Lolly insists AI governance is now compulsory for businesses

Businesses that deploy high-risk artificial intelligence systems face a compliance deadline of August 2026 under the European Union’s AI Act, a fast-approaching milestone that hospitality technology firm Lolly warns many organisations are ill-prepared to meet.

The EU AI Act, which entered into force on 1 August 2024, adopts a phased implementation schedule. Obligations for general-purpose AI models began applying in August 2025, but the most significant tranche – covering high-risk systems used in areas such as medical diagnosis and credit scoring – will come into full effect next year. Under the Act, AI systems are classified into four risk levels: minimal, limited, high and unacceptable. High-risk systems face stringent controls on risk management, transparency, data protection and human oversight.

Critically for UK companies, the legislation has extra-territorial scope. Any business that develops or deploys AI systems for the EU market, or whose AI outputs are used within the bloc, must comply regardless of whether it has a physical presence there. Non-compliance can trigger fines of up to 7% of global annual turnover.

Chris Brown, technology director at Lolly, said: “The EU AI Act isn’t a future problem, it is fast becoming a reality. By August 2026, businesses using high-risk AI systems will need to demonstrate robust risk management, transparency and ongoing monitoring, and I firmly believe that many won’t be prepared. The time to act is now.”

A proactive approach to compliance: ISO/IEC 42001 certification

Against this regulatory backdrop, Lolly has positioned itself as an early mover by becoming the first UK hospitality technology company to secure ISO/IEC 42001 certification – the international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, ISO/IEC 42001 provides a structured framework that covers AI risk assessment, data governance, human oversight and continuous monitoring. These elements closely align with the core requirements of the EU AI Act.

The certification signals that Lolly has embedded responsible AI controls into the design and deployment of its products, rather than scrambling to retrofit compliance after regulation has crystallised. Brown explained: “Our certification means we already have these controls built into how we design and deploy products. We embed responsible AI from the start, as opposed to putting ourselves in the position where we have to react to regulation later down the line and find ourselves in the position of playing catch-up.”

The standard is designed to help companies prepare for AI regulations globally, not just in the EU. Its benefits extend beyond regulatory alignment to include risk management – identifying and addressing bias, explainability and data misuse – as well as building stakeholder trust, streamlining governance through standardised processes, and offering a competitive differentiator in the market.

Central to Lolly’s approach is its proprietary LollySense methodology for responsible and practical AI in hospitality technology. The framework ensures AI solutions are purposeful and insight-led; practical and measurable; ethically governed; planet-conscious; and designed to enhance rather than replace human expertise.

Peter Moore, chief executive of Lolly, said: “AI is not optional for the future of our sector. This accreditation ensures our hospitality and retail customers can innovate with confidence, knowing governance, accuracy and ethical deployment sit at the heart of everything we build.” Moore, who co-founded the company in 2007 as Consolis before it rebranded to It’s Lolly in 2016, has a background in senior technology roles and a vision for integrating point-of-sale and payment technology with robust security. He has noted that 2026 will be defined by tangible outcomes in hospitality tech and that ethical considerations, particularly those driven by Generation Alpha, are growing in influence.

UK’s principles-based regulation mirrors international standards

Unlike the EU, the United Kingdom has not introduced a standalone AI Act. Instead, the government has adopted a “pro-innovation” and context-specific approach that relies on existing sector regulators interpreting five cross-sectoral principles: safety, transparency, fairness, accountability and contestability. These principles, set out in the UK’s AI Regulation White Paper from August 2023, closely mirror the requirements of ISO/IEC 42001.

Although the framework is currently non-statutory, momentum is building toward a formal statutory structure, with broader AI legislation expected to be brought forward. The UK government has also encouraged the adoption of international standards such as ISO/IEC 42001 to bridge regulatory gaps, meaning Lolly’s certification aligns with both the EU Act and the likely trajectory of UK regulation.

Lolly’s proactive stance extends beyond AI governance to cybersecurity. The company employs robust cybersecurity practices to mitigate the risks posed by cyber attacks – a critical concern in the hospitality sector, which handles vast amounts of sensitive customer data. The average cost of a data breach in UK hospitality is estimated at £2.5 million, and the UK Government’s Cybersecurity Breaches Survey 2024 found that while 74% of larger businesses had experienced breaches or attacks in the previous 12 months, only 22% of hospitality firms had a board member assigned cybersecurity responsibility. Common attack methods include phishing, malware and ransomware, with vulnerabilities ranging from guest data exposure and operational downtime to human error, IoT device weaknesses and third-party supply chain risks.

Lolly, a hospitality technology specialist founded in 2009, delivers cloud-based point-of-sale, payment and smart data solutions to clients ranging from FTSE 100 companies to SMEs. Its end-to-end platform covers the full digital journey – from payments and EPoS to self-serve kiosks, loyalty programmes and pre-order applications – all integrated in real time with a back-office management system. The company’s mission is to make state-of-the-art technology accessible, simple and highly agile, allowing businesses to upgrade as they grow without costly installations. Lolly takes care of the technology, giving clients the tools to run their operations.

Thaddeus Norwell

Business & Technology Writer
Thaddeus Norwell is a business and technology writer based in London, UK. He reports on business trends, digital innovation, and regulatory developments shaping the UK economy, focusing on practical outcomes rather than speculation. His work explores how technology and policy affect companies, markets, and consumers.
· Market and regulatory analysis, fintech sector reporting, enterprise technology coverage
· UK corporate landscape, tax and fiscal policy, interest rates and mortgages, AI regulation, cybersecurity threats, startup ecosystem