
EU AI Act fines up to €35 million, why UK businesses are already in scope

6 March 2026 | Brett Alegre-Wood | 8 min read

Tags: EU AI Act, AI Compliance 2026, AI Governance UK, High-Risk AI Systems, Extra-Territorial AI Regulation, Brexit AI Regulation, UK Business AI Risk

TL;DR

The EU AI Act becomes enforceable in August 2026 and carries fines of up to €35 million. Brexit provides zero legal protection: the Act's extra-territorial reach applies to any business whose AI systems affect EU citizens, regardless of where the company is registered. The tools most likely to catch you out are not exotic AI products; they are the HR platforms, CRM systems, and marketing automation tools already running in your business. If you have not started a compliance audit, you are already behind.

Does Brexit protect UK businesses from the EU AI Act?

No. This is the most dangerous misconception in circulation right now. The EU AI Act is built on the same extra-territorial principle that made GDPR so disruptive: the law follows the person affected, not the company's registered address.

If your AI system offers goods or services to people in the EU, or if the output of that system is used in the EU, you are in scope. It does not matter that your office is in London, your team is in Leeds, and your servers are in Scotland. If you are using an AI tool to profile a potential customer in Italy, you are on the hook. If your recruitment software automatically rejects a CV from a candidate in Poland, you are liable. If your dynamic pricing algorithm shows a different price to a user in Dublin than to one in Doncaster, you are in the EU's regulatory crosshairs.

Thinking you can ignore this because of Brexit is like standing in the path of a freight train and hoping it will swerve. It won't.

The architects of the AI Act watched how businesses misread GDPR's reach and built an even more explicit jurisdictional framework this time around. Ignorance will not be a defence. The EU has been debating and publicising this Act for years. The expectation from Brussels is that you have been paying attention and preparing.

What is the EU AI Act and when does it bite?

The EU AI Act is a comprehensive, legally binding horizontal law covering all industries and all AI use cases, from recruitment software to dynamic pricing to security cameras. It classifies AI systems into four risk tiers:

  • Unacceptable risk: banned outright
  • High-risk: subject to strict pre-market and ongoing compliance obligations
  • Limited-risk: transparency requirements apply
  • Minimal-risk: largely unregulated

The enforcement deadline for high-risk AI systems is August 2026. Fines reach up to €35 million for the most serious violations. These penalties are deliberately punitive, sized to hurt even large organisations and make examples of non-compliance.

Is your HR software a liability?

Almost certainly. AI-powered applicant tracking systems, the platforms that screen CVs, rank candidates, and conduct initial sentiment analysis on video interviews, are a textbook example of high-risk AI under the Act. Why? Because they have a material impact on a person's ability to earn a livelihood.

Consider a typical scenario. A UK company using a popular cloud-based HR platform receives an application from a software developer in Italy. Her CV is formatted to European standards rather than the UK norm. The AI, trained predominantly on British and American CVs, misinterprets her experience, scores her below the threshold, and automatically moves her to the rejected pile. She never reaches a human reviewer.

When she files a complaint with a European regulator, that regulator demands:

  • A full risk assessment of the HR platform
  • Complete documentation of the algorithm's decision-making process
  • Proof of human oversight

The company merely subscribes to the SaaS platform; it did not build the AI. Under the Act, that does not matter. Liability rests with the deployer. The fact that the vendor has not provided compliance documentation is the deployer's problem to solve, not a defence.

Is your marketing automation putting you at legal risk?

Very likely. AI-powered CRM systems that build customer profiles from browsing history, purchase data, and social media activity, then use those profiles to drive dynamic pricing or personalised targeting, fall squarely into the high-risk category when they affect EU citizens.

A UK e-commerce business using a marketing automation platform to show higher prices to high-value customers in Berlin, because the algorithm has profiled them as having greater willingness to pay, is engaging in potentially discriminatory, opaque, automated decision-making. The AI Act puts strict transparency and fairness requirements on exactly this type of system. If the business cannot explain how its pricing algorithm works and has no governance framework in place, it is in breach.

This is not a futuristic problem. It is happening right now, in thousands of UK businesses. The very engine you have built for growth has become your biggest liability.


What is the UK government actually doing about this?

Not enough. The contrast between the EU's approach and the UK's is stark.

The EU has a single, clear, legally binding horizontal law. It defines terms, categorises risks, sets hard deadlines, and establishes colossal penalties. The message from Brussels is unambiguous: comply, or face the consequences.

The UK has opted for a light-touch framework built on five guiding principles (safety, transparency, fairness, accountability, and contestability), to be interpreted and applied by existing regulators such as the ICO and the FCA. There is no new legislation, no central AI authority, and no new fines. The government's headline response includes a £10 million fund for free training courses to help SMEs upskill and a new website.

It is the equivalent of facing a hurricane with a pamphlet on how to swim.

The UK is an outlier globally. Singapore established its National AI Council years ago and operates a government-led strategy, AI Singapore (AISG), with active co-investment, including a 400% tax deduction for businesses investing in AI development and adoption. Canada, Australia, and China are each developing their own comprehensive AI regulations. The world is moving towards clear, legally binding rules. The UK, in its post-Brexit positioning as agile and un-bureaucratic, has left its own businesses to navigate a global regulatory minefield without a map.

This is not being pro-innovation. It is being pro-ambiguity. Waiting for the UK to legislate is not a strategy. The EU's deadline is fixed.

