June 23, 2026
ISO 42001 and the Evidence Problem: Why Good Intentions Don't Survive an AuditUK enterprises are caught by the EU AI Act whenever they place an AI system on the EU market, or where the output of their AI system is used in the EU, regardless of the UK's departure from the bloc. Brexit removed the UK from the EU's institutions; it did not move the EU market, and the Act reaches across borders to anyone serving that market. So the first thing a UK leadership team needs to know is that "we are not in the EU" is not an exemption. The second is that the timeline most people remember is now wrong, because the Act was significantly amended in 2026. This article sets out what actually applies to UK businesses, what changed, what did not, and how the UK's own divergent rules interact with all of it.
Yes, in defined circumstances. The Act applies extraterritorially. A UK provider that places an AI system or general-purpose AI model on the EU market is in scope. A UK deployer whose AI system's output is used within the EU is in scope. UK organisations in supply chains feeding EU products or services are frequently in scope through their customers. The practical test is not where your company is incorporated but whether your AI touches the EU market or EU residents. For most mid-to-large UK enterprises with European customers, suppliers, or operations, the honest answer is that some of their AI is in scope, even if not all of it.
This is why UK enterprises cannot treat the EU AI Act as someone else's regulation. It frequently sets the highest bar they have to clear, and clearing it tends to satisfy the UK's lighter requirements as a by-product.
For most of 2024 and 2025, organisations planned to a timeline that had the most consequential high-risk obligations applying from 2 August 2026. That timeline changed. Faced with technical standards and supporting infrastructure that were not going to be ready in time, the European Commission proposed the Digital Omnibus on AI in November 2025. After negotiations that nearly collapsed in late April 2026, the institutions reached political agreement on 7 May 2026, and the European Parliament endorsed it on 16 June, with formal adoption and publication expected to follow ahead of the original August milestone.
The headline change is a deferral of high-risk obligations. The most consequential requirements, covering standalone high-risk systems listed in Annex III, such as AI used in recruitment, credit scoring, education, and law enforcement, now apply from 2 December 2027 rather than 2 August 2026, a sixteen-month deferral. High-risk AI embedded in regulated products under Annex I, such as medical devices and machinery, moves to 2 August 2028. National regulatory sandboxes are deferred to 2 August 2027.
It is essential to read this as a deferral, not a dismantling. The Act's core architecture, its risk-based classification, its governance structure, and its fundamental obligations, remains intact. And the deferral is structured around a readiness and registration mechanism rather than being a simple pause, so the clock is being managed rather than stopped.
This is where the "the EU delayed the AI Act" headline becomes dangerously imprecise for anyone planning to it.
The transparency obligations under Article 50 were not deferred. From 2 August 2026, people must be told when they are interacting with an AI system, when content has been generated or manipulated by AI, and when they are subject to emotion-recognition or biometric-categorisation systems. A UK enterprise that read "delay" and eased off its transparency work has misread the position.
The obligations on general-purpose AI models, in force since August 2025, were untouched by the Omnibus.
And one near-term deadline was tightened, not relaxed. The grace period for labelling AI-generated content, watermarking and machine-readable disclosure of synthetic media, was shortened from a proposed six months to three, landing on 2 December 2026. If you ship any generative feature into the EU market, that is roughly the engineering runway you have to make labelling and detection operational. It is the nearest live obligation under the Act, and it moved closer.
The agreement also added a new prohibited practice under Article 5: AI systems that generate non-consensual intimate imagery or child sexual abuse material, the so-called nudifier tools, banned from 2 December 2026, with the maximum penalty tier attached. Any organisation operating image or audio generation needs a documented safeguard against this misuse before that date, with no "add it later" path.
While the EU operates a single, prescriptive, risk-based statute, the UK has deliberately taken a different road, and the gap between them widened in 2026.
As of mid-2026, the UK has no AI Act. It governs AI through existing sector regulators applying their existing remits, supplemented by a principles-based blueprint and regulatory sandboxes rather than a single law. The Financial Conduct Authority addresses AI through the Consumer Duty, model-risk expectations, outsourcing rules, and operational resilience, rather than an AI-specific rulebook. The Information Commissioner's Office governs AI that processes personal data, with a particular focus on automated decisions. Ofcom regulates AI within telecoms and online services and has begun enforcement, including against an AI nudification site under the Online Safety Act. The Medicines and Healthcare products Regulatory Agency is developing its approach to AI as a medical device. A private member's Artificial Intelligence (Regulation) Bill, proposing an AI Authority and a designated AI Responsible Officer, has been debated but lacks government backing and is not law.
