No UK AI Act? Don't Mistake That for No Rules

SMEs and AI Rules, UK AI Act?
SMEs and AI Rules, UK AI Act?

There's a lot of confusion about AI and the rules right now — and it isn't just small business owners feeling it. In one recent survey of 230 compliance, legal and IT professionals by VinciWorks, more than a quarter said they were still working out which rules even apply to them. If the people paid to know this are unsure, it's no wonder a busy SME owner feels in the dark.

That uncertainty has a cost. Among UK small businesses not planning to use AI, many point to data privacy and security worries, and some are held back by ethical concerns — in other words, a fog of "is this even allowed?" is stopping real businesses from using tools that could help them.

So let's clear some of that fog. Starting with the thing almost everyone gets wrong: there is no single UK AI law. No standalone AI Act you're meant to be complying with, no single AI rulebook you've failed to read.

But "no single AI law" doesn't mean "no rules" — and one big piece of European law can reach a UK business in ways most owners don't expect. The businesses that get caught out aren't usually the ones who break some dramatic new AI statute. They're the ones who assumed none of it applied to them.

Here's what actually applies, in plain English.

There is no "UK AI Act" — but that doesn't mean no rules

Let's start with the myth, because a lot of people believe it.

There is no single UK law governing artificial intelligence in the same way the EU now has the EU AI Act. The UK has not passed a standalone AI-specific statute. An AI Bill may come in a future parliamentary session, but as of mid-2026 it is not law.

Instead, the UK regulates AI through the laws and regulators it already has. UK AI regulation works through existing law — UK GDPR enforced by the ICO, Ofcom under the online safety and telecoms rules, and the FCA in financial services.

So there's no scary new AI rulebook to learn — but the obligations you already have, especially around data protection, apply just as much when there's an AI tool in the mix.

One genuinely new development is worth knowing about. The Data (Use and Access) Act 2025 received Royal Assent in June 2025, with changes coming into force in stages. One important area for AI is automated decision-making, where changes applying from February 2026 altered how solely automated decisions with significant effects are handled.

If you use AI to make decisions about people — who to hire, who to offer credit to, or who qualifies for a service — those rules matter. For most small businesses, though, the headline is simpler: your existing data protection duties are the main thing AI touches.

What if I use a recruitment agency that uses AI?

This is a common one.

Say you hire through an agency, and that agency uses AI to produce a shortlist before sending you the candidates. Where do you stand?

In many cases, the regulatory risk is lower if a person genuinely reviews the shortlist and makes the final decision themselves — but only where that review is real, informed and capable of changing the outcome.

If you're not simply rubber-stamping the AI's recommendations, you're more likely to be making a human decision informed by AI rather than a solely automated one. That distinction is important because the law treats purely automated decisions differently from decisions where meaningful human involvement is present.

But it's worth asking the agency three straightforward questions:

  • How does your AI shortlisting work, and has it been assessed for bias or unfair outcomes?
  • Are candidates told that AI is being used in the recruitment process?
  • Is a real person genuinely reviewing candidates, or are the AI's recommendations usually accepted without challenge?

The reason this matters is simple: the AI may already have screened out candidates before you ever see them, and using an agency does not necessarily remove all of your responsibilities.

You don't need to become an expert. You just need to know enough to ask the right questions and expect sensible answers. If the arrangement is significant to your business, this is a good area to get tailored professional advice on

Why an EU law can still reach a business in the West Midlands

This is the part that surprises people, so it's worth slowing down on.

You might assume that because the EU AI Act is an EU law, and you're a UK business, it simply doesn't apply to you. That's the assumption that catches firms out.

The EU AI Act can apply to organisations outside the EU where they place AI systems on the EU market, put them into service within the EU, or produce AI output that is intended to be used in the EU. Post-Brexit status creates no automatic exemption — the practical test is EU market impact, not just where your company is registered.

If that sounds familiar, it should. It's similar in spirit to the way GDPR already reaches some non-EU businesses.

In practice, the question is whether your AI activity is aimed at, used in, or has an intended effect in the EU — for example, if you sell AI-enabled services to EU customers, provide an AI system into the EU market, or use AI to screen applicants based in the EU.

For most local UK businesses serving UK customers, this simply won't apply. But if you trade across the channel even occasionally, it's worth knowing you may be in scope.

What's changed, and what still applies

If you've seen recent headlines about the EU softening its AI rules, here's the plain version.

In mid-2026, the EU confirmed a delay to obligations for some "high-risk" AI systems — things like recruitment and credit scoring — by over a year, pushing the main deadline to December 2027. For the typical small business, that means breathing room. Not a reason to forget about it, but no need to panic either.

Two things, though, haven't been pushed back and are worth having on your radar.

Transparency

The expectation to be open about AI remains on track for August 2026.

The clearest cases are chatbots, where people should know when they're talking to a machine, and synthetic images, audio or video that could pass for real.

For ordinary written content that a human researches, edits and stands behind, the obligation is lighter — though the exact line between "AI helped" and "AI generated" is still being worked out.

A simple principle serves you well: be honest about how AI is used in anything customer-facing, and make sure a real person owns what you publish.

AI literacy

Since early 2025, there has been an expectation — with no size threshold — that if your staff use AI tools, they understand the basics of how those tools work and where they fall short.

For a small business, that doesn't have to mean expensive training courses. It means people aren't blindly trusting AI output they don't understand.

And it's a real gap: one recent survey found roughly four in five organisations lack effective AI training.

A two-minute self-check

Run through these. Each "yes" points to a sensible next step, not a cause for alarm.

Do you use AI to make or heavily influence decisions about people, such as hiring, credit or eligibility?

Keep a human genuinely in the loop.

Does any AI you use place systems on the EU market, support EU customers, or produce output intended to be used in the EU?

The EU AI Act may apply to those activities.

Do customers interact with AI on your site without being told?

Plan to be upfront about it.

Do your staff use AI tools with no guidance at all?

That's the most common gap, and the easiest to close.

"No" to all four? You're in good shape — keep an eye on developments and carry on.

"Yes" to any? None of it is an emergency, but it's worth a small, deliberate step.

If you want to test your own situation in more detail, the European Commission now has an official AI Act Compliance Checker and there are also independent tools that can help you think through whether the Act may apply.

The calm, sensible thing to do this month

Whatever the rules end up being, and whenever they land, the single most useful thing a small business can do costs nothing and puts you ahead of most: write down how your staff should use AI.

A one-page policy — what's acceptable, what isn't, how to handle customer data, and the simple principle that a human checks anything that matters — closes the most common gap of all.

It means that when a rule does apply, a customer asks, or a member of staff isn't sure, there's an answer in writing rather than a shrug.

The rules aren't as frightening, or as immediate, as the headlines suggest. But "no panic" isn't "no action."

One small step now keeps you ahead of whatever comes next.

To make that first step easy, I've put together a free one-page template you can adapt for your own business — it's yours when you subscribe free below.


This is general guidance, not legal advice — AI regulation is moving quickly, so check your specifics with a qualified professional.

A note on how this blog is made: I choose the topics, shape the message, and decide what matters for UK SMEs. I use AI as a working tool to support research, structure and drafting — but the judgement, interpretation and final sign-off are mine. Every post is reviewed, edited and approved by a real person before it is published.