AI governance

The EU AI Act: a readiness guide for UK organisations

A plain-English walkthrough of the EU AI Act: the timeline, who is actually in scope (including UK organisations serving EU users), and a practical four-step path to audit-ready AI governance before the August 2026 high-risk deadline.

By the Threat Protect editorial team | 9 min read | Updated 6 June 2026

The EU AI Act is the first broad law setting rules for how artificial intelligence is built and used, and it is phasing in now. For most organisations the question is not whether AI matters to them, it already does, but whether their use of it will stand up to a new set of obligations. This guide sets out what the Act is, who it catches, and a calm, practical path to readiness before the headline deadline in August 2026.

A risk-based law, not a blanket ban

The Act takes a risk-based approach, which is the single most useful thing to understand about it.

A small number of AI uses are prohibited outright. A defined set are treated as high-risk and carry real obligations: risk management, technical documentation, human oversight, record-keeping and more. Most everyday uses are limited or minimal risk and carry lighter duties, mainly about being transparent that AI is in use.

So the practical question for most organisations is narrow and answerable: where are we already using AI, and does any of it fall into the high-risk category? Answer that early and the rest becomes a manageable programme rather than a last-minute scramble.

The timeline

The obligations do not all land at once. The dates that matter:

  • February 2025: prohibited practices take effect, alongside a duty to ensure staff working with AI have adequate AI literacy.
  • August 2025: governance and transparency obligations begin for general-purpose AI models.
  • August 2026: the core obligations for high-risk AI systems apply. This is the headline date for most organisations.
  • August 2027: high-risk obligations extend to AI embedded in products already covered by EU product-safety law.

The work to prepare for August 2026 is not a two-week job, which is exactly why starting now matters. Preparation in good time is far cheaper than retrofitting governance, documentation and evidence under deadline.

Are you in scope? UK organisations included

A common and costly assumption is that a UK base puts you out of reach. It does not. The Act has extraterritorial effect: if your AI affects people in the EU, or its output is used there, you can be in scope.

Three rough lenses help:

  • If you build or sell AI, you may be a provider, with the heaviest obligations.
  • If you use AI in your operations or decisions, you may be a deployer, with duties around human oversight and appropriate use.
  • If you serve the EU, your UK registration is not an exemption. This is a UK question too.

Most organisations are deployers rather than providers, which is good news: the deployer obligations are real but more contained. The risk is not knowing which AI uses you have, or which of them are high-risk.

A four-step path to readiness

We help clients prepare through the same continuous-compliance engine and certified assessment partners that handle their other frameworks. The shape of the work is consistent.

1. Discover

Find where AI is already used across the business, including shadow AI: tools that teams have adopted without going through procurement. You cannot govern what you cannot see, and discovery almost always surfaces more than leadership expects. This step turns the Act from an abstract worry into a concrete, sized list.

2. Classify

Work out which uses are likely high-risk and which fall outside scope, so effort goes where the obligations actually are. Most uses will not be high-risk; confirming that is as valuable as finding the ones that are.

3. Govern

Stand up an AI management system. ISO 42001, the AI Management System standard, maps neatly here and shares the ISO 27001 structure, so if you already run an information security management system much of the groundwork carries over. Put a named owner in place, a clear acceptable-use policy, and human oversight with a route to handle errors and complaints.

4. Evidence

Produce the documentation, oversight records and decision logs the Act expects, and keep them current rather than reconstructing them before an assessment. Continuous compliance is what keeps readiness from decaying the moment the project ends.

A clear word on what readiness is, and isn't

We help you build audit-ready AI governance and prepare for the EU AI Act. ISO 42001 is a management-system standard and a strong commercial signal that procurement increasingly expects. It is not, on its own, legal compliance with the Act, and we do not present it as such. Where you need a formal legal view on scope or obligations, we will say so and point you to it. Our job is to get the governance, documentation and evidence into good shape so that whatever the legal position, you can demonstrate you took it seriously and acted in good time.

Where to start

If you do one thing this quarter, run a discovery exercise and a quick scope assessment. The fastest way to begin is the EU AI Act readiness check: eight questions, an honest read on your scope and gaps, and a clear next step. When you want to turn that into a plan, book a call and we will map a calm, costed path to readiness well ahead of August 2026.

Frequently asked

Questions readers ask before getting in touch.

  • It can. The Act has extraterritorial reach: if your AI system affects people in the EU, or its output is used in the EU, you can be in scope even with no EU establishment. A UK base is not an automatic exemption. The practical test is where your AI is used and who it affects, not where your company is registered. If you serve EU customers or users, treat the Act as a UK question too.

Talk to us

Want to talk through how this applies to your company?

A 30-minute call with a senior advisor. No pitch. We will read your situation against what is in this piece and tell you the smallest sensible next step.