Is There a UK AI Act? UK AI Regulation in 2026

Is there a UK AI Act?

No. The Conservative Government White Paper of 2023 set out a pro-innovation framework based on existing law and existing regulators. Labour, eighteen months on, has not deviated. The European Union passed an AI Act in 2024; the United Kingdom has not, and as of May 2026 no AI Bill sits before Parliament. That leaves the existing law and the existing regulators doing the work: the UK GDPR (as amended by the Data (Use and Access) Act 2025) enforced by the ICO, Ofcom under the Telecoms Security Act 2021 and the Online Safety Act 2023, and the FCA under the FSMA framework and Consumer Duty. The Department for Science, Innovation and Technology sets policy direction across government but does not enforce against firms.

So how is AI regulated in the UK?

In contrast to the EU, the UK has no AI Act: existing regulators regulate AI within their own remits, and DSIT writes policy that is not binding on firms.

The ICO regulates AI on the personal-data side, using its UK GDPR and the Data Protection Act 2018 powers as amended by DUAA 2025 (in force 5 February 2026) and a statutory duty from 12 May 2026 to produce a single Code of Practice on AI and automated decision-making under SI 2026/425. Its AI work now spans an AI and biometrics strategy, a foundation-model engagement programme with eleven major developers, a live facial recognition audit of five police forces, and draft guidance on automated decision-making under new UK GDPR Articles 22A to 22D.

Ofcom regulates AI in telecoms networks under the Telecoms Security Act 2021 and in online services under the Online Safety Act 2023. Its April 2026 open letter to communications providers put frontier AI cyber risk inside the TSA security perimeter and confirmed what the TSA security duty now requires of network operators on AI.

The FCA regulates AI in financial services through the regimes it applies to everything else: Consumer Duty under PRIN 2A, SYSC 8 outsourcing rules where the model is hosted by a third party, the SS1/23 model risk principles for PRA-regulated banks, fair treatment obligations under PRIN, and operational resilience under SYSC 15A where the AI sits inside an important business service. The FCA and ICO joint statement of April 2026 sets out the data-protection mechanics of AI-driven targeted support.

DSIT coordinates AI policy across government, runs the AI Security Institute and signs the international agreements on AI safety. It issues guidance. It does not enforce.

Outside these regulators and DSIT, other sector regulators apply their own rules to AI inside their remits: the Competition and Markets Authority in its DMCCA 2024 digital markets work, the Medicines and Healthcare products Regulatory Agency on AI used as a medical device, the Solicitors Regulation Authority on AI in legal services, and others through their existing rules. AI deployed inside a regulated sector answers to that sector’s regulator first.

Does the EU AI Act apply to my UK business?

For most UK firms with EU customers, yes. The EU AI Act reaches outside the EU on three grounds: where an AI system is placed on the market in the EU (including by a UK provider selling, licensing or providing a service to EU customers), where the AI system’s output is used in the EU, and where the system affects EU residents in employment, public service or other regulated contexts. Any UK business with EU customers, EU employees or EU users will fall within at least part of the Act. The general-purpose AI rules have applied from August 2025; the high-risk obligations commence in August 2026. A UK firm cannot work out which tier applies without mapping each AI use case against the four risk tiers and the prohibited-practice list in Article 5.

What changed in 2026?

The Data (Use and Access) Act 2025 came into force in stages from 5 February 2026 (SI 2026/82). Section 80 rewrote the UK GDPR rules on automated decisions, replacing old Article 22 with new Articles 22A, 22B, 22C and 22D. Old Article 22 worked as a near-prohibition on solely automated decisions with legal or similarly significant effects. The new framework permits those decisions, subject to safeguards: meaningful information about the logic, the right to obtain human review and the right to contest. The threshold for “meaningful human involvement” now sits in statute rather than ICO guidance, which forces firms to document the review more thoroughly than the old guidance demanded. Schedule 4 introduced “recognised legitimate interests” at Article 6(1)(ea): a narrow set of five public-interest purposes (Article 6(1)(e) disclosures, national security and defence, emergencies, crime, safeguarding vulnerable individuals) where the legitimate interests balancing test does not apply.

From 12 May 2026 the Information Commissioner has a statutory duty to produce a single Code of Practice on AI and automated decision-making (SI 2026/425). The Code itself has not been published. The ICO’s draft ADM guidance consultation closes on 29 May 2026; final ADM guidance is expected in summer 2026; the Code itself is likely to follow in 2027.

In financial services, the FCA Consumer Duty applies to AI products in the same way it applies to any other product. The FCA and ICO joint statement of April 2026 sets out what FCA-regulated firms must do under data protection law when they rely on AI to deliver targeted support.

Ofcom’s April 2026 open letter put frontier AI cyber risk inside the TSA 2021 security perimeter. Network operators must build AI threats into their security strategy and document the position.

If we deploy AI in the UK, what rules apply?

Which rules apply depends on what the AI does, not on the fact that AI is involved. Start from the use case and work out which existing law it engages.

Recruitment platforms running shortlisting or rejection decisions through a model are now squarely inside Articles 22A to 22D wherever the decision is solely automated. The ICO will expect a DPIA on file, a human review architecture that does more than confirm the model’s output, and clear candidate-facing information. Volume hiring is the most exposed segment.

A customer service chatbot engages three regimes at once: the UK GDPR on the personal data it processes, consumer protection law on the answers it gives, and the relevant sector rules where the customer is buying a regulated product. The transparency question the ICO will reach for is whether the customer knows they are talking to a machine; the answer needs to be obvious from the interface, not buried in a privacy notice.

Marketing personalisation falls under the UK GDPR and the Privacy and Electronic Communications Regulations. Schedule 4 recognised legitimate interests do not cover direct marketing, so the lawful basis remains Article 6(1)(f) ordinary legitimate interests with the balancing test, or Article 6(1)(a) consent. The cookie regime sits on top.

Agentic AI is the least settled area in 2026. The ICO has begun draft guidance under Articles 22A to 22D. The open commercial questions on consent, contracting, payment-rail liability and indemnity allocation are unresolved, and the firms moving first will set the contractual norms for everyone else.

What about training models on UK data?

The Government stepped back from a proposed copyright training exception in early 2026. There is no UK law that explicitly permits AI developers to train on copyrighted works without a licence; the existing copyright framework applies. Training on third-party text or images therefore needs a licence, a defensible claim under an existing exception (such as the text and data mining exception for non-commercial research), or a fair-dealing argument that neither the regulator nor the courts have yet tested.

On personal data, training is processing under the UK GDPR and a lawful basis is required. For commercial AI training, legitimate interests under Article 6(1)(f) remains the realistic route, with the three-part assessment run in full and the balancing test taking reasonable expectations into account. Schedule 4 recognised legitimate interests do not assist; Parliament drafted them narrowly and training models is not one of the five purposes. Training at any volume, or training that touches special-category data, requires a DPIA. The ICO’s foundation-model engagement programme makes training-data provenance documentation a hard requirement, not an aspiration.

What is the practical compliance picture?

In our experience advising telecoms operators, payments firms and fintechs on data governance, operational compliance turns on six questions:

  1. Most large organisations cannot answer the question “what AI is in use here” with confidence; a meaningful share of AI risk sits in systems nobody has classified as AI. The starting move is an inventory that records what each system does, the data it touches, who owns it and who can switch it off.
  2. AI risk, AI ethics and AI compliance need a single senior accountable executive at board or executive-committee level, not inside IT. Without that allocation, decisions slow and accountability fragments.
  3. The human review architecture is the operational decision Articles 22A to 22D will most often turn on. The new test asks whether there is meaningful human involvement in the decision, not whether someone glanced at it. A reviewer who routinely waves through an algorithmic output is not meaningful involvement, however thorough the audit trail. A defensible review gives the reviewer sight of the inputs, the model output, the confidence signal and the reasons; gives them the training, time and authority to disagree; and records an independent decision. The documentary trail needs to show who reviews, what they review, how they were trained and how often they reach a different conclusion from the model. Get this wrong and the use case sits inside the Article 22B and 22C constraints whether you intended it to or not.
  4. DPIA discipline matters more on inspection than at the point of drafting. The ICO has signalled through its foundation-model engagement output that it will test rigour, not existence.
  5. Procurement contracts have to pull through training-lawfulness representations, model-update notification, audit rights and indemnities. Output and IP clauses with customers have to allocate risk where it can be managed. The information asymmetry between AI vendor and AI deployer is uncomfortable; the contract has to compensate for it.
  6. EU AI Act exposure forces a single strategic choice: run a UK regime and an EU regime in parallel, or harmonise upwards to the EU position for the global product and accept the operational cost.

Where is this going next?

The Labour Government has signalled a UK AI Bill but the 2026 legislative slot looks tight, and the more probable route for the next twelve months is rule-making by regulator rather than primary legislation. The AI Security Institute will keep growing. The ICO’s next material actions are likely to cover generative AI, agentic AI, AI in the workplace and AI explainability. Ofcom will publish AI-specific telecoms security guidance under the TSA 2021 perimeter set by its April 2026 open letter. The FCA will continue to address AI through the Consumer Duty framework and through targeted joint statements with the ICO rather than through a standalone AI rulebook.

Commercial planning has to assume continued rule-making by regulators, not a single UK AI Act, for the next twelve to eighteen months. Firms with EU exposure will keep running two compliance programmes in parallel until the EU AI Act phasing completes in August 2026, and the strategic call on whether to harmonise upwards or run them separately should be made this year rather than next.

Frequently asked questions

Is there a UK AI Act?

No. The UK has not passed an AI-specific statute. UK AI regulation works through the existing laws and regulators. An AI Bill may come in the next session, but as of May 2026 it is not law.

Which UK regulator regulates AI?

Three regulators enforce the law on AI in telecoms, data and payments: the Information Commissioner’s Office on personal data, Ofcom on telecoms and online services, and the Financial Conduct Authority on financial services. The Department for Science, Innovation and Technology coordinates policy and issues guidance across government but does not enforce. Other sector regulators (the Competition and Markets Authority, the Medicines and Healthcare products Regulatory Agency, the Solicitors Regulation Authority and others) cover their own areas.

Does the EU AI Act apply to UK firms?

Often yes. The EU AI Act applies if you place an AI system on the EU market, if your AI system’s output is used in the EU, or if your AI affects EU residents. Most UK firms with EU customers or EU employees should expect at least part of the Act to apply.

What about copyright and AI training?

There is no UK exception for training AI on copyrighted works without permission. The Government dropped that proposal in early 2026. Train on third-party content with a licence, an existing exception (such as text and data mining for non-commercial research) or a defensible claim under fair dealing.

How does the DUAA change AI rules?

The Data (Use and Access) Act 2025 came into force from 5 February 2026 (SI 2026/82). Section 80 replaced Article 22 of the UK GDPR with new Articles 22A, 22B, 22C and 22D. Solely automated decisions are now permitted, subject to statutory safeguards (information about the logic, human review, right to contest). Schedule 4 added Article 6(1)(ea) recognised legitimate interests, a narrow set of five public-interest purposes where the legitimate interests balancing test does not apply.

Do we need to register an AI system in the UK?

Not as such. There is no UK AI registration regime. You may have to register as a data controller with the ICO if you process personal data, and any sector-specific notification or material-outsourcing rules in your industry continue to apply. There is no general AI register.

Viewpoint

Treating AI as a separate compliance workstream is the most common mistake I see at executive committee level. The UK position rewards firms that fold AI into the legal, governance, contracting and risk frameworks they already run, and penalises firms that build a parallel AI programme detached from the rest of the operating model. The headline regime will keep changing. The practical compliance picture will not.

Related reading

The Bratby Law practice-area page on AI and automated decision-making takes the Articles 22A to 22D analysis further. The Data Protection pillar landing places that analysis in the broader UK GDPR picture.
