EU AI Act

We left the EU several years ago.  Surely I don’t need to be concerned about European legislation any more?

Maybe. Maybe not.  If you have a base somewhere in the EU, or if you have a subsidiary in the EU then you’ll be caught.  You’ll also need to be aware of it if you have employees who are EU residents, or if you recruit employees from EU countries.  If you use AI systems which affect EU nationals or residents then the EU AI Act will apply to you.

So if you have nothing to do with any EU citizen, and do not use any AI system which may affect them, then you’re fine.  Otherwise, it’s worth knowing that the EU AI Act exists and that it could apply to you.

Ah yes, but we don’t use AI?

Are you sure?  The Act regulates all AI systems, and that definition is very wide.  It also specifically captures general purpose AI models, such as ChatGPT and Copilot.  Many organisations are in the dark as to what AI systems they are actually using, so it’s worth taking a pause and considering who may be using what, and for what purpose.  Oh, and if you’re not using AI now, the chances are that you will be soon.

And what’s the EU going to do about it?

They could fine you.  Remember the GDPR and its €17 million fines?  The EU AI Act goes beyond that, with maximum fines of €35 million in some cases, or 7% of global turnover if higher.  We’re not sure how the EU will seek to impose fines on organisations that have no presence in an EU member state, but why take the risk?

OK, so if I get an AI system then I’ll have a read through the EU AI Act.  Just give me the highlights now.  What do I need to do?

First you need to assess your AI systems and decide their level of risk.  There are four levels.

Some AI systems are now prohibited.  This is the highest risk category and means that certain types of AI have effectively been banned from use within the EU since February 2025.  This includes emotion recognition systems used in the workplace, for example.

I don’t use anything like that.  This is all science fiction nonsense.

Perhaps.  But there are companies who have developed and are marketing this technology.  AI regulation is a very new legal field, and there are many different attitudes to it.  What may be regarded as acceptable in Silicon Valley may look very different to what is acceptable in Paris or Madrid.

OK, noted, but other than that I’m OK, yes?

No.  The Act heavily regulates high-risk AI systems.  Most workplace uses of AI are regarded as high-risk, including recruitment tools (systems used to identify candidates, CV filtering tools, and tools used in interview analysis, for example) and work management tools, which includes performance monitoring tools, workload assignment/allocation tools, and systems that assist or make decisions relating to promotion or dismissal.  Remember – many of these are now standard features on more sophisticated HR management systems, so you may have these installed without realising it.

So what do I have to do with my high-risk tools?

The provisions relating to these come into force in August 2026, so you have time to prepare, and many of the obligations apply only to the providers of the systems (see below), but there will be obligations on you as a deployer (or user) of a high-risk system.  This includes an obligation only to use the system in accordance with its instructions for use; to ensure the quality of input data; to monitor its operations; to make sure that your organisation has a degree of AI literacy; and to ensure that you can effectively intervene in the operation of the system where necessary.

Most importantly make sure that you document all of the above, so that you can demonstrate to a regulatory authority that you have complied with your obligations.

Also, remember that UK GDPR presents a number of further obligations when processing high-risk personal data and you will also need to take these obligations into account.

You mentioned that I would be a “deployer” of AI systems.  What else could I be?

A provider.  In short, providers are the developers of AI systems.  The most onerous obligations fall on providers.

Phew! I’m glad I’m not one of those.

Yes, but be careful.  It is possible to become a provider inadvertently.  For example, if you become heavily involved in the technical development of the system and modify it for your own purposes, then you could be classed as a provider; or if you put your own branding on a system that you introduce, then, again, you may end up as a provider.

You can also become a provider if you significantly modify a general purpose AI system (such as ChatGPT) for a high-risk purpose.

Eek, I’ll be careful.  Maybe we should just steer clear of all AI.

That’s increasingly difficult to do, and unnecessary.  The Act classifies certain AI systems as limited-risk, for example a customer chatbot.  The requirements on these systems are much less onerous and largely relate to obligations to be transparent with users about their use.

Some AI systems are regarded as minimal-risk.  Many firewalls, for example, incorporate a degree of AI, and these are not regulated at all.

You mentioned GDPR.  Why does this apply?

Because AI systems – particularly those used in the workplace – process personal data, so they are caught by data protection legislation.  In the UK this is the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).  The UK does not have any stand-alone AI legislation, and so the GDPR has developed as the main source of AI regulation.  In the EU the EU AI Act will sit by the side of the EU GDPR, and any national rules that are in place.

What about elsewhere in the world?

The picture is patchy and complex.  If you have operations elsewhere then it is important to understand local policies on AI use and the status of domestic legislation.  Some countries have only very light regulation, because of fears that it will inhibit AI development.  Others are following the much more heavy-handed EU AI Act approach.

What are my next steps?

Start putting an AI governance framework in place.  You can read our articles on Understanding AI Governance in HR, Minimum Viable AI Governance: Why HR Can’t Afford and From Guardrails to Growth: Building Minimum Effective AI Governance for HR.

Contact Us

For help on any of the matters raised in this article, please contact Matthew Cole.