Field notes
The EU AI Act readiness check for small UK businesses
3 June 2026
I had a call last month with a seven-person lettings agency in Leeds. They use an AI tool to screen rental applications, score affordability, and draft offer letters. They had never heard of Annex III. When I mentioned the EU AI Act, the director said: "That's for Google, isn't it?"
It is not.
The Act has been applying in stages since February 2025. If your business touches EU residents, EU data, or EU markets in any way, the territorial scope question is worth thirty minutes of your time now rather than a compliance notice later.
Nothing in this post is legal advice. The EU AI Act is complex legislation with sector-specific nuance. If you believe your systems may fall under high-risk or prohibited categories, get qualified legal counsel. This post is a practical orientation for small business owners, not a substitute for a compliance review.
The Act is not scoped to companies headquartered in the EU. Article 2 captures any AI system "placed on the market or put into service in the Union," regardless of where the provider or deployer is based. A UK agency using an AI screening tool that processes applications from EU nationals, or a UK marketing operator running AI-generated content campaigns for EU clients, is potentially in scope.
The obligations rolled out in phases:
- February 2025: Prohibited practices (Article 5). Banned outright. Social scoring, subliminal manipulation, real-time biometric surveillance in public spaces by law enforcement, certain emotion-recognition uses.
- August 2025: General-purpose AI (GPAI) obligations. Transparency, copyright compliance, technical documentation for frontier models.
- August 2026: High-risk system obligations under Annex III. This is where most small agencies sit if they are in scope at all.
The August 2026 deadline feels distant. It is fourteen months away. For a three-person workflow team with no dedicated compliance resource, fourteen months is about twelve months of inaction followed by two months of panic.
You do not need a legal team to run a first-pass check. You need honest answers to five questions.
1. Do you process data belonging to EU residents?
This includes job applicants, tenants, clients, or campaign contacts based in EU member states. If you run a UK lettings agency with EU-national tenants, or a marketing agency with EU-based clients, the answer is probably yes.
2. Do any of your AI use cases appear in Annex III?
Annex III lists the high-risk categories. The ones most likely to catch small agencies and workflow operators:
- CV screening or candidate filtering (employment, 8(b))
- Creditworthiness or affordability scoring (access to essential services, 5(b))
- Biometric categorisation or emotion recognition
- Education or vocational assessment
- Access to essential public or private services
If you are using an AI tool to rank rental applicants, score mortgage affordability, or filter CVs, you are looking directly at Annex III.
3. Are you the provider or the deployer?
This matters for obligation allocation. If you built the AI system or fine-tuned a model for your specific use case, you are likely a provider and carry heavier obligations including conformity assessments and technical documentation. If you are using an off-the-shelf tool (say, a third-party tenant-screening platform), you are more likely a deployer. Deployers still have obligations: transparency to affected individuals, human oversight, logging, and cooperating with providers on compliance.
4. Are you generating AI content that reaches end users without disclosure?
Article 50 requires that AI-generated content be disclosed as such in certain contexts. Deepfakes, synthetic media, and AI-generated text designed to appear human-authored all carry transparency obligations. If you are producing AI-generated property listings, marketing copy, or client-facing reports without any disclosure, this is worth reviewing now regardless of your Annex III status.
5. Have you documented your AI systems at all?
High-risk system obligations include maintaining technical documentation, logs, and human oversight records. If you have no documentation of what your AI tools do, what data they process, and who reviews their outputs, you are not ready for August 2026. You are also probably not ready for a GDPR audit, which is a separate but related problem.
The Annex III categories are written in regulatory language, but the real-world use cases are mundane. An AI tool that ranks rental applications by "suitability" is doing affordability and creditworthiness scoring. An AI recruitment tool that filters CVs before a human sees them is doing employment-related screening. These are not exotic enterprise deployments. They are the kinds of tools a seven-person agency finds on a SaaS marketplace and starts using inside a week.
