EU AI Act 101 — what UK businesses need to know

The short version

The EU AI Act is the world's first comprehensive law on artificial intelligence. It entered into force on 1 August 2024 and its provisions are being phased in through 2026 and 2027. The Act classifies AI systems into four risk tiers, bans the highest-risk uses outright, and imposes obligations that scale with the risk. UK businesses are in scope if they place AI systems on the EU market, or if they provide or use AI systems whose output is used in the EU, including AI built into products sold to EU customers. Most ordinary UK businesses using ChatGPT-style tools will fall into the lowest-risk tier with minimal obligations. But the minimal tier still has some (the Article 4 duty on every provider and deployer to ensure adequate AI literacy among staff has applied since February 2025), and getting them right is cheap if you know they exist.

What is the EU AI Act?

The EU AI Act is the EU's flagship piece of AI regulation. It was adopted in 2024, entered into force on 1 August of that year, and is being phased in through staggered application dates running into 2027. Day-to-day enforcement sits with national market surveillance authorities in each EU member state; the new European AI Office, part of the European Commission in Brussels, coordinates them and directly supervises providers of general-purpose AI models.

Think of it as GDPR for AI. Same EU regulatory style: a comprehensive horizontal law that classifies what you do, imposes obligations proportionate to the risk you create, and threatens substantial fines (up to €35 million or 7% of global annual turnover for the most serious breaches — even higher percentages than GDPR's 4%).

Unlike GDPR, the EU AI Act has not been domesticated into UK law. The UK has taken a different regulatory approach, relying on existing sector regulators (the ICO, the FCA, the MHRA, etc.) to handle AI issues under their current powers, supplemented by voluntary guidance and codes of practice. The UK government has signalled a more "pro-innovation" stance and may yet legislate its own AI bill, but as of 2026 the EU Act is the main horizontal AI law you might run into.

When does the EU AI Act apply to a UK business?

The Act has extraterritorial scope — meaning it can apply to organisations outside the EU. You are in scope if any of these are true:

  • You are a provider (you develop an AI system and place it on the EU market or put it into service there), wherever you are based
  • You are a deployer (you use an AI system under your own authority, in a professional capacity) and you are located in the EU
  • You are a provider or deployer located outside the EU, but the output your AI system produces is used in the EU
  • You are an importer or distributor that brings AI systems into the EU market

For a typical UK SMB, the most likely route into scope is the third one: you sit outside the EU, but the outputs your AI produces (decisions, documents, responses) are used by or on EU customers. If you have EU customers and you use AI in serving them, assume you are a deployer for the purposes of the Act. Being in scope is not the same as having heavy obligations; what you actually have to do depends on the risk tier of each use.

If you have no EU customers, no EU employees, no EU market presence at all, the Act does not directly apply to you. (UK GDPR still does for UK customers, of course.)

The four risk tiers

The Act's central idea is that not all AI is created equal, and the rules should scale with how much harm a system could cause. Four tiers:

Unacceptable risk
  What it covers: AI uses considered fundamentally incompatible with EU values
  Examples: social scoring (by public bodies or private companies); real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions); untargeted scraping of facial images from the internet or CCTV to build recognition databases; emotion recognition in workplaces or schools; predicting criminal offending based solely on profiling or personality traits
  What's required: banned outright since 2 February 2025

High risk
  What it covers: AI in safety-critical or fundamental-rights-critical contexts: the Annex III use cases, plus AI that is a safety component of products already regulated under EU product law (medical devices, machinery, vehicles)
  Examples: recruitment screening; credit scoring; medical diagnosis; critical infrastructure; education access; law enforcement; migration; administration of justice
  What's required: heavy obligations: conformity assessment, risk management system, technical documentation, human oversight, post-market monitoring, registration in the EU database

Limited risk
  What it covers: AI systems that interact with humans or generate content
  Examples: chatbots, deepfakes, generative AI outputs
  What's required: transparency obligations: tell users they're interacting with AI; label AI-generated content

Minimal risk
  What it covers: everything else
  Examples: spam filters, AI in video games, inventory optimisation, privacy filters
  What's required: no specific obligations beyond voluntary codes of practice (and the general AI literacy duty that applies to all providers and deployers)

Most UK businesses using off-the-shelf AI (ChatGPT, Copilot, Claude, etc.) for ordinary office tasks — drafting emails, summarising documents, generating images for marketing — sit in minimal risk. The obligations are essentially "be sensible".

