What EU AI Act requirements apply to Irish and UK-based organisations?

What are the EU AI Act requirements for organisations in Ireland and the UK?

The EU AI Act (Regulation (EU) 2024/1689) is a risk-based regulation that applies directly in Ireland and across the EU. It sorts AI systems into four tiers: prohibited practices under Article 5 (banned since 2 February 2025), high-risk systems under Article 6 with Annex I and Annex III (carrying the heaviest obligations), limited-risk systems with transparency duties under Article 50 (applying from 2 August 2026), and minimal-risk systems with no additional obligations. In the United Kingdom the Act does not apply domestically, but UK organisations must comply when they place AI systems on the EU market or when their system's output is used in the EU.

What an organisation must actually do depends on its role for each system - provider or deployer - and on the system's risk tier. In Ireland, enforcement is distributed: eight national competent authorities were designated under S.I. No. 366/2025, including the Data Protection Commission (DPC), and an AI Office of Ireland is planned as the coordinating authority under the Regulation of Artificial Intelligence Bill 2026, which is not yet enacted. The UK has no AI Act equivalent and follows a principles-based, regulator-led approach through the ICO and sectoral regulators. In both jurisdictions, the GDPR continues to apply in full wherever an AI system processes personal data.

• Ireland: the Act applies directly. Eight national competent authorities were designated under S.I. No. 366/2025 - including the DPC, the Central Bank of Ireland, the CCPC, ComReg, the Health and Safety Authority and the HPRA - with five more announced in September 2025 awaiting formalisation, to be coordinated by a planned AI Office of Ireland.
• UK: there is no domestic AI Act equivalent. The UK follows a principles-based, regulator-led approach through the ICO and sectoral regulators, alongside the AI Safety/Security Institute - but the EU AI Act reaches UK firms extraterritorially under Article 2.
• Both jurisdictions: where an AI system processes personal data, GDPR duties continue in full - Article 30 records of processing and, for high-risk processing, an Article 35 DPIA - enforced by the DPC in Ireland and the ICO in the UK.
• Already applying: the Article 5 prohibitions and the Article 4 AI literacy duty since 2 February 2025, and general-purpose AI model obligations since 2 August 2025.

What is the first EU AI Act compliance step for Irish and UK organisations?

The first step is to create an AI inventory that records each AI system, purpose, owner, vendor, user group, data inputs, output use, geography, role, risk tier, evidence and review status.

For most Irish organisations, that inventory supports scope, role and risk classification under the EU AI Act. For UK-based organisations, it helps identify whether an EU market, EU use or EU-output link brings the system into scope.

• System name and owner.
• Business purpose and user group.
• Whether the organisation is provider, deployer, importer, distributor or another operator.
• Whether the system is internal, vendor-supplied or customer-facing.
• Whether the system may fall into prohibited, high-risk, limited-risk or minimal-risk categories.
• Whether Article 50 transparency duties may apply.
• What evidence exists for human oversight, policies, testing, monitoring and approvals.
• When the system must be reviewed again.

The risk-based framework: four tiers of obligation

The Act regulates by risk, not by technology. The same underlying model can sit in different tiers depending on what the system is used for, and the obligations attach to the use case. Classification is therefore the first compliance task: every AI system in scope needs a documented tier decision before the organisation can know which duties apply to it.

The four tiers, and the headline obligation attached to each, are set out below.

• Prohibited practices (Article 5): banned outright, applying since 2 February 2025.
• High-risk systems (Article 6, with Annex I and Annex III): permitted but subject to the Act's core compliance regime - providers must complete a conformity assessment before placing the system on the EU market, and deployers carry use, oversight and, in some cases, fundamental rights impact assessment duties.
• Transparency-risk systems (Article 50): systems that interact with people, generate or manipulate content, or perform emotion recognition or biometric categorisation carry disclosure duties from 2 August 2026.
• Minimal-risk systems: no additional obligations beyond the cross-cutting Article 4 AI literacy duty, which has applied to providers and deployers across all tiers since 2 February 2025.

