Where are you operating from?
UK alone does not trigger EU AI Act duties.
This hub is built for practical shipping teams: verified timeline milestones, role-based obligation mapping, and explicit scope logic so UK organisations are not incorrectly treated as EU-only unless EU market triggers apply.
UK alone does not trigger EU AI Act duties.
If Yes, obligations can apply even from outside the EU.
Role changes the action checklist.
When uncertain, start at limited and test scenarios.
A Yes here can push you into high-risk controls.
Timeline-sensitive obligations are date-dependent.
Timeline stage: Phase 2 — GPAI & governance live · main deadline 2 Aug 2026 ahead · EU applicability: unlikely · 18 days to 2 Aug 2026
Chapter I and II application milestone: prohibited practices and AI literacy duties started applying.
Chapter V (GPAI), governance blocks, penalties sections, and Article 78 confidentiality milestone.
Article 113 main application date for remaining obligations, except specified carve-outs.
Article 6(1) and linked obligations apply from this date under Article 113(c).
AI-based manipulation or deception that causes harm.
Exploiting age, disability, or social/economic situation to cause harm.
Evaluating people over time based on social behaviour or personal traits.
Assessing or predicting an individual's risk of committing a crime based on profiling alone.
Scraping the internet or CCTV to build or expand facial recognition databases.
Inferring emotions in workplaces and education institutions (safety/medical exceptions aside).
Deducing protected characteristics (race, beliefs, orientation) from biometric data.
Live remote biometric identification by law enforcement in public spaces (narrow exceptions).
Adequate risk assessment and mitigation systems across the lifecycle.
High-quality datasets to minimise risks of discriminatory outcomes.
Activity logging that makes results traceable.
Detailed documentation for authorities to assess compliance.
Clear, adequate information to the deployer.
Appropriate human oversight measures built into operation.
High levels of robustness, cybersecurity and accuracy.
of global annual turnover — whichever is higher (Art. 99)
providers, deployers, importers, distributors, notified bodies (Art. 99)
supplying wrong information in response to requests (Art. 99)
fines imposed by the Commission (Art. 101)
Not automatically — the UK is not in the EU. But the Act has extraterritorial reach: it can apply to a UK firm that places AI systems or GPAI models on the EU market, puts them into service in the EU, or where the system's output is used in the EU. UK-only operations follow the UK framework instead (principles-based regulator guidance, UK GDPR, sector rules).
Under Article 113, the remainder of the AI Act starts to apply — including high-risk obligations under Annex III and the Article 50 transparency duties. Carve-outs remain: Article 6(1) product-safety classification obligations apply from 2 August 2027.
Up to €35 million or 7% of global annual turnover (whichever is higher) for prohibited-practice violations; up to €15M or 3% for most other obligations; up to €7.5M or 1% for supplying incorrect information. For SMEs and startups, the lower of the two amounts applies.
Eight practices have been prohibited since 2 February 2025 — including harmful manipulation, social scoring, untargeted facial-image scraping, emotion recognition in workplaces and schools, and real-time remote biometric identification for law enforcement (narrow exceptions).
Yes. Obligations for general-purpose AI model providers (Chapter V) have applied since 2 August 2025 — transparency, documentation and copyright-related duties, plus extra requirements for models with systemic risk. Models placed on the market before that date have until 2 August 2027 to comply.
No. It is compliance intelligence for engineering and product teams — a structured triage layer. For conformity declarations, filings, and legal sign-off, involve qualified counsel and verify against the official EUR-Lex text.