EU AI Act for UK businesses: does it apply, and ISO 42001
By: Ibrahim Mizi on Apr 06 2026
Does the EU AI Act apply to UK businesses, what to do before 2 August 2026, and how its high-risk duties map onto ISO 42001 governance controls.
OpenKit is a UK AI consulting firm that helps businesses design AI systems and governance that align toward the EU AI Act and ISO 42001. OpenKit holds ISO 27001, ISO 9001, and Cyber Essentials and is GDPR compliant; it is not certified to ISO 42001 and is not an EU AI Act conformity assessor. OpenKit works with clients across the United Kingdom from a base in Cambridge.
The EU AI Act applies to UK businesses more often than people expect. If you place an AI system on the EU market, deploy one inside the EU, or your system’s output is used in the EU, you are in scope under Article 2, no matter where your company is based.[1] Brexit created no exemption, and the trigger is the system’s reach, not your registered address.
This guide is for the founder or operations lead who has to make an AI tool defensible without a legal department behind them. It covers when the Act applies, what to do before 2 August 2026, how its duties map onto the ISO 42001 management standard, and how to run credible governance without a dedicated compliance team.
Last updated 29 May 2026.
One honesty note up front. OpenKit helps clients design systems and governance that align toward the EU AI Act and ISO 42001. We hold ISO 27001, ISO 9001, and Cyber Essentials and are GDPR compliant. We are not certified to ISO 42001, and we are not a notified body or conformity assessor under the Act. Where formal certification or third-party assessment is needed, we point you to accredited bodies and help you arrive ready.
Does the EU AI Act apply to UK businesses?
Often, yes. Article 2 of the EU AI Act sets out extraterritorial scope, and three situations pull a UK company in.[1] You do not need an EU office for any of them to bite.
You are a provider when you developed the AI system and it is placed on the EU market or put into service in the EU, which catches SaaS platforms that EU users can sign up to. You are a deployer when you use an AI system within the EU, even one built elsewhere, which covers UK firms with EU subsidiaries or operations. The broadest trigger is the third: your system’s output is used in the EU, so a model whose results inform decisions about people in the EU is in scope even if you never targeted that market.
The working test is simple. Does your AI system affect anyone in the EU? If the answer is yes, or even maybe, assume you are in scope and plan from there. Finding out after enforcement starts is the expensive way to learn it.
What must be in place by 2 August 2026?
The Act rolls out in phases, and 2 August 2026 is the date most high-risk obligations become enforceable for providers and deployers.[2] By then a high-risk system needs a quality management system, technical documentation, a completed conformity assessment, EU database registration where required, and a working post-market monitoring plan. The earlier phases have already landed: prohibited practices since 2 February 2025, and general-purpose AI model duties since 2 August 2025.[2]
One caveat worth stating plainly. The European Commission has proposed a Digital Omnibus package that would adjust some timing for high-risk systems, and that process is still moving through the EU legislative institutions.[3] The substance of the obligations is settled; what is in flux is the exact date. The responsible plan is to prepare as if 2 August 2026 holds. If the timeline slips, you have built the infrastructure early. If it does not, you are not scrambling.
How does the EU AI Act map to ISO 42001?
ISO/IEC 42001 is the international management system standard for artificial intelligence, published in December 2023.[4] It is not the same thing as the EU AI Act: the Act is law with conformity assessments and penalties, while ISO 42001 is a voluntary standard you can be certified against by an accredited body. They fit together well, though. An AI management system built to ISO 42001 produces most of the operational evidence the Act asks for, so you are documenting once and using it twice.
The table below maps the Act’s main high-risk duties onto the ISO 42001 clauses and Annex A controls that do similar work. It is a planning aid, not a legal equivalence; ISO 42001 certification does not satisfy the Act’s conformity assessment, and the Act reaches obligations ISO 42001 does not, such as EU database registration.
| EU AI Act duty (high-risk) | ISO 42001 area that supports it | Gap the standard does not close |
|---|---|---|
| Risk management system (Art. 9) | AI risk assessment and treatment, plus the AI policy and objectives in the management system clauses. | Mapping each risk to the Act’s specific high-risk requirements is still your legal interpretation. |
| Quality management system (Art. 17) | The management system itself: documented policy, roles, lifecycle procedures, and continual improvement. | The Act prescribes specific QMS contents for high-risk systems beyond the generic structure. |
| Technical documentation (Art. 11) | AI system lifecycle, data management, and documented information controls in Annex A. | Article 11 lists mandatory contents; you must check your documentation covers each one. |
| Data and data governance (Art. 10) | Data management controls covering provenance, quality, and preparation across the lifecycle. | Specific training, validation, and test-data quality criteria sit in the Act, not the standard. |
| Human oversight (Art. 14) | Operational controls and impact assessment that require oversight to be designed in. | The Act specifies override and intervention capabilities you must build and evidence. |
| Post-market monitoring (Art. 72) | Performance monitoring, internal audit, and management review of the AI system over time. | The Act adds incident reporting to market surveillance authorities on top of monitoring. |
| Conformity assessment and registration | Certification readiness: the standard gets your evidence into auditable shape. | The legal conformity assessment, CE marking, and EU database entry are separate and mandatory. |
The honest read of that table: an ISO 42001 management system carries most of the operational weight, but it does not make you EU AI Act compliant on its own. You still owe the legal conformity assessment and registration, and you still have to check your evidence against the Act’s article-by-article contents.
