UK AI regulation: how it works

The UK does not have a single AI law. Unlike the EU, which passed the AI Act as a comprehensive horizontal regulation, the UK has chosen a principles-based, sector-specific approach. Existing regulators — the ICO, FCA, Ofcom, CMA, MHRA, HSE, and others — apply their existing powers to AI systems within their domains.

This means there is no single regulator you register with and no universal risk classification system. Instead, the regulatory requirements that apply to your AI system depend on what it does, who it affects, and which sector it operates in.

The government set out this approach in its 2023 white paper A pro-innovation approach to AI regulation and reinforced it in the 2024 response to consultation. The AI Bill announced in the July 2025 King's Speech is expected to place the five principles on a statutory footing, but the sector-specific model remains the foundation.

The five AI principles

UK AI regulatory principles

The five cross-cutting principles that existing sector regulators are expected to apply to AI within their remits, as established in the March 2023 AI White Paper and confirmed in the February 2024 government consultation response.

The UK government's AI regulatory framework is based on five cross-cutting principles that existing sector regulators must apply within their remits. These principles were established in the March 2023 White Paper and confirmed in the February 2024 consultation response.

The principles are not currently on a statutory footing. Regulators are expected to apply them but are not legally required to do so. The government has announced that a comprehensive AI Bill (expected second half of 2026) may place these principles on a statutory basis.

Principle 1: Safety, security and robustness — AI systems should function in a robust, secure and safe way throughout their lifecycle
Principle 2: Appropriate transparency and explainability — people should be able to access information about AI systems that affect them
Principle 3: Fairness — AI systems should not undermine legal rights, discriminate unfairly, or create unfair market outcomes
Principle 4: Accountability and governance — governance measures should ensure effective oversight with clear lines of accountability
Principle 5: Contestability and redress — people should be able to contest AI outcomes where rights have been violated or harm has occurred
Statutory basis: Non-statutory (regulators expected to apply, not legally required)
White Paper published: 29 March 2023
Consultation response: 6 February 2024
DSIT regulator support funding: 10 million GBP to boost regulator AI capabilities

These five principles are currently non-statutory. Regulators are expected to interpret and apply them within their existing frameworks, adapting them to the specific risks and contexts of their sectors. The ICO, for example, maps the principles to UK GDPR requirements for automated decision-making. The FCA applies them through its existing rules on algorithmic trading and consumer outcomes.

The government has indicated that the forthcoming AI Bill will place a duty on regulators to have regard to these principles, giving them a firmer legal basis without creating a rigid compliance regime.

Which regulators cover AI

UK regulators with AI remit

Which UK regulators have jurisdiction over AI systems and what aspects they cover, including the Digital Regulation Cooperation Forum cross-regulator coordination body.

The UK does not have a single AI regulator. Instead, existing sector regulators apply the five AI principles within their remits. The key regulators with AI jurisdiction are listed below.

ICO (Information Commissioner's Office): AI and data protection — lawful basis, DPIAs, automated decision-making, transparency. Developing statutory AI code of practice. Max fine: 17.5 million GBP or 4% of global turnover
FCA (Financial Conduct Authority): AI in financial services — Consumer Duty, SM&CR senior manager accountability, operational resilience, model risk management. Max fine: unlimited
CMA (Competition and Markets Authority): AI and competition — foundation models review, Strategic Market Status regime for AI platforms, merger investigations for AI deals. Max fine: 10% of global turnover (digital markets)
Ofcom (Office of Communications): AI and online safety — AI-generated content duties, algorithmic recommendation transparency, AI chatbot regulation under Online Safety Act. Max fine: 10% of qualifying worldwide revenue
MHRA (Medicines and Healthcare products Regulatory Agency): AI medical devices — AI as Medical Device (AIaMD) and Software as Medical Device (SaMD) registration and post-market surveillance. Max fine: unlimited (criminal offence)
EHRC (Equality and Human Rights Commission): AI and equality — algorithmic discrimination under Equality Act 2010, AI bias in recruitment, Public Sector Equality Duty for AI
HSE (Health and Safety Executive): AI workplace safety — risk assessments for AI systems, Market Surveillance Authority for AI products under PRMA 2025. Max fine: unlimited
DSIT (Department for Science, Innovation and Technology): Central AI policy coordination, AI Opportunities Action Plan, AI and copyright report obligation
AI Security Institute: Frontier AI model safety evaluations (voluntary), security risk research, Inspect testing platform. Directorate of DSIT
DRCF coordination: ICO + CMA + Ofcom + FCA coordinate on cross-cutting AI issues via the Digital Regulation Cooperation Forum

The sector-based model means that multiple regulators may apply simultaneously to a single AI system. An AI-powered recruitment tool, for instance, falls under ICO oversight for data protection, EHRC scrutiny for discrimination, and potentially Ofcom regulation if it operates on an online platform.

Businesses developing or deploying AI should identify all the regulators whose remit covers their use case. The Digital Regulation Cooperation Forum (DRCF) coordinates between regulators to reduce duplication and provide joined-up guidance.

Key institutions

AI Security Institute overview

The UK AI Security Institute (formerly AI Safety Institute), its role, capabilities, and relationship to government.

The AI Security Institute (formerly the AI Safety Institute) is a directorate within DSIT that focuses on serious AI risks with security implications. It was renamed on 14 February 2025 at the Munich Security Conference.

The Institute conducts safety evaluations of frontier AI models (currently on a voluntary basis with AI developers), publishes research on AI capabilities and risks, and develops testing tools including the open-source Inspect evaluation platform.

Former name: AI Safety Institute
Renamed: 14 February 2025 (Munich Security Conference)
Organisational status: Directorate of DSIT (not an independent body)
Focus areas: Frontier AI model safety evaluations, chemical/biological weapons risk, cyber-attacks, fraud, child sexual abuse material (CSAM)
Model evaluations: Currently voluntary — AI developers agree to provide pre-deployment access
Government AI Bill: Expected to grant the AI Security Institute statutory independence

DRCF cross-regulator AI coordination

The Digital Regulation Cooperation Forum and how the four member regulators coordinate on cross-cutting AI issues.

The Digital Regulation Cooperation Forum (DRCF) is a voluntary alliance of four digital regulators that coordinates on cross-cutting AI issues to avoid regulatory gaps and conflicts.

Members: ICO, CMA, Ofcom, FCA
Formed: July 2020
AI and Digital Hub: Pilot service offering free, informal, non-binding advice to innovators navigating multi-regulator AI oversight
Agentic AI: Call for views on Agentic AI and regulatory challenges published October 2025
2025/26 Workplan: Published April 2025, focused on developing understanding of how regulatory regimes apply to AI

The AI Security Institute focuses primarily on frontier AI models — the most powerful systems developed by major AI laboratories. Most businesses deploying AI will not interact directly with the Institute unless they are developing or fine-tuning foundation models. The DRCF, by contrast, produces practical guidance relevant to any business using AI within a regulated sector.

What is coming next

UK AI regulation status

Current legislative status of AI regulation in the UK, