EU/UK AI compliance in 2025: mapping the ICO risk toolkit to EU AI Act deadlines for product teams

The EU AI Act is in force and phasing in over 2025–2027. If you already follow the UK ICO's AI & Data Protection Risk Toolkit, you're partway there: most Act obligations map to existing UK GDPR risk controls. This piece gives you the dates that matter and a practical mapping so product teams can ship compliant features without boiling the ocean.
The dates that actually matter (EU AI Act)
The Act entered into force on 1 Aug 2024. The key application dates for product teams: 2 Feb 2025 (prohibitions and AI literacy), 2 Aug 2025 (governance + GPAI), 2 Aug 2026 (most remaining obligations), and 2 Aug 2027 (some high-risk systems embedded in regulated products). (European Commission, digital-strategy.ec.europa.eu)
Milestones
- 2 Feb 2025 - Prohibited uses & AI literacy begin applying (e.g., untargeted scraping of facial images for recognition is banned). (digital-strategy.ec.europa.eu)
- 10 Jul 2025 - GPAI Code of Practice published by the Commission to help providers demonstrate compliance. Participation is voluntary but influential. (digital-strategy.ec.europa.eu)
- 2 Aug 2025 - Governance + GPAI obligations apply (documentation, transparency, copyright summaries, model evaluation for systemic-risk models). (digital-strategy.ec.europa.eu, Baker McKenzie)
- 2 Aug 2026 - Full application for most systems (risk management, data/tech docs, monitoring, incident reporting). (digital-strategy.ec.europa.eu)
- 2 Aug 2027 - Some high-risk, product-embedded systems gain an extended transition period. (digital-strategy.ec.europa.eu)
 
The UK anchor: the ICO AI & Data Protection Risk Toolkit
The ICO toolkit is a practical set of questions, controls, and templates aligned to UK GDPR. It is currently under review following the Data (Use and Access) Act of 19 Jun 2025, but the control themes remain stable and useful for EU AI Act prep. (ICO)
What the ICO toolkit covers (at a glance)
- Governance and accountability (roles, sign-offs, audit trails). (ICO)
- Data protection impact assessments (DPIA), lawful basis, and necessity tests. (ICO)
- Training data controls (quality, bias, security) and model monitoring. (ICO)
- Transparency to users, human oversight, and redress routes. (ICO)
 
Map: ICO toolkit → EU AI Act obligations
Use the ICO toolkit as your working checklist; add the AI Act-specific outputs noted below.
Governance & risk management
- ICO: assign owners, record decisions, keep an audit trail.
- AI Act add-ons: maintain a risk-management system as the AI Act requires, with documented hazard identification, evaluation, and mitigation; add AI literacy measures for staff by Feb 2025. (digital-strategy.ec.europa.eu)
 
DPIA and technical documentation
- ICO: DPIA for high-risk processing; link to assets and vendors.
- AI Act add-ons: keep technical documentation and logs sufficient for market surveillance authorities; ensure traceability of datasets and evaluation results by Aug 2026. (digital-strategy.ec.europa.eu)
 
Dataset quality, bias, and data governance
- ICO: document sources, lawful basis, minimisation, and quality checks.
- AI Act add-ons: for high-risk systems, implement data governance and management practices (relevance, representativeness, error handling) and post-market monitoring obligations. (digital-strategy.ec.europa.eu)
 
Human oversight & transparency
- ICO: define oversight points and user notices.
- AI Act add-ons: implement usable human-in-the-loop controls and end-user AI interaction disclosures where required; align to the prohibition list from Feb 2025. (digital-strategy.ec.europa.eu)
 
GPAI (foundation models) specifics
- ICO: general risk controls still apply.
- AI Act add-ons: if you provide a GPAI model, meet GPAI transparency obligations (documentation, copyright training-data summary) and, for systemic-risk models, perform model evaluation, adversarial testing, cybersecurity measures, and serious-incident reporting starting Aug 2025; legacy models placed on the market pre-Aug 2025 may have until Aug 2027. Consider aligning with the GPAI Code of Practice (Jul 2025). (digital-strategy.ec.europa.eu, EY)
 
Ship list: concrete outputs product teams should produce
Core documents
- AI System Register (purpose, users, data, risks, owners, deployment status).
- Risk-Management File (hazards, mitigations, residual risk, sign-offs).
- Technical Documentation (architecture, data lineage, metrics, evals, logs).
- DPIA + UK/EU privacy notices keyed to specific features. (ICO)
 
Operational controls
- Human oversight SOPs (when to intervene, roll back, or escalate).
- Post-market monitoring plan (alerts, incident criteria, reporting channel).
- Evaluation harness (accuracy, bias, robustness, drift; release gates). (digital-strategy.ec.europa.eu)
 
For GPAI providers or heavy users
- Training-data summary for copyright transparency.
- Security & testing plan for systemic-risk models (red-team/adversarial tests).
- Participation decision on the GPAI Code of Practice (document rationale). (digital-strategy.ec.europa.eu)
 
90-day backlog (sequenced)
Days 0–15
- Inventory AI use cases; classify risk; identify any prohibited candidates; assign product owners. (digital-strategy.ec.europa.eu)
 
Days 16–45
- Complete DPIAs; draft system registers; define human oversight and rollback SOPs.
 
Days 46–75
- Stand up evaluation and logging; start post-market monitoring; capture AI literacy activities. (digital-strategy.ec.europa.eu)
 
Days 76–90
- Finalise technical docs; run a release-gate dry-run; prepare incident templates.
 
Common traps to avoid
Treating UK and EU as separate builds
- You can often meet both by using the ICO toolkit as the operational backbone and layering AI Act-specific documentation and timing on top. (ICO)
 
Ignoring GPAI dependencies
- Even if you don't provide a GPAI model, your vendors do. Track their Aug 2025 posture and Code-of-Practice participation. (digital-strategy.ec.europa.eu, Baker McKenzie)
 
Waiting for standards to "finish"
- Most obligations apply before all standards are final. Ship the docs and controls now; retrofit to future standards where needed. (digital-strategy.ec.europa.eu)
 
This article is operational guidance for product teams, not legal advice. Source dates and obligations are taken from European Commission materials and the ICO's published toolkit and overview pages; verify applicability to your organisation and model types. (digital-strategy.ec.europa.eu, European Commission, ICO)