The EU AI Act is moving from legislation to operational reality. For UK-based service providers selling AI systems into the EU, the most important date is August 2026, when the full rules for high-risk AI come into force.
A January 2026 update from K&L Gates highlights that high-risk AI systems in areas such as finance face the August deadline. There had been discussion of a Digital Omnibus that might delay some obligations, but providers should not bank on it. Preparing now is the safer course.
What counts as high-risk
The AI Act categories are broad. High-risk systems include AI used in recruitment, credit scoring, insurance pricing, biometric identification, medical devices, transport safety, law enforcement and certain public services. Many B2B software products that embed AI for decision support or automated processing will fall into this category.
If your product makes or supports decisions that affect an individual’s access to a job, credit, insurance, justice or essential services, you should assume it is in scope until you can prove otherwise.
What needs to be in place by August
High-risk AI systems must meet a range of requirements before they can be placed on the EU market. These include risk management, data governance, transparency, human oversight, accuracy, robustness, cybersecurity, and post-market monitoring. Providers also need technical documentation, quality management systems and conformity assessments.
For UK firms, the practical checklist includes:
- A CE marking process and an EU authorised representative.
- Clear records of training data, model validation and performance testing.
- Documentation showing how human oversight is implemented.
- Incident reporting procedures and a plan for post-market monitoring.
- Contracts that allocate AI Act responsibilities clearly between provider, deployer and distributor.
The authorised representative problem
Since Brexit, UK providers no longer have automatic EU market access through UK establishment. Most will need an authorised representative inside the EU to act as a local contact for regulators. Arranging this takes time, especially if you need to negotiate liability and reporting obligations with the representative.
This is not a box-ticking exercise. A regulator that wants to inspect documentation or investigate an incident will contact the authorised representative first. If they cannot produce the right records quickly, the product can be pulled from the market.
The bottom line
August 2026 is closer than it sounds for organisations that still need to map their products, update contracts, build documentation and secure EU representation. The Digital Omnibus may provide some relief on specific points, but relying on a possible delay is a poor strategy. The firms that start now will be in a position to keep selling; the firms that wait may find the door closed.