Hypergility

    The EU AI Act for UK SMEs: What You Actually Need to Do

    Tuli Faas May 9, 2026

    If your product uses AI and the output is consumed by anyone in the EU, the EU AI Act applies to you. It does not matter that you are a UK company, that your servers are in London, or that you have no European customers on the books today. The Act is extraterritorial in the same way GDPR is. The first enforcement deadlines have already passed; the big one for general-purpose and high-risk systems is 2 August 2026.

    The four risk tiers

    • Unacceptable — banned outright (social scoring, real-time biometric ID in public spaces, manipulative systems). Already in force since 2 February 2025.
    • High risk — strict obligations (CV screening, credit scoring, critical infrastructure, medical devices, education scoring). Full compliance by 2 August 2026.
    • Limited risk — transparency obligations only (chatbots, deepfakes, emotion recognition). Article 50 disclosure rules.
    • Minimal risk — most AI products fall here (spam filters, recommendation engines for low-stakes content). No specific obligations.

    How to work out which tier you are in

    Start with the use case, not the technology. A large language model used to summarise meeting notes is minimal risk. The same model used to score job applicants is high risk. The Act regulates outcomes for users, not model architectures. Map every AI feature in your product to a use case, then check Annex III for the high-risk list.

    The 10-step compliance checklist

    • Inventory every AI system in your product, including third-party APIs
    • Classify each by risk tier with a documented rationale
    • For limited-risk systems: add user-facing disclosure ('You are interacting with AI')
    • For high-risk systems: build a risk management system and document it
    • Implement data governance — training data lineage, bias testing, quality checks
    • Produce technical documentation per Annex IV (architecture, training, evaluation)
    • Set up logging so AI outputs can be reconstructed and audited
    • Define human oversight measures appropriate to the use case
    • Run a conformity assessment before placing the system on the EU market
    • Register high-risk systems in the EU database and apply CE marking

    What SMEs often get wrong

    Assuming the model provider has done the work. OpenAI, Anthropic and Google handle their own GPAI obligations. Yours start where their API ends — how you deploy, contextualise and surface the output to a user.

    Treating it as a legal task. The Act requires evidence built into your engineering and product processes: data lineage, evaluations, logging, human-in-the-loop design. Lawyers cannot retrofit this in week 50.

    Ignoring the SME concessions. The Act includes proportionality clauses for SMEs and start-ups, including simplified technical documentation and priority access to regulatory sandboxes. Use them.

    Penalties

    Up to €35m or 7% of global annual turnover for prohibited AI. Up to €15m or 3% for high-risk non-compliance. For an SME, the bigger commercial risk is being de-listed from enterprise procurement processes that now ask the AI Act question on the security questionnaire.

    Hypergility is ISO 42001 certified — the AI we build into client products is governed to the standard enterprise buyers are starting to demand. We do not sell AI Act compliance as a service. We build AI products to it. If that is what you need, talk to us.
