in scope for that system.
You are a UK-established company. You sell AI-powered products or services to customers based in the EU — whether via a website, API, app, or direct sales.
Why this verdict
Obligations
The test is where your AI system's output is used, not where your company is incorporated or where your servers are located. A UK company with EU customers is almost certainly within scope for any AI system used in making decisions about those EU customers.
Your group has a UK parent but also has an EU-established entity — whether a subsidiary company, a branch office, or a registered presence in an EU member state.
Why this verdict
Obligations
UK groups with EU subsidiaries may find the compliance workstream is primarily managed at the EU entity level. However, if AI systems were developed at group level (in the UK), the UK parent's provider obligations also come into play for any system placed on the EU market through the subsidiary.
You are a UK-established company. All of your customers and operations are in the UK. Your AI systems' outputs are used exclusively by UK persons or entities.
Why this verdict
Obligations
Important caveat: if a UK-only customer later resells your product or uses it to serve EU end users, the output may reach the EU indirectly. Review your customer contracts and intended use cases. If any EU persons will be affected by decisions made by your AI system, the purely-UK-facing assumption breaks down.
This is the most commonly overlooked obligation for UK businesses. Under Article 22 of the EU AI Act, providers of high-risk AI systems who are not established in the EU must appoint an EU authorized representative before placing the system on the EU market. This is a direct parallel to the GDPR Article 27 representative requirement — but it is a separate appointment for a separate law.
Who this applies to:
Non-EU providers of high-risk AI systems who place those systems on the EU market. This includes UK companies that: (a) have built their own high-risk AI system (e.g. a credit scoring model, an HR screening tool, a medical AI system); and (b) make that system available to EU customers.
Non-EU providers who place a high-risk AI system on the EU market or put a high-risk AI system into service in the EU. This includes UK companies with EU customers. You do not need an EU authorized representative if you are only a deployer (using AI systems, not placing them on the market). The requirement applies to providers only.
The EU rep acts as your point of contact for EU market surveillance authorities and national competent authorities. They can be required to provide documentation about your AI system on request, cooperate with investigations, and act on your behalf in regulatory proceedings. They take on some liability — which is why the mandate must be in writing and the rep must be specifically authorised to act.
By a written mandate from you (the provider) to the EU rep. The mandate must authorise the representative to: be addressed by authorities in addition to or instead of you; cooperate with authorities on request; and to act generally as your representative in the EU. The representative's name and contact details must be stated in the Annex IV technical documentation and in the EU AI Act database registration.
Any natural person or legal entity established in the EU — a company, a law firm, a consultancy, or an individual. Many EU law firms and compliance consultancies now offer EU AI Act representative services, similar to GDPR Article 27 representative services. The EU rep does not need to be in any specific EU member state, but their details must be documented.
No — they are separate roles under separate laws, though they can be the same person or organisation. Your GDPR Article 27 representative handles data protection law; your EU AI Act Article 22 representative handles AI Act compliance. UK companies subject to both laws need both, potentially from the same provider if they offer both services.
After Brexit, the UK chose a different path for AI regulation. This creates a two-track compliance reality for UK businesses operating in both markets.
The practical risk of the "we're a UK company" assumption
Some UK businesses assume that because the UK has not enacted an EU AI Act equivalent, they have no binding AI obligations beyond existing law. This assumption is wrong for any business with EU-facing AI. The EU AI Act's extraterritorial hooks apply regardless of domestic UK law. A UK company that ignores EU AI Act obligations for its EU-facing AI because "we're not an EU company" is taking a compliance risk — and from August 2026, an enforcement risk.
PROVIDER
You place AI on the EU market. Same obligations as an EU-based provider. Appoint EU authorized representative (Article 22) before August 2, 2026.
DEPLOYER/PROVIDER
Article 50 chatbot disclosure applies in the EU. If you built the chatbot: provider obligations. If you use a vendor chatbot: deployer obligations.
PROVIDER
No EU AI Act obligations if output affects only UK persons. UK GDPR Article 22 and FCA guidance apply.
