AI Regulation: What UK Companies Need to Know
About the UK and EU Frameworks

Artificial intelligence is already being used across recruitment, healthcare, research, customer services, compliance, contracting and operational decision-making. In many organisations, however, governance frameworks have not yet caught up with deployment.

For UK businesses, one of the challenges is that AI regulation does not sit within a single legal regime. Depending on the use case, organisations may need to navigate data protection law, discrimination law, sector-specific regulation, product liability, procurement obligations and contractual risk allocation – often simultaneously.

The UK has so far adopted a principles-led and regulator-driven approach rather than introducing a standalone AI Act. By contrast, the EU has introduced a detailed horizontal framework under the EU AI Act, with potentially significant implications for UK organisations whose AI systems, services or outputs reach into the EU market.

This article provides a practical overview of the current UK landscape and highlights where the EU framework may become relevant for UK organisations, particularly those operating internationally or collaborating across borders.

This article focuses primarily on the UK position as at May 2026. References to the EU AI Act and related EU legislation are included for general informational purposes only. I am not an EU law adviser and organisations potentially within scope of the EU AI Act should seek advice from appropriately qualified EU counsel.

What Do We Mean by “AI” – and What Is Not AI?

Before mapping the regulatory landscape, it is worth being precise about what we mean by artificial intelligence. Regulators in both the UK and EU have deliberately avoided rigid statutory definitions to prevent rules from becoming technologically obsolete, but there are working frameworks that help draw the line.

The EU AI Act, Regulation (EU) 2024/1689, provides the most detailed current definition. Under Article 3(1), an “AI system” is a machine-based system that:

  • is designed to operate with varying levels of autonomy;
  • may exhibit adaptiveness after deployment; and
  • for explicit or implicit objectives, infers from the input it receives how to generate outputs – such as predictions, content, recommendations, or decisions – that can influence physical or virtual environments.

The core concepts are inference, autonomy, and adaptiveness. An AI system learns, adapts, and draws conclusions from data rather than simply executing pre-programmed instructions.

In the UK, the Department for Science, Innovation and Technology (DSIT) has not adopted a single statutory definition. Government guidance broadly describes AI as computer systems able to perform tasks normally requiring human intelligence – such as visual perception, speech recognition, decision-making, and language translation. The regulatory focus is on systems that demonstrate meaningful autonomy and adaptiveness, rather than the technology itself.

What Is Generally Not AI

The following categories generally fall outside the definition of AI in both the UK and EU:

  • simple rule-based or “if-then” logic systems with no learning or inference capability;
  • basic statistical methods and deterministic calculations;
  • systems requiring full manual human involvement for every decision;
  • keyword-only search or filtering tools without natural language understanding or ranking by inference;
  • traditional workflow automation software that executes fixed sequences without learning from data; and
  • standard database lookups and reporting tools.

Practical illustration: A spreadsheet formula that flags CVs containing the words “Python” or “Java” is not AI. A machine learning model trained on historical hiring data that scores CVs by predicted interview success, adapts to recruiter feedback over time, and ranks candidates accordingly – that is AI.

The UK Regulatory Landscape: No Single AI Law

The UK has deliberately chosen not to enact a standalone AI Act. As at May 2026, there is no single statute that comprehensively governs AI across all sectors. Instead, the government’s approach – set out in the March 2023 White Paper A Pro-Innovation Approach to AI Regulation – is sector-based and principles-led.

The Five AI Principles

DSIT has established five cross-cutting principles that existing regulators are expected to apply within their own remits:

  • safety, security, and robustness;
  • appropriate transparency and explainability;
  • fairness;
  • accountability and governance; and
  • contestability and redress.

These principles do not create direct legal obligations. They guide how regulators interpret and apply existing law to AI systems.

