Does the EU AI Act apply to Indian and UK companies?

Yes. Article 2 makes the Act extraterritorial. It applies to providers placing AI systems on the EU market regardless of where they are established, and to providers and deployers in a third country where the output of the system is used in the EU. An Indian SaaS firm or a UK studio with EU users is in scope, with no targeting or intent test required.

What exactly applies on 2 August 2026?

Under Article 113, the remainder of the AI Act becomes applicable on 2 August 2026, except Article 6(1) which follows on 2 August 2027. That remainder includes the transparency duties in Article 50, the high-risk obligations in Chapter III for Annex III systems, and the full penalty regime in Article 99. Note that the Digital Omnibus, provisionally agreed in May 2026 but not yet formally adopted, proposes to defer several of these dates.

What are the fines for non-compliance?

Under Article 99, breaching the Article 5 prohibitions can cost up to 35 million euros or 7% of worldwide annual turnover, whichever is higher. Most operator obligations, including the high-risk and transparency duties, carry up to 15 million euros or 3% of turnover. Supplying incorrect or misleading information to authorities carries up to 7.5 million euros or 1% of turnover.

Do I have to label chatbots and AI-generated content?

Yes, if you fall in scope. Article 50(1) requires providers to ensure people know they are talking to an AI unless it is obvious. Article 50(2) requires providers to mark synthetic audio, image, video or text in a machine-readable format. Article 50(4) requires deployers to disclose deepfakes and AI-generated text published on matters of public interest.

How is the UK's approach different?

The UK has no equivalent statutory AI Act as of mid-2026. It uses a principles-based, sector-led model where existing regulators such as the ICO, FCA, Ofcom and CMA apply five cross-sector principles within their own remits. If you sell only in the UK, the EU obligations do not bind you directly, but the moment your output reaches EU users the AI Act applies regardless of the lighter UK regime.

EU AI Act: The 2 August 2026 Deadline Builders Must Plan For

What you need to know

2 August 2026 is the next big milestone. Under Article 113, the remainder of the AI Act becomes applicable on that date, with one carve-out (Article 6(1), which follows on 2 August 2027).
It is extraterritorial. Article 2 binds providers and deployers outside the EU whenever a system is placed on the EU market or its output is used in the EU. Indian and UK builders shipping to EU customers are caught.
Three things land together: the high-risk obligations for Annex III systems, the transparency rules in Article 50, and the full penalty regime in Article 99.
The fines are real. Up to 35 million euros or 7% of worldwide turnover for the worst breaches; up to 15 million euros or 3% for most operator obligations.
One live caveat. The Digital Omnibus, provisionally agreed by EU negotiators in May 2026 but not yet formally adopted, proposes to defer several high-risk deadlines. Plan for the current law and track the amendment.

Watch out

"We are based in Bengaluru, so the EU rules do not apply to us" is the single most expensive misreading of this Act. Article 2 has no intent or targeting test. If a French or German customer uses the output of your model, you are in scope — and ignorance of that is exactly the kind of gap that attracts a regulator's attention once enforcement begins.

Why this date matters more than the headlines suggest

The AI Act entered into force on 1 August 2024, but it switches on in stages. The prohibited-practice bans and AI-literacy duties arrived on 2 February 2025. The rules for general-purpose AI models, the governance structures and the first penalty provisions started on 2 August 2025. The 2 August 2026 milestone is the one that touches the largest number of ordinary product teams, because it brings the high-risk regime and the everyday transparency duties into force at the same moment.

For an Indian fintech selling a credit-scoring API into the EU, or a London studio shipping a recruitment-screening tool to German employers, this is the date the abstract becomes operational. The duties stop being a policy debate and become something an auditor, a customer's procurement team, or a national market-surveillance authority can hold you to.

The risk tiers, and who each one hits

The Act sorts systems by risk, and the obligations scale accordingly. The table below maps the tiers that become live on 2 August 2026 to who they affect and what they demand. Treat it as a triage tool: find your system, then work outwards.

Risk tier	Core obligation	Who it hits	Applies from
Unacceptable (Article 5)	Outright ban — e.g. social scoring, certain biometric practices	Anyone, EU or not	Already live (2 Feb 2025)
High-risk (Annex III)	Risk management, technical documentation, logging, human oversight, conformity assessment, registration	Providers and deployers of in-scope systems	2 Aug 2026*
Limited-risk (Article 50)	Transparency: AI disclosure, synthetic-content marking, deepfake labelling	Providers and deployers of chatbots, generative and deepfake tools	2 Aug 2026*
Minimal-risk	No mandatory obligations; voluntary codes encouraged	Most everyday AI features	n/a

*The Digital Omnibus, provisionally agreed in May 2026 and awaiting formal adoption, proposes deferring stand-alone Annex III high-risk obligations to 2 December 2027 and reportedly adjusting the transparency timeline. Until that text is adopted and published in the Official Journal, 2 August 2026 remains the operative date.

If you build a high-risk system

Annex III lists the high-risk use cases: among them are systems used in employment and worker management, access to essential private and public services such as credit scoring, biometric identification, critical infrastructure, education, and law enforcement. If your product lands in one of those buckets, Chapter III of the Act imposes a stack of duties before you can lawfully place it on the EU market.

