EU AI Act for UK SaaS founders: extraterritorial application

Extraterritorial scope of the EU AI Act

Article 2(1)(c) of the EU AI Act explicitly applies to providers and deployers established outside the EU where the output of the AI system is used in the EU. For UK SaaS, this means: if any EU resident interacts with your AI features, generates content from them, or relies on their outputs, the Act's obligations attach. Article 50 transparency, Annex III high-risk classification, Article 25 GPAI inheritance, and Article 73 incident reporting all apply.

The UK AI Bill and parallel obligations

The UK is developing its own AI Bill that takes a sector-specific, principles-based approach rather than the EU's horizontal regulation. The UK approach assigns AI oversight to existing regulators (ICO, FCA, MHRA, Ofcom, CMA) rather than creating a single AI authority. For UK SaaS, this creates dual compliance: UK regulators expect sector-appropriate AI accountability, and the EU AI Act adds horizontal obligations when EU users are involved.

Practical compliance for UK SaaS with EU exposure

If your UK SaaS has any EU users, treat the EU AI Act as binding from 2 August 2026. Conduct the standard triage: Provider versus Deployer determination, Annex III check, Article 5 screening, Article 50 disclosure design. The geographic boundary does not reduce the obligation. The only adjustment is procedural: you may need to appoint an authorised representative in the EU under Article 25(6) if you ship AI products from outside the EU.

ICO and UK enforcement of UK-side AI rules

The UK Information Commissioner's Office (ICO) has issued AI-specific guidance under UK GDPR. Key documents: Guidance on AI and data protection (2020, updated), Explaining decisions made with AI (joint with Alan Turing Institute), and the AI Toolkit. UK enforcement under these rules is generally proportionate but increasingly active. For UK SaaS, ICO compliance is necessary but does not satisfy EU AI Act obligations for the EU-exposed portion of your business.

UK procurement and EU AI Act attestations

UK public procurement (Crown Commercial Service, NHS Supply Chain, local authorities) does not yet require EU AI Act attestation - but EU subsidiaries of UK companies often do require it from suppliers. Large UK enterprises with EU operations (Vodafone, HSBC, BP, GSK, Unilever) increasingly request EU AI Act compliance evidence as part of vendor risk assessments, regardless of supplier headquarters.

Frequently asked questions

Does the EU AI Act apply to UK companies?

Yes - extraterritorially, where the output of your AI system is used in the EU. This is established by Article 2(1)(c) of Regulation 2024/1689.

Do I need an EU authorised representative?

Possibly - Article 25(6) requires providers established outside the EU to appoint an authorised representative in the EU for certain AI Act obligations. The detail depends on whether your product is high-risk.

What is the UK AI Bill?

A parallel UK regulatory framework that takes a sector-specific, principles-based approach. Existing regulators (ICO, FCA, MHRA, Ofcom, CMA) handle AI oversight in their domains rather than a single AI authority.

Does ICO compliance equal EU AI Act compliance?

No - ICO compliance covers UK GDPR-related AI obligations. EU AI Act adds horizontal obligations (transparency, high-risk classification, conformity assessment) that ICO compliance does not address.

How do UK enterprise customers handle EU AI Act?

Large UK enterprises with EU operations increasingly require EU AI Act attestation from suppliers, even though UK itself does not. The procurement standard is becoming dual: ICO/UK rules plus EU AI Act evidence for any EU-exposed component.

Sources

• https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
• https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach