EU AI Act for UK Business: Plain-English Timeline
Does the EU AI Act apply to your UK business? A plain-English timeline of AI rules from 2023 to 2025, plus a five-question compliance checklist.
Does the EU AI Act apply to your UK business? Probably not directly, but you are almost certainly already accountable for what your AI does under existing UK law. If you run a small or mid-sized UK company that uses AI tools, even just a chatbot or a writing assistant, this is the post that tells you where you actually stand. By the end you will know which rules touch you, which do not, and the five questions that turn AI governance from a worry into a quick, honest exercise. We are a Manchester technology business that advises and builds AI systems for UK small businesses, so this is the conversation we have with clients every week.
Read on, and you can skip the hundred-page policy.
How did AI go from principles to enforceable law?
AI regulation moved from voluntary principles to binding law in under three years, faster than almost any other part of the technology. For the first year after ChatGPT launched, it was a talking point. By 2025 it was a compliance deadline with real dates attached.
Here is the timeline in plain English.
| Date | Milestone | Who it affects |
|---|---|---|
| November 2023 | Bletchley Declaration: 28 governments agree frontier AI carries risks worth coordinating on | Frontier AI labs and governments; no binding rules yet |
| May 2024 | Seoul commitments: leading labs sign specific frontier-safety commitments (testing, risk thresholds, published frameworks) | The major AI model makers; voluntary but named obligations |
| August 2024 | EU AI Act enters into force: the first large-scale, binding AI law in a major market | Providers and deployers of AI, including some outside the EU |
| February 2025 | EU AI Act: bans on prohibited practices apply (social scoring, certain biometric uses) | Anyone placing such systems on the EU market |
| August 2025 | EU AI Act: obligations for general-purpose AI (GPAI) models apply | Makers of general-purpose models, and the firms that rely on them |
The Bletchley Declaration in November 2023 was the first time governments agreed, together, that frontier AI was worth coordinating on. It set no rules, but it started the international safety-summit cycle that continues today.
Between those two moments, the United States took a framework route rather than a statutory one. A White House executive order pushed safety-testing and reporting expectations onto the labs, and a shared risk-management vocabulary emerged for American organisations. It was guidance rather than statute, but it shaped procurement language everywhere, including here, because the documents vendors produce to satisfy one market tend to travel.
The Seoul commitments in May 2024 took the next step. The leading labs signed up to specific testing regimes, risk thresholds and published safety frameworks. Still voluntary, but a clear shift from vague principles to named obligations.
Then the EU AI Act entered into force in August 2024. It is the big one: the first large-scale, binding legal framework for AI in a major market. Its obligations arrived in stages, with bans on prohibited practices from February 2025 and rules for general-purpose AI models from August 2025. For details straight from the source, the European Commission’s AI Act pages set out the structure and timeline.
”I’m a UK business: does any of this apply to me?”
Most UK small businesses have no direct EU AI Act obligations, but “it’s EU law” is not the same as “it’s not your problem”. The UK has so far chosen regulator-led guidance over copying the Act, yet three things still reach you.
First, if you sell into the EU, or your AI system’s outputs are used in the EU, the Act can apply to you directly. Like GDPR before it, it reaches beyond the EU’s borders.
Second, if you use AI suppliers, and almost every business now does, knowingly or not, their compliance posture becomes part of your supply chain. The Act’s obligations on model providers are a big reason every serious vendor now publishes usage policies and documentation.
Third, if you process personal data with AI, UK GDPR already applies. The ICO has been explicit that “the AI did it” is not a defence. You remain accountable for automated decisions about people.
So what does this mean for you? For most small and mid-sized UK businesses, the honest summary is this: you are unlikely to have direct AI Act obligations, but you are already accountable for what your AI does, under data protection, consumer protection and plain old contract law. For the current state of UK policy, GOV.UK is the canonical reference.
What does sensible AI governance actually look like for an SME?
Sensible AI governance for an SME is not a hundred-page policy. It is five questions answered honestly.
- Inventory: what AI is actually in use in your business, including the tools employees adopted without asking?
- Data flow: what information goes into each tool, and where does it physically go? This is where the open-weight versus closed model choice becomes a compliance lever, not just a technical one.
- Human oversight: for decisions that affect customers or staff, where does a person check the output?
- Disclosure: do customers know when they are talking to an AI? Our own chatbot says so in its first message; it costs nothing and builds trust.
- Supplier diligence: for each AI vendor, where is data processed, is it used for training, and what do they document?
A business that can answer those five has done more genuine AI governance than most. It has also positioned regulation as a trust asset rather than a threat. Done well, “we use AI responsibly and can show you how” wins deals.
How do the AI labs fit into this picture?
The labs now formalise their own safety practice, and buyers have started to check it. Published system cards, responsible-scaling policies and external red-teaming have become standard alongside the law.
That changes procurement. Enterprise AI evaluations now routinely cover prompt-injection resistance, tool-call safety and data handling, not just whether the model is clever. When you assess a supplier, those are fair questions to ask, and good vendors expect them.
If automation is also on your agenda, our guide to what AI automation can actually do pairs well with this one, and the rise of AI agents explains why oversight matters more as systems start to act, not just answer.
The honest bottom line
Most UK small businesses are not in scope for the EU AI Act directly, but every one of them is already accountable for what its AI does. The five-question checklist above is the practical floor, and for most firms it is enough to be both compliant and credible.
If you would like a second pair of eyes on it, this is bread-and-butter work for our business consulting service: a free consultation, a straight answer on your exposure, and no hundred-page report.
Frequently asked questions
Does the EU AI Act apply to my UK business?
Usually not directly, but it can. The Act reaches UK firms that sell into the EU or whose AI outputs are used there, much like GDPR. You are also already accountable for your AI under UK data protection and consumer law.
When did the EU AI Act come into force?
The EU AI Act entered into force in August 2024. Its rules arrive in stages: bans on prohibited practices applied from February 2025, and obligations for general-purpose AI models applied from August 2025.
Is the UK following the EU AI Act?
No. The UK has so far chosen a regulator-led approach rather than copying the EU AI Act. Existing UK regulators, including the ICO, apply current law such as UK GDPR to AI rather than a single new AI statute.
Do I need to tell customers when they are talking to AI?
It is strong practice and increasingly expected. Clear disclosure builds trust and costs nothing. Our own chatbot states it is AI in its first message. For some EU use cases, transparency to users is also a direct legal requirement.
What is the simplest way to start AI compliance?
Make an inventory. List every AI tool actually in use, including ones staff adopted without asking. Then map what data goes into each one and where it goes. Those two steps alone put you ahead of most small businesses.
Can I blame my AI supplier if something goes wrong?
No. The ICO has been explicit that 'the AI did it' is not a defence. You remain accountable for automated decisions about people. Your supplier's compliance matters, but responsibility for outcomes stays with your business.