The substantive requirements include a documented risk-management system (Article 9), technical documentation demonstrating compliance (Article 11), automatic record-keeping and logging so events can be traced (Article 12), meaningful human oversight built into the design (Article 14), and appropriate accuracy, robustness and cybersecurity. On top of those, providers carry the obligations in Article 16, must put the system through a conformity assessment before market entry, and must register it in the EU database for high-risk systems before deployment.

Pro tip

Start your classification this week, not in July. The hardest part of high-risk compliance is not the paperwork — it is establishing, with evidence, whether you are high-risk at all. Write a one-page memo per product that states the Annex III category you considered, why you do or do not fall into it, and who signed off. That memo is the first thing a customer's legal team will ask for, and the first thing that saves you if a regulator asks later.

If you build chatbots, generative or deepfake tools

Most builders will not be high-risk, but a very large share will be caught by the transparency duties in Article 50 — and these are deceptively easy to overlook because they apply to mainstream, everyday products.

Chatbot disclosure — Article 50(1). Providers of systems intended to interact directly with people must ensure users know they are dealing with an AI, unless that is obvious to a reasonably well-informed person. A support bot on an EU customer's site needs a clear notice.
Synthetic-content marking — Article 50(2). Providers generating synthetic audio, image, video or text must mark the output in a machine-readable format and make it detectable as artificially generated or manipulated. This is the watermarking and provenance-metadata obligation, and it falls on the provider of the generative system.
Deepfake and public-interest labelling — Article 50(4). Deployers must disclose deepfakes, and AI-generated text published to inform the public on matters of public interest, with carve-outs for clearly artistic or satirical work and for content under human editorial review.

The European Commission's draft transparency guidelines, published in 2026, make one point bluntly: a hidden watermark or buried metadata tag does not, on its own, discharge the duty to inform a person at the point of interaction. The Commission expects a combination — visible plain-language notices, audio cues, persistent indicators — alongside the machine-readable mark. If your only plan is an invisible watermark, that plan is incomplete.

Every article here is written by a Verified Builder. Want your name on the next one?

AI Tech Connect lists AI engineers, founders and researchers across India and the UK — and the people hiring browse it to find them. Adding your profile is free.

Become a Verified Builder →

The penalties: what non-compliance actually costs

Article 99 sets the fine ceilings, and they are tiered by the seriousness of the breach. They are deliberately high enough to matter to a multinational and ruinous to a startup.

Up to 35 million euros or 7% of worldwide annual turnover, whichever is higher, for breaching the Article 5 prohibitions.
Up to 15 million euros or 3% of turnover for non-compliance with most operator obligations — this is the band that captures the high-risk and transparency duties.
Up to 7.5 million euros or 1% of turnover for supplying incorrect, incomplete or misleading information to authorities or notified bodies.

The Act includes proportionality language for smaller firms, but a single early-stage company rarely has the cash buffer to treat even the lowest band as survivable. The practical lesson for an Indian or UK builder is that compliance here is not a tax on the large — it is existential for the small.

The UK contrast — and why it does not let you off

It is worth being precise about the UK position, because it is genuinely different. As of mid-2026 the UK has no comprehensive statutory AI Act. It runs a principles-based, sector-led model in which existing regulators — the ICO for data, the FCA for financial services, Ofcom for online safety, the CMA for competition — apply a common set of cross-sector principles within their own remits. The intent is a lighter, more flexible regime than the EU's prescriptive horizontal law.

That divergence is real, but it does not insulate a UK builder from the AI Act. The moment your system's output is used by someone in the EU, Article 2 pulls you into scope regardless of how light the UK regime is at home. The same is true in reverse for Indian builders, who face the DPDP framework domestically yet still inherit EU obligations the instant they sell across the channel. Dual-market builders end up running to the stricter of the two standards by default, which in practice means the EU AI Act sets your floor.

Recommended

Design to the EU standard once, then relax where a market allows it — rather than building to the UK or Indian minimum and retrofitting for the EU later. Transparency notices, audit logs and a documented oversight process are cheap to design in and expensive to bolt on. Build the strict version first; it travels everywhere.

Your next-seven-weeks checklist

Seven weeks is enough time to get the foundations right if you start now. Work through these in order.

Classify every system. For each product, decide: prohibited, high-risk (check it against Annex III), limited-risk under Article 50, or minimal. Write the reasoning down and have someone sign it.
Map your role. Are you the provider (you build and place it on the market) or the deployer (you use someone else's system under your own authority)? The obligations differ, and many teams are both for different products.
Build the documentation spine. For high-risk systems, stand up a risk-management file, technical documentation, and automatic logging now — these take the longest and cannot be faked at the deadline.
Wire in human oversight. Make sure a person can understand, override and intervene in high-risk decisions, and document how. This is a design requirement, not a policy line.
Add transparency labelling. Ship chatbot disclosures, synthetic-content marking and deepfake labels for anything in Article 50 scope, with a visible notice, not just hidden metadata.
Prepare for conformity assessment and registration. If you are high-risk, scope the conformity assessment route and the EU-database registration before market entry, and budget the time a notified body may need.
Track the Digital Omnibus. Assign one person to watch whether the deferral text is formally adopted and published, and adjust your dates only when it is law, not when it is reported.

Primary sources worth bookmarking: the official implementation timeline at artificialintelligenceact.eu/implementation-timeline, the Article 50 text at artificialintelligenceact.eu/article/50, and the penalties in Article 99. For the binding text, cross-check against EUR-Lex and the European Commission's AI Act service desk.