EU AI Act: What It Is and Why It Matters for Your Business

The EU AI Act (Regulation (EU) 2024/1689) is now live, and its reach extends well beyond Europe. For founders and executives building or deploying AI in the UK, the United States or Australia, this regulation is already shaping procurement decisions, enterprise due diligence, and investor expectations.

The gap between perceived and actual readiness is striking. According to Littler's 2025 European Employer Survey, which drew on responses from more than 400 in-house lawyers, HR professionals and business executives across Europe, 80% of employers say they are at least somewhat prepared for the EU AI Act. But of that group, only 40% are conducting training, only 34% are doing internal audits or risk assessments of AI use, only 29% have assigned internal ownership or responsibility for compliance, and only 18% describe their organisations as "very prepared".

The 2 August 2026 deadline, when the main obligations for high-risk AI systems start to apply, is closing fast.

Understanding what the EU AI Act requires, who it applies to, and how it interacts with your local regulatory environment is quickly becoming a core expectation for technology businesses operating at scale.

Here's what you need to know.

We'll cover:

  • What is the EU AI Act?
  • The EU AI Act timeline: where things stand now
  • EU AI Act risk categories explained
  • EU AI Act penalties: what's at stake
  • What the EU AI Act means for UK companies
  • What the EU AI Act means for US companies
  • What the EU AI Act means for Australian companies
  • EU AI Act compliance: where to start

Let's start with the basics of the EU AI Act.

What is the EU AI Act?

The EU AI Act is the world's first comprehensive legal framework governing artificial intelligence. Adopted by the European Parliament and the Council in 2024, it entered into force on 1 August 2024 and applies progressively from 2 February 2025. It establishes a risk-based system for regulating AI: classifying systems by the level of harm they could cause, and imposing obligations accordingly.

The Act applies to any organisation that places an AI system on the EU market or puts one into service within the EU, regardless of where that organisation is based, as well as to providers and deployers located outside the EU where the output produced by their AI system is used in the EU (Article 2). That territorial scope is critical. A SaaS company headquartered in Sydney, a startup operating out of London, or a platform business based in San Francisco can all fall within the Act's reach if their product, or its outputs, are used by customers in Europe.

In that sense, the EU AI Act functions much like the GDPR did for data privacy: it sets a global compliance floor that technology businesses cannot ignore simply because they are not incorporated in Europe.

For a broader view of how AI regulation is developing across jurisdictions, our Global Legal Toolkit for AI covers the key frameworks in detail.

The EU AI Act Timeline: Where Things Stand Now

The Act entered into force in August 2024 and is being implemented in phases:

  • 2 February 2025: Bans on prohibited AI practices (Article 5) took effect, the hardest line in the Act, together with the AI literacy obligation on providers and deployers (Article 4).
  • 2 August 2025: Obligations for providers of general-purpose AI (GPAI) models applied, including technical documentation, information for downstream providers, a copyright policy and a public summary of training content, and, for models with systemic risk, model evaluation, adversarial testing, risk mitigation and incident reporting. The governance framework (including the AI Office) and the general penalties article (Article 99) also applied from this date. Note that the fines regime specific to GPAI model providers (Article 101) does not apply until 2 August 2026.
  • 2 August 2026: The main obligations for high-risk AI systems listed in Annex III apply, covering risk management, data governance, technical documentation, logging, human oversight, conformity assessment and registration in the EU database. The transparency obligations in Article 50 (chatbot disclosure, deepfake labelling) also apply from this date.
  • 2 August 2027: Obligations apply for high-risk AI systems that are safety components of products regulated under the EU harmonisation legislation listed in Annex I (Article 6(1)). GPAI models that were already on the market before 2 August 2025 also have until this date to comply (Article 111(3)).

For most technology businesses, August 2026 is the most operationally significant deadline. Yet the Littler survey found that of the 80% of employers who feel somewhat prepared, the majority have yet to implement foundational compliance steps, and only around a third have conducted internal AI audits or assigned a compliance owner. Feeling ready and being ready are not the same thing.

