Services AI Law Cross-Border AI Compliance
AI Law

Cross-Border AI Compliance: EU AI Act, UAE, and UK in One Framework

You’re registered in Dubai or Singapore. Your clients are in Frankfurt and London. Your model is hosted in the US. The EU AI Act applies to you — right now. We map your obligations across EU, UK, UAE, and Singapore, resolve conflicts between regimes, and build one compliance framework that works globally without parallel processes for each market.
4–8 weeks
Typical engagement
EU · UAE · UK · SG · KZ
Jurisdictions covered
SaaS · Fintech · Platforms
Who we work with

Multiple regimes, one product

EU AI Act reaches further than you think
The EU AI Act applies to any company whose AI system outputs are used in the EU — regardless of where the company is based, where the model is hosted, or where development happens. US and UAE companies with EU clients are in scope. Many don't know it yet.
The UK took a different approach
Post-Brexit, the UK chose a principles-based, sector-led framework rather than the EU's risk-classification model. The same AI product faces different obligations depending on whether it's deployed in Frankfurt or London — and those differences are not always obvious from the regulatory text.
UAE is building fast
The UAE is developing its own AI regulatory framework, with different requirements for government, financial services, and technology sectors. Companies entering the Gulf market are working with incomplete and rapidly evolving rules — and need to build compliance that can adapt.
Singapore and Kazakhstan are moving too
Singapore’s Model AI Governance Framework and MAS guidance are evolving into binding obligations for financial services AI. Kazakhstan’s AIFC is developing AI-specific rules for fintech and capital markets. Companies expanding into APAC and Central Asia are building compliance on top of EU and UAE frameworks — and need to understand where the regimes interact.

EU AI Act vs UK vs UAE vs Singapore vs Kazakhstan: key differences

A side-by-side overview of the three frameworks your AI product is likely subject to.
Dimension EU AI Act UK Framework UAE Regulation Singapore (MAS / PDPC) Kazakhstan (AIFC) Practical implication
Approach Risk-based, mandatory regulation Principles-based, sector-led guidance Sector-specific, developing framework Principles-based, sector guidance (MAS FEAT, Model AI Governance) Sector-specific, AIFC jurisdiction EU sets the compliance floor for all three
Territorial scope Extraterritorial — applies if output used in EU UK market / UK-established companies UAE market and regulated sectors Singapore market and MAS-regulated entities AIFC-registered entities and fintech Non-EU/UK companies may still be in scope
Enforcement AI Office + national competent authorities Existing sectoral regulators (FCA, ICO, CMA) TRA, CBUAE, HCAI and sector regulators MAS, PDPC AFSA, AIFC Court Different regulators, different risk priorities
High-risk obligations Annex IV documentation, conformity assessment, registration No equivalent — handled through existing sector rules Sector-dependent, less formalised No mandatory Annex IV equivalent; MAS guidance for financial services Developing; fintech AI rules most advanced EU Annex IV documentation is the de facto gold standard
Transparency Mandatory disclosure of AI use (chatbots, deepfakes) Recommended, not mandatory Developing — government and regulated sectors prioritised Recommended for financial services AI Developing EU rules are strictest; others developing
Timeline Enforcement phased 2024–2027 Ongoing, no fixed deadline Actively developing; some sectors already live Developing; MAS binding rules expected Actively developing EU deadlines most urgent
The most efficient approach for most companies: build to EU AI Act standard as the compliance baseline. UK and UAE requirements are typically satisfied within that framework, with targeted local additions where needed.

What's included

Cross-jurisdiction use-case and obligation mapping (EU / UK / UAE)
EU AI Act extraterritorial scope analysis — does it apply to you?
Provider / deployer / distributor / component supplier status per jurisdiction
Conflict and gap analysis across applicable regulatory regimes
Single compliance framework design (core baseline + regional overlays)
Jurisdiction selection analysis for AI company structuring
Product documentation and contract updates for each target market
Sales and legal team playbook (jurisdiction-specific requirements matrix)
Go-to-market compliance roadmap (phased by jurisdiction and risk level)
Regulatory dialogue preparation for national competent authorities
Ongoing monitoring framework for regulatory developments across jurisdictions
Internal FAQ and position papers for cross-border deals
ℹ️ We work with non-EU companies assessing their EU AI Act exposure, EU companies expanding into UAE and UK markets, and established multi-market platforms that need to systematise their cross-border compliance approach.

How it works

Step 01
Jurisdiction and scope mapping
Week 1
We identify which jurisdictions your AI systems are in scope for — including EU AI Act extraterritorial reach — and determine your role in each (provider, deployer, or component supplier). We map your current compliance posture against each applicable framework.
Step 02
Conflict and gap analysis
Weeks 2–3
We identify where the three frameworks conflict, where they overlap, and where you have genuine gaps. We assess which obligations are hard requirements and which are soft law or developing guidance.
Step 03
Unified framework design
Weeks 3–5
We design the compliance architecture: an EU AI Act-aligned core baseline that satisfies UK principles and UAE requirements, with targeted regional additions. We produce the documentation, contract templates, and internal guidance for each market.
Step 04
Rollout and playbook
Weeks 5–8
We deliver the internal playbook for legal, sales, and product teams — jurisdiction-specific requirement matrices, deal-level guidance, and regulatory dialogue positions. We support rollout and answer follow-up questions.

How we've helped clients

AI SaaS · USA
Unified EU/UK/UAE compliance framework for a global AI platform
Context
US-based AI SaaS platform hosting its own and third-party models, with clients in the EU, UK, and Middle East. EU AI Act applies extraterritorially because outputs are used in the EU. Three separate compliance approaches were creating deal friction.
Extraterritorial EU AI Act scope confirmed and obligations mapped
Single compliance framework: EU AI Act core + UK and UAE regional overlays
Internal guidance: jurisdiction-specific configuration and documentation by market
Sales matrix: compliance requirements per deal, no custom work per transaction
⏱ 5–7 weeks Outcome: unified framework, reduced sales friction
Fintech · UK/UAE
Jurisdiction structuring and compliance mapping for EU/UK/UAE market entry
Context
Fintech startup with London legal entity and Dubai tech hub, planning simultaneous launch of an ML/LLM scoring product in EU, UK, and UAE banking markets. Needed pre-launch clarity on regulatory structure and compliance obligations.
EU AI Act extraterritorial analysis: applies despite UK/UAE-based operations
Comparative obligations matrix: EU high-risk requirements vs UK principles vs UAE fintech rules
Jurisdiction structuring options: optimal legal entity configuration for AI operations
Phased market entry plan with compliance milestones per jurisdiction
⏱ 4–6 weeks Outcome: informed structuring, compliance built in
B2B Platform · Netherlands
Systematic cross-border compliance for an established AI platform
Context
EU-based B2B AI platform (LLM APIs, ML modules) with clients across EU, UK, and UAE. Fragmented, deal-by-deal compliance approach. Needed systematic mapping and a unified model for international operations.
Full cross-border use-case inventory and role mapping per jurisdiction
Obligation map: mandatory vs soft law vs developing requirements across all three regimes
EU AI Act as core baseline — UK and UAE requirements mapped as overlays
Internal playbook: legal, sales, and product FAQ for cross-border deals
⏱ 6–8 weeks Outcome: systematic compliance, EU AI Act as single source of truth

