Good Transformer
The EU AI Act's August deadline: does it reach your firm?
A lot of noise about an August EU AI Act deadline. The scope test most UK firms skip, the one place it bites in recruitment, and what to do this month.
If your inbox has filled with warnings about an EU AI Act deadline on 2 August, here is the short version before you reorganise the quarter around it. For most firms working from the UK, that date is not your deadline, because the Act reaches you only where you place an AI system on the EU market or the output of your AI is used inside the EU. The one place it genuinely bites for this audience is recruitment, where AI that screens or ranks candidates is treated as high-risk. And the date itself is moving. So the question worth an hour this week is whether any of this reaches you at all, and that you can settle quickly.
The reason the deadline talk is loud is that several things are happening at once. The G7 data protection authorities meet in Paris from 23 June to coordinate AI enforcement, the Évian leaders' summit put AI on the front page, and compliance vendors have an obvious interest in a countdown. None of that tells a UK leader whether the rules are theirs. The scope test does.
Start with scope, not the calendar
The EU AI Act applies beyond the EU's borders, but not to everyone. Two triggers matter for a firm based here. The first is acting as a provider that places an AI system on the EU market. The second is being a provider or deployer outside the EU whose AI output is used in the EU. A practice serving UK clients, with work that stays in the UK, usually meets neither. An EU client logging in, or an AI-produced result being relied on by someone in the EU, is the kind of fact that pulls you in.
So the first job is a one-line audit, not a compliance programme. Where does AI touch a real decision in the firm, and does that decision or its output cross into the EU. Most leaders can answer that over a coffee. The answer sorts you into "in scope for this part" or "not our duty", and almost everything else follows from it.
It also helps to be clear about home ground. The UK has no statutory AI Act. The duties already on your desk are UK GDPR and the Data Protection Act 2018, the Equality Act 2010 on discrimination, and the ICO's guidance on AI and data protection. When a US state law or an EU regulation lands in the headlines, the question for you is always whether it genuinely reaches you, never whether it exists.
The date is genuinely in flux
Even for firms that are in scope, treating 2 August as a fixed wall is a mistake. The high-risk obligations carry that date in the text of the Act. But on 7 May the Council, Parliament and Commission reached a provisional agreement to simplify the rules and extend deadlines, pushing the use-based high-risk obligations under Annex III out to December 2027.
The catch is that the deferral only takes legal effect once it is formally adopted and published in the Official Journal, which is expected before August but is not done. Until then the original date technically stands. The honest posture sits between the two camps shouting at each other: do not rebuild your firm around an August guillotine, and do not treat the likely delay as permission to ignore the question. Establish scope now, because the scope answer does not change whichever way the date settles.
Where it actually bites: recruitment
For this audience the cleanest in-scope case is hiring. Annex III lists AI used in employment, including systems that place targeted job adverts, filter applications, and evaluate or rank candidates, as high-risk. A recruiter using AI to screen or score applicants for roles based in the EU, or whose AI output is used by an employer in the EU, is a deployer of a high-risk system.
The duties that follow are less exotic than the label suggests. A deployer keeps a human in genuine oversight of the AI's output, tells candidates that AI is being used, keeps records, and runs the tool within the provider's instructions. The reassuring part is that most of this is already expected of you at home. The Equality Act 2010 already makes you answerable for a screening process that quietly disadvantages a protected group, whether a person or a model did the sorting. A recruiter who can already explain an AI-assisted shortlist and stand behind it is most of the way to the EU standard, because the EU standard is mostly good hiring practice written down.
What to do this month
The work is short and it is yours to lead, not a project to outsource.
Find where AI touches a consequential decision in the firm: hiring, eligibility judgements, advice, anything client-facing. For each one, ask the nexus question, does this involve the EU market or EU-used output. That single pass sorts the firm into what is in scope and what is not.
If you are in scope, almost always through EU-facing recruitment, run the AI screen the way a careful deployer would. A named human signs the shortlist, candidates are told AI is in the process, you can show your working if asked, and you hold the vendor's documentation rather than trusting the demo. If you are not in scope, your real duties are still UK GDPR, the Equality Act and ICO guidance, and they point at the same habits: a human in charge of any consequential call, an explanation you could give out loud, and an eye on bias. The two paths converge, which is why this is worth doing properly once.
This is the kind of judgement the Good Transformer Lessons for Leaders sessions are built around: turning a noisy regulatory week into a clear answer about your own firm, and a workflow your team can keep to. The point is not to become a compliance department. It is to know, in plain terms, which rules are yours and which are someone else's, and to put one person in charge of the answer rather than a committee or a panic.
If that is worth an hour for your firm, book a discovery call.
FAQ
Does the EU AI Act apply to UK companies?
Only where there is an EU connection. The Act reaches a UK firm if it places an AI system on the EU market, or if the output of its AI system is used in the EU. A firm serving UK clients with no EU-used output is generally outside it. The UK has no statutory AI Act of its own, so the live duties at home are UK GDPR, the Data Protection Act 2018, the Equality Act 2010 and ICO guidance.
When is the EU AI Act deadline for high-risk AI systems?
The date written into the Act for high-risk obligations is 2 August 2026. A provisional agreement reached on 7 May 2026 would defer the use-based obligations under Annex III to 2 December 2027, but only once it is formally adopted and published. Until then the original date stands, so the sensible plan is to settle whether the rules reach you rather than bet on the delay.
Is AI recruitment software high-risk under the EU AI Act?
Yes, where it is used in connection with the EU. AI used to filter applications or to evaluate and rank candidates is listed in Annex III as high-risk. A firm using such a tool for EU roles is a deployer, with duties including human oversight, telling candidates AI is in use, record-keeping, and using the system as the provider instructs.
What are the UK's own rules on AI in hiring?
There is no single AI statute. A UK recruiter is bound by the Equality Act 2010 against discrimination, by UK GDPR and the Data Protection Act 2018 on personal data and automated decisions, and by ICO guidance on using AI fairly and transparently. In practice these already require a human in charge of a screening decision and the ability to explain it.