EU AI Act · UK AI Regulation · SME-Priced

Your AI tools may already be breaking the law.
August 2026 is your deadline.

If you use AI in hiring, lending, diagnostics, or any regulated process, the EU AI Act may apply to you — even as a UK business post-Brexit. Most SMEs have no documentation, no risk assessment, and no governance in place.

Rojaf makes AI compliance affordable and accessible for the businesses enterprise platforms ignore. Our Safety Workshop starts at £495. Our assessments start at £1,500. Both are designed for businesses that don't have a Head of AI Governance on the payroll.

  • High-risk AI Act enforcement deadline: Aug '26
  • Safety Workshops from: £495+
  • Maximum penalty for non-compliance: €30m
  • Typical time to full documentation: 3 wks
EU AI Act Readiness · Recruitment AI Governance · Medical AI Risk Assessment · FCA Model Risk Management · AI Safety Workshops · Candidate Transparency · AI Governance Retainers · High-Risk AI Classification · Bias Auditing
Why this is urgent

The EU AI Act is not theoretical. It's law — and the clock is running.

The EU AI Act entered into force in August 2024. For high-risk AI systems — which includes most AI tools used in hiring decisions, credit assessments, and healthcare support — the compliance obligations must be met by August 2026. That is less than 18 months away.

For UK businesses, Brexit does not provide an exemption. If you have customers, candidates, or patients in the EU — or if your AI tools process personal data about EU residents — the Act applies to you. And client due diligence requests citing AI governance obligations are already arriving at UK businesses today.

Building compliance from scratch under time pressure is expensive. Building it now, while you have runway, is not.

Already seeing due diligence requests?
Enterprise clients are issuing AI governance questionnaires to suppliers. If you can't answer them, you risk losing contracts.
Using third-party AI tools?
Deploying someone else's AI tool in a high-risk application still makes you a "deployer" with your own obligations under the Act.
ICO enforcement is increasing
The ICO has signalled it will act on automated decision-making in employment and financial services. UK obligations exist independently of the EU Act.
Enforcement timeline
August 2026
Deadline for compliance with EU AI Act obligations for high-risk AI systems under Articles 9–15. Penalties up to €30m or 6% of global annual turnover for providers. Up to €15m or 3% for deployers.
  • AI systems used in hiring and employment management → High risk
  • AI tools used in credit scoring and financial decisions → High risk
  • AI in medical device support and healthcare → High risk
  • AI in candidate screening and ranking → High risk
  • AI used in insurance underwriting → High risk
  • Chatbots presenting as human → Transparency obligation
  • Emotion recognition in workplace settings → High risk
Sectors we serve

Three sectors where the compliance exposure is clearest — and most often unaddressed.

Recruitment Agencies
High-risk under EU AI Act
AI tools used in CV screening, candidate ranking, interview assessment, or any automated hiring decision fall under the high-risk classification in Annex III of the EU AI Act. If you use these tools — even through a third-party platform — you have deployer obligations. Client due diligence requests citing AI governance are already reaching UK recruitment firms.
  • Risk classification of all AI hiring tools in use
  • Bias testing and explainability documentation
  • Candidate transparency notices and consent flows
  • Supplier due diligence for third-party AI platforms
  • Human oversight process documentation
  • Data Use and Access Act 2025 alignment
Medical & Aesthetic Clinics
High risk · MHRA + CQC + EU AI Act
Clinics using AI in diagnostics, patient triage, consultation support, or treatment planning face a convergence of obligations from the MHRA, CQC, and EU AI Act. The overlapping regulatory requirements are complex — but the practical steps to meet them are manageable. We map your specific tools to the relevant obligations and tell you exactly what you need to document and implement.
  • AI diagnostic and support tool risk classification
  • Clinical AI governance policy drafting
  • Patient consent and transparency framework
  • CQC-aligned incident logging and audit trails
  • Indemnity provider compliance documentation
  • Practitioner training on AI obligations
Financial Services
High risk · FCA + EU AI Act
AI tools used in credit scoring, fraud detection, insurance underwriting, or customer-facing advice fall under the high-risk classification and are subject to both EU AI Act obligations and FCA model risk management expectations. We bridge both frameworks so you're not running two separate compliance programmes — and help you meet Consumer Duty expectations for AI-driven products.
  • Model risk registers and algorithmic decision documentation
  • FCA Consumer Duty alignment for AI-driven products
  • Explainability and transparency requirements
  • Third-party AI vendor due diligence
  • Staff training and accountability mapping
  • Ongoing regulatory monitoring and updates
Services & pricing

Three levels of engagement. Start where you are.