Preparation that begins under deal or regulatory pressure is rarely preparation done well. The time to establish your position is before those conversations start.

EU AI Act Risk Categories Explained

The EU AI Act organises AI systems into four broad risk categories. Where your product falls determines what is required of you.

Unacceptable risk: prohibited practices

A small category of AI applications is banned outright under Article 5. These include social scoring by either public or private actors (Article 5(1)(c)); real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, subject to narrow exceptions (Article 5(1)(h)); AI that manipulates behaviour through subliminal or deliberately deceptive techniques (Article 5(1)(a)); systems that exploit the vulnerabilities of specific groups (Article 5(1)(b)); untargeted scraping of facial images to build recognition databases; and emotion recognition in the workplace or in education, outside medical and safety uses. These bans have applied since 2 February 2025.

High risk

This is the most consequential category for technology businesses. High-risk AI systems listed in Annex III include those used in hiring and employment decisions, credit scoring and insurance pricing, educational assessment, critical infrastructure, biometric identification, law enforcement, migration and border control, and the administration of justice. Providers of high-risk systems face significant obligations: a risk management system, data governance requirements, technical documentation, automatic logging, human oversight mechanisms, accuracy, robustness and cybersecurity requirements, conformity assessment, and registration in the EU's AI database. Deployers of high-risk systems carry their own duties, including using the system in line with its instructions, keeping logs and ensuring human oversight.

If your product touches these domains, even as one feature among many, it is worth establishing now whether it falls within scope.

Limited risk

AI systems subject to the specific transparency obligations in Article 50. Chatbots, for example, must disclose that users are interacting with AI. Deepfakes and other AI-generated or manipulated content must be labelled, and providers of generative systems must mark their outputs in a machine-readable way. The obligations here are comparatively light, but non-compliance is not cost-free.

Minimal risk

The vast majority of AI applications, such as spam filters, recommendation engines, and most productivity tools, fall here. No mandatory obligations apply, though voluntary codes of conduct are encouraged under Article 95.

EU AI Act Penalties: What's at Stake

The EU AI Act's penalty structure is deliberately steep. Under Article 99, violations of the prohibited practices provisions can attract fines of up to €35 million or 7% of global annual turnover, whichever is higher (Article 99(3)).

Non-compliance with most other obligations, including those on providers and deployers of high-risk AI systems and the transparency obligations in Article 50, carries fines of up to €15 million or 3% of global annual turnover (Article 99(4)). Supplying incorrect, incomplete or misleading information to authorities is subject to fines of up to €7.5 million or 1% of global annual turnover (Article 99(5)). Providers of general-purpose AI models face a separate regime under Article 101, capped at €15 million or 3% of global annual turnover. For SMEs, including start-ups, each fine is capped at whichever of the fixed amount and the percentage is lower (Article 99(6)).

These figures are calibrated to match, and in some cases exceed, the GDPR's enforcement scale, which produced over €4 billion in fines across Europe between 2018 and 2024. Regulators have been explicit that AI enforcement will be a priority, not an afterthought.

For businesses operating across multiple jurisdictions, the compounding effect of EU fines alongside domestic enforcement exposure, from the FTC in the US, the ICO and CMA in the UK, or the ACCC and OAIC in Australia, represents a material commercial risk that legal and product teams need to plan for together.

What the EU AI Act Means for UK Companies

The UK is no longer subject to EU law, and the government has deliberately chosen not to adopt an EU AI Act equivalent. The UK's approach remains sector-led: existing regulators, such as the ICO, CMA, FCA, and others, are responsible for governing AI within their respective domains under existing legal frameworks.

But that does not mean UK companies can treat the EU AI Act as irrelevant.

Any UK business that places an AI system on the EU market, serves EU-based customers with it, operates through EU entities, or whose AI outputs are used in the EU falls within the Act's scope for those activities.

According to two surveys commissioned by ACT | The App Association, covering more than 1,000 tech SMEs across the EU, UK and US in total, six in ten EU and UK technology businesses face delayed access to frontier AI models as a direct result of the regulatory environment. 58% of developers reported regulation-driven product launch delays, and more than one-third reported that they had been forced to strip out or downgrade features to comply.