When do the obligations apply? The EU AI Act timeline

Application is staged. Several tranches already apply, the Article 50 transparency date of 2 August 2026 is settled, and the high-risk dates are the one moving part. Under current law, high-risk obligations apply from 2 August 2026 for Annex III systems and from 2 August 2027 for high-risk AI embedded in Annex I regulated products.

The 'Digital Omnibus' package, provisionally agreed on 7 May 2026 but not yet in force, would move those high-risk dates to 2 December 2027 and 2 August 2028 respectively. Until the Omnibus is formally adopted, organisations should plan against the current statutory dates and treat the later dates as provisional.

Who must do what: provider duties vs deployer duties

The Act assigns obligations by role. A provider develops an AI system or places it on the EU market under its own name; a deployer uses an AI system under its own authority. Most organisations in Ireland and the UK are deployers of vendor-supplied AI for most of their systems, and deployer duties are lighter than provider duties - but they are real, and some have applied since February 2025.

The same organisation can hold both roles at once: a deployer of a procured HR screening tool can simultaneously be the provider of an AI feature it builds into its own product. The role decision therefore has to be made system by system and recorded.

• Providers: must not place prohibited systems on the market; must complete a conformity assessment for high-risk systems before placing them on the EU market; providers of Annex III high-risk systems must register them in the EU database under Article 49; GPAI model providers carry the model obligations applying since 2 August 2025; and Article 50 transparency duties apply from 2 August 2026.
• Deployers: must not use prohibited systems; carry the Article 4 AI literacy duty (since 2 February 2025); meet Article 50 transparency duties for in-scope systems from 2 August 2026; carry use and oversight duties for high-risk systems when the high-risk regime applies; and certain deployers must complete an Article 27 fundamental rights impact assessment before first use of a high-risk system.
• Scope limit on registration: merely using a vendor-supplied high-risk tool does not require a deployer to register it in the EU database - only deployers that are public authorities register their use.
• Both roles, both jurisdictions: where the system processes personal data, the GDPR applies in parallel - Article 30 records and, for high-risk processing, an Article 35 DPIA.

Registration under Article 49: most organisations do not register

Registration in the EU database under Articles 49 and 71 is far narrower than many buyers assume. Providers of Annex III high-risk AI systems must register those systems in the EU database, and deployers that are public authorities must register their use of such systems. A company that merely uses a high-risk tool supplied by a vendor does not register it, and limited-risk and minimal-risk systems are never registered.

The practical consequence is that for most Irish and UK organisations the registration duty simply does not arise. What does remain worthwhile is an internal AI inventory with a documented tier and role decision for each system - not because Article 49 requires it of deployers, but because it is the evidence base every other obligation in this guide depends on.

• Must register: providers of Annex III high-risk AI systems, in the EU database.
• Must register their use: deployers that are public authorities using Annex III high-risk systems.
• Do not register: private organisations merely using a vendor-supplied high-risk tool.
• Never registered: limited-risk (Article 50) and minimal-risk systems.

Which systems are high-risk? The Annex III areas

Annex III lists eight areas in which AI systems are classified as high-risk under Article 6. The list is use-case based, and the European Commission can amend it, so classification should be treated as a living judgement that is revisited as the list and the organisation's systems change. The eight areas are:

• Biometrics.
• Critical infrastructure.
• Education and vocational training.
• Employment and worker management.
• Access to essential private and public services, including creditworthiness assessment and life and health insurance pricing.
• Law enforcement.
• Migration, asylum and border control.
• Administration of justice and democratic processes.

Article 27: who must complete a fundamental rights impact assessment (FRIA)?

Article 27 requires certain deployers to complete a fundamental rights impact assessment before first use of a high-risk AI system. The duty falls on deployers that are public bodies or private operators providing public services, and on deployers of certain Annex III systems - specifically systems used for credit-scoring and for risk-pricing in life and health insurance.

The FRIA complements rather than replaces a GDPR Article 35 DPIA, so where a high-risk AI system processes personal data both assessments can apply, and evidence can be reused across them. For a side-by-side comparison of the DPIA and the FRIA, see the DPIA tools comparison guide in the related research below.