PROVIDER
Annex III 5(a) — consumer creditworthiness AI is high-risk. Full provider obligations. EU authorized representative required.
DEPLOYER
No EU AI Act high-risk obligations if hiring decisions affect only UK employees. UK Equality Act and UK GDPR still apply.
PROVIDER (UK parent) + DEPLOYER (EU entity)
EU subsidiary faces full deployer obligations for HR AI under Annex III. UK parent faces provider obligations for systems it developed and deployed group-wide.
PROVIDER
If building high-risk AI: Annex IV documentation, conformity assessment, CE marking, EU database registration, and EU authorized representative required before launch in EU.
DEPLOYER
If outputs affect only UK employees with no EU-facing decisions, EU AI Act likely does not apply. Article 4 AI literacy equivalent is a UK GDPR/ICO expectation. Check whether any use case crosses into EU territory.
UK businesses with EU-facing AI face both the EU AI Act and UK-specific obligations. These frameworks run in parallel — EU AI Act compliance for EU-facing activity, UK frameworks for UK-facing activity.
UK GDPR (the retained EU GDPR, now the UK GDPR under the Data Protection Act 2018) continues to apply to UK businesses. Article 22 of UK GDPR gives UK data subjects rights against automated individual decision-making — the same right that exists in EU GDPR, and that the EU AI Act builds upon for deployers. A UK business with UK customers still faces UK GDPR Article 22 obligations; a UK business with EU customers faces EU GDPR Article 22 plus the EU AI Act obligations simultaneously.
The UK Government's AI Regulation Policy Paper (March 2023) and subsequent policy established a "pro-innovation" approach: no single binding AI law, instead principles applied by existing regulators through existing powers. DSIT, the ICO, the FCA, CMA, and sector regulators each apply AI governance within their existing remit. This approach was still non-binding as of mid-2026 — the UK had not passed a statutory AI Act equivalent. UK businesses should not assume this means they have no AI obligations: UK GDPR, sector regulation, and the EU AI Act (for EU-facing products) all still apply.
The UK ICO has published substantial guidance on AI and data protection, including guidance on explaining AI decisions, AI auditing, and AI fairness. This guidance is not legally binding in the same way the EU AI Act is, but it indicates how the ICO will interpret UK GDPR obligations in an AI context. UK businesses already following ICO AI guidance have a head-start on the documentation and transparency elements of the EU AI Act.
The FCA has published a Discussion Paper (DP 5/22) and supervisory statements on AI in financial services. FCA principles on governance, explainability, and fair treatment of customers align with EU AI Act obligations for financial services AI. UK-regulated financial services firms dealing with EU customers or operating in EU markets face both FCA expectations and EU AI Act obligations.
AI systems used in employment, credit, or access to services in the UK are subject to the Equality Act 2010. If an AI system discriminates (directly or indirectly) on the basis of a protected characteristic, it can constitute unlawful discrimination regardless of the EU AI Act. This is a domestic UK obligation that runs in parallel with EU AI Act anti-bias requirements for high-risk systems — and the Equality Act applies to UK-only businesses as much as EU-facing ones.
Map your AI systems by territory
For every AI system you use or have built, determine: (a) is it used by or for EU customers or EU-based employees? (b) does its output inform decisions about EU individuals? If yes to either, it falls within the EU AI Act's territorial scope for those activities.
Classify each EU-facing system
Use the risk classifier to determine whether each EU-facing system is prohibited, high-risk, limited-risk, or minimal-risk. This determines which obligations apply. Most UK businesses will find their AI is minimal-risk (Article 4 literacy + Article 50 transparency only) — but any system touching employment, credit, healthcare, or education decisions warrants careful review.
Determine your role: provider, deployer, or both
For each EU-facing high-risk AI system: did you build it? If yes, you are a provider. Do you use it but did not build it? You are a deployer. Many UK businesses are deployers of third-party AI (using vendor platforms) — their obligations are lighter than providers, but still mandatory.