Many clients start with a Safety Workshop, understand what they actually need, and move into an Assessment. Others come to us already behind a deadline and need to move fast. Both routes work.

01 · AI Safety Workshop
Best starting point · Half day

A structured half-day session for you and your leadership team. We map every AI tool in your business, classify each against the EU AI Act risk tiers, identify your most urgent obligations, and leave you with a clear, prioritised action plan — written up and delivered the same day.

Ideal if you're not sure where you stand and want an expert view before committing to something larger. Most clients who run a workshop either proceed to an Assessment or find the action plan is sufficient for their current level of AI use.

  • Full AI tool inventory and risk classification
  • Prioritised obligations list specific to your sector
  • Written action plan delivered same day
  • Q&A with your compliance advisor throughout
  • 30-minute follow-up call within two weeks
£495+
Per session · Half day
02 · AI Compliance Assessment
Full audit · 2–3 weeks

A full structured audit of your AI systems, data practices, and governance processes. We review everything against the specific obligations that apply to your sector and tools, produce a risk-rated findings report, and deliver a package of policy templates, data flow documentation, and a remediation roadmap.

Designed to withstand client due diligence requests, regulatory examination, insurance underwriting queries, and CQC or FCA review. The deliverables are written for use — not filed and forgotten.

  • Full AI system inventory with risk classifications
  • Gap analysis against your sector's specific obligations
  • Risk-rated written findings report
  • Policy templates ready for immediate use
  • Candidate / customer transparency documentation
  • Prioritised remediation roadmap
  • Presentation walkthrough on delivery
£1,500+
2–3 weeks · Written report
03 · AI Governance Retainer
Ongoing · Stay ahead

AI regulation is not a one-time event. Between now and 2028, the EU AI Act, UK AI frameworks, FCA guidance, ICO enforcement, and sector-specific rules will all continue to evolve. Our retainer gives you dedicated ongoing support to stay compliant as the landscape changes.

Includes a monthly advisory session, access to your dedicated advisor for ad-hoc questions, quarterly governance reviews, new tool assessments when you adopt new AI, staff training sessions, and policy updates when regulations change. Rolling contract — cancel anytime.

  • Monthly advisory session with your dedicated advisor
  • Quarterly governance reviews and policy updates
  • New AI tool risk assessments as you adopt them
  • Staff training sessions (up to 2/year)
  • Regulatory monitoring and change alerts
  • Priority response for compliance queries
£300/mo+
Rolling · Cancel anytime
How it works

From first call to compliance documentation — usually within a month.

01 · Free discovery call
30 minutes. We ask about your business, the AI tools you use, and your current level of documentation. You get an honest view of your exposure and what we'd recommend — before any commitment.
02 · Scoped proposal
A written proposal outlining which service is right for your situation, what it covers, the timeline, and the cost. No ambiguity. You decide in your own time.
03 · Assessment or workshop
We do the work. Your advisory team reviews your tools, maps your obligations, and produces the documentation. You're available for questions — we handle the heavy lifting.
04 · Delivery and handover
A full walkthrough of findings and documentation. Everything explained in plain English. Ongoing support via a retainer if you want us to stay involved as regulation evolves.
Case studies

What compliance engagement looks like in practice.