The same report found that EU and UK tech firms lose an estimated £81,000–£280,000 annually per firm from delayed AI model access and launch timelines, rising to £139,000–£393,000 for directly affected businesses.

In practice, UK companies face a dual compliance environment: the EU AI Act for their European operations, and a more fragmented but increasingly active domestic landscape. The ICO has confirmed that AI systems processing personal data fall squarely within the scope of the UK GDPR, meaning that even without a dedicated UK AI statute, data-driven AI systems carry real regulatory exposure. Understanding your data flows is essential; our guide to data processing terminology and acronyms is a practical reference for teams working through this environment.

The question of whether the EU AI Act applies to UK companies is less about geography than commercial reach: if your product is used by EU customers, the Act applies, regardless of where you are incorporated.

What the EU AI Act Means for US Companies

The United States still lacks a federal AI law, but that does not insulate US companies from the EU AI Act's requirements. If a US business offers AI products or services to customers in EU member states, it falls within the Act's territorial scope.

The contrast between the US and EU regulatory environments is sharpening in measurable ways. The App Association survey found that 62% of US tech SMEs actively use AI compared with just 50% of EU and UK counterparts. US firms report median cost savings of 10.7% from AI adoption versus 8.9% in the EU and UK, and 94% of US tech SMEs plan to increase AI investment, compared to 89% in Europe.

Beyond direct EU exposure, US companies face an increasingly active domestic enforcement environment. The FTC has treated AI-related deception and inflated capability claims as enforcement priorities, with its Operation AI Comply sweeps signalling that unsupported marketing claims carry real regulatory risk. State-level privacy and employment laws are adding further complexity.

Regulators are also increasingly scrutinising so-called ‘AI washing’: overstated or misleading claims about AI capability, functionality or performance in marketing materials and investor communications. For many businesses, legal risk now extends beyond how AI systems operate to how AI products and services are represented commercially.

For US founders and executives, the EU AI Act is best understood not only as a compliance requirement for European markets, but as an emerging global benchmark: one that is beginning to shape what sophisticated buyers, investors and partners expect from any AI-enabled business.

Our review of the key AI legal developments of 2025 sets out how enforcement across the US, UK, EU and Australia evolved last year and what it means for 2026 planning.

What the EU AI Act Means for Australian Companies

Australia has taken a different approach to AI governance, focusing on targeted reforms to existing privacy and consumer protection frameworks rather than adopting a standalone AI statute. The government's Voluntary AI Safety Standard, its proposals for mandatory guardrails in high-risk settings, and the ongoing Privacy Act reform process are shaping expectations, particularly for organisations deploying AI in high-impact domains such as employment, credit assessment, biometric verification, and government services.

But like the UK and the US, Australian companies with EU market exposure are directly subject to the EU AI Act. Australian SaaS businesses, AI platform providers, and technology companies with European clients or distribution partners cannot assume that domestic regulatory settings are the only ones that apply.

The commercial stakes are rising. Enterprise customers in Europe are embedding AI governance criteria into vendor procurement: before contracts are signed, suppliers are asked to demonstrate training data provenance, governance structures, human oversight mechanisms, model governance and subcontractor use. For many businesses, the compliance conversation now begins in procurement rather than with a regulator.

The ACT | App Association survey found that nearly 30% of EU and UK businesses directly affected by regulatory delays have already lost clients as a result: a clear signal of the commercial consequences that poor AI governance readiness can trigger in global markets.

For Australian founders building for global markets, the EU AI Act is rapidly becoming part of the commercial environment, not just the legal one. Meeting its standards is increasingly the price of entry to European enterprise deals, and credible AI governance is becoming a competitive differentiator in procurement and investment decisions rather than only a compliance issue.

EU AI Act Compliance: Where to Start

For most technology businesses outside the EU, compliance is not a single project with a clear endpoint: it is an ongoing discipline that needs to be integrated into product development, commercial agreements, and governance structures.

