The EU AI Act and you: what UK businesses need to know

The EU AI Act is the world's most ambitious AI regulation. It applies in the EU. The UK is not in the EU. So why does it matter for a business in North Wales?

The honest answer is: usually it does not, but in some cases it does. This article sets out the cases.

The basics

The EU AI Act is a risk-based regulation. It sorts AI uses into four categories:

• Prohibited. Social scoring of citizens, manipulative subliminal techniques, real-time biometric ID by police in public spaces (with exceptions). Banned outright.
• High-risk. AI in critical infrastructure, education, employment decisions, law enforcement, border control. Heavy compliance requirements.
• Limited risk. Things like chatbots, deepfakes, AI-generated content. Transparency obligations - users must be told they are interacting with AI.
• Minimal risk. Everything else - spam filters, AI in video games, most office productivity AI. Essentially no regulation.

Most North Wales SMEs using AI fall into the bottom two categories. Almost no one is operating high-risk or prohibited AI systems.

When the EU AI Act applies to a UK business

The Act has extraterritorial reach in three specific cases:

1. You sell AI products or services into the EU. If you build an AI tool or product and offer it to EU customers, the Act applies to that product, regardless of where you are based.

2. The output of your AI system is used in the EU. If you operate an AI system from the UK that produces output used by people in the EU, the Act applies.

3. You are processing data on EU subjects. Less directly Act-related and more GDPR-related, but the two intertwine in practice.

If none of these apply to your business, the EU AI Act has no direct legal effect on you. Most North Wales SMEs - serving local UK customers, using mainstream AI tools - sit outside its reach.

Why you should care anyway

Three reasons even UK-only SMEs should pay attention.

1. Your suppliers are subject to it. ChatGPT, Claude, Gemini and most other AI tools are global products. Their providers comply with the EU AI Act. That means the way these tools behave - what they will and will not do, the disclosures they make - is shaped by EU rules. You inherit those defaults whether you are in the EU or not.

2. The UK will likely follow with similar rules. The UK government has signalled a "lighter touch" AI regulation approach but has also confirmed it will introduce some form of statutory regulation. The shape will likely look more like the EU AI Act than not.

3. The transparency obligations are good practice anyway. "Tell users they are interacting with AI" is a sensible discipline regardless of the law. Adopting these habits now means no scramble when UK rules arrive.

What this means in practice

For most North Wales SMEs, three concrete actions are sensible.

Transparency. If your business uses AI to interact with customers - chatbot, AI-drafted emails, AI-generated content - be transparent. You do not necessarily have to name the tool, but if asked whether AI is involved, the honest answer should be obvious. The AI policy template covers this.

Avoid the high-risk categories. Do not use AI to make automated decisions that significantly affect people without human review. Hiring decisions, loan approvals, insurance assessments, performance management. These cross from "limited risk" to "high risk" quickly. The data privacy guide covers the related GDPR Article 22 point.

AI-generated content disclosure. If you publish AI-generated images, videos or audio that could mislead, label them. The EU AI Act requires this for deepfakes; common sense requires it for any case where authenticity matters.

If you do sell into the EU

If your business has EU customers, the Act may apply to specific AI systems you operate. The compliance requirements depend on the risk level of those systems.

For most SMEs even with EU customers, the requirements amount to: documentation, transparency, monitoring. None of it is impossible, but it is real work and worth scoping properly.

If you are in this situation, get specific legal advice. The Act is detailed, and the conformity assessment for high-risk systems in particular is not something to navigate without a specialist.

The UK angle

The UK government published its AI Regulation White Paper in 2023 and committed to a sector-led, principles-based approach rather than a single AI Act. Five principles - safety, transparency, fairness, accountability, contestability - are being applied through existing regulators (ICO for data, FCA for financial services, MHRA for healthcare, etc).

What this means in practice for North Wales SMEs: your existing regulator will tell you the AI rules for your sector. The ICO has been particularly active with practical guidance. Watch their output if you are in any data-handling work.

A statutory UK AI Act has not yet been introduced as of writing. The likely shape is closer to the EU model than the original "principles only" plan, but the timing is unclear.

The honest summary

For most North Wales SMEs in 2026, the EU AI Act is background context rather than active compliance. The behaviours it requires - transparency, no fully-automated decisions about people, label deepfakes - are sensible practice regardless. The ICO's position on AI is the more directly relevant rule book.

If you are selling AI products into the EU, building a chatbot for an EU audience, or operating in any high-risk sector, take specific legal advice. For everyone else, adopt good habits now and watch the UK regulatory space.

If you would like to walk through what compliance currently looks like for your specific business, that is what a discovery call is for.