Many UK businesses assumed Brexit created a clear regulatory separation from European law.The expectation was straightforward: EU regulations would apply inside the EU, and UK businesses would operate under domestic rules, guided by UK regulators and UK legislation.However, the introduction of the EU AI Act has proven that assumption incorrect.
The EU AI Act Has No Borders
The EU AI Act is not limited by geography in the traditional sense of regulatory law.If an AI system is placed on the EU market, or if its outputs are used within the European Union, the Act applies — regardless of where the company is based.
This means that UK-based companies are still fully in scope if they:
- Provide AI systems used by EU residents
- Offer hiring tools screening EU candidates
- Operate credit scoring systems involving EU applicants
- Run customer service AI systems interacting with EU users
In effect, Brexit does not create exemption from AI regulation exposure.The EU adopted this approach deliberately, following the same extraterritorial design logic used in the GDPR framework.
Designed After the GDPR Model
The architects of the EU AI Act learned directly from the implementation of the GDPR.Rather than limiting enforcement to EU-based entities, they extended regulatory reach to any organisation whose technology affects EU citizens or markets.
This principle is simple but powerful:
Regulation follows data and impact, not company headquarters.
As a result, incorporation location is no longer the defining factor. User location and system output determine regulatory scope.
The Enforcement Timeline Is Fixed
The EU AI Act is already in motion, with full applicability for most obligations expected on 2 August 2026.From that date, the framework transitions from legislation to enforceable regulatory reality.
Non-compliance with high-risk obligations may result in penalties of up to:
- €35 million, or
- 7% of global annual turnover
whichever is higher.The European Commission has also indicated there are no current plans to delay or extend this timeline.
What the Act Requires
The EU AI Act introduces different obligations depending on system classification.
General-Purpose AI Models
Providers of foundation or general-purpose AI models must:
- Maintain detailed technical documentation
- Provide information to downstream AI system integrators
- Ensure compliance with EU copyright law
- Publish summaries of training data sources
These requirements apply regardless of the provider’s location.
High-Risk AI Systems
Systems used in areas such as:
- Recruitment and employment screening
- Credit scoring and financial decision-making
- Education and assessment tools
- Healthcare diagnostics
- Critical infrastructure
are subject to stricter obligations, including:
- Conformity assessments before deployment
- Human oversight mechanisms
- Continuous monitoring after deployment
- Full documentation and auditability
These are not optional standards — they are legal requirements.
The UK Regulatory Gap Does Not Provide Protection
The UK currently has no equivalent comprehensive AI statute comparable to the EU AI Act.However, this absence does not reduce compliance obligations for companies operating across both markets.UK businesses serving EU users must comply with EU requirements in addition to any domestic UK regulatory frameworks.
This creates a dual compliance environment:
- UK sector-based AI governance
- EU-wide binding AI legislation
Both apply simultaneously where applicable.
What This Means for Law Firms
For legal advisors and law firms, the implications are immediate.Any client developing, deploying, or integrating AI systems that interact with EU users must undergo structured scope assessment.The key legal question is no longer whether the EU AI Act applies.
It is whether the organisation can demonstrate:
- Awareness of applicability
- Proper documentation of compliance scope
- Implementation of required controls
This reflects a shift from theoretical compliance to evidential compliance.
The GDPR Precedent
The GDPR demonstrated how extraterritorial regulation functions in practice.Enforcement was not limited by geography. It was driven by impact.The EU AI Act follows the same principle — but with broader scope, higher penalties, and more technical obligations.In this sense, it is often described as:
The GDPR for artificial intelligence.
Conclusion
Brexit did not remove UK businesses from European regulatory influence in the field of AI.Instead, the EU AI Act extends compliance obligations across borders, focusing on where AI systems are used rather than where companies are located.With the enforcement deadline of 2 August 2026 approaching, businesses are already operating within the compliance window.For law firms and corporate legal teams, the priority is no longer preparation.It is execution.
