EU AI Act for SMBs: what applies, what doesn't

23 May 2026 6 min read

The European Union's Artificial Intelligence Act (AI Act) is a landmark piece of legislation. It aims to regulate AI systems based on their potential to cause harm, moving beyond the traditional tech-agnostic data protection laws. For small and medium-sized businesses (SMBs) in the UK, the prospect of new regulations can be daunting. You might be wondering if you need to overhaul your entire AI strategy, or perhaps even abandon your AI plans altogether. The good news is that for most UK SMBs, the direct impact of the EU AI Act will be limited. However, it's not something you can entirely ignore.

This article cuts through the noise, clarifying what aspects of the EU AI Act truly matter to UK SMBs, and where you can focus your attention instead.

The Extraterritorial Effect: Why it Matters (Sometimes)

The first point to understand is the "extraterritorial effect" of EU law. While the UK is no longer a member of the EU, if you offer goods or services to customers within the EU, or if your AI system's output is used in the EU, then aspects of the AI Act might apply to you.

Consider these scenarios:

  • **You develop and deploy an AI system for customers in France:** If your UK-based company creates and sells an AI-powered inventory management system to a French retail chain, and that system falls under one of the Act's classifications (e.g., high-risk), then you, as the provider, would likely need to comply with the relevant provisions.
  • **An EU company uses your AI tool:** If your UK company develops a general-purpose AI tool (such as a content generation engine or a coding assistant) and an EU-based company integrates it into their high-risk AI application, then while the EU company bears the primary responsibility for the high-risk application, you, as the provider of the general-purpose AI, might still have certain obligations, such as transparency requirements.
  • **Your AI system impacts EU citizens:** Even if your direct customers are not in the EU, but your AI system processes data or makes decisions that significantly affect individuals within the EU, the Act could potentially apply. This is a broader reach and less likely for many SMBs, but it's worth noting.

For many UK SMBs that operate solely within the UK, without EU customers or significant interactions, the direct application of the EU AI Act will be minimal.

Understanding the Risk-Based Approach

The EU AI Act categorises AI systems into different risk levels, with stricter regulations for higher-risk applications. This is crucial for understanding compliance:

  • **Unacceptable Risk:** These are AI systems considered a clear threat to fundamental rights. Think social scoring by governments or manipulative subliminal techniques. These are banned outright. Frankly, it's highly improbable any legitimate UK SMB would be dabbling in these areas.
  • **High-Risk:** This is where the bulk of the regulation lies. High-risk systems include AI used in critical infrastructure, safety components of products, employment and worker management, law enforcement, migration control, and democratic processes. Examples might include AI used for recruitment decisions, credit scoring, or determining access to public services. If your AI solution falls into one of these categories *and* is used in the EU, then you have significant obligations regarding risk management, data governance, human oversight, transparency, and conformity assessments.
  • **Limited Risk:** These AI systems have specific transparency requirements. For instance, if your AI generates "deepfakes" or relies on emotion recognition, users must be informed that the content is AI-generated or that they are interacting with an AI system. This is relevant if you provide AI chatbots or similar interactive tools to EU customers.
  • **Minimal or No Risk:** The vast majority of AI systems, including spam filters, recommendation engines, and many AI-powered analytics tools, fall into this category. They are largely unregulated under the Act, though general consumer protection laws still apply.

Most UK SMBs using AI internally (for example, an AI tool to summarise internal documents or automate marketing email drafts) will find their systems fall into the minimal risk category, meaning the specific requirements of the EU AI Act will not directly apply.

What to Watch: UK's Own Approach to AI Regulation

While the strictures of the EU AI Act might not directly apply to you, it would be a mistake to assume AI governance is irrelevant for UK SMBs. The UK government is pursuing its own, distinct approach to AI regulation, aiming for a more "pro-innovation" ecosystem.

Key aspects of the UK's approach include:

  • **Sector-Specific Regulation:** Rather than a single overarching law, the UK intends for existing regulators (e.g., ICO for data, FCA for financial services, Ofcom for communications) to interpret and apply a set of cross-sectoral AI principles within their specific domains.
  • **Five Principles:** These guiding principles for safe and responsible AI include safety, security, and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress.
  • **Voluntary Adoption (for now):** Initially, adherence to these principles is expected to be more voluntary, with a focus on guidance rather than immediate legislation. However, expect this to evolve, especially for high-impact AI uses.

The implication for UK SMBs is that while you might not have to comply with the EU AI Act's specific technical standards, you *will* increasingly be expected to demonstrate responsible and ethical use of AI within the UK's developing regulatory framework. This aligns quite closely with good business practice anyway.

Practical Steps for UK SMBs

So, what should a UK SMB do in light of the EU AI Act and the UK's evolving landscape?

  • **Assess your EU footprint:** Honestly evaluate if your current or planned AI solutions have any significant interaction with or impact on customers or individuals within the EU. Be realistic, but don't overstate it.
  • **Understand your AI's risk profile:** Even if the EU AI Act doesn't apply, understanding whether your AI is "minimal," "limited," or potentially "high-risk" (using the EU classifications as a helpful framework) is good practice. If you use AI for tasks like recruitment or critical decision-making, you should be especially diligent.
  • **Embrace UK AI principles:** Familiarise yourself with the UK's five principles for AI regulation. Even if not legally mandated yet, adhering to them demonstrates good governance and mitigates future risks.
  • **Focus on robust AI governance:** Implement internal policies and procedures for how you select, deploy, monitor, and update AI systems. This includes:
      ◦ **Data Governance:** Ensuring the data used to train and operate your AI is fair, unbiased, accurate, and compliant with UK GDPR.
      ◦ **Transparency:** Being clear with employees or customers when AI is being used, especially if it makes significant decisions.
      ◦ **Human Oversight:** Maintaining clear avenues for human review and intervention, particularly for critical AI-driven processes.
      ◦ **Security:** Protecting your AI systems from security breaches and manipulation.
  • **Stay informed:** AI regulation is a rapidly moving target. Keep an eye on announcements from the UK government and relevant sector-specific regulators like the ICO.

In short, for most UK SMBs, directly complying with the intricacies of the EU AI Act will not be a pressing concern. However, adopting its risk-based thinking, combined with a proactive embrace of the UK's emerging AI principles, is a sensible strategy. By doing so, you're not just preparing for future regulations; you're building trust, fostering innovation responsibly, and safeguarding your business.

If you're keen to understand how these evolving regulations might specifically impact your business, particularly if you're embracing tools like Microsoft Copilot, reach out to us. We can help you navigate the landscape and ensure your AI adoption is both efficient and compliant.