Recruitment Agency · London
Specialist Financial Services Recruiter · 8 consultants
Passing a client AI audit they previously had no answer to
A specialist financial services recruitment firm had been using an AI-powered CV screening platform for 18 months. A major institutional client issued an AI governance questionnaire as part of their supplier review. The firm had no documentation, no bias testing record, no candidate disclosure process — and one week to respond.
Accelerated Safety Workshop and three-week documentation sprint. Risk register, candidate transparency notice, supplier governance questionnaire template, remediation roadmap, and a plain-English obligations summary — all delivered before the client deadline. Audit passed.
  • 3 wks to full documentation
  • 6 compliance gaps closed
  • Client audit passed
"We had a week to respond to a governance questionnaire from one of our biggest clients and genuinely had no idea where to start. Rojaf turned it around incredibly quickly, explained everything clearly, and the documentation they produced was exactly what we needed."
Managing Director
Financial Services Recruitment Agency, London
Aesthetic Clinic · Bristol
Aesthetic Medicine Clinic · 3 practitioners
Clinical AI tools made safe, documented, and defensible
A growing aesthetic clinic was using an AI consultation support tool when a patient complaint raised questions about decision-making. The clinical director needed to understand their liability position, their MHRA and CQC obligations, and whether the tool's use could be defended. Their indemnity provider had also begun asking questions they couldn't answer.
Full compliance assessment covering EU AI Act risk classification, MHRA guidance alignment, CQC framework mapping, and a complete clinical AI governance policy. Practitioner training sessions and an incident response protocol. The documentation satisfied both the indemnity provider and a subsequent CQC query.
  • 3 wks from assessment to policy
  • 3 practitioners trained
  • Insurer satisfied
"After the complaint came in we were genuinely worried about where we stood. Rojaf were calm, clear, and thorough — they explained our position honestly and produced documentation that covered everything our insurer needed."
Clinical Director
Aesthetic Medicine Clinic, Bristol
FAQ

Common compliance questions.

Honest answers. No regulatory jargon.

Does the EU AI Act apply to UK businesses post-Brexit?
Yes, in many cases. If you provide AI-enabled products or services to customers in the EU, process personal data about EU residents, or use AI tools in applications covered by Annex III, you may have obligations under the Act. This is particularly relevant for recruitment agencies, financial services firms, and medical businesses with any EU exposure. We can assess your position in a Safety Workshop.
We use an off-the-shelf AI tool — are we still responsible?
Yes. Under the EU AI Act, "deployers" — businesses that use an AI system in a professional context — have their own obligations, separate from those of the provider who built the tool. If you use an AI screening platform in recruitment, or an AI diagnostic tool in a clinical setting, you are a deployer and must meet the relevant requirements. This catches many businesses by surprise.
What happens if we're not compliant by August 2026?
Penalties for providers of high-risk AI systems can reach €30m or 6% of global annual turnover. Deployers face up to €15m or 3%. Beyond regulatory penalties, the more immediate risk for most UK SMEs is client due diligence — large enterprise clients are already asking suppliers for AI governance documentation, and inability to provide it is increasingly a contract risk.
What's the difference between a Workshop and an Assessment?
A Safety Workshop is a half-day diagnostic — it tells you where you stand, what your obligations are, and what to prioritise. It's the right starting point if you're not sure of your exposure. A Compliance Assessment is a full audit that produces the actual documentation — risk registers, policy templates, transparency notices, remediation roadmaps — that you need to actually be compliant. Many clients do both in sequence.
We're not using much AI yet. Should we still get a Workshop?
Yes — particularly if you're planning to adopt AI tools in the next 12 months. Getting your governance framework in place before you adopt AI is significantly easier and cheaper than retrofitting it afterwards. A Workshop will also tell you which tools to evaluate carefully before adopting them.
Do you cover both UK and EU regulations?
Yes. Our policy advisor tracks both UK AI frameworks (ICO guidance, FCA model risk management, sector-specific requirements) and EU AI Act obligations. For businesses with any EU exposure, we map both sets of requirements and identify where they diverge. You get one programme that covers both — not two separate workstreams.
Start today

A free 30-minute call. We'll tell you exactly where you stand.

Tell us what AI tools you use and what sector you're in. We'll give you an honest read on your compliance exposure before the call ends — and tell you what, if anything, you need to do about it.

hello@rojaf.co.uk · Wiltshire · Working across the UK