If you're using AI in any of the high-risk contexts in the table above, you should already be talking to a specialist lawyer because the obligations are extensive and audit-heavy.

What "high-risk" actually means

The eight categories of high-risk AI listed in Annex III of the Act:

  1. Biometrics (remote biometric identification, biometric categorisation by sensitive attributes, emotion recognition)
  2. Critical infrastructure (water, gas, electricity, transport)
  3. Education and vocational training (admissions, scoring, exam supervision)
  4. Employment, workers management and self-employment access (CV scoring, performance evaluation, monitoring)
  5. Essential private and public services and benefits (credit scoring, social security eligibility, emergency response dispatching)
  6. Law enforcement
  7. Migration, asylum and border control
  8. Administration of justice and democratic processes

If your business uses an AI system in any of these contexts, whether building it, selling it, or using it on people in the EU, the high-risk regime applies. The heaviest lift falls on the provider: a quality management system, technical documentation, risk management, data governance, human oversight, accuracy and robustness testing, conformity assessment, registration in the EU database of high-risk AI, and ongoing post-market monitoring. A deployer carries a lighter but still real set of duties: use the system in line with the provider's instructions, assign trained people to oversee it, keep the logs it generates, inform affected workers or individuals, and in some cases (public bodies, and deployers using AI for credit scoring or life and health insurance pricing) carry out a fundamental rights impact assessment before first use.

For the average UK business, the practical question is "could my use of AI accidentally fall into a high-risk category?" The honest answer is: only if you're using AI to make or shape decisions about people in one of those categories. Using ChatGPT to summarise a contract is minimal-risk. Using a CV-scoring AI to filter job applicants in an EU office is high-risk. The line is whether the AI is making decisions about individuals in a way that affects their rights, opportunities, or essential services. One caveat: a use inside an Annex III category can escape the high-risk label where the AI only performs a narrow procedural task, or prepares a human decision without materially influencing it, but that assessment has to be documented, and any profiling of individuals is always high-risk.

What if you only sell to the UK?

If you have no EU customers, no EU employees, no EU market presence, the EU AI Act doesn't directly apply to you. But two things are worth knowing:

  1. The UK is likely to legislate something similar. The UK AI Bill has been in and out of parliamentary discussion since 2023-2024. When it lands, it's likely to take a more "pro-innovation" stance than the EU Act — relying on sector regulators rather than horizontal law — but the underlying risk categories will be recognisable.
  2. UK regulators are using existing powers to address AI risks already. The ICO has issued AI-specific guidance under UK GDPR; the FCA has issued consultation papers on AI in financial services; the Equality and Human Rights Commission has flagged AI bias as an enforcement priority. The EU AI Act gives them a reference point for what "good" looks like, even when they're enforcing UK law.

So even a UK-only business benefits from understanding the EU framework. The categorisations, the transparency obligations, the risk-management discipline — these are likely to appear in UK regulator guidance whether or not we get our own AI Act.

Generative AI and the Act

A separate part of the EU AI Act covers general-purpose AI models, the foundation models behind products like GPT-4, Claude, Gemini and Llama. These obligations, which have applied since August 2025, sit on the model providers (OpenAI, Anthropic, Google, Meta) rather than on you as a user. Provider obligations include:

  • Maintaining technical documentation and supplying information to downstream providers who build products on the model
  • Publishing a sufficiently detailed summary of the content used to train the model
  • Having a policy to comply with EU copyright law, including respecting rights holders' opt-outs from text and data mining
  • For the largest models, those judged to carry systemic risk: model evaluation, adversarial testing, serious-incident reporting and cybersecurity protections

Separately, providers of AI systems that generate synthetic text, images, audio or video must mark that output as AI-generated in a machine-readable way (watermarking or similar).

