Compliance & governance
The EU AI Act for UK SMEs: what to actually do in 2026
It applies to UK firms, the fines are real, and 2026 is the prep year, not the panic year. Here is the short version, and the two documents every business needs.
June 2026 · 7 min read
The short version
- It can apply to UK firms, not just EU ones, if your AI touches people in the EU.
- 2026 is the year to get your governance in order, not the year to panic.
- You need two things: an AI register and a one-page AI policy.
The EU AI Act sounds like someone else’s problem, a Brussels rule for big tech. For a lot of UK businesses, it isn’t. If your business uses AI in a way that touches people in the EU, whether that’s customers, candidates or suppliers, it can reach you, wherever you’re based.
Does it actually apply to us?
Often, yes. The Act has extraterritorial scope: it covers any organisation that develops, deploys or uses AI affecting individuals in the EU. A UK firm with EU clients, EU staff or an EU-facing product is in scope. Most small businesses won’t be running “high-risk” systems, but almost everyone is a deployer of AI now, and deployers have obligations too.
What’s the timeline?
The genuinely banned uses (things like social scoring and manipulative AI) have already been off the table since early 2025. The heavier obligations for high-risk systems phase in over the following years. The practical takeaway: treat 2026 as the year you get your house in order, not the year nothing happens. Compliance here is an ongoing habit, not a one-off project.
What happens if we ignore it?
The headline penalties are large, up to €35 million or 7% of global turnover for the most serious breaches. SMEs are not the primary target of enforcement, but “we didn’t know it applied to us” is not a defence, and clients in regulated sectors increasingly ask suppliers to show their AI is governed.
And the UK’s own rules?
The UK has deliberately not passed a single AI law. Instead it asks existing regulators to apply existing rules to AI in their patch. In practice:
- ICO / UK GDPR: the same data-protection duties, now applied to what you feed into AI tools.
- FCA: if you sell to UK retail consumers, Consumer Duty plus the FCA’s AI guidance shape pricing, advice and outcomes.
- SRA: for law firms, client confidentiality under Rule 6 still applies when an AI vendor processes client data.
The two documents you actually need
Almost every framework, EU or UK, comes back to the same two artefacts:
- An AI register: one living list of every AI tool the business uses, who uses it, and what data goes in.
- An AI policy: plain rules for staff on which tools are permitted, what data can and can’t go in, and when a human must review the output before it’s used.
Where to start this quarter
- List the AI tools already in use (you’ll find more than you expect).
- Decide what client or personal data may never be pasted into a public tool.
- Write the one-page policy. Name the approved tools. Name a human reviewer for anything client-facing.
- Put a date in the diary to review it; the rules and the models will both move.
None of this needs a consultant’s deck or a six-figure programme. It needs someone to own it, write it down, and keep it current. That is exactly what a fractional Head of AI does, and it is the first thing our 90-minute audit leaves you with. The whole game is simple: governance that lets you use AI confidently, not paralysis that stops you using it at all.
Frequently asked
Does the EU AI Act apply to UK businesses?
Often, yes. It has extraterritorial scope: if your AI affects people in the EU (customers, candidates or suppliers), it can apply regardless of where you are based.
What is the deadline for the EU AI Act?
Banned uses have applied since early 2025; the heavier high-risk obligations phase in over the following years. Treat 2026 as the year to get your governance in order, not the year nothing happens.
What are the penalties?
Up to €35 million or 7% of global turnover for the most serious breaches. SMEs are not the main enforcement target, but "we did not know" is not a defence.
What do we actually need to do first?
Two things: an AI register (a living list of every AI tool you use and what data goes in) and a one-page AI policy (which tools are allowed, what data can go in, and when a human must review).
Want this sorted, properly?
Our 90-minute audit leaves you with a one-page action list: three things AI should be doing, what it will cost and what it will save. Keep the report either way.