Veridio

Briefing #1 · 23 April 2026

100 Days to the EU AI Act: What UK Organisations Need to Know Now

The EU AI Act high-risk requirements take effect on 2 August 2026. With 100 days remaining, UK organisations need to understand what is required and take three practical steps now.

Veridio Regulatory Briefing | April 2026

1. The Countdown

On 2 August 2026, the EU AI Act's high-risk system requirements come into force. As of today, that is 100 days away.

For UK organisations, this date matters more than many realise. The EU AI Act has explicit extraterritorial scope. Article 2 makes clear that the regulation applies to any provider placing AI systems on the EU market, any deployer using AI systems within the EU, and any provider or deployer outside the EU whose AI system outputs are used within the EU. That final provision is the one UK organisations most commonly overlook.

The practical test is straightforward. If your AI systems affect anyone in the EU (customers, employees, partners, end users), the Act is likely to apply to some or all of your AI operations. Post-Brexit status provides no exemption.

This is not a theoretical risk. The penalties mirror GDPR in both structure and severity: up to 35 million euros or 7% of worldwide annual turnover, whichever is higher.

2. UK Regulatory Landscape Update

UK organisations waiting for a dedicated UK AI law before acting are making a strategic error. While comprehensive AI legislation has not yet been introduced, multiple UK regulators are already moving.

The ICO's statutory code on AI and automated decision-making is in active development. The Information Commissioner met with the Chancellor in March 2026 to agree commitments including a statutory code of practice for public and private sector organisations developing or deploying AI. This code will establish binding expectations on transparency, explainability, bias and discrimination, and individual rights. A public consultation is expected later this year.

The Data Use and Access Act 2025 has reformed the rules around automated decision-making under UK GDPR. The previous restrictions requiring consent for solely automated decisions have been broadened, and the ICO is updating its ADM guidance accordingly. The ICO published a report and draft guidance on automated decision-making in recruitment on 31 March 2026, drawing on evidence from more than 30 employers. The message was direct: human involvement in automated decisions must be active and genuine, not a rubber-stamping exercise.

The ICO's agentic AI report, published in January 2026, examined how AI agents making autonomous decisions (purchasing, negotiating, interacting with services) create new data protection challenges. This signals regulatory attention to a category of AI deployment that is expanding rapidly.

Ofgem published AI guidance for the energy sector in 2025, covering governance, risk management, and competencies for ethical AI adoption. Sector-specific regulators are not waiting for horizontal legislation.

A UK AI Bill is expected in the second half of 2026, likely following the King's Speech. Early indications suggest a focus on frontier AI models, but the scope may broaden as parliamentary scrutiny progresses.

The picture is clear. UK organisations face a regulatory environment where existing laws (UK GDPR, Equality Act, sector-specific rules), newly empowered regulators (ICO with statutory code powers), and forthcoming legislation are all converging on AI governance. Waiting for a single "UK AI Act" before taking action means falling behind regulators who are already acting.

3. EU AI Act: What Is Required by August

The obligations taking effect on 2 August 2026 are substantial. For organisations deploying or providing high-risk AI systems with EU exposure, the requirements include:

AI system inventory and classification. Every AI system must be identified, documented, and classified against the Act's risk categories. Annex III lists the designated high-risk use cases, covering areas including recruitment, credit scoring, biometric identification, critical infrastructure, education, and law enforcement.

Risk management. Providers of high-risk AI systems must establish, implement, and maintain a risk management system that operates throughout the system's lifecycle. This is not a one-time assessment; it requires continuous monitoring and mitigation.

Technical documentation. Comprehensive documentation demonstrating compliance must be prepared and maintained before a high-risk system can be placed on the market. This includes system architecture, training data governance, performance metrics, and testing methodology.

Conformity assessment. High-risk systems listed in Annex III must undergo conformity assessment. For most systems, this is a self-assessment against the Act's requirements, though some categories (notably remote biometric identification) require third-party assessment by a notified body.

Human oversight. High-risk AI systems must be designed to allow effective human oversight. Deployers must assign competent individuals to oversee the system's operation, with the authority and capability to intervene.

Data governance. Training, validation, and testing datasets must meet quality criteria. Data governance practices must address relevance, representativeness, accuracy, and completeness.

Transparency and registration. Deployers of high-risk systems must inform individuals that they are subject to an AI system's decisions. High-risk systems must be registered in the EU database before deployment.

The European Commission proposed adjustments in late 2025 that could delay some high-risk obligations by up to 16 months for certain system categories. The Council agreed on its position in March 2026, and negotiations with the European Parliament are ongoing. Organisations should not plan around a delay that has not been confirmed. It is prudent to treat 2 August 2026 as the deadline.

4. The Governance Gap

The most significant compliance risk for UK organisations is not among the companies that know they are building AI. It is among the companies that do not realise they are deploying it.

Every organisation using Microsoft 365 Copilot, ChatGPT via API, Salesforce Einstein, Google Gemini in Workspace, or similar embedded AI tools is, in regulatory terms, a deployer of an AI system. If any of those tools produce outputs that affect individuals in the EU, the deploying organisation has obligations under the EU AI Act.

Most of these organisations have no AI system inventory. They have no record of which AI tools are in use, by whom, for what purpose, or with what data. They have no risk classification. They have no human oversight mechanisms beyond whatever the vendor provides by default. They have no incident response procedures for AI-specific failures.

This is the "inadvertently exposed" organisation: a company that has never considered itself an AI company, has never engaged with AI governance, and is nonetheless within scope of the world's most comprehensive AI regulation because its staff use Copilot to draft emails that reach EU clients.

The gap between where these organisations are and where the regulation requires them to be is not something that can be closed in 100 days without structured support.

5. What to Do Now

Three practical steps, in order. Each can be started today.

Step 1: Know what AI you have.

You cannot govern what you cannot see. Start with a complete inventory of every AI system in use across the organisation, including embedded AI in existing software, third-party tools accessed via API, and any internal models or automations.

Veridio offers a free AI Inventory Tool designed for exactly this purpose. It provides a structured register covering system identification, risk classification, data types, and deployment status. No payment required, no obligation.

Download the free AI Inventory Tool at templates.veridio.co.uk/free-inventory-tool

Step 2: Understand your governance maturity.

Once you know what AI you have, the next question is whether your governance is adequate for the regulatory environment you operate in. This requires a structured assessment against a recognised framework, not a subjective self-evaluation.

Veridio's free AI Governance Quick Check assesses your organisation against 10 foundational governance principles and provides an instant maturity indication. It takes five minutes, captures a baseline, and identifies the domains where your governance has the largest gaps.

Take the free Quick Check at assess.veridio.co.uk

Step 3: Start building your governance documentation.

Governance maturity is demonstrated through documentation: policies, registers, frameworks, and procedures that evidence how your organisation identifies, manages, and oversees AI. Regulators, investors, and enterprise clients all evaluate governance through documentation.

The Veridio Governance Starter Pack (four templates covering AI system register, governance framework, starter policies, and risk register) provides the foundational documentation structure most organisations need first.

View the Governance Starter Pack at templates.veridio.co.uk
This briefing covers developments up to 23 April 2026. The Veridio AI Governance Framework (VAGF) is mapped against 13+ regulatory instruments including the EU AI Act, ISO 42001, NIST AI RMF, UK GDPR, and the forthcoming ICO statutory code on AI and ADM.

For a comprehensive governance assessment covering 58 principles across 9 domains, visit assess.veridio.co.uk.

Subscribe for weekly regulatory briefings at learn.veridio.co.uk/briefings.

© Veridio Ltd 2026. All rights reserved.