The EU AI Act entered into force in August 2024, with phased application through 2027. UK organisations deploying AI in EU markets, AI vendors serving EU customers, and UK-headquartered firms with EU subsidiaries are in scope. The UK AI Regulation Bill (currently in development) will align selectively. This is the practical IT-team guide.
The 4 risk tiers
Unacceptable risk — banned. Social scoring by governments, untargeted facial-recognition scraping, real-time biometric ID in public spaces (with narrow exceptions).
High risk — heavily regulated. AI in critical infrastructure, education / training, employment / HR, essential private + public services (credit scoring, insurance), law enforcement, migration / border control, democratic processes.
Limited risk — transparency obligations. Chatbots must disclose they're AI. Generative AI outputs must be labelled.
Minimal risk — most AI uses. No specific obligations beyond general GDPR + product law.
High-risk AI deployment obligations
Risk management system — documented + maintained throughout the AI lifecycle.
Data governance — training data quality, bias detection + mitigation, documentation of data sources.
Technical documentation — instructions for use, system architecture, performance metrics.
Logging — automatic logging of system events sufficient to enable post-market monitoring.
Human oversight — appropriate human-in-the-loop measures.
Accuracy, robustness + cybersecurity — appropriate level of accuracy + cybersecurity throughout lifecycle.
Conformity assessment — internal or third-party assessment before market deployment.
General-Purpose AI (GPAI) model obligations
Foundation models (GPT-4, Claude, Gemini, Llama) face specific obligations, particularly models trained with more than 10^25 FLOPS of computational resources.
Most UK organisations consume GPAI rather than develop it — your obligations relate to your specific AI deployment (high-risk classification) rather than the underlying model.
Phased application timeline
August 2024 — Act enters into force.
February 2025 — Prohibitions on unacceptable-risk AI apply.
May 2025 — Codes of practice for GPAI ready.
August 2025 — GPAI obligations apply.
August 2026 — High-risk AI obligations apply.
August 2027 — Full Act application including AI integrated into regulated products.
UK position
The UK Government published an AI Regulation White Paper (2023) advocating a principles-based, regulator-led approach rather than EU-style horizontal legislation.
The UK AI Regulation Bill (in development as of 2026) is likely to be lighter-touch than the EU AI Act but with selective alignment.
UK organisations deploying AI in EU markets must comply with the EU AI Act regardless of the UK approach.
What Servnet does
Servnet supports UK organisations with AI governance + technical controls. We don't provide legal advice but we deploy the technical infrastructure (logging, audit, model monitoring, bias detection tooling) that AI Act compliance requires — across NVIDIA DGX clusters, Supermicro GPU systems, and SIEM-based audit pipelines.
See our on-prem AI cluster build guide and NVIDIA accelerator compare for the platform layer. Pair with our ISO 27001:2022 Annex A mapping for the broader compliance scaffold.