// Compliance Intelligence Hub

EU AI Act, cross-checked and UK-aware

This hub is built for practical shipping teams: verified timeline milestones, role-based obligation mapping, and explicit scope logic so UK organisations are not incorrectly treated as EU-only unless EU market triggers apply.

Regulation (EU) 2024/1689 awareArticle 113 timeline logicUK jurisdiction guardrailsNot legal advice
4Core timeline milestones surfaced
UK != EUJurisdiction branch is explicit
Role-basedProvider, deployer, importer, distributor checks
Annex III awareHigh-risk gateway is modeled in checker

One-Page Scope Checker (UK-vs-EU first)

1. Jurisdiction2. EU trigger3. Role4. Risk5. Annex III6. Date
1) Jurisdiction

Where are you operating from?

UK alone does not trigger EU AI Act duties.

2) EU market trigger

Placed on EU market / put into service in EU?

If Yes, obligations can apply even from outside the EU.

3) Operator role

Role in value chain

Role changes the action checklist.

4) Risk profile

Primary risk band

When uncertain, start at limited and test scenarios.

5) Annex III signal

Likely Annex III high-risk use case?

A Yes here can push you into high-risk controls.

6) Date context

Assessment date (ISO)

Timeline-sensitive obligations are date-dependent.

EU AI Act likely not directly applicable (UK-only context)

Timeline stage: Phase 2 — GPAI & governance live · main deadline 2 Aug 2026 ahead · EU applicability: unlikely · 18 days to 2 Aug 2026

  1. Document why your offering is UK-only and not placed on the EU market — and that its output is not used in the EU.
  2. Run UK baseline controls: UK GDPR / Data Protection Act 2018, Equality Act 2010, sector rules.
  3. Use ICO AI guidance for accountability, explainability, and DPIA-style risk controls.
  4. Re-run this check if you expand to EU customers — the answer changes the moment you target the EU market.

Why this result

  • Jurisdiction is UK and EU-market trigger is set to No.
  • No current signal of placing system/model on EU market or EU use context.
Compliance intelligence only, not legal advice. Use this as a triage engine, then run legal sign-off for declarations and conformity evidence.

Verified Timeline (Article 113-aligned)

2 Feb 2025

Prohibitions + AI literacy apply

Chapter I and II application milestone: prohibited practices and AI literacy duties started applying.

2 Aug 2025

GPAI + governance blocks apply

Chapter V (GPAI), governance blocks, penalties sections, and Article 78 confidentiality milestone.

2 Aug 2026

Main bulk of AI Act applies

Article 113 main application date for remaining obligations, except specified carve-outs.

2 Aug 2027

Article 6(1) timing milestone

Article 6(1) and linked obligations apply from this date under Article 113(c).

Practical interpretation: August 2026 is the major operational deadline window for many teams, but staged duties started earlier and selected obligations continue to phase in after 2026.

The 8 Prohibited Practices (banned since 2 Feb 2025)

🎭 BANNED

Harmful manipulation & deception

AI-based manipulation or deception that causes harm.

🎯 BANNED

Exploitation of vulnerabilities

Exploiting age, disability, or social/economic situation to cause harm.

📊 BANNED

Social scoring

Evaluating people over time based on social behaviour or personal traits.

🔮 BANNED

Criminal-offence risk prediction

Assessing or predicting an individual's risk of committing a crime based on profiling alone.

📷 BANNED

Untargeted facial-image scraping

Scraping the internet or CCTV to build or expand facial recognition databases.

😐 BANNED

Emotion recognition at work & school

Inferring emotions in workplaces and education institutions (safety/medical exceptions aside).

🧬 BANNED

Biometric categorisation

Deducing protected characteristics (race, beliefs, orientation) from biometric data.

👁️ BANNED

Real-time remote biometric ID

Live remote biometric identification by law enforcement in public spaces (narrow exceptions).

These prohibitions apply to any system reaching the EU market — including from UK or other non-EU providers. The Commission has published guidelines on prohibited practices and on the AI-system definition to support application.

High-Risk Categories (the Annex III gateway)

  • Safety components in critical infrastructure (e.g. transport) where failure endangers life and health
  • Education & vocational training — access to education, exam scoring
  • AI-based safety components of products (e.g. robot-assisted surgery)
  • Employment & worker management — CV-sorting, recruitment tooling
  • Access to essential private & public services (e.g. credit scoring)
  • Remote biometric identification, emotion recognition and biometric categorisation
  • Law enforcement uses that may interfere with fundamental rights (e.g. evidence reliability scoring)
  • Migration, asylum and border control (e.g. automated visa examination)
  • Administration of justice and democratic processes (e.g. preparing court rulings)
If your system lands in one of these areas, the high-risk obligations below apply before it can be placed on the EU market.

