Legislation and regulation
A rundown of the key legislative and regulatory standards and frameworks around AI use.
Introduction
As of early 2026, the United Kingdom does not have a single, standalone "AI Act" nor a dedicated, general-purpose AI regulator. Instead, it operates under a pro-innovation, sector-led regulatory framework. This approach tasks existing regulators such as the Information Commissioner’s Office (ICO), the Competition and Markets Authority (CMA), and the Financial Conduct Authority (FCA) with applying AI governance within their specific domains, guided by five cross-sectoral principles: safety, transparency, fairness, accountability, and contestability. These principles currently remain non-statutory, relying on regulators to interpret and apply them using existing powers.
Significant legislative changes have recently come into force via the Data Use and Access Act 2025 (DUAA) which amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). These reforms expand the circumstances under which automated decision making is permitted, clarify that "scientific research" includes commercial technological development, and introduce new criminal offences for the non-consensual creation of deepfake intimate images.
Alongside these data-specific reforms, two legal statutes continue to provide critical safeguards for AI deployment. The Online Safety Act 2023 imposes strict duties on platforms hosting user-generated content, requiring them to mitigate illegal harms and protect children from harmful AI-generated material, with significant fines for non-compliance. Simultaneously, the Equality Act 2010 remains fully enforceable, serving as the primary legal mechanism to challenge algorithmic bias; organisations using AI in hiring, lending, or service delivery are legally liable if their systems result in discrimination against protected characteristics, regardless of the technology's complexity.
The EU has renewed its adequacy decision for the UK, facilitating data flows, but UK businesses serving the European market must still comply with the EU AI Act, whose high-risk provisions become fully effective in August 2026. The ICO is actively developing a statutory code of practice on AI and automated decision-making, expected in 2026, alongside updated guidance on profiling and the use of personal data in training generative AI.
Standards and Frameworks
There are standards around AI to which it is recommended that organisations refer and adhere. There is no legal requirement to be compliant, but it is good practice to at least be aware of them to help inform decision making and governance set up in your organisation.
- BS ISO/IEC 42001: Artificial intelligence management system
- ISO/IEC 23894: AI risk management (complementary to ISO 31000)
- IEEE guidance on AI ethics and governance
- UNESCO Recommendations on the Ethics of AI
- UK Government: Understanding Artificial Intelligence Ethics and Safety
- AI Standards Hub
UK AI Opportunities Action Plan
Launched in January 2025, the UK AI Opportunities Action Plan aims to position the UK as a global "AI superpower" through Foundations (five AI Growth Zones and expanded supercomputing), Adoption (rewiring public services), and Sovereign AI (£14 billion private investment). A central pillar is the AI Security Institute (AISI) - renamed from the AI Safety Institute in February 2025 to emphasise national security and tackle criminal misuse.
Devolved nation approach
The strategic landscape is multi-layered, with distinct approaches across devolved nations tailored to local priorities:
Scotland’s AI Strategy 2026–2031:
Published in March 2026, this strategy focuses on responsible, inclusive growth. It establishes AI Scotland to coordinate industry and academia, funds a £1 million SME AI Adoption Programme, and leverages renewable energy for green data centres in zones like Lanarkshire.
The Welsh Government’s plan prioritises public service transformation and social equity. It includes a dedicated Office for AI, a Strategic AI Advisory Group, and alignment with the Net Zero Just Transition Framework. A £2.1 million support package is available to boost business adoption, alongside Centres of Excellence developed with trade unions and education providers.
Northern Ireland’s AI Strategic Direction:
Published in late 2025, this framework targets productivity growth and skills development. It features an AI Advisory Panel, a proposed AI Observatory, and efforts to coordinate all-island initiatives with the Republic of Ireland to address common economic and ethical challenges.
Potential Future Developments
The regulatory environment is expected to shift from voluntary principles to statutory obligations later in 2026. The UK government has indicated that a comprehensive Artificial Intelligence (Regulation) Bill will likely be introduced in the second half of 2026.
Public Attitudes
It is important to note that public sentiment strongly favours a more rigorous regulatory approach than currently exists. Recent polling by the Ada Lovelace Institute (2025/2026) reveals that nearly 9 in 10 people in the UK support independent regulation of AI, with the vast majority prioritising safety and positive social impacts over speed of innovation or economic competition. The research highlights a significant "trust gap": 84% of the public fear that the government may prioritise partnerships with large technology companies over the public interest when regulating AI. Furthermore, 72% of respondents stated that specific laws and regulations would increase their comfort with AI technologies. These findings underscore growing public demand for the proposed AI Bill and the statutory empowerment of the AI Security Institute to ensure oversight is perceived as truly independent and robust.
Previous: Risks and considerations Next: Responsible AI governance
