The UK is not bound by the EU AI Act as domestic law; however, because of the Act's extraterritorial reach, UK businesses operating in the EU may still be subject to its provisions. Its scope is determined by where the AI system's outputs are used, rather than by the location of the provider's business. In practical terms, a UK-based company may fall within the scope of the EU AI Act if it provides AI-enabled software to EU customers or to employees located in the EU, or if it processes personal data of customers located in the EU.

The following are examples of situations in which a UK business is subject to the EU AI Act:

Example A:
A UK-based company places an AI system on an online marketplace that generates photographs of individuals, and the system can be used by customers located in the EU who upload their own photos and produce images through the AI tools.

Example B:
A UK-based company uses an AI system developed by a US-based company to measure the performance of its employees, some of whom are located within the EU.

Example C:
A UK-based company hires a China-based company to provide HR services that use AI systems for the initial screening of applicants, including individuals based in the EU who, if they wish, can apply for positions with the UK company through the AI system.

Example D:
A UK-based company manufactures cars equipped with AI-enabled onboard systems and sells them on the EU market.

What compliance requirements does the EU AI Act establish?

The EU AI Act adopts a risk-based framework, classifying AI systems into four categories: unacceptable risk (prohibited practices), high risk, limited risk, and minimal risk. Each category is subject to distinct obligations depending on the level of risk involved. This article focuses on AI systems classified as presenting unacceptable and high risk.


Unacceptable risk (prohibited AI practices)

The EU AI Act expressly identifies a category of prohibited AI practices considered to present an unacceptable level of risk. These are systems deemed to pose a clear threat to individuals’ safety, livelihoods, or fundamental rights and are therefore subject to an outright ban.

Prohibited practices include, among others, AI systems that manipulate human behaviour, engage in the indiscriminate scraping of facial images, or profile individuals based on behavioural patterns or socio-economic status.

By way of illustration, the following are examples of AI systems classified as presenting an unacceptable risk and therefore prohibited:

  • AI systems designed to infer or predict an individual's behaviour on the basis of their race.
  • AI systems that scrape data from the internet to build facial recognition databases.
  • AI systems intended to detect or infer a person's emotions in the workplace or in educational institutions.


High-Risk AI

Much of the EU AI Act is dedicated to setting out the obligations applicable to high-risk AI systems. Unlike prohibited AI systems, high-risk systems may be placed on the EU market, provided they comply with a range of specified requirements.

This category is defined by how AI is used within specific fields, which include, but are not limited to, the following:

  • Critical infrastructure: AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity.
  • Education and training: AI systems intended to be used for the purpose of assessing the appropriate level of education that an individual will receive or will be able to access.
  • Employment: AI systems intended to be used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates.
  • Essential services: AI systems intended to be used in connection with access to and enjoyment of essential private services and essential public services and benefits.
  • Credit evaluation: AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud.


What are the obligations for high-risk AI systems under the EU AI Act?

The EU AI Act sets out different obligations for each role in the AI value chain. In this article, I will address the obligations that the EU AI Act establishes for providers and deployers.

  • Provider: a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model, or that has an AI system or a general-purpose AI model developed, and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge.
  • Deployer: a natural or legal person, public authority, agency or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.


Key obligations for providers of high-risk AI systems

The obligations established by the EU AI Act include, but are not limited to, the following:

Risk management system: Providers must establish, implement, document, and maintain a risk management system. This system should operate as a continuous and iterative process, planned and carried out throughout the entire lifecycle of a high-risk AI system, and subject to regular, systematic review and updating.

Data governance: Providers are required to implement appropriate measures to identify, prevent, and mitigate potential biases. They must therefore ensure the use of high-quality datasets for training, validation, and testing, given that the outputs of such systems are determined by the quality of the data used.

Demonstrating compliance with the EU AI Act: Upon a reasoned request from a competent authority, providers must demonstrate compliance with the EU AI Act. Robust AI governance, with documented processes and decisions, is therefore essential.


Key obligations for deployers of high-risk AI systems

The obligations established by the EU AI Act include, but are not limited to, the following:

Instructions for use: Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems.

Human oversight: Deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support.

Log retention: Deployers must retain the logs automatically generated by the high-risk AI system, in a documented manner, for a period appropriate to the system's intended purpose.


What are the penalties for failing to comply with the EU AI Act?

For non-compliance with the prohibition on prohibited AI practices, fines can reach up to EUR 35 million or 7% of the offender's total worldwide annual turnover for the preceding financial year, whichever is higher.

Breaches of high-risk AI system requirements can incur fines up to EUR 15 million or 3% of the total worldwide annual turnover for the preceding financial year, whichever is higher.


Takeaways and Practical Steps for Businesses

  • Create an AI inventory
    Conduct a comprehensive audit of all AI systems and tools used or developed across the organisation, including ad-hoc tools adopted by employees (e.g. LLMs or plugins), commonly referred to as Shadow AI.
  • Determine risk tiers
    Assess whether your AI systems fall into the high-risk categories under the EU AI Act.
  • Identify your role
    Determine whether your business is a provider or a deployer in respect of each AI system.
  • Create an AI usage policy
    Establish clear guidelines governing the approved use of AI tools within your organisation.

As AI and digital regulation constitute an evolving legal framework, we invite you to stay informed by receiving our articles and updates in this field, in which we compare EU and UK legislation. If you would like to receive these materials, please send an email to laura.gallego@scornik.com and we will keep you updated.