Key Regulators and their AI Mandates

Different regulators apply different frameworks depending on the sector and function involved:

  1. Information Commissioner’s Office (ICO): The lead regulator where AI processes personal data. The ICO applies UK GDPR and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025 (DUAA). Following changes introduced by the DUAA, which took effect in February 2026, the rules on solely automated decision-making have been updated – organisations now have greater flexibility to use AI for significant decisions provided specific safeguards are implemented. The ICO published a package of materials on automated decision-making in March 2026 (including the “Recruitment Rewired” report) and a consultation on updated draft guidance that ran until May 2026. The ICO’s guidance makes clear that nominal human involvement in AI-assisted decisions is insufficient – human oversight must be genuine and capable of affecting the outcome.
  2. Equality and Human Rights Commission (EHRC): Applies the Equality Act 2010 to AI systems. Employers and service providers remain liable for discriminatory outcomes caused by AI tools they deploy, even where the AI was built by a third party.
  3. Medicines and Healthcare products Regulatory Agency (MHRA): Regulates AI as a Medical Device (AIaMD). The MHRA’s AI Airlock sandbox pilot concluded in March 2025. A dedicated AIaMD regulatory framework is expected in 2026, alongside findings from the National Commission into the Regulation of AI in Healthcare, launched in December 2025. New post-market surveillance regulations came into force in June 2025.
  4. Financial Conduct Authority (FCA): Applies existing frameworks – including the Consumer Duty and the Senior Managers and Certification Regime – to AI in financial services. The FCA has committed to publishing comprehensive AI guidance by end of 2026.
  5. Competition and Markets Authority (CMA): Monitors the impact of AI on market competition and consumer outcomes.

Upcoming UK AI Legislation

The UK government has confirmed it will not introduce a standalone, comprehensive AI law. Instead, AI governance is being layered through cross-cutting and sector-specific legislation.

In the King’s Speech of May 2026, the government introduced the Regulating for Growth Bill, which establishes cross-economy regulatory sandboxes – referred to as AI Growth Labs – enabling companies to test AI systems in real-world conditions under time-limited, supervised pilots with targeted modifications to existing rules.

The Cyber Security and Resilience Bill, introduced to Parliament in November 2025 and continuing through its legislative stages, includes powers to designate data centre operators as operators of essential services and to mandate security measures for critical AI data centre infrastructure.

The expectation of a dedicated AI Bill has been further delayed by domestic disputes over copyright law – specifically, how training data is sourced for AI models and what rights creators retain. Following consultation, the government stepped back from its preferred option of a broad text and data mining exception, and the legislative framework for AI and copyright remains under active consideration.

Practical Contracting and Procurement Issues

For many organisations, AI risk arises not from developing AI systems internally, but from procuring third-party tools.

AI procurement raises a number of important legal and governance questions that are often overlooked during commercial negotiations.

Organisations procuring AI systems should consider:

  • allocation of responsibility for inaccurate, biased, or hallucinated outputs;
  • transparency around training data and model limitations;
  • audit and testing rights;
  • cybersecurity and confidentiality obligations;
  • permitted use of customer data for model training;
  • intellectual property ownership and infringement risk allocation;
  • human oversight responsibilities and operational governance;
  • regulatory cooperation obligations;
  • record retention and logging capabilities; and
  • exit rights if regulatory requirements or risk assessments change.

In practice, many organisations remain heavily reliant on vendor assurances while having limited visibility into how AI systems were trained, validated, or tested.

UK Regulatory Lens: Two Worked Examples

Example A: A UK Recruitment Agency Using AI to Review CVs and Shortlist Candidates

A UK recruitment agency integrates a third-party AI tool into its hiring workflow. The tool ingests CVs, extracts information from them, scores each candidate against a vacancy specification, and produces a ranked shortlist. A recruiter reviews the shortlist before making contact decisions.