High-Risk Obligations (what providers must build)

01

Risk management

Adequate risk assessment and mitigation systems across the lifecycle.

02

Data governance

High-quality datasets to minimise risks of discriminatory outcomes.

03

Logging & traceability

Activity logging that makes results traceable.

04

Technical documentation

Detailed documentation for authorities to assess compliance.

05

Deployer information

Clear, adequate information to the deployer.

06

Human oversight

Appropriate human oversight measures built into operation.

07

Robustness & security

High levels of robustness, cybersecurity and accuracy.

Penalty Ceilings (Articles 99 & 101)

up to €35M or 7%

Prohibited-practice violations

of global annual turnover — whichever is higher (Art. 99)

up to €15M or 3%

Most other obligations

providers, deployers, importers, distributors, notified bodies (Art. 99)

up to €7.5M or 1%

Incorrect / misleading info to authorities

supplying wrong information in response to requests (Art. 99)

up to €15M or 3%

GPAI model providers

fines imposed by the Commission (Art. 101)

For SMEs and startups, each cap applies at whichever of the two amounts is lower. Member States laid down national penalty rules in line with these ceilings.

Transparency Duties (Article 50 — from Aug 2026)

  • Tell people when they interact with an AI system (e.g. chatbots) unless it is obvious
  • Make AI-generated content identifiable — machine-readable marking of synthetic audio, image, video and text
  • Clearly and visibly label deep fakes
  • Label AI-generated text published to inform the public on matters of public interest
  • Inform people exposed to emotion recognition or biometric categorisation systems
The Commission published a Code of Practice on marking and labelling AI-generated content (June 2026) to support these duties — align provenance tooling with it early.

UK vs EU Scope (critical guardrail)

  • Being based in the UK does not automatically place you inside EU-only obligations — the UK is not an EU Member State.
  • The Act has extraterritorial reach (Article 2): it can apply to UK firms that place AI systems/models on the EU market, put them into service in the EU, or whose system output is used in the EU.
  • For UK-only operations, rely on the UK legal stack and regulator guidance (ICO, sector regulators, equality and consumer law) — the UK uses a principles-based approach with no single horizontal AI act.
  • The checker on this page asks jurisdiction and EU-market exposure first to avoid false positives.
This page is compliance intelligence, not formal legal advice. Use it to structure internal decisions, then run legal review for production declarations and conformity documentation.

FAQ

Does the EU AI Act apply to UK companies?

Not automatically — the UK is not in the EU. But the Act has extraterritorial reach: it can apply to a UK firm that places AI systems or GPAI models on the EU market, puts them into service in the EU, or where the system's output is used in the EU. UK-only operations follow the UK framework instead (principles-based regulator guidance, UK GDPR, sector rules).

What happens on 2 August 2026?

Under Article 113, the remainder of the AI Act starts to apply — including high-risk obligations under Annex III and the Article 50 transparency duties. Carve-outs remain: Article 6(1) product-safety classification obligations apply from 2 August 2027.

What are the maximum fines?

Up to €35 million or 7% of global annual turnover (whichever is higher) for prohibited-practice violations; up to €15M or 3% for most other obligations; up to €7.5M or 1% for supplying incorrect information. For SMEs and startups, the lower of the two amounts applies.

Which AI practices are already banned?

Eight practices have been prohibited since 2 February 2025 — including harmful manipulation, social scoring, untargeted facial-image scraping, emotion recognition in workplaces and schools, and real-time remote biometric identification for law enforcement (narrow exceptions).

Do GPAI model rules already apply?

Yes. Obligations for general-purpose AI model providers (Chapter V) have applied since 2 August 2025 — transparency, documentation and copyright-related duties, plus extra requirements for models with systemic risk. Models placed on the market before that date have until 2 August 2027 to comply.

Is this page legal advice?

No. It is compliance intelligence for engineering and product teams — a structured triage layer. For conformity declarations, filings, and legal sign-off, involve qualified counsel and verify against the official EUR-Lex text.

Cross-Fact-Check Sources

Official EU policy page (European Commission)
Risk tiers, the 8 prohibited practices, high-risk categories, transparency timing, GPAI policy context.
Regulation (EU) 2024/1689 — full official text (EUR-Lex)
The binding legal text in all 24 EU languages — the ultimate authority.
AI Act Article 113 explorer (text mapped to OJ version)
Entry into force and staged application dates.
EU AI Act Service Desk (Commission)
Official single information platform for AI Act questions.
UK Government white paper (DSIT)
UK principles-based approach; no single horizontal UK AI Act in that framework.
ICO AI guidance index
UK data protection compliance resources for AI systems.