Why 'we're just an SME' is the most dangerous assumption you can make

The AI Act is not a problem for Google and Microsoft. It is a problem for your business, right now, specifically because of the SaaS tools you are already using.

AI is no longer a standalone technology product; it is a feature. It has been quietly embedded in the accounting, HR, marketing, and logistics platforms that millions of businesses rely on every day. You did not need to buy an AI product to be at risk. You just needed to buy a modern CRM, a modern HR platform, or a modern logistics tool. The vendors of these tools are not always transparent about what is running under the hood.

Run through these questions honestly:

  • Do you use software to filter job applications?
  • Do you use a system that monitors employee performance or productivity?
  • Do you engage in automated customer profiling for marketing or pricing?
  • Do you use AI for credit scoring or fraud detection?
  • Do you operate security cameras that use facial recognition?

If you answered yes to any of these, and you have any connection to the EU market (customers, service users, website visitors), you have a serious, time-sensitive compliance problem. Ignorance is not a defence. Saying you did not know will be about as effective as telling a traffic warden you did not see the double yellow lines.

What does actual compliance look like?

Compliance is not a box-ticking exercise or a one-day training course. It is a complex, resource-intensive project that cuts across your entire organisation. There are four core workstreams:

1. AI Inventory: A full audit of every process, tool, software subscription, and system to identify where and how AI is being used. This requires conversations with every department head: HR, marketing, finance, operations. The right question is not "are you using AI?" It is "does your software automate decisions, rank people, or make predictions?"

2. Risk Assessment: Each identified AI system must be mapped against the EU's detailed criteria to determine its risk classification. The Act provides specific definitions and annexes that must be legally interpreted and applied to your specific use case. Misclassifying a system carries serious consequences.

3. Governance Framework: For every high-risk system, the Act mandates:

  • A risk management system covering the AI's entire lifecycle
  • High-quality, relevant, and unbiased training data
  • Extensive technical documentation that a regulator can fully interpret
  • Robust human oversight mechanisms so automated decisions can be challenged and corrected
  • Appropriate levels of accuracy, robustness, and cybersecurity

Writing two policy documents does not satisfy this. It requires fundamentally re-engineering how you select, deploy, and manage technology.

4. Data Management and Transparency: You must be able to demonstrate to regulators, and in some cases to your customers, exactly how your AI works, what data it uses, and that it is operating fairly. This requires a level of record-keeping and diligence that most SMEs are simply not set up for.

This is a board-level issue. It requires dedicated resources, a clear budget, and expert guidance. Your IT manager cannot handle it in their spare time.

What to do this week

August 2026 sounds distant. It is not. In the context of the work required, it is already close. Start here:

  1. Convene a board-level conversation this week. Frame this as a regulatory risk issue, not an IT project. Assign a named owner with authority and budget.
  2. Start your AI inventory immediately. Email every department head asking: what software do we use that automates decisions, scores people, or personalises content for customers? Compile the full list before anything else.
  3. Assess your EU exposure. Do any of your AI-assisted processes affect people in EU member states (customers, job applicants, website users)? If yes, you are in scope and the clock is already ticking.
  4. Review your vendor agreements. Your SaaS vendors may have EU AI Act compliance documentation. Request it. If they cannot provide it, that is a material risk signal that needs escalating.
  5. Get qualified advice. Risk classification and governance framework obligations require legal and technical expertise. A single misclassification can result in a multi-million euro investigation.
  6. Do not wait for the UK government to act. There is no UK equivalent legislation on the horizon that will shield you from EU enforcement. If you have any EU market exposure, treat the EU AI Act as your governing framework now.

Where to from here

Book a free 60-minute AI audit; we'll explore exactly which workflows are worth augmenting with AI.

Live with passion & AI,

Brett


Frequently asked questions

Does Brexit protect UK businesses from the EU AI Act?

No. The EU AI Act has explicit extra-territorial reach. If your AI system affects people in the EU (customers, job applicants, website visitors), you are in scope regardless of where your company is registered.

What are the maximum fines under the EU AI Act?

Fines reach up to €35 million for the most serious breaches. The penalties are deliberately punitive and sized to make non-compliance an existential business risk, not a manageable overhead.

What counts as a high-risk AI system under the EU AI Act?

Systems with a material impact on people's livelihoods or fundamental rights, including AI-powered CV screening, employee performance monitoring, dynamic pricing algorithms, customer profiling for marketing, credit scoring, and facial recognition security cameras.

When does EU AI Act enforcement start for high-risk AI systems?

August 2026. Given the scale of compliance work required (AI inventory, risk classification, governance framework, documentation), organisations that have not yet started are already significantly behind.

Does the UK have its own equivalent AI law?

No. The UK government has opted for a light-touch framework based on five guiding principles enforced by existing regulators such as the ICO and FCA. There is no new legislation, no central AI authority, and no new fines.

Are SMEs affected by the EU AI Act or is it just for large corporations?

SMEs are directly in scope if they deploy AI systems that affect EU citizens. Liability under the Act rests with the deployer, so if you subscribe to an AI-powered SaaS platform and use it to make decisions affecting EU people, the responsibility is yours, not the software vendor's.

What steps are required to comply with the EU AI Act?

Four core workstreams: a full AI inventory across your organisation; a risk classification assessment for every identified system; a governance framework for any high-risk systems, covering data quality, technical documentation, human oversight, and cybersecurity; and ongoing data management and transparency processes.

About the author
Brett Alegre-Wood

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.
