Last updated: 2026-04-11

AI Compliance Overview

A plain-English guide to AI regulation and what it means for your business.

AI regulation is coming. Some of it is already here. If your business uses AI tools — and most do now — you need to understand what's required of you. This guide explains it without the legal jargon.

The Big Picture

Two major pieces of regulation affect UK businesses using AI:

  • The EU AI Act — already law, enforcement starting August 2026. Applies if you serve EU customers or operate in the EU, even if you're a UK company.
  • The UK AI Bill — currently in development. Expected to introduce sector-specific requirements overseen by existing UK regulators.

On top of these, existing laws already apply to AI use: GDPR (data protection), the Equality Act (discrimination), consumer protection law, and sector-specific regulations (FCA for finance, SRA for legal, etc.).

Why Should I Care?

Three reasons:

  1. Fines. The EU AI Act can impose fines up to €35 million or 7% of global annual turnover, whichever is higher. Even for SMBs, fines are proportionate but real.
  2. Liability. If an AI system you deploy causes harm — discriminatory hiring decisions, incorrect financial advice, data breaches — your business is liable. 'The AI did it' is not a defence.
  3. Trust. Customers and partners increasingly want to know that you use AI responsibly. Demonstrable compliance is becoming a competitive advantage.

Am I a 'Deployer' or a 'Provider'?

This is the most important distinction in AI regulation. It determines what you're required to do.

Role | Definition | Example
Provider | You build and supply AI systems to others | You've built an AI chatbot product that other businesses use
Deployer | You use AI systems built by others within your business | Your team uses ChatGPT, Claude, or Copilot for daily work
Both | You use AI tools internally AND supply AI products | You use Claude internally and also sell an AI-powered product

Most UK SMBs are deployers — you use AI tools built by OpenAI, Anthropic, Google, etc. Your obligations are lighter than those of providers, but they're not zero.

Risk Tiers Explained

The EU AI Act categorises AI systems by risk level. Your obligations depend on which tier your usage falls into.

Risk Level | Examples | What's Required
Unacceptable (banned) | Social scoring, real-time biometric surveillance in public spaces, manipulation of vulnerable groups | Prohibited. Cannot be used.
High risk | AI in hiring/recruitment, credit decisions, insurance, education assessment, law enforcement | Full compliance: risk assessments, human oversight, transparency, logging, accuracy monitoring, data governance
Limited risk | Chatbots, AI-generated content, emotion recognition | Transparency: users must be told they're interacting with AI
Minimal risk | Spam filters, AI-assisted scheduling, search recommendations | No specific requirements beyond existing law
Most business AI use is limited or high risk

If you use AI chatbots (limited risk) or AI in hiring, lending, or customer scoring (high risk), you have specific obligations. 'We just use ChatGPT' doesn't mean minimal risk — it depends on what you use it for.

What Do I Actually Need to Do?

At a minimum, every business using AI should:

  1. Know what AI tools your organisation uses and what for (an AI inventory)
  2. Understand the risk level of each use case
  3. Tell people when they're interacting with AI (transparency)
  4. Track what AI is costing you and how it's being used (visibility)
  5. Keep records of AI usage for audit purposes (logging)
  6. Have a human who can intervene in AI-driven decisions (oversight)
  7. Monitor AI outputs for bias or errors (quality)

SpendLil helps with items 1, 4, and 5 today. Items 3, 6, and 7 are on the roadmap.

Timeline

Date | What Happens
February 2025 | EU AI Act: prohibited practices take effect
August 2025 | EU AI Act: general-purpose AI rules, governance structure
August 2026 | EU AI Act: high-risk system obligations take full effect
TBC | UK AI Bill: expected to introduce UK-specific requirements
🚨 August 2026 is the deadline for high-risk compliance

If your business uses AI for hiring, lending, insurance, or other high-risk decisions, you need to be compliant by August 2026. That's not far away.

Next Steps

  • Use the Obligation Checker to find out what applies to your business
  • Read the EU AI Act deep dive for detailed requirements
  • Read the UK AI Bill overview for upcoming UK-specific obligations
  • See what SpendLil covers today and what's coming
  • Download the SMB Compliance Checklist