EU AI Act After the Omnibus:
What UK Businesses Actually
Need to Do Now

In May 2026, the EU AI Act Omnibus reached provisional political agreement. One headline dominated: high-risk AI obligations pushed to December 2027. Many UK businesses heard "deadline moved" and filed it away. That's a mistake.

The Omnibus moved one category of deadline. The general obligations — the ones that apply to most businesses using commercial AI tools — haven't moved. August 2026 is still live. And the preparation work for the December 2027 requirements needs to start now if you want to have any hope of meeting it.

What the Omnibus Actually Changed

The EU AI Act has always had tiered timelines. The Omnibus adjusted two of them:

• Standalone high-risk AI systems (Annex III — HR tools, credit scoring, law enforcement, education): obligations pushed from August 2026 to 2 December 2027
• High-risk AI embedded in products (machinery, medical devices, vehicles): pushed to 2 August 2028

What didn't change: the obligations themselves. The technical requirements, risk management documentation, human oversight structures, post-market monitoring, and conformity assessment procedures are all identical. The Omnibus bought time. It didn't reduce the workload.

What's Still Live in August 2026

The general-purpose AI model obligations came into force in August 2025 and are already enforceable. More relevant for most businesses: the general obligations framework — the rules that apply to any organisation deploying AI systems — applies from 2 August 2026. This has not moved.

For UK businesses with EU exposure — serving EU clients, employing EU staff, operating in the EU, or running software that processes EU residents' data — this means:

• AI literacy obligations: You must ensure staff using AI systems have sufficient understanding of how those systems work, their limitations, and when not to rely on them. This is an organisational requirement, not just a training suggestion.
• Prohibited AI practices: Already enforceable since February 2025. If you're using AI for social scoring, real-time biometric surveillance in public, or subliminal manipulation techniques — stop immediately.
• Transparency obligations for certain AI: AI systems that interact with humans (chatbots, AI assistants in client-facing roles) must disclose they are AI. This applies now.

Does the EU AI Act Apply to UK Businesses?

Post-Brexit, UK businesses are not automatically subject to EU law — but the AI Act has extraterritorial scope. It applies if:

• You place AI systems on the EU market (sell software to EU clients)
• You put AI systems into service in the EU (operate AI that affects EU users)
• The output of your AI system is used in the EU

For professional services firms — UK law firms with EU clients, accountancies with European offices, recruitment agencies placing EU candidates — the Act is directly relevant. The "we're UK-based" answer doesn't provide the exemption many businesses assume it does.

Why the December 2027 Deadline Requires Action Now

The high-risk AI obligations for Annex III systems are technically demanding. Meeting them by December 2027 requires work that cannot be compressed into the final few months. Specifically:

• AI system inventory: You need to know which of your AI systems qualify as high-risk under Annex III. CV screening tools, automated credit assessments, and AI-assisted employee performance systems all qualify. This inventory takes time to build accurately — vendor contracts need reviewing, embedded AI in SaaS tools needs identifying.
• Technical documentation: High-risk providers need a technical file covering the system's purpose, architecture, training data provenance, risk management process, accuracy metrics, and human oversight mechanisms. For third-party AI tools, this means getting documentation from vendors — many of whom are not ready to provide it.
• Risk management system: Not a document — an ongoing process. The AI Act requires a continuous risk management system throughout the AI lifecycle. Establishing that takes months.
• Conformity assessment: Some high-risk systems require third-party conformity assessment. The pool of accredited assessors is limited. Queue times are already growing.

Firms that begin this work in late 2027 will not meet the December deadline. The window to start is now.

The Practical Starting Point

For most UK professional services firms, the right sequence is:

1. Complete an AI inventory. Every AI tool in use — including third-party software with embedded AI features. Note which handle personal data and which involve consequential decisions about individuals.
2. Classify against Annex III. For each tool, assess whether it falls into a high-risk category. If uncertain, err on the side of assuming it does — the cost of preparing unnecessarily is lower than the cost of a missed obligation.
3. Implement August 2026 obligations now. AI literacy programme for staff, transparency disclosures for client-facing AI, prohibited practice audit. These should already be in progress.
4. Begin technical documentation for high-risk systems. Start with the systems most clearly in scope. Request documentation from vendors. Flag gaps.

The Real Competitive Risk

The businesses most exposed to EU AI Act enforcement are not the ones that made a deliberate decision to ignore it. They're the ones that heard "deadline moved to 2027," relaxed, and then discovered eighteen months later that they need six months of work completed in three.

Penalties under the Act reach €35 million or 7% of global annual turnover for the most serious violations. For a professional services firm of any size, that is an existential number. The August 2026 general obligations — the ones that haven't moved — carry penalties up to €15 million or 3% of turnover.

The Omnibus was not a reprieve. It was a deadline adjustment for one tier of a multi-tier regulation. The work hasn't reduced. The risk hasn't reduced. The calendar just has more visible room in it — which tends to make the work feel less urgent than it is.