A UK-operator action checklist
If you are a UK business that may be in scope, the work breaks into seven concrete steps. None of them requires a last-minute rush if you start now, and the early ones cost time rather than money.
- Build an AI system inventory. List every AI system you build, deploy, or use, with what it does, what data it touches, who uses the output, and which jurisdictions that output reaches.
- Classify each system by risk tier. Prohibited, high-risk, limited, or minimal. Pay particular attention to hiring, credit, insurance, education, and access-to-essential-services use cases, which are where Annex III bites for most companies.[1]
- Map data flows end to end for anything high-risk. Collection, preparation, training, inference, output, and retention. This doubles as GDPR data-mapping evidence the ICO already expects.[5]
- Design human oversight that works. Operators who understand the system, can evaluate its output, and have real authority to override or stop it. A confirm button nobody questions does not count.
- Start the technical documentation now. System purpose, model and design rationale, training-data characteristics and limitations, test results, and a change log. Retrofitting this six weeks before a deadline does not work.
- Name one governance owner. A single accountable person who maintains the inventory and classifications, coordinates documentation, and tracks regulatory change. It is the cheapest step here and the one that stops the rest from drifting.
- Confirm transparency duties for limited-risk systems. Chatbots, AI-generated content, and similar tools mainly owe disclosure to users, which is lighter but still mandatory.
Governance without a dedicated compliance team
Most UK SMEs reading this do not have a compliance department, and they do not need one to be defensible. AI governance at this size is mostly engineering discipline written down: a current inventory, an honest risk classification, documented oversight for anything that affects people, and one named owner who keeps it true. You can run all of that on existing tools without hiring a single specialist.
What a small team usually lacks is not capability but pattern recognition. The conformity assessment process borrows from EU product safety frameworks used for medical devices and machinery, so teams that have never touched that world spend longer than they should working out what assessors actually look for. That is the part where an outside perspective earns its keep, and it is bounded work rather than an open-ended retainer.
OpenKit works with UK businesses on AI governance and compliance, including risk classification, documentation frameworks, and the oversight architecture that makes a system defensible rather than performative. We hold ISO 27001, ISO 9001, and Cyber Essentials and are GDPR compliant, which gives us a working foundation in governance, and we are direct about what those certifications cover and what they do not. We help clients design toward the EU AI Act and ISO 42001; we do not hold ISO 42001 and we are not a conformity assessor, so for formal certification we get you ready and hand you to an accredited body.
If you are earlier in your AI journey and still working out where AI fits, our AI consulting work starts with the strategic questions before implementation, and for organisations weighing data sovereignty as part of compliance, our private AI deployment work covers the infrastructure side.
Frequently asked questions
Does the EU AI Act apply to UK businesses?
Often, yes. The Act has extraterritorial reach. If you place an AI system on the EU market, deploy one inside the EU, or your system's output is used in the EU, you are in scope regardless of where your company is based. Brexit created no exemption.
What do UK businesses need to do before 2 August 2026?
Inventory your AI systems, classify each by risk tier, and start the documentation, human oversight, and monitoring work for anything high-risk. The substantive obligations are settled even though the exact deadline may move, so the safe plan is to prepare as if 2 August 2026 holds.
How does the EU AI Act map to ISO 42001?
ISO 42001 is the AI management system standard. Its clauses on AI policy, risk assessment, impact assessment, lifecycle controls, and monitoring line up closely with the Act's quality management, risk management, and post-market monitoring duties. Building an ISO 42001 system gives you most of the operational evidence the Act asks for, though not the legal conformity assessment itself.
Can you do AI governance without a dedicated compliance team?
Yes. A small business does not need a compliance department to be defensible. It needs one named owner, a current AI system inventory, a risk classification for each system, and documented human oversight for anything that affects people. Most of this is engineering discipline written down, not legal headcount.
Is OpenKit certified to ISO 42001 or an EU AI Act certifier?
No. OpenKit holds ISO 27001, ISO 9001, Cyber Essentials, and is GDPR compliant. OpenKit is not certified to ISO 42001 and is not a notified body or conformity assessor under the EU AI Act. We help clients design systems and governance that align toward those standards, then point you to accredited bodies for formal certification or assessment.
Does ISO 27001 cover the EU AI Act?
Partly. ISO 27001 governs information security and overlaps with the Act on risk management, documented procedures, and monitoring. It does not address AI-specific duties such as conformity assessment, model and training-data documentation, human oversight design, or bias testing. Treat it as a foundation, not a full answer.
What are the penalties under the EU AI Act?
Up to 35 million euros or 7% of global annual turnover, whichever is higher, for the most serious breaches such as prohibited practices, with lower bands for other infringements. The figures track the EU AI Act text and apply to providers and deployers in scope.
References
- European Union. (2024). Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), accessed on 29 May 2026, https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- European Commission. AI Act implementation timeline, accessed on 29 May 2026, https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- European Commission. (2025). Digital Omnibus, accessed on 29 May 2026, https://digital-strategy.ec.europa.eu/en/policies/digital-omnibus
- International Organization for Standardization. (2023). ISO/IEC 42001:2023 Artificial intelligence management system, accessed on 29 May 2026, https://www.iso.org/standard/42001
- Information Commissioner’s Office. Guidance on AI and data protection, accessed on 29 May 2026, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/