Appoint an EU authorized representative if you are a provider of high-risk AI
If you have built a high-risk AI system and place it on the EU market, you must appoint an EU authorized representative under Article 22 before August 2, 2026. Engage an EU-established law firm or compliance consultancy that offers this service. The appointment must be in writing and their details must appear in your Annex IV technical documentation.
Implement Article 4 AI literacy and Article 50 transparency disclosures
Even for minimal-risk AI, the EU AI Act requires: staff who use AI have sufficient AI literacy (Article 4, in force since February 2025) and any customer-facing chatbots identify as AI (Article 50, from August 2, 2026). These apply to your EU-facing activities regardless of risk level.
Yes — for UK businesses that place AI systems on the EU market or whose AI system outputs are used within the EU. The EU AI Act has the same extraterritorial design as GDPR: Article 2(1) extends the Act's reach to providers and deployers outside the EU where the AI system is placed on the EU market or its output is used in the EU. A UK company whose AI-powered product is used by EU customers is almost certainly in scope, regardless of where the company is incorporated.
If you are a provider (i.e. you built or substantially modified an AI system) and you place a high-risk AI system on the EU market, yes — you must appoint an EU authorized representative under Article 22. This requirement applies to non-EU providers. If you are only a deployer (you use an AI system built by someone else, without substantially modifying it), you do not need an EU authorized representative, but you still have the Article 26 deployer obligations.
As of mid-2026, no. The UK Government has adopted a "pro-innovation" approach: no single AI law; instead, existing regulators (ICO, FCA, CMA, etc.) apply existing powers to AI within their sectors. DSIT published policy papers and the AI Opportunities Action Plan, but no binding statutory AI Act equivalent had been passed. This means UK businesses with purely UK-facing AI face lighter domestic obligations — but those with EU-facing AI still face the EU AI Act directly.
No. They are separate roles under separate laws. Your GDPR Article 27 representative handles data protection compliance under EU GDPR. Your EU AI Act Article 22 representative handles AI Act compliance. The same organisation can provide both services, but they must be separately appointed and documented for each law. Check with your current EU representative provider whether they also offer EU AI Act representation.
Yes. EU market surveillance authorities have powers under the AI Act to investigate non-compliant AI systems, require documentation from providers and deployers, and restrict or prohibit market access for AI systems that do not comply. Where a UK provider has an EU authorized representative, the representative can be held responsible in the provider's place. For UK providers without an EU representative, authorities may issue market access restrictions — meaning EU importers or distributors of the product could face liability. Enforcement will primarily target high-risk and prohibited systems rather than minimal-risk ones, but the legal powers exist.
Where the AI system is hosted does not determine applicability — the tests are where the system is placed on the market and where its output is used. A UK company whose AI is hosted on an EU server but all of whose customers are UK-based would still likely be outside the EU AI Act's scope for those UK-facing activities. Conversely, a UK company whose AI is hosted in the UK but whose output is used in the EU is still in scope.
If you are a UK-established company and the AI system's outputs are used only for UK decisions, your EU AI Act deployer obligations do not apply (you are not an EU-established deployer and the output is not used in the EU). However, if you use that API to make decisions affecting EU individuals — for example, serving EU customers — the output-use-in-the-EU hook may bring you into scope as a deployer for those activities. Review each use case by where the AI output is acted upon, not where the API is hosted.
No — the answer is to understand your obligations and build a compliance programme, not to withdraw from the EU market. Most UK businesses with EU customers will find their AI use is minimal-risk (Article 50 transparency obligations only, no high-risk obligations). The classifier can help you assess this quickly. Only businesses with genuinely high-risk AI that is not yet compliant should consider whether to delay market entry for new systems — existing products need to be assessed and remediated, not withdrawn.
Use the free EU AI Act risk classifier. Answer 5 questions about your AI system and get a clear classification — Prohibited, High-Risk, Limited Risk, or Minimal Risk — with the specific obligations that apply.
Classify your AI system — free