If you're using a general-purpose AI system in your business, your own obligations are limited mostly to the transparency duties in the limited-risk tier:

  • If you put a chatbot in front of customers, make sure it tells them they are dealing with an AI (the provider has to build this in; you must not strip it out)
  • Label deepfakes: AI-generated or AI-manipulated images, audio or video that could plausibly pass as real
  • Label AI-generated text that you publish to inform the public on matters of public interest, unless a human has reviewed it and taken editorial responsibility
  • If you use emotion recognition or biometric categorisation on people, tell them

These are minimal compared to what the providers have to do, but they're not zero.

How the AI Act interacts with GDPR

The two laws overlap but don't duplicate each other. A simple way to keep them straight:

GDPR
  Cares about: personal data
  Asks: are you handling it lawfully, fairly, and securely?

EU AI Act
  Cares about: AI systems
  Asks: is your AI system safe, transparent, and proportionate to the risk it creates?

An AI system that processes personal data has to comply with both. A typical example: a recruitment AI scoring CVs is high-risk under the AI Act (Annex III category 4: employment) and it processes personal data under GDPR. So it needs:

  • A risk management system, technical documentation, human oversight, registration (AI Act)
  • A lawful basis for processing, transparency, data subject rights, a DPIA (GDPR)

The two regulators sometimes work together. The EU AI Office coordinates with national data protection authorities; in the UK the ICO has been the lead voice on AI even though we're not under the AI Act directly.

How Trinito sits within the Act

For completeness — Trinito's own self-classification under the EU AI Act is minimal risk. We are a privacy-enhancing filter; we make no decisions about individuals; we don't fall into any of the eight Annex III high-risk categories. We've documented our reasoning in our Statement of Applicability on request and we'll revisit the classification when EU implementing acts publish further detail.

For a UK business using Trinito to filter prompts before sending them to a downstream LLM, the picture is similar. Trinito doesn't change your AI Act classification (that is set by what you use the downstream AI for, not by which model or filter sits in the pipeline), but it makes both your GDPR posture and your AI Act transparency posture much easier to evidence. Records of every prompt sent, every redaction applied, every external send: those are exactly the records that an AI Act auditor (or a GDPR auditor) will ask for.

What you actually need to do in 2026

If your business uses AI in any meaningful way, work through this short list:

  1. Identify what AI you use. Make a list: ChatGPT, Copilot, Claude, Gemini, Midjourney, Otter, Notion AI, the AI in your CRM, the AI in your email client. It will be longer than you think.
  2. For each, classify the use case against the four risk tiers. Almost all will be minimal; flag anything that might fall into limited (chatbots, content generation that could be mistaken for human) or, unlikely but worth checking, high-risk.
  3. For limited-risk uses, implement the transparency obligations. Label AI-generated content. Tell users when they're interacting with an AI. Update your privacy notice.
  4. For high-risk uses (rare), engage a specialist lawyer immediately. The obligations are extensive and the deadlines are not flexible.
  5. Update your acceptable-use policy so your team knows what they can and can't do with AI tools, and give them enough AI training to meet the Article 4 literacy duty. Most accidental compliance failures come from staff doing reasonable-seeming things they didn't know were regulated.
  6. For any AI use that processes personal data, do a DPIA under UK GDPR. The EU AI Act doesn't require this directly, but GDPR does.
  7. Have a sensible answer ready when a customer or regulator asks "how do you govern your AI use?". The Act is increasing the rate at which procurement officers, insurers, and journalists ask this.

Further reading

European Commission's official AI Act page: the authoritative source, including the full text, application dates, and FAQ

European AI Office: the new EU body coordinating enforcement

UK ICO guidance on AI and data protection: what UK businesses should do under UK GDPR, which is currently our equivalent regulator focus

Our GDPR explainer: the data protection law that overlaps with the AI Act for any AI processing personal data

Our ISO 27701 explainer: the privacy management standard that evidences GDPR compliance, including for AI use

The one-sentence summary

The EU AI Act is a comprehensive risk-tiered law on AI use that applies to UK businesses with any EU connection; most ordinary office use of AI sits in the minimal-risk tier with light obligations, but anyone deploying AI in employment, credit, education, healthcare or law-enforcement contexts is in heavy-obligation territory and should be talking to a specialist.
