The short version: EU lawmakers recently pushed back enforcement of high-risk AI rules by 16 months, to December 2027. That was widely reported as "the EU AI Act deadline has moved." It has not. The August 2, 2026 general provisions deadline stands. The high-risk category delay is relevant to medical devices, employment AI, and critical infrastructure operators. For most UK small businesses using AI for customer communications, content generation, or operational automation, the August date is the one to plan for.

What changed — and what did not

High-risk rules delayed to December 2027. General provisions still apply 2 August 2026.

In May 2026, EU lawmakers provisionally agreed to push back enforcement of high-risk AI system requirements — covering AI in employment, biometrics, critical infrastructure, education, migration, and credit scoring — to December 2, 2027, with safety-component systems extended to August 2028. This was a significant concession to businesses struggling with the technical complexity of the high-risk framework.

However, the general provisions of the EU AI Act — transparency obligations, prohibited practice bans, and general AI system requirements — remain on schedule for 2 August 2026. These apply to any AI system used in an EU-facing context, including:

  • AI-generated customer communications (emails, chatbot responses, marketing copy)
  • Automated decision-making in customer-facing processes
  • AI tools that process personal data of EU residents
  • Any AI system marketed or deployed to EU customers

Why UK businesses are affected despite Brexit

Brexit removed the UK from the EU's regulatory jurisdiction, but it did not remove UK businesses from their obligations when they operate in the EU market. The principle is the same as GDPR: if you are a UK business with EU customers, EU employee data, or EU-facing digital services, EU regulation applies to that activity.

The EU AI Act has extraterritorial reach — the same way GDPR did.

A UK chimney sweep with no EU customers and no EU-facing online presence is not directly affected. A UK marketing agency running AI-generated email campaigns for an EU-based client is. A UK software company selling an AI-powered tool to EU businesses is. The test is whether EU residents or EU-based businesses are affected by your AI use — not where your business is registered.

What the general provisions require

The August 2 general provisions focus on three areas:

  • Transparency: Users must know when they are interacting with an AI system. AI-generated content for public consumption must be identifiable as such. Chatbots must identify themselves as AI when a user sincerely asks.
  • Prohibited practices: AI systems that manipulate people through subliminal techniques, exploit vulnerability, or conduct untargeted scraping of facial images are banned outright.
  • Literacy obligations: Organisations deploying AI systems must ensure staff have sufficient AI literacy to use them appropriately. This is a soft requirement but a real one — particularly relevant for businesses that have deployed AI tools without training.

What UK businesses should do in the next six weeks

For most small businesses, compliance with the general provisions is achievable without legal counsel if you act now:

Six-week compliance checklist

Week 1–2 — Inventory: List every AI tool your business uses. Note which ones interact with EU customers or process EU customer data. This does not need to be formal — a spreadsheet is fine.
Week 2–3 — Transparency review: For each customer-facing AI use (emails, chatbot, content generation), check: is it identifiable as AI-assisted? Add a footer note, a disclosure line, or an "AI-assisted" label where needed.
Week 3–4 — Chatbot check: If you use a chatbot on your website, confirm it identifies itself as AI when asked directly. Most reputable chatbot platforms (including GHL) do this by default — but verify.
Week 4–6 — Staff awareness: Brief your team (or yourself) on what AI tools are being used and the basic principle: AI-generated customer content should be identifiable. No elaborate training needed — a 30-minute conversation and a written note is sufficient for a small team.
Ongoing: Keep the inventory updated as you add AI tools. This is also your GDPR data processing record for AI — two compliance tasks, one document.

If your business has EU customers and uses AI in any customer-facing capacity, the six weeks between now and 2 August is a reasonable amount of time to achieve basic transparency compliance without specialist legal support. If you are operating at scale in a high-risk category (employment decisions, credit, biometrics), legal advice is appropriate — but those are the categories where the deadline has already been extended to 2027.