Frequently asked questions

Does the EU AI Act apply to my company if we are based outside the EU? +
Yes, in many cases. The EU AI Act has extraterritorial scope similar to the GDPR. It applies to providers who place AI systems on the EU market or put them into service in the EU, regardless of where the provider is established. It also applies to deployers of AI systems located in the EU. Practically, this means a US or UAE company whose AI product is used by EU clients — even via an API or SaaS interface — is likely in scope. The key trigger is whether the outputs of your AI system are used in the EU, not where your company is headquartered.
How is the UK AI framework different from the EU AI Act? +
The UK took a deliberately different approach. Rather than creating a new AI-specific law, the UK government assigned responsibility for AI oversight to existing sectoral regulators — the FCA for financial services, the ICO for data protection, the CMA for competition. These regulators apply principles (safety, transparency, fairness, accountability, contestability, explainability) through their existing powers. There are no Annex IV documentation requirements, no mandatory risk classification, and no centralized AI Act-equivalent. The UK approach is more flexible but also less predictable — guidance is still developing and enforcement varies by sector.
What AI regulations apply in the UAE? +
The UAE does not yet have a single comprehensive AI law equivalent to the EU AI Act. Regulation is developing through a combination of: the UAE AI Strategy 2031 (policy framework); sector-specific rules from the Telecommunications and Digital Government Regulatory Authority (TDRA), Central Bank of UAE, and Health sectors; Abu Dhabi-specific regulations for ADGM and ADIO; and Dubai's Smart Government initiatives. For financial services AI, CBUAE and DFSA guidance is most relevant. The framework is developing rapidly and companies entering the UAE AI market should expect ongoing regulatory evolution.
Can I use one compliance framework for all three jurisdictions? +
Yes — and this is the most efficient approach. The EU AI Act is the most demanding of the three frameworks in terms of documentation, risk classification, and procedural requirements. A company that builds to EU AI Act standard will typically satisfy UK principles-based requirements within that framework, since the EU's substantive standards (transparency, human oversight, risk management) align with UK principles. UAE requirements add some sector-specific considerations but generally fit within an EU-aligned baseline. The architecture is: EU AI Act as the core, with UK and UAE regional overlays for jurisdiction-specific requirements.
We are based in the UK — does the EU AI Act still apply to us? +
Post-Brexit, UK companies are not automatically subject to EU law. However, the EU AI Act applies based on where your AI system's outputs are used, not where you are based. If your AI product is used by EU clients, deployed by EU-based deployers, or places your system on the EU market, the EU AI Act applies to you regardless of your UK establishment. Many UK AI companies with EU customers are in scope and need to comply as non-EU providers — which carries the same substantive obligations as EU-based providers.
What does "placing an AI system on the EU market" mean? +
Placing on the EU market means making an AI system available to users in the EU for the first time — whether through a direct sale, a SaaS subscription, an API, or a licensing arrangement. It does not require a physical presence in the EU. A US company that sells its AI SaaS product to EU businesses has placed it on the EU market. A UAE company whose AI module is integrated into an EU client's product may also have placed it on the market, depending on the arrangement. We assess this question as part of our extraterritorial scope analysis.
How do we handle conflicts between EU AI Act requirements and UAE or UK rules? +
Genuine conflicts are rare — the frameworks address different aspects of AI governance with different tools. Where conflicts do arise (for example, different data localisation requirements, different transparency obligations, or conflicting definitions of high-risk), the practical approach is to identify the most demanding requirement and comply with it globally, unless there is a compelling reason to maintain separate standards by jurisdiction. We document conflicts, assess their materiality, and recommend positions that minimise regulatory exposure across all three regimes.
How often do cross-border AI compliance frameworks need to be updated? +
Frequently. The EU AI Act's implementing acts, guidance from the AI Office, and delegated regulations are still being developed. UK sectoral AI guidance is evolving. UAE regulation is actively developing. We recommend a structured review at least annually, and immediately when: a new use-case is launched in a new market; a significant regulatory update occurs in any of your target jurisdictions; or your AI supply chain changes materially. We can support ongoing monitoring on a retainer basis or train your in-house team to track developments independently.

Your AI product is live in multiple markets. Is your compliance framework keeping up?

We map your cross-border exposure in one call — EU AI Act scope, UAE and UK obligations, Singapore and Kazakhstan where relevant. Unified framework from 4 weeks.
Or email us directly: info@wcr.legal