Key regulatory considerations in the UK:

  1. UK GDPR and the Data Protection Act 2018 (as amended by the DUAA): Candidates’ CVs contain personal data. The agency needs a lawful basis for processing under UK GDPR and must ensure its privacy notice describes AI use. Automated decision-making rules are particularly important: if the AI tool is producing a shortlist that the recruiter simply approves without substantive review, this may constitute solely automated decision-making within the meaning of the UK GDPR. The ICO’s “Recruitment Rewired” report (March 2026) found that many employers using AI in recruitment were, in practice, engaging in solely automated decision-making without realising it. The DUAA has introduced greater flexibility for automated decisions, but only where the organisation implements appropriate safeguards – including transparency with candidates, the right to request human review, and meaningful human oversight. A Data Protection Impact Assessment (DPIA) is mandatory before deploying high-risk AI of this kind.
  2. Equality Act 2010: AI models trained on historical hiring data can encode and amplify existing biases across protected characteristics – age, disability, sex, race, and others. If the tool systematically disadvantages candidates with a protected characteristic, the agency faces liability for indirect discrimination, regardless of whether the bias originated in the vendor’s algorithm. Regular bias audits, review of training data provenance, and human review of borderline decisions are practical safeguards.
  3. DSIT guidance: DSIT has published “Responsible AI in Recruitment” guidance that sets out ethical risks and assurance mechanisms for organisations procuring and deploying AI in hiring. It reinforces the five AI principles and expectations around accountability.
  4. Transparency: Candidates should be informed that AI is used in the recruitment process. The ICO’s guidance confirms this is part of the transparency obligation under UK GDPR.

Summary for Example A: The primary UK regulatory concerns are data protection (including the DPIA and automated decision-making rules), discrimination law, and transparency obligations. There is no single AI-specific law that applies, but the combined effect of UK GDPR, the DUAA, and the Equality Act creates a substantive compliance framework.

Example B: A UK Research Institute Using AI to Process Clinical Samples and Associated Clinical Data

A UK research institute is running an observational study into the effectiveness of a treatment for a disease. It is using an AI tool to analyse clinical samples alongside associated clinical data (including patient diagnoses, treatment records, and outcomes) to identify patterns relevant to treatment effectiveness.

Key regulatory considerations in the UK:

  1. UK GDPR and the Data Protection Act 2018: Health data is special category personal data under UK GDPR Article 9. Processing requires both a lawful basis and an additional condition for special category data – such as explicit consent, or substantial public interest in scientific research (Schedule 1, DPA 2018). The ICO’s guidance on health research data applies. Given the scale and sensitivity of processing, a DPIA is mandatory.
  2. Research ethics governance: Clinical research using patient data requires approval from a Research Ethics Committee (REC) and, in many cases, review by the Health Research Authority (HRA). Where identifiable patient data is used without consent for research purposes, review by the Confidentiality Advisory Group (CAG) may be required under section 251 of the National Health Service Act 2006.
  3. NHS Data Security: Where the research accesses NHS data or systems, compliance with the NHS Data Security and Protection Toolkit is expected. Data sharing agreements with NHS organisations need to reflect the applicable governance requirements.
  4. ICO guidance on AI and health data: The ICO’s guidance on AI and data protection emphasises data minimisation, purpose limitation, and the need for robust anonymisation where full identifiability is not necessary for the research purpose.

Summary for Example B: The UK regulatory framework for this example is complex and multi-layered – data protection law, research ethics governance, and NHS-specific requirements all interact. The application of AI does not create an entirely new regulatory category; instead, it adds complexity to an already demanding governance framework.

The EU AI Act: A Different Approach

Whereas the UK has opted for a sector-based, principles-led approach, the EU has enacted a horizontal, risk-based regulation: Regulation (EU) 2024/1689, the EU AI Act, which entered into force on 1 August 2024.

