High-risk AI obligations under the EU AI Act came into force in August 2026. Most UK businesses in regulated sectors — financial services, legal, HR, recruitment, healthcare — don't know whether their AI systems qualify as high-risk, or what documentation they'd need if a regulator came knocking.
This article is the plain-English guide we wish existed six months ago. No legal jargon. No vendor pitches. Just a practical breakdown of what the regulation requires, who it applies to, and what you need to do.
Important note: The EU AI Act applies to AI systems used within the EU. Post-Brexit, UK law does not automatically mirror it — but if your business serves EU clients, processes EU citizen data, or operates in EU markets, you are likely in scope. The UK is also developing its own AI regulation, and the EU AI Act is the template it's following.
What the EU AI Act actually does
The EU AI Act is a risk-based regulatory framework. It classifies AI systems into four risk tiers and applies different obligations to each:
- Unacceptable risk — banned outright. Includes social scoring systems and certain biometric surveillance tools.
- High risk — permitted but heavily regulated. Requires documentation, human oversight, and conformity assessments.
- Limited risk — transparency obligations only. Chatbots must disclose they're AI.
- Minimal risk — no specific obligations. Most AI tools fall here.
The August 2026 deadline specifically triggers the high-risk obligations. If your AI system falls into this category, you need to be compliant now.
What counts as high-risk AI?
This is where most businesses get confused. High-risk doesn't mean dangerous — it means the AI is used in a context where errors could have significant consequences for people. The Act lists specific sectors and use cases:
- AI used in recruitment, CV screening, or candidate assessment
- AI used in creditworthiness assessment or credit scoring
- AI used in insurance risk assessment
- AI used in access to essential services
- AI used in education or vocational training assessment
- AI used in law enforcement or border control
- AI used in administration of justice
The practical test: If your AI system influences a decision that materially affects a person's access to employment, finance, education, or essential services — it is likely high-risk. If you're using AI to screen CVs, assess loan applications, or score insurance risk, assume you're in scope until you've confirmed otherwise.
What high-risk AI systems must have
If your system qualifies as high-risk, the EU AI Act requires the following:
1. Risk management system
A documented, ongoing process for identifying and mitigating risks associated with the AI system throughout its lifecycle. This isn't a one-time exercise — it needs to be maintained and updated.
2. Data governance
Training, validation, and testing data must be relevant, representative, and free from errors. You need to document your data sources, data preparation methods, and any known limitations or biases.
3. Technical documentation
Detailed documentation of the system's design, development, and intended purpose. This needs to be sufficient for a regulator to assess compliance without accessing the system directly.
4. Record keeping and logging
Automatic logging of the system's operation to enable monitoring and audit. Logs must be retained for the period required by applicable law.
5. Transparency and user information
Users must be provided with clear information about the system's capabilities, limitations, and the nature of AI involvement in decisions.
6. Human oversight
Measures must be in place to enable human intervention, override, or shutdown of the system. You must be able to demonstrate that a human can meaningfully review and contest AI-generated outputs.
7. Accuracy, robustness, and cybersecurity
The system must meet appropriate levels of accuracy for its intended purpose and be resilient to errors, faults, and adversarial attempts to manipulate outputs.
What you should do right now
If you're a UK business in a regulated sector using AI, here's a practical starting point:
- Inventory your AI systems. List every AI tool your business uses — including third-party tools, Microsoft Copilot, embedded AI in your CRM or HR system, and any custom-built models.
- Classify each one. For each system, identify whether it influences decisions that affect people in the high-risk categories above.
- Check your supplier contracts. If you're using a third-party AI system that falls under high-risk, your supplier should be able to provide conformity documentation. If they can't, that's a red flag.
- Start your documentation. Even if you're not certain you're in scope, starting a risk log and technical documentation now puts you in a much stronger position.
- Establish human oversight processes. Review how your teams currently interact with AI outputs and formalise the oversight process in writing.
The honest reality: Most SMEs in regulated sectors are not fully prepared for these obligations. The good news is that regulators are not expecting perfection — they are expecting evidence of genuine effort, documented processes, and a credible compliance roadmap. Starting now, even imperfectly, is significantly better than not starting.
What happens if you're not compliant
Penalties under the EU AI Act can reach €30 million or 6% of global annual turnover for the most serious violations. For high-risk AI non-compliance, fines of up to €20 million or 4% of turnover apply.
For UK businesses operating in EU markets, enforcement risk is real. For UK-only operations, the more immediate risk is reputational — and the UK's own AI regulation is likely to follow a similar framework.
If you're unsure whether your AI systems are in scope, or you need help building the documentation and governance processes the Act requires, this is exactly what we do at Talos AI. Our EU AI Act Compliance Audit is a fixed-scope engagement that gives you a clear picture of your obligations and a prioritised roadmap to meet them.