The EU AI Act: What UK Businesses Need to Know Before August 2026

12 May 2026

The EU AI Act — the world's first comprehensive legal framework for artificial intelligence — entered into force in August 2024. Most of its major obligations kick in on 2 August 2026. That's less than three months away, and for many businesses the level of preparation is not where it needs to be.

This post explains what the Act requires, why it matters to UK businesses despite Brexit, and what practical steps you should be taking right now.

What Is the EU AI Act?

The EU AI Act applies a risk-based framework to AI systems — classifying them by the potential harm they can cause and imposing requirements accordingly.

There are four risk tiers:

Unacceptable risk — prohibited outright. This includes AI used for social scoring, real-time biometric surveillance in public spaces, and systems that exploit vulnerabilities to manipulate behaviour.

High risk — heavily regulated. AI used in employment decisions, credit scoring, recruitment screening, critical infrastructure, law enforcement, education, and healthcare falls here. Providers and deployers of high-risk AI face the most significant obligations.

Limited risk — lighter transparency requirements. Chatbots must disclose they are AI. Deepfake content must be labelled.

Minimal risk — no specific obligations. Most AI tools businesses use daily fall here.

Why Does It Apply to UK Businesses?

Brexit does not create a firewall. Like GDPR before it, the EU AI Act has extraterritorial reach — it applies wherever the output of an AI system affects people in the EU.

If any of the following apply to your business, the Act is likely relevant to you:

  • You have customers, clients, or end users based in the EU
  • You have EU employees or HR processes that affect EU-based staff
  • You are a subsidiary of an EU company, or work within EU supply chains
  • You deploy AI tools that make or influence decisions about EU individuals

For many UK businesses, at least one of these will be true — particularly those in professional services, technology, logistics, financial services, or any sector with international reach.

What the August 2026 Deadline Actually Means

The August 2026 date is when obligations for high-risk AI systems and general-purpose AI (GPAI) models take full effect. This is the main compliance deadline.

Most SMBs will not be building AI — they will be deploying AI tools built by others (Microsoft, Google, Salesforce, and similar). As a deployer, your obligations are less onerous than those of the provider, but they are real:

  • Use AI systems only for their intended purpose, within the provider's instructions
  • Maintain human oversight over AI-assisted decisions — a human must be able to review, correct, or override AI outputs
  • Inform employees when AI is used in decisions that affect them, including performance monitoring, task allocation, or recruitment
  • Keep logs of AI system use where required
  • Conduct a Fundamental Rights Impact Assessment if you are a public body, or a private organisation deploying high-risk AI affecting EU individuals

The key question for most businesses is: what AI are we actually using, and does any of it fall into the high-risk category?

The Hidden AI Problem

This is where many businesses have a blind spot. When asked "do you use AI?", the instinctive answer is often "just Copilot" or "not really." In practice, AI is embedded in far more tools than most people realise.

AI is already present in:

  • Microsoft 365 — Copilot, Viva Insights, Smart Compose, spam filtering, meeting summaries
  • HR and recruitment platforms — CV screening, candidate ranking, performance analytics
  • CRM and sales tools — lead scoring, churn prediction, next-best-action recommendations
  • Customer service software — chatbots, ticket routing, sentiment analysis
  • Accounting and finance tools — anomaly detection, forecasting
  • Cybersecurity platforms — threat detection, behavioural analysis

Before you can assess your compliance position, you need a complete picture of every AI system your business uses — not just the ones you consciously chose.

What Good Preparation Looks Like

1. Conduct an AI audit

Map every AI system in use across your business: what it does, who uses it, what data it processes, and what decisions it influences. This is the foundation of everything else.

2. Classify your AI use cases by risk

Once you have your inventory, assess each use case against the Act's risk tiers. Most will be minimal risk. Some — particularly anything that influences employment, access to services, or customer decisions — may warrant closer scrutiny.

3. Get your data in order

High-quality, well-governed data is both a compliance requirement for high-risk AI and a practical prerequisite for AI that actually works. If you cannot answer basic questions about where your data lives, who has access to it, and how it is classified, that needs to be addressed before you can deploy AI responsibly. This is especially relevant for businesses using Microsoft Copilot, which surfaces content from across your Microsoft 365 environment.

4. Establish human oversight processes

For any AI-assisted decisions — particularly those affecting employees or customers — document how a human can review, challenge, or override the output. This does not need to be complex, but it does need to be deliberate.

5. Create an AI acceptable use policy

Your staff need to understand what AI tools are approved for use, what they are not, and how to use them appropriately. A written policy also demonstrates to regulators and customers that you are taking the issue seriously.

6. Review your supplier agreements

If you are using third-party AI systems, check what your vendors are doing to comply with the Act. Providers of high-risk AI have significant obligations — it is reasonable to ask for evidence of compliance.

A Note on Microsoft Copilot

Many of our customers have already adopted or are considering Microsoft 365 Copilot. As a Microsoft Partner, we want to be clear about where responsibility sits.

Microsoft, as the AI provider, is responsible for ensuring Copilot and the underlying Azure OpenAI models meet the Act's requirements at the model level. However, as a deployer, your business is still responsible for:

  • How Copilot is configured (what data it can access, who can use it)
  • Ensuring sensitive data is appropriately labelled and restricted before Copilot can surface it
  • Maintaining appropriate human oversight of Copilot-generated outputs
  • Communicating to staff how and where Copilot is being used

Getting the foundation right — data governance, sensitivity labels, access controls via Microsoft Purview — is essential before Copilot can be deployed responsibly and compliantly.

How MJM Technology Can Help

The EU AI Act is not a reason to avoid AI — it is a framework for using it responsibly. Businesses that get ahead of compliance now will be better placed to adopt AI confidently as the technology continues to develop.

We can help your business with:

  • AI audit and inventory — identifying every AI system in use and assessing its risk classification
  • Microsoft 365 data governance — configuring sensitivity labels, access controls, and Purview to create a secure foundation for Copilot and other AI tools
  • AI readiness assessment — reviewing your current position against the Act's requirements and producing a prioritised action plan
  • Policy development — creating an AI acceptable use policy tailored to your business
  • Ongoing advisory — as the regulatory landscape evolves, keeping you informed and compliant

The August 2026 deadline will arrive quickly. If you have not yet started thinking about this, now is the right time.

Get in touch to arrange a no-obligation conversation about AI Act readiness for your business.