A few practical starting points:

Establish whether you are in scope

The threshold question is whether your AI system is placed on the EU market, put into service within the EU, used by you as a deployer established in the EU, or produces outputs that are used within the EU. If the answer is yes, the next question is which risk category it falls into, and in particular whether any of its intended purposes matches an Annex III use case. Both questions have meaningful legal and operational consequences.

Understand your role under the Act

The EU AI Act draws important distinctions between providers (those who develop an AI system and place it on the market or put it into service under their own name), deployers (those who use AI systems under their authority in a professional context), and importers and distributors. Your obligations depend significantly on which role, or roles, you occupy. A deployer can become a provider of a high-risk system, with the full provider obligations, by putting its own name or trademark on it, substantially modifying it, or changing its intended purpose so that it becomes high-risk (Article 25).

Review your contracts

Commercial agreements drafted before the EU AI Act entered force may not adequately address training data rights, output responsibilities, IP ownership, and liability allocation. These gaps are increasingly surfacing in deal negotiations and due diligence processes.

Many AI contracts drafted before 2024 are structurally outdated for current AI risk allocation. We are increasingly seeing negotiations focus on training data rights, model output ownership, AI output accuracy, hallucination-related liability, regulatory cooperation obligations, and allocation of responsibility between providers and deployers under emerging AI laws.

AI governance is also becoming a due diligence issue in investment and M&A transactions. Investors and acquirers are increasingly scrutinising training data provenance, regulatory exposure, open-source model usage, and internal AI governance maturity as part of technology due diligence.

Document your data practices

Regulators and enterprise buyers are both asking about training data provenance. A clear, credible account of where your training data came from and why you had the right to use it is becoming a baseline expectation. For teams deploying AI systems that process personal data, a Data Protection Impact Assessment under the GDPR is increasingly expected as a matter of course, and is required where processing is likely to result in a high risk to individuals. Separately, certain deployers of high-risk systems, including public bodies and those using AI for creditworthiness or insurance decisions, must carry out a fundamental rights impact assessment before first use (Article 27).

Build lightweight governance

The Littler survey found that even among organisations that feel prepared, only 29% have assigned internal ownership for AI compliance. Yet governance does not need to be heavy to be effective. An internal register of AI use cases, a defined approval process for new AI features, and a named owner for AI risk are a realistic starting point for most businesses and go a long way towards building buyer confidence. For anything that falls into the high-risk category, the Act's own requirements, such as a risk management system, logging and human oversight, sit on top of that baseline.

Boards and investors are also increasingly treating AI governance as an enterprise risk issue rather than solely a technical or compliance function. For larger organisations, AI oversight is beginning to sit alongside cyber security and data governance within broader operational risk frameworks.

Many organisations are also grappling with the rise of ‘shadow AI’: employees adopting generative AI tools outside approved governance frameworks. In practice, some of the most significant AI risks now arise not from formally deployed enterprise systems, but from informal employee use of public AI tools involving confidential information, customer data or commercially sensitive material.

Our final thoughts

The EU AI Act is the most significant AI regulation in force anywhere in the world. Its reach is global, its penalties are substantial, and its implementation timeline is moving whether organisations are ready or not. For technology businesses in the UK, United States and Australia, the question is not whether the Act is relevant: it is how quickly you can establish your position under it.

Although AI regulation remains fragmented internationally, there is increasing convergence around core themes: transparency, accountability, human oversight, governance and data provenance. Businesses that establish credible governance frameworks early are likely to be better positioned as regulatory expectations continue to evolve across jurisdictions.

The data is clear: the gap between feeling prepared and being prepared is wide.

At Biztech Lawyers, we advise founders, executives and in-house legal teams navigating AI regulation across multiple jurisdictions. If you would like to understand how the EU AI Act applies to your business and what a proportionate response looks like, book a call with our team.

Biztech Lawyers provides the material on its web pages for information purposes only, not as legal advice. We do not intend these web pages to create an attorney-client relationship with you, and you should not assume such a relationship or act on any material from these pages without seeking professional counsel. This website is considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome. In Australia, liability limited by a scheme approved under Professional Standards Legislation.

Karine Ahton
