EU AI Act 2026: What UK Businesses Need To Know Before August

AI is already part of how many businesses work. It helps write content, analyse data, support customer service, manage recruitment, summarise documents, create images, build workflows and make faster decisions.

For most small businesses, AI has arrived through everyday tools rather than one big transformation project. You might be using ChatGPT, Microsoft Copilot, Canva AI, CRM automation, website chatbots, scheduling tools, social media planners or recruitment software without thinking of them as “AI systems”. That is exactly why the EU AI Act matters.

Even though the UK is no longer part of the EU, some UK businesses will still be affected by the EU AI Act if they sell into the EU, serve EU customers, use AI systems that affect people in the EU, or work with EU-based clients and suppliers.

The key date many businesses are looking at is August 2026. More specifically, the main application date of the EU AI Act is 2 August 2026, although parts of the Act have already started to apply and some obligations are being phased in over a longer period.

This blog explains what UK businesses need to know, what is changing, and how to start getting your AI use in order without overcomplicating it.

What is the EU AI Act?

The EU AI Act is the European Union’s legal framework for artificial intelligence.

Its purpose is to regulate AI based on risk. That means the law does not treat every AI tool in the same way.

A simple AI writing assistant does not carry the same risk as an AI system used to assess job applicants, make credit decisions, support medical diagnosis or influence access to public services.

The Act separates AI systems into different risk levels:

• unacceptable risk

• high risk

• limited risk

• minimal risk

The higher the risk, the greater the legal responsibilities.

For most small businesses, the main point is not panic. It is awareness.

You need to know:

• where AI is being used in your business

• what type of AI tools you rely on

• whether those tools affect customers, employees, candidates or the public

• whether your business has links to the EU market

• what documentation, transparency and human oversight may be needed

Does the EU AI Act apply to UK businesses?

In some cases, yes.

A UK business may fall within scope of the EU AI Act if it:

• places an AI system on the EU market

• provides AI-enabled services to customers in the EU

• uses AI systems where the output affects people in the EU

• works with EU organisations that require suppliers to follow EU AI standards

• operates software, platforms or products used by EU-based users

• uses AI in recruitment, assessment, customer scoring or decision-making linked to EU individuals

This is where many UK businesses can get caught out.

The question is not, “Are we based in the EU?”

A better question is, “Could our AI use affect someone in the EU, or are we selling AI-related services into the EU market?”

If the answer is yes, the EU AI Act may be relevant to your business.

What changes in August 2026?

The EU AI Act is being introduced in stages. Some requirements have already started. For example, rules around prohibited AI practices and AI literacy began in February 2025. Rules for general-purpose AI models started applying from August 2025.

The next major date is 2 August 2026, when wider parts of the Act are due to apply and become enforceable.

This includes requirements connected to areas such as:

• transparency

• governance

• regulatory oversight

• responsibilities for providers and deployers of AI systems

• certain rules linked to high-risk AI systems

However, there is an extra layer you need to be aware of. In 2026, EU institutions reached political agreement on simplification measures which may delay some high-risk AI obligations.

This means businesses should not rely on one headline date alone. The exact position can depend on the type of AI system, how it is used and whether it falls into specific high-risk categories.

For UK businesses, the practical message is simple.

Do not wait until the last minute.

Even where certain dates move, the direction is clear. AI use is becoming more regulated, more documented and more accountable.

What counts as high-risk AI?

High-risk AI is one of the biggest areas for businesses to understand.

High-risk does not mean “AI that feels advanced”. It means AI used in areas where it could significantly affect people’s rights, safety, opportunities or access to services.

Examples can include AI used in:

• recruitment and candidate screening

• employee monitoring or performance assessment

• education and training decisions

• credit scoring or financial access

• access to public services

• law enforcement

• migration and border control

• medical devices or health-related assessment

• critical infrastructure

For small businesses, recruitment is one of the most relevant examples.

If you use AI to filter CVs, rank applicants, score interview responses or assess suitability for a role, that could bring greater responsibilities.

The same applies if you use AI to make decisions about customers, clients, eligibility, pricing or risk. Something I see often is businesses assuming AI compliance is only an issue for software companies. That is not the case. If you use AI in a way that affects real people, you need to understand your responsibilities.

What about everyday AI tools like ChatGPT, Copilot, Claude and Canva?

Most everyday AI tools will not automatically make your business high-risk.

Using AI to draft a social media caption, summarise meeting notes or brainstorm blog ideas is very different from using AI to decide who gets a job interview.

That said, low-risk AI use still needs common sense.

For example, you should think about:

• what information you are putting into AI tools

• whether personal data is being shared

• whether confidential business information is being uploaded

• whether AI-generated content is checked before publication

• whether customers know when they are speaking to a chatbot

• whether staff understand how to use AI responsibly

In most cases, small businesses do not need a complicated AI policy, but they do need a clear one.

A simple internal AI policy can cover:

• which AI tools are approved

• what staff can and cannot enter into those tools

• when human review is needed

• how AI-generated content should be checked

• how customer data should be protected

• who is responsible for reviewing AI use

That is a good starting point for UK GDPR as well as AI governance.

AI literacy matters

One part of the EU AI Act that businesses should not overlook is AI literacy.

AI literacy means people using or overseeing AI systems need enough understanding to use them properly.

That does not mean everyone needs to become a technical expert.

It means staff should understand:

• what AI can and cannot do

• where AI can make mistakes

• how to check outputs

• when not to use AI

• what data should not be entered

• when human judgement is needed

This matters because many AI risks come from overconfidence.

AI can sound certain when it is wrong. It can produce biased outputs. It can miss context. It can make content look polished even when the thinking behind it is weak.

Training your team on practical AI use is one of the simplest ways to reduce risk.

What UK businesses should do now

The best first step is to map where AI is already being used. You do not need to make this complicated.

Create a basic AI register with:

• the name of the AI tool

• what it is used for

• who uses it

• what data goes into it

• whether it affects customers, staff or candidates

• whether it connects to EU customers or users

• who checks the output

• whether there is a supplier policy or data processing agreement

This gives you a clearer picture of your actual risk.

Then review each use case.

Ask:

• Is this AI being used for content, admin or productivity?

• Is it being used to support a human decision?

• Is it making or heavily influencing a decision?

• Could the decision affect someone’s rights, opportunities, finances or access to services?

• Is personal data involved?

• Are EU customers, users or employees affected?

The answers will help you work out where more control is needed.

Practical steps for small businesses

Here is a sensible starting point.

1. List the AI tools you use

Include the obvious ones and the hidden ones.

This might include:

• ChatGPT

• Microsoft Copilot

• Claude

• Google Gemini

• Canva AI

• CRM automation

• email marketing tools

• website chatbots

• analytics tools

• recruitment platforms

• call transcription tools

• social media scheduling tools

AI is often built into tools you already use, so check your existing software as well.

2. Decide what is approved

Your team should know which tools are allowed for business use.

This helps avoid staff using random free tools with customer data, business plans, financial details or confidential documents.

3. Create simple rules for data

This is one of the biggest areas of risk.

Set clear rules around:

• customer data

• employee data

• financial information

• login details

• contracts

• confidential documents

• sensitive personal data

A practical rule for most small businesses is: if you would not put it in a public document, do not put it into an AI tool unless you fully understand how that tool handles the data.

4. Keep humans involved

AI should support decision-making, not quietly replace judgement in areas that affect people.

This is especially relevant for recruitment, customer assessment, complaints, pricing, eligibility and staff management.

Human review should be part of the process.

5. Check supplier terms

If you use AI tools provided by third parties, look at their policies.

Check:

• where data is processed

• whether data is used for training

• what security measures are in place

• whether there is a data processing agreement

• what support they provide for EU AI Act compliance

• what documentation they can give you

This becomes more important if you are using AI in client delivery or customer-facing processes.

6. Train your team

AI training does not need to be long or technical.

A useful session could cover:

• what AI tools the business uses

• what staff can use them for

• what they should avoid

• how to check AI outputs

• how to protect data

• what to do if something feels risky

This is practical AI literacy.

The link between the EU AI Act and UK GDPR

The EU AI Act is not the only thing UK businesses need to think about.

If AI uses personal data, UK GDPR still applies.

That means you need to think about:

• lawful basis

• transparency

• fairness

• data minimisation

• accuracy

• security

• people’s rights

• automated decision-making

For example, using AI to help write a blog post may involve very little personal data risk.

Using AI to analyse customer behaviour, assess staff performance or screen candidates is different.

The risk is not the tool itself. It is how you use it.

Why this matters for trust

AI compliance can sound dry, but at its heart this is about trust.

• Customers want to know their data is handled properly.

• Staff want to know AI is not being used unfairly.

• Clients want to know suppliers are using AI responsibly.

• Business owners want to use AI without creating avoidable problems later.

What tends to work well is a calm, practical approach.

• You do not need to ban AI.

• You do not need to write a 40-page policy before anyone can use it.

• You do need to understand where AI sits in your business, what risks it creates and what rules you need around it.

A simple AI readiness checklist

Use this as a starting point:

• We know which AI tools are being used in the business

• We know which tools are approved

• We have clear rules on what data can and cannot be entered into AI tools

• We understand whether any AI use affects EU customers, users or staff

• We know whether AI is used in recruitment, scoring, assessment or decision-making

• We review AI outputs before using them

• We have a simple internal AI policy

• We have trained staff on responsible AI use

• We check supplier terms before using new AI tools

• We keep records of higher-risk AI use

If you cannot tick these yet, that is not a disaster.

It simply shows where to start.

Final thoughts

The EU AI Act is another sign that AI is moving from “try it and see” into a more mature phase.

For UK businesses, the main point is not fear. It is preparation. If you use AI for basic content, admin and productivity, your next step is likely to be simple policies, data rules and staff training.

If you use AI to assess people, rank people, make decisions or support regulated services, you need to look more carefully at whether high-risk rules may apply.

AI can still save time and improve how businesses work.

But the businesses that will benefit most are the ones that use it with clear thinking, human judgement and proper boundaries.

FAQs

Further Reading

This blog was informed by current guidance and updates from the European Commission, the European AI Office, the Council of the European Union and the UK Information Commissioner’s Office.

ICO guidance hub on artificial intelligence and data protection.

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/

European Commission AI Act overview and application timeline.

https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

EU AI Act Service Desk implementation timeline.

https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act

Council of the European Union update on AI Act simplification agreement, published 7 May 2026.

https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/

European Commission page on AI Act standardisation and the latest proposed high-risk application dates.

https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation

European Commission high-risk AI classification guidance.

https://digital-strategy.ec.europa.eu/en/policies/guidelines-ai-high-risk-systems

Need a smarter way to keep your business visible on LinkedIn? I rate ContentSwarm* — and you can save 20% on your subscription with the code GEMMA.

Thinking about introducing AI Tools to your business but not sure where to start? I can help! Just book a slot with me here and let's have a chat.

Let me be your Virtual Digital & Marketing Support, helping your business with website updates, social media content creation & getting found online for the products/services you offer.

If you’re looking for help or support for a marketing project to help your business grow by improving your online presence, please check out the Digital Marketing Services I Provide.

Not sure or want to have a chat about this in more detail then please Contact Me directly.

Are you looking to upskill and learn more about AI, Business Analysis, Data Protection?

Check out these Online Courses now.