Risk Tiers Under the EU AI Act

The Act organises AI systems into four tiers:

  1. Unacceptable risk (prohibited): These AI practices have been banned entirely. The prohibition has applied since 2 February 2025 and covers: AI-based social scoring by public authorities; real-time remote biometric identification in public spaces (with narrow law enforcement exceptions); emotion recognition in the workplace and educational institutions (with limited exceptions for medical or safety purposes); biometric categorisation systems that infer sensitive characteristics; subliminal manipulation techniques; and exploitation of vulnerabilities. A provisional political agreement reached on 7 May 2026 (the “AI Omnibus” simplification) also adds a prohibition on AI used to generate non-consensual intimate imagery or child sexual abuse material.
  2. High-risk AI systems: Subject to the most demanding obligations. High-risk AI falls into two categories:
    • AI systems that are safety components of products regulated under EU harmonisation legislation – such as medical devices (under the EU Medical Device Regulation or IVDR), machinery, and vehicles. Compliance obligations for this category apply from 2 August 2028.
    • Standalone high-risk AI systems listed in Annex III of the Act – including biometric identification, critical infrastructure, education, employment and HR tools (including recruitment, selection, and promotion), essential services (credit scoring, health insurance), law enforcement, border control, and judicial administration. The original compliance deadline for this category was 2 August 2026, but the AI Omnibus agreement of 7 May 2026 has extended this to 2 December 2027. Note that this is a provisional political agreement pending formal adoption; the exact timetable could shift.
  3. General-purpose AI (GPAI) models: Large-scale foundation models (such as advanced language models and image generators) that underpin AI tools and services across the market. Obligations for GPAI providers have applied since 2 August 2025. These include transparency about training data and copyright compliance obligations. GPAI models assessed as posing systemic risks face additional requirements including adversarial testing and incident reporting.
  4. Limited and minimal risk: Chatbots and AI systems generating synthetic content must disclose their AI nature to users – obligations for AI-generated content labelling apply from 2 December 2026. Spam filters and similar minimal-risk systems face no AI-specific obligations.

What High-Risk AI Obligations Require

For providers (organisations that develop or place a high-risk AI system on the market) and deployers (organisations that use a high-risk AI system in a professional capacity), the Act creates distinct obligations.

Providers must:

  • establish and maintain a documented risk management system throughout the AI lifecycle;
  • implement data governance standards ensuring training and validation data is accurate, representative, and appropriate;
  • prepare and maintain comprehensive technical documentation;
  • design the system to automatically record events (logging) throughout its operation;
  • provide transparent information to deployers about the system’s capabilities, limitations, and intended use;
  • design in effective human oversight mechanisms enabling monitoring and intervention;
  • achieve appropriate accuracy, robustness, and cybersecurity standards;
  • implement a quality management system;
  • conduct a conformity assessment before placing the system on the market, and register it in the EU AI database; and
  • obtain CE marking.

Deployers must:

  • use the AI system in accordance with the provider’s instructions for use;
  • assign competent personnel with genuine authority to oversee the AI system’s outputs and override or disregard them where necessary;
  • monitor performance and retain operational logs for at least six months;
  • inform workers’ representatives and affected individuals (such as job candidates) that a high-risk AI system is being used;
  • conduct a fundamental rights impact assessment where required; and
  • carry out a DPIA under GDPR (which can be coordinated with the fundamental rights impact assessment).

The EU AI Act’s Reach Beyond EU Borders

The Act has significant extraterritorial scope under Article 2. It applies to:

  • providers that place AI systems on the EU market or put them into service in the EU – regardless of where the provider is established;
  • deployers that are established or located in the EU; and
  • providers and deployers established outside the EU where the output of the AI system is used in the EU.

That third trigger – the “output trigger” – is significant for UK businesses. Even if an organisation operates entirely from UK servers and processes UK data, if its AI system’s outputs are used by EU entities, the Act may apply.

Non-EU providers subject to the Act must appoint an authorised representative established in the EU.

Other Relevant EU Legislation

EU GDPR

UK companies that process the personal data of individuals located in the EU are subject to the EU General Data Protection Regulation 2016/679 alongside their UK GDPR obligations. This applies to automated decision-making, profiling, and the processing of special category data. The EU adequacy decisions for the UK were renewed in December 2025 and run until December 2031, meaning EEA-to-UK data flows can continue without additional transfer mechanisms, but UK businesses sending EU resident data to other jurisdictions must consider appropriate transfer safeguards.