Penalties under Article 99

Article 99 sets three tiers of administrative fines, each expressed as a fixed amount or a percentage of total worldwide annual turnover. For SMEs and start-ups the Act softens the regime: each fine is capped at the lower of the fixed amount and the turnover percentage.

In Ireland these penalties will be applied through the designated national competent authorities. In the UK there are no domestic AI Act fines, but a UK organisation in scope under Article 2 faces the same EU penalty tiers for its EU-facing systems - and the ICO can separately enforce UK GDPR penalties where AI processing of personal data breaches UK data protection law.

• Prohibited practices (Article 5): up to EUR 35 million or 7% of total worldwide annual turnover.
• Most other obligations, including Article 50 transparency duties and deployer duties: up to EUR 15 million or 3% of total worldwide annual turnover.
• Supplying incorrect, incomplete or misleading information to authorities: up to EUR 7.5 million or 1% of total worldwide annual turnover.
• SMEs and start-ups: each fine is capped at the lower of the two amounts.

The GDPR overlay: RoPA and DPIA duties still apply

The EU AI Act does not displace the GDPR. In both Ireland and the UK, an AI system that processes personal data must appear in the organisation's Article 30 record of processing activities (RoPA), and where the processing is likely to result in a high risk to individuals, an Article 35 DPIA is required before the processing begins. The DPC enforces these duties in Ireland under the EU GDPR, and the ICO enforces them in the UK under the UK GDPR - and in the UK this GDPR layer applies even though the AI Act itself does not apply domestically.

For most organisations the GDPR record is the foundation the AI Act evidence builds on: the Article 30 entry establishes what the system processes and why, and the DPIA carries most of the personal-data risk analysis that an AI Act file needs. The RoPA and DPIA guides linked under related research and related tools below cover those obligations in detail.

• Article 30 RoPA: record the AI processing, its purposes, data categories, recipients, transfers and retention - in Ireland under the EU GDPR and in the UK under the UK GDPR.
• Article 35 DPIA: required where AI processing is likely to result in a high risk to individuals; AI-driven profiling and innovative technology commonly trigger it.
• Enforcement: the DPC (Ireland) and the ICO (UK) enforce the GDPR overlay in parallel with any AI Act duties.

Ireland vs the UK: a side-by-side comparison

The same AI system can carry materially different statutory duties depending on which side of the Irish Sea it is deployed. The table below summarises how the position differs for an organisation operating in both markets.

How Acompli supports EU AI Act readiness

Acompli supports EU AI Act readiness alongside GDPR workflows. The platform helps teams inventory AI systems, classify each one by role and risk tier with the rationale recorded, draft and structure assessment content, and route every output to a named reviewer for approval. The AI System Register, Member-State conformity templates and Article 27 FRIA sections are available on opt-in (early access), not as shipped guarantees for every organisation. The software assists, drafts, classifies and surfaces; a human always reviews and approves, and final legal calls rest with your DPO or legal advisers.

Because AI Act evidence and GDPR evidence share the same underlying facts, the practical goal is one connected record: AI systems linked to their Article 30 entries, DPIAs, risks and suppliers, so the organisation can show how each classification and transparency position was reached. This guide is general information for compliance teams comparing obligations across Ireland and the UK; it is not legal advice, and the obligations that apply to a specific system should be confirmed with your own legal advisers.

Primary sources

• Regulation (EU) 2024/1689 - the EU Artificial Intelligence Act (EUR-Lex)
• Council of the EU - Digital Omnibus on AI provisional agreement, 7 May 2026
• European Parliament - Digital Omnibus on AI legislative train
• European Commission AI Act Service Desk - implementation timeline
• Department of Enterprise, Tourism and Employment - EU Artificial Intelligence Act
• S.I. No. 366/2025 - designation of Irish national competent authorities for the EU AI Act (Irish Statute Book)
• Department of Enterprise, Tourism and Employment - General Scheme of the Regulation of Artificial Intelligence Bill 2026
• ICO - Artificial intelligence guidance hub (UK)

EU AI Act requirements FAQ