Charity Digital primer: EU AI Act’s extra-territorial reach for UK charities

TL;DR:

  • Charity Digital has published a UK third-sector primer on the EU AI Act, the world’s first comprehensive AI law, due for full implementation by August 2028.
  • The Act is built on four risk tiers — unacceptable, high, limited, minimum — with extra-territorial scope that can pull in UK charities acting as AI “deployers” in the EU even though the UK isn’t bound directly.
  • CAST’s 2026 AI Survey shows UK charities are themselves asking for “regulation, accountability and slowing down or stopping” — a counterpoint to the assumption that civil society universally wants permissive AI rules.

The Charity Digital piece, written by Mary Wessel, is a useful counter to the assumption that EU AI rules are someone else’s problem for UK organisations. Where the Act bites is on UK charities whose AI-enabled operations touch EU beneficiaries, partners or service users — for example via recruitment platforms, AI-powered chatbots or service-eligibility decisioning.

Context and Background

The European Parliament passed the AI Act in August 2024 with full enforcement phased in by August 2028. Its risk-based architecture is now well-rehearsed: prohibited systems (social scoring); high-risk (recruitment, law enforcement, banking); limited-risk (chatbots, AI-generated images, subject to transparency obligations); and minimum-risk (spam filters). Penalties for breaches at the unacceptable-risk tier sit in the EU’s significant-fines tier.

The UK position is more fragmented. There is no single AI statute; instead AI is regulated through existing sectoral frameworks — FCA and Bank of England for financial services, GDPR for data, plus five non-statutory governance principles (safety, transparency, fairness, accountability, and contestability and redress). For UK organisations, this leaves the practical question of which set of rules to align with on AI projects that span both jurisdictions.

Charity Digital’s recommendation — audit your current AI use, identify your risk category, and act on it regardless of jurisdiction — is sensible third-sector advice, but it generalises. The same audit-first logic applies to UK SMEs, public bodies and regulated firms. The piece notes Trilligent’s view that most nonprofits sit outside the high-risk bracket, with the exception of those making decisions on health, education or service eligibility — the same exception that will catch a lot of public-sector AI work in the UK too.

Looking Forward

UK charities should treat this as a useful nudge to audit AI use and document supplier-level AI dependencies through 2026, ahead of full EU enforcement in 2028. Resultsense expects UK third-sector funders — particularly those with EU partners or EU-based beneficiaries — to start asking about AI governance posture in grant due diligence within the next 12 months, even where there is no direct EU AI Act obligation.