EU AI Act Compliance for UK SMEs: A Director’s 2026 Checklist

Last updated: 10 June 2026

The EU AI Act applies to a surprising number of UK SMEs, and 2 August 2026 is the date on which the bulk of its day-to-day obligations switch on. If you sell into the EU, host EU users, or supply AI-enabled products to manufacturers on the continent, you are almost certainly in scope — Brexit does not exempt you. With the 2026 AI Omnibus political agreement pushing the deadline for stand-alone high-risk AI systems back to 2 December 2027 and embedded products to 2 August 2028, UK directors now have a short but realistic window to put the right governance in place before enforcement bites.

This is a director-level checklist, not a legal opinion. Use it to scope a board conversation, allocate ownership, and decide whether you need outside help — particularly in the manufacturing supply chain, where the AI Act overlaps with existing CE-marking and machinery safety regimes.

Why the EU AI Act applies to UK businesses

The AI Act has extraterritorial scope, modelled on GDPR. Under Article 2, a UK business falls into scope if any of the following are true (European Commission AI Act framework, EU):

  • You place an AI system or general-purpose AI (GPAI) model on the EU market, regardless of where you are established
  • You are a deployer of an AI system and are established or located in the EU (including EU subsidiaries or sales offices)
  • You are based outside the EU but the output of your AI system is used in the EU
  • You import, distribute or integrate AI systems into products sold in the EU
  • You are a UK manufacturer embedding AI components into machinery, medical devices, vehicles or other regulated products sold into the bloc

In practice, that captures most UK exporters using AI in customer-facing tools, recruitment software, fraud detection, predictive maintenance, manufacturing quality control, MedTech, or any CV-screening or HR analytics tool used across an EU workforce.

The 2026 timeline UK directors need to plan against

The Act entered into force on 1 August 2024 and switches on in stages. The 2026 picture, after the AI Omnibus political agreement of spring 2026, looks like this (EU AI Act Implementation Timeline):

  • 2 February 2025 (already live): Prohibited AI practices banned. AI literacy obligation applies to all providers and deployers.
  • 2 August 2025 (already live): Governance rules and GPAI model obligations apply.
  • 2 August 2026: Article 50 transparency obligations, chatbot disclosure, deepfake/synthetic content labelling, AI literacy enforcement, penalties regime fully operational. Member States must have an AI regulatory sandbox running.
  • 2 December 2026: Generative AI systems already on the market before 2 August 2026 must comply with Article 50(2) watermarking by this date (four-month grace period).
  • 2 December 2027: Stand-alone high-risk AI systems (Annex III — biometrics, employment, education, critical infrastructure, etc.) become subject to full HRAIS obligations. Pushed back from the original August 2026 date by the AI Omnibus agreement (Latham & Watkins AI Act update, May 2026).
  • 2 August 2028: AI systems embedded as safety components in regulated products (Annex I — machinery, medical devices, lifts, toys, in-vitro diagnostics) become subject to full HRAIS obligations.

A crucial detail in the transitional regime: systems already on the EU market before their respective application date only fall under HRAIS obligations if they undergo a substantial design change after that date (Stibbe AI Act briefing). Manufacturers shipping AI-enabled machinery before 2 August 2028 therefore have an incentive to lock product designs ahead of that date.

The four risk tiers — and where most UK SMEs sit

The Act sorts AI systems into four risk categories, with obligations scaling sharply with risk:

  • Unacceptable risk (prohibited). Social scoring, real-time biometric identification in public spaces, manipulative AI exploiting vulnerabilities. Already banned since February 2025.
  • High-risk. Annex III standalone systems (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice) and Annex I AI embedded in regulated products. Subject to the full HRAIS obligations from 2027–28.
  • Limited risk. Chatbots, emotion recognition, deepfakes, AI-generated synthetic content. Subject to transparency obligations under Article 50 from August 2026.
  • Minimal risk. Everything else — spam filters, AI-powered video games, basic recommendation engines. No specific obligations beyond voluntary codes of conduct.

Most UK SMEs find that the bulk of their AI footprint is minimal-risk, with one or two systems in the limited-risk tier and — if they touch HR, recruitment, manufacturing or regulated products — a small number in the high-risk tier. The director’s job is not to memorise the Act but to make sure someone has been through the inventory.

High-risk obligations in plain English

If even one of your systems is high-risk, the Act imposes a recognisable quality-management discipline: risk management, data governance, technical documentation, record-keeping, transparency to users, human oversight, accuracy, robustness, and cybersecurity. Providers must register the system in the EU AI database, run a conformity assessment (self-assessment for most, third-party for the highest-risk), and appoint an authorised representative in the EU if they are not established there (Article 22, EU AI Act).

Deployers — the organisation actually using the system in operations — have a lighter but still substantial set of duties: implementing the human oversight measures the provider specifies, monitoring performance, logging incidents, running fundamental rights impact assessments where required, and ensuring staff have sufficient AI literacy.

If you are a UK manufacturer embedding a defect-detection vision system into a CNC line that is then sold into Germany, you are simultaneously a provider (you put the integrated machine on the EU market) and a deployer of the underlying AI system. The compliance burden sits with you, not your AI vendor.

The penalties — and why SMEs get a discount

The penalties regime is heavier than GDPR at the top end (Article 99, EU AI Act):

  • Prohibited AI practices: up to €35 million or 7% of total worldwide annual turnover, whichever is higher
  • Most other violations (high-risk obligations, transparency breaches): up to €15 million or 3% of worldwide turnover
  • Providing incorrect or misleading information to authorities or notified bodies: up to €7.5 million or 1% of worldwide turnover
  • GPAI model providers face separate fines up to €15 million or 3% of worldwide turnover under Article 101

Crucially, for SMEs (including start-ups), the fine is the _lower_ of the percentage and the cash amount, not the higher. Practically this caps SME exposure significantly, but it does not remove reputational and contractual risk — a public enforcement action against a UK manufacturer will surface in every tender response and acquisition data room for years.

Where fractional IT leadership fits in

Most UK SMEs do not have an in-house AI governance lead, a Chief AI Officer or a dedicated MLOps function. The work usually lands on an over-stretched IT manager, a head of operations, or — worst case — a junior compliance officer copying templates from the internet. That is how organisations end up with shadow AI deployments, missing technical documentation and unverified vendor claims.

A fractional IT director with manufacturing and regulated-products experience can absorb this workstream in 1–3 days a month:

  • Stand up an AI register covering every AI system in use across the business, mapped to provider/deployer status and risk tier
  • Run a gap assessment against high-risk obligations for systems heading into Annex III or Annex I territory
  • Set vendor due-diligence standards so new AI tools cannot be procured without conformity documentation
  • Build an AI literacy programme for staff using AI in operations
  • Co-ordinate with the company’s legal advisers on EU authorised representative arrangements

For UK manufacturers specifically, the AI Act sits on top of existing CE marking, the Machinery Regulation and sector-specific safety regimes. A specialist manufacturing IT consultancy like Bailey & Associates brings the OT/IT integration depth — PLC, SCADA, MES, MOM — that pure governance consultancies typically lack. Our fractional IT directors routinely partner with sector specialists of that kind so manufacturers get both board-level governance and shop-floor execution.

A practical 90-day plan for the boardroom

If your last AI-readiness conversation was a slide in a 2025 board pack and nothing has happened since, here is a defensible 90-day plan that lands you safely on the August 2026 transparency deadline:

  1. Days 1–30: Inventory and triage. Build a single register of every AI system in use, in development, or embedded in product. Classify by risk tier. Identify which systems are likely to be high-risk under Annex I or Annex III.
  2. Days 31–60: Gap assessment and ownership. Map each obligation to a named owner. For limited-risk systems, design and roll out the Article 50 transparency disclosures (chatbot notices, deepfake labels, AI-content watermarking). For high-risk systems, draft technical documentation and human-oversight procedures even if the formal HRAIS deadline is still 2027 or 2028 — buyers in the EU are already asking.
  3. Days 61–90: Training, vendor due diligence, and board sign-off. Roll out AI literacy training for affected staff (this obligation is already live). Issue an updated AI procurement policy. Bring the board a sign-off pack covering the inventory, the risk classification, the gap-closure plan and any residual risk.

This is the kind of structured, time-boxed programme an experienced fractional director runs in their sleep.

Frequently asked questions

Q: Does the EU AI Act apply to UK companies after Brexit?

A: Yes. The AI Act has extraterritorial scope under Article 2. UK businesses are in scope if they place AI systems on the EU market, supply AI-enabled products to EU customers, or operate AI systems whose outputs are used in the EU — regardless of where the UK business is established.

Q: What is the main EU AI Act compliance deadline for 2026?

A: 2 August 2026 is the headline date. Most remaining obligations apply from that day, including Article 50 transparency obligations, chatbot disclosure, AI literacy enforcement, and the full penalties regime. Generative AI systems already on the market get a four-month watermarking grace period to 2 December 2026.

Q: When do high-risk AI obligations actually apply to UK SMEs?

A: After the AI Omnibus political agreement of spring 2026, obligations for stand-alone high-risk systems under Annex III apply from 2 December 2027, and for AI embedded in regulated products under Annex I from 2 August 2028. Existing systems are grandfathered unless they undergo significant design changes from those dates.

Q: What are the fines for non-compliance with the EU AI Act?

A: Up to €35 million or 7% of worldwide turnover for prohibited practices, €15 million or 3% for most other violations, and €7.5 million or 1% for providing incorrect information to authorities. For SMEs and start-ups, the fine is the lower of the percentage and cash amount.

Q: Do UK manufacturers using AI in machinery need to comply?

A: Yes — and they have the heaviest burden. AI embedded as a safety component in regulated products (machinery, medical devices, lifts, in-vitro diagnostics) is high-risk under Annex I. UK manufacturers exporting AI-enabled products into the EU must meet the full HRAIS regime by 2 August 2028, on top of existing CE marking and sectoral safety legislation.

Ready to put board-level AI governance in place?

Leadership Services places experienced fractional IT directors into UK SMEs and manufacturers within a week, from £1,795 per month, with no long-term tie-ins. If you would like an outside director to own your EU AI Act readiness programme — inventory, gap assessment, vendor due diligence and board sign-off — book a free 30-minute consultation and we will introduce you to the right director for your sector.