Then, in February 2026, the UK actively diverged on one of the most AI-relevant points. The Data (Use and Access) Act 2025 replaced Article 22 of the UK GDPR with new Articles 22A to 22D, inverting the default for significant automated decisions on ordinary personal data from prohibition to permission subject to safeguards. The EU, by contrast, retains a prohibition-first stance under its Article 22, and the EU's own Digital Omnibus is not expected to align the two. The result is a genuine, deliberate divergence: a UK-compliant approach to automated decision-making will not automatically satisfy EU requirements, and vice versa.
Pulling the threads together, the practical position for a UK enterprise with any EU exposure is as follows.
Re-baseline your high-risk roadmap to December 2027, and spend the recovered time on the parts that genuinely take time: conformity assessment, technical documentation, and human-oversight design. Understand the grandfathering effect, systems placed on the market before the new dates can avoid the full high-risk obligations until substantially modified, which rewards getting governed deployments out the door but resets the clock the moment you materially change them.
Keep the August 2026 transparency work on schedule, because it did not move. Treat the December 2026 watermarking and synthetic-content disclosure deadline as the live obligation it is. Settle your position on the new Article 5 prohibition if you operate any image or audio generation.
Decide your divergence strategy. For automated decision-making, you can either run a single, stricter, EU-aligned approach across both jurisdictions for simplicity, or operate distinct UK and EU frameworks to take advantage of the UK's lighter regime. Most enterprises with meaningful EU exposure find a single higher-bar approach cheaper to operate than two parallel ones, but the choice should be deliberate rather than accidental.
And recognise where the two jurisdictions converge despite their different forms. Whether your obligation is the EU AI Act's logging and human-oversight requirements, or a UK regulator's expectation of ongoing outcome monitoring and operational resilience, or the new UK requirement that automated-decision safeguards actually function, they all point at the same underlying capability: knowing what AI you run, classifying it by risk, controlling how it behaves in production, and keeping the evidence. The forms differ. The work is the same.
It is tempting to treat regulatory change as a series of dates to manage. The deeper point is that both the EU's prescriptive statute and the UK's principles-based regime are converging on continuous, demonstrable control of AI in production. The EU AI Act asks for logging and oversight. UK financial regulators ask for ongoing monitoring of outcomes. The UK's new automated-decision safeguards have to work in real time. None of these is satisfied by a document filed at deployment. They are satisfied by governance that operates where AI risk is realised, which is at run-time, for as long as the system is live.
For UK enterprises, the strategic conclusion is to stop chasing each regulatory deadline in isolation and build the underlying capability once, to the higher bar, so that whichever obligation applies, EU or UK, current or imminent, you are already meeting it. The Omnibus changed some dates. It changed none of that.
Does the EU AI Act apply to UK businesses after Brexit?Yes, where a UK business places an AI system or general-purpose AI model on the EU market, or where its AI system's output is used in the EU. The Act applies extraterritorially, so UK location is not an exemption.
Did the EU AI Act get delayed in 2026?Partly. The Digital Omnibus deferred most high-risk obligations: Annex III standalone systems to 2 December 2027 and Annex I embedded systems to 2 August 2028. But Article 50 transparency obligations still apply from 2 August 2026, watermarking obligations apply from 2 December 2026, and a new prohibition on nudifier tools applies from 2 December 2026.
Is there a UK AI Act?No. As of mid-2026 the UK has no single AI statute. It regulates AI through existing sector regulators (FCA, ICO, Ofcom, MHRA and others) applying their existing remits, alongside a principles-based blueprint and sandboxes. A private member's bill proposing an AI Authority exists but is not law.
Do UK and EU automated-decision rules now differ?Yes. From 5 February 2026 the UK's Data (Use and Access) Act 2025 made significant automated decisions on ordinary personal data permitted subject to safeguards, inverting the previous prohibition. The EU retains a prohibition-first approach. A UK-compliant strategy does not automatically satisfy EU requirements.
What should a UK enterprise do now?Determine which of your AI is in EU scope, re-baseline high-risk work to December 2027 while keeping August and December 2026 obligations on schedule, decide whether to run one higher-bar approach or separate UK and EU frameworks, and build the underlying capability, inventory, risk classification, run-time control, and evidence, that satisfies both regimes.
Aligne is an AI governance advisory, consulting and implementation partner for UK enterprises and an IBM Gold partner. We help UK organisations build governance to the higher bar once, rather than chasing each regulatory deadline in isolation.
Stay Informed: Engage with our Blog for Expert Analysis, Industry Updates, and Insider Perspectives



let’s design the governance framework your AI strategy deserves
.webp)
Let's Talk