In November of last year, the European Commission published a paper called the Digital Omnibus. Buried in it was a proposal that would delay the most consequential parts of the EU AI Act by almost eighteen months. Last Thursday, after months of trilogue negotiations, EU lawmakers reached a provisional agreement to do exactly that.
The headline date that AI compliance officers across Europe had circled in red ink, 2 August 2026, has gone.
In its place, the rules governing high-risk AI systems will now apply from 2 December 2027. For high-risk AI embedded in regulated products, the date moves further still, to 2 August 2028. The agreement is provisional. It still needs formal adoption by the Parliament and the Council, expected within weeks. But the direction of travel is now clear.
What is the EU AI Act, and why does any of this matter for businesses sitting outside the EU?
A brief tour, then the implications.
The Act, which formally entered into force on 1 August 2024, takes a risk-based approach. It sorts AI systems into four tiers.
The first tier is unacceptable risk. Systems that fall here are simply banned. Social scoring of citizens by governments. Subliminal manipulation. Exploiting vulnerabilities of children or people with disabilities. Real-time biometric identification in public spaces, with narrow law-enforcement exceptions. Predictive policing based purely on profiling. These prohibitions came into force on 2 February 2025 and are already binding on every business that operates in the EU.
The second tier is high risk. This is the big one. It captures AI used in critical infrastructure, education, employment, essential services like credit scoring and life insurance underwriting, law enforcement, border control, and the administration of justice. Operating a high-risk AI system means a long list of obligations. A documented risk management system. Robust data governance. Detailed technical documentation. Automatic logging. Human oversight. Conformity assessments. Registration in an EU database. The CE marking that some of you will recognise from physical product compliance. These are the rules whose start date has just shifted from August next year to December 2027.
The third tier is limited risk. Chatbots, deepfakes, AI-generated content. The obligation here is transparency. The user must be told they are interacting with AI, or that what they are seeing is artificially generated.
The fourth tier is minimal risk. The majority of AI applications sit here. No new obligations.
The penalties are large by any standard. Prohibited uses can attract fines of up to seven percent of global annual turnover, or thirty-five million euros, whichever is higher. Lower-tier breaches start at one or three percent of turnover. For a serious offender, this is GDPR-level money.
So where does the UK sit in all this?
In two places at once.
Domestically, the UK has its own approach. The 2023 AI White Paper set out five principles, not laws. Safety, security and robustness. Appropriate transparency and explainability. Fairness. Accountability and governance. Contestability and redress. The FCA and Bank of England published their joint strategic approach to AI in April last year, mapping these five principles onto existing UK regulation. The FCA has been explicit that, for the foreseeable future, there will be no AI-specific rulebook in financial services. AI is being regulated through Consumer Duty, the Senior Managers and Certification Regime, and existing model risk management expectations.
If that were the whole story, UK businesses could read about the EU AI Act with mild academic interest and get on with their day.
It is not the whole story.
The EU AI Act is extraterritorial. It applies to UK businesses with no presence in the EU at all, in two main scenarios. The first is if you place an AI system on the EU market. The second, and the one that catches most people out, is if the output of your AI system is used in the EU. A UK mortgage broker using AI tools to score affordability for a UK client is not in scope. A UK SaaS company whose AI-driven product is licensed to a single client in Dublin is.
This mirrors the structure of GDPR, and the consequences are the same. Brexit does not exempt you. Neither does the fact that you have no EU office, no EU server, and no EU staff. What matters is where the AI output is consumed.
For UK financial services firms, three practical questions are worth sitting with.
The first is supply chain. Many of the AI tools UK firms are buying are built by EU vendors, or have significant EU operations. Those vendors will, eventually, have to comply with the Act for their EU customers. They will pass the cost, the controls, and the documentation expectations down to you. The delay simply shifts the timeline.
The second is the FCA’s direction of travel. The Financial Conduct Authority has said it will publish comprehensive AI guidance for firms by the end of this year. That guidance is being written in a UK that does not have an AI Act, but where the FCA’s own staff are reading the EU text closely. Practical convergence is already visible in the work the ICO and FCA are doing jointly on automated decision-making. The UK rules will not look identical to the EU rules. They will not be unrecognisably different either.
The third is judgement, not compliance. If your firm uses AI to decide who gets a mortgage, who gets advice, or who triggers a fraud alert, you will eventually have to answer to someone for those decisions. Whether the question comes from a regulator or a customer, the test is similar in shape: can you explain what the system is doing, can a human override it, and do you know when it goes wrong?
The delay is real, and it is welcome to firms that were not going to be ready. But it is also a reminder. Regulation of AI is being written right now, in real time, while the systems themselves are being built. The companies that wait for the final wording will be at a permanent disadvantage to the ones that prepare for the direction.
Eighteen months is not a long time when you are building governance for a technology that did not exist five years ago.
Sources: European Council press release on the provisional AI Omnibus agreement, 7 May 2026. European Commission Digital Omnibus proposal, 19 November 2025. EU AI Act, Regulation 2024/1689. FCA and Bank of England Strategic Approach to AI, April 2024.