The other common gap is Article 50 disclosure. I see this constantly in property marketing. Agencies run AI tools to generate listing descriptions, social copy, and email sequences, and nothing in the output indicates it was AI-generated. For B2C contexts involving EU consumers, that is a transparency obligation, not just a style choice.
The process problem underneath all of this is the same one I wrote about in why most AI pilots fail: tools get adopted faster than governance catches up. The AI Act is, in part, a regulatory response to exactly that pattern.
Run this against every AI tool currently in use in your business.
```yaml
eu_ai_act_readiness_check:
  version: "2026-05"
  business_profile:
    size: "3-15 person agency or workflow operator"
    jurisdiction: "UK (extraterritorial scope applies)"
  gate_1_territorial_scope:
    question: "Do you process personal data belonging to EU residents?"
    if_yes: "Continue to Gate 2"
    if_no: "Low direct exposure. Monitor for client or partner scope."
  gate_2_prohibited_practices:
    deadline: "February 2025 (already in force)"
    checks:
      - "No social scoring systems in use"
      - "No subliminal or manipulative AI techniques targeting users"
      - "No real-time biometric surveillance"
      - "No emotion recognition in workplace or education contexts"
    if_any_flagged: "Stop. Take immediate legal advice."
  gate_3_annex_iii_high_risk:
    deadline: "August 2026"
    categories_to_check:
      - use_case: "CV or application screening"
        annex_ref: "III 4(b)"
        flag: true
      - use_case: "Creditworthiness or affordability scoring"
        annex_ref: "III 5(b)"
        flag: true
      - use_case: "Biometric categorisation or emotion recognition"
        annex_ref: "III 1"
        flag: true
      - use_case: "Education or vocational assessment"
        annex_ref: "III 3"
        flag: true
      - use_case: "Access to essential services decisions"
        annex_ref: "III 5"
        flag: true
    if_flagged:
      - "Determine: are you provider or deployer?"
      - "Request documentation from tool vendor"
      - "Establish human oversight and logging process"
      - "Begin conformity or deployer compliance review"
  gate_4_article_50_transparency:
    deadline: "August 2026 (some obligations earlier)"
    checks:
      - "AI-generated content disclosed where required"
      - "Deepfakes or synthetic media labelled"
      - "Chatbot or AI interaction disclosed to users"
    if_flagged: "Add disclosure language to content workflows now"
  gate_5_documentation:
    checks:
      - "Inventory of all AI tools in use"
      - "Data processed by each tool documented"
      - "Human review steps recorded"
      - "Vendor compliance status requested in writing"
    status: "If none of the above exist, start here"
```

You do not need a compliance programme. You need a list and thirty minutes.
- Write down every AI tool your team uses. Include the ones that came in through individual subscriptions, not just the ones IT (if you have IT) approved.
- For each tool, note what data it processes and whether any of that data belongs to EU residents.
- Flag any tool that screens, scores, ranks, or categorises people in the Annex III categories above.
- Email your flagged vendors and ask: "What documentation do you have for EU AI Act compliance, and are you the provider of record under Article 2?"
- Add a disclosure line to any AI-generated content that goes to EU consumers.
That is not a compliance programme. It is a first-pass map. You cannot build the compliance programme without the map, and most small agencies do not have the map.
The same principle applies to AML and GDPR, which I covered in the AML workflow post for estate agents: the documentation gap is usually the first thing an auditor finds, and it is almost always avoidable.
Every compliance deadline I have watched arrive in the property and agency sector has been preceded by the same phrase: "that's for the big firms." Section 21 reform, Money Laundering Regulations, GDPR in 2018. The small operators who sorted their workflows early spent a few hours on it. The ones who waited spent a few thousand on retrospective fixes, or worse.
The EU AI Act follows the same pattern. The prohibited-practice obligations are already in force. GPAI obligations landed in August 2025. High-risk obligations are fourteen months out. The question is not whether this applies to you. The question is whether you find out now or in August 2026.
If you want a structured look at where your AI workflows sit relative to these obligations, the AI Workflow Audit is designed exactly for this: mapping what you are running, what it touches, and where the process gaps are before they become compliance gaps.