Compliance for SaaS with AI features.

If any EU user can access your product, you’re in scope. The AI Act regulates where AI has impact, not where it’s built.

Yes. You’re the deployer, which carries Article 26 obligations.

An AI Acceptable Use Policy, an AI Literacy Policy, and Article 50 transparency disclosures on any AI-powered feature.

The Digital Omnibus political agreement reached in May 2026 narrowed and clarified scope in several places, eased some technical compliance burdens for general-purpose AI providers, and pushed the substantive obligations for most Annex III high-risk AI systems to December 2027. What it did not change: the Article 4 AI literacy obligations, the Article 50 transparency obligations, the prohibited-use rules, and the governance and documentation expectations that bite from 2 August 2026. For UK SMEs deploying AI tools, the baseline policy framework you need is essentially unchanged — only the deadline for high-risk system technical conformity has moved.

Yes — the political agreement pushes the substantive technical and conformity obligations for most Annex III high-risk AI systems to December 2027, giving providers more time to complete conformity assessments and CE marking. However, transparency obligations (Article 50), AI literacy obligations (Article 4), prohibited-use rules, governance structures, and the documentation expected of deployers all remain due from 2 August 2026. In practice the policy framework — Acceptable Use, AI Literacy, Article 50 disclosures, oversight SOPs, vendor registers — must be in place before August 2026 even if you are also a high-risk system provider with a 2027 conformity deadline.

No. The Omnibus extended one specific deadline — substantive conformity for most Annex III high-risk systems — to December 2027. It did not extend the 2 August 2026 enforcement date for transparency, literacy, governance, or deployer documentation. If your business uses AI tools (ChatGPT, Copilot, an internal copilot, an AI chatbot, AI-assisted recruitment or marketing), the obligations that apply to you almost certainly bite in August 2026, not 2027. Waiting risks both regulatory exposure and PI questionnaire failure at renewal.

Annex III lists categories of AI systems treated as high-risk because of where they are used, not because of the underlying technology. These include AI used in: biometric identification and categorisation; critical infrastructure (water, gas, electricity, transport); education and vocational training (admissions, grading, proctoring); employment (recruitment, CV screening, performance evaluation, task allocation, termination); access to essential private and public services (credit scoring, insurance pricing, benefits eligibility, emergency dispatch); law enforcement, migration and border control; and administration of justice and democratic processes. If your AI sits in any of these workflows — even if it only assists a human decision — you are likely a high-risk deployer.

Yes. The Act applies extraterritorially. A UK business is in scope if it places an AI system on the EU market, if the output of its AI system is used in the EU, or if it employs or serves people in the EU or EEA. Brexit did not remove EU regulatory reach over UK businesses whose AI touches EU users, staff, or customers — much as UK GDPR continues to interact with EU data protection law for cross-border processing.

Enforcement begins immediately on 2 August 2026 — there is no grace period for transparency, literacy, governance, and deployer obligations. National regulators (in the UK, the ICO and sector regulators acting in cooperation with EU authorities) can investigate, request your documentation, and refer matters for fines. Penalties reach €15 million or 3% of global annual turnover (whichever is higher) for breaches of deployer and transparency obligations, and €35 million or 7% of global turnover for the most serious prohibited-use breaches. PI insurers are already asking for documented AI policies at renewal; missing the deadline can affect cover as well as expose you to enforcement.