Revised EU Product Liability Directive

The revised EU Product Liability Directive (Directive (EU) 2024/2853) entered into force in December 2024. Member States must transpose it by early December 2026. Key changes relevant to AI include:

  • software and AI systems are now explicitly covered as “products” subject to strict liability;
  • cybersecurity vulnerabilities that compromise safety qualify as defects;
  • compliance with the EU AI Act will serve as a benchmark for assessing whether a product is defective; and
  • recoverable damage categories are extended to include medically recognised psychological harm and the destruction of personal data.

UK businesses placing AI-enabled products on the EU market after December 2026 will need to assess their exposure under this revised framework.

EU Medical Device Regulation and IVDR

AI systems that qualify as medical devices or in vitro diagnostic devices under EU MDR (Regulation (EU) 2017/745) or IVDR (Regulation (EU) 2017/746) are subject to those existing frameworks alongside the EU AI Act. For AI embedded in regulated medical products, compliance with both regimes is required; Notified Bodies are expected to incorporate AI Act assessments into MDR/IVDR conformity reviews. The compliance deadline for AI embedded in regulated medical products under the AI Act is 2 August 2028.

Why UK Companies Need to Care About the EU AI Act

A common misconception is that the EU AI Act is an EU problem for EU businesses. For many UK organisations, that is not so.

A UK company will be in scope of the EU AI Act if any of the following apply:

  • it develops an AI system and places it on the EU market or into service in the EU – including by licensing the system to EU customers;
  • it uses an AI system in a professional capacity and is established or located in the EU (relevant to UK companies with EU subsidiaries, branches, or operations);
  • it operates an AI system from the UK whose outputs are used by EU entities – for example, processing EU client data and returning insights, scores, or recommendations that EU-based clients act upon; or
  • it imports or distributes AI systems into the EU market.

Fines for non-compliance are structured in tiers: violations of the prohibited AI practices carry a maximum of €35 million or 7% of worldwide annual turnover; non-compliance with high-risk AI system obligations carries a maximum of €15 million or 3% of worldwide annual turnover; and providing incorrect or misleading information to authorities carries a maximum of €7.5 million or 1% of worldwide annual turnover – in each case, whichever is higher.

Questions to Ask About Your AI Systems Now

Regardless of sector, any UK organisation using or developing AI should be working through the following:

  • What AI systems are we using, and where in our operations do inference, learning, or adaptive behaviour occur?
  • Do any AI outputs reach individuals, customers, or organisations in the EU?
  • For AI that touches employment, health, credit, education, or law enforcement decisions: have we identified the applicable UK regulator and reviewed current guidance?
  • Have we conducted DPIAs for AI systems that process personal data at scale or in high-risk contexts?
  • Is our “human oversight” of AI decisions genuinely meaningful – can the reviewer actually understand, challenge, and override the AI output?
  • Do we procure AI tools from third-party vendors? If so, have we scrutinised the vendor’s terms, technical documentation, and bias testing?
  • Are any of our AI systems using emotion recognition or biometric categorisation in employment or education contexts? If so, the EU prohibition has already applied since February 2025 for EU-scope activities.

Final Remarks

The legal and regulatory framework around AI continues to evolve rapidly in both the UK and EU.

However, many of the core legal risks associated with AI are not entirely new. Data protection, discrimination, governance, transparency, product safety, and accountability obligations already exist – AI often intensifies those risks rather than replacing them with an entirely separate legal category.

For UK businesses, one of the key challenges over the coming years will be managing the interaction between:

  • the UK’s principles-led, regulator-driven approach; and
  • the EU’s more prescriptive and risk-based framework.

Organisations that begin building practical governance structures now – including proper oversight, procurement controls, documentation, and accountability mechanisms – are likely to be better placed than those treating AI compliance purely as a future regulatory issue.

This article is a general summary of the law as at the date of publication and does not necessarily deal with every important topic or cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice and should not be relied on as a substitute for legal advice.

© MR&T Advisory, 18 May 2026