AI features are now table stakes, and every founder adding them asks the same nervous question: “Is there a law I’m about to break?” The EU AI Act is the big one people have heard of. Here’s a plain-English guide for UK founders — what it is, whether it even applies to you, and the short list of things that actually matter. As a UK app and SaaS development studio that builds AI features for a living, this is the framing we walk clients through. (This is general information, not legal advice — for anything high-stakes, take proper counsel.)
Does it even apply to you as a UK company?
Brexit didn’t put you out of reach. The EU AI Act applies extraterritorially: if you place an AI system on the EU market, or the output of your AI is used by people in the EU, you can be in scope even from the UK — the same logic that made GDPR matter to UK startups. Practically:
- UK-only users? The EU Act doesn’t apply. (UK data protection law still does — see below.)
- EU users, or planning to expand there? Assume it’s in scope and design for it now — retrofitting compliance later is the expensive path.
The four risk tiers — and where most apps land
The Act is risk-based. What you must do depends entirely on which tier your use of AI falls into:
| Risk tier | Examples | What it means for you |
|---|---|---|
| Unacceptable | Social scoring, manipulative or exploitative AI | Banned outright — don’t build it |
| High | Recruitment, credit scoring, biometric ID, some medical/critical uses | Heavy obligations: risk management, documentation, human oversight |
| Limited | Chatbots, AI assistants, generated images/audio | Transparency: tell users it’s AI; label AI content |
| Minimal | Spam filters, recommendations, most everyday AI | No specific obligations |
The good news: the vast majority of startup apps — chat, search, drafting, summarising, recommendations — sit in limited or minimal risk. If you’re building a recruitment screener, a credit decision tool, or biometric identification, that’s the moment to get specialist legal advice.
What limited-risk actually requires: transparency
For most founders, compliance comes down to being honest with users:
- Disclose AI interactions. If a user is chatting with a bot, make it clear it’s a bot, not a human.
- Label AI-generated content. Synthetic images, audio, video and “deepfake”-style content should be marked as AI-generated.
- Be clear about what the AI does with the user’s input, in plain language.
Done well, this is also just good product design — users increasingly expect it.
The timeline (roughly)
The Act is phasing in over several years. In broad strokes: bans on unacceptable-risk uses applied first, obligations for general-purpose AI models followed, and the heavier high-risk obligations phase in later into 2026–2027. For a limited-risk app, the transparency expectations are the part to act on now — and they’re cheap to build in from the start.
What about the UK’s own rules?
The UK has taken a lighter, principles-based route — guiding existing regulators rather than passing one big AI act (though that could evolve). Crucially, UK data protection law (UK GDPR) still applies to any AI that processes personal data, including rules around automated decision-making and profiling. So even for a UK-only app, “no EU AI Act” doesn’t mean “no rules.” Our GDPR guide for app developers covers that groundwork.
A practical checklist for founders
- Map where your users are (UK-only vs EU) and whether you plan to expand.
- Classify each AI feature by risk tier — most will be limited/minimal.
- Add clear AI disclosure and content labelling to limited-risk features.
- Keep a short record of what data your AI uses and why (privacy + governance).
- If any feature touches recruitment, credit, biometrics or health — get legal advice before launch.
- Build these in from day one; retrofitting is far more expensive.
Frequently asked questions
I’m pre-launch — do I really need to worry about this now?
The heavy obligations only hit high-risk systems, which most startups aren’t building. But transparency and sensible data handling cost almost nothing to design in early and are painful to bolt on later — so bake them into your MVP rather than treating them as a later problem.
Does using OpenAI or Anthropic’s API make me compliant?
No — the model provider handles obligations for the model itself, but your product’s obligations (transparency to your users, how you use their data, your risk tier) are yours. Building on a reputable provider helps, but it doesn’t transfer your responsibilities.
The bottom line
For most UK founders adding AI in 2026, the EU AI Act is far less scary than the headlines suggest: classify your features, be transparent with users, handle data responsibly, and get advice for the genuinely high-risk cases. If you’d like AI features built with transparency and data governance baked in from the start, that’s exactly how we approach AI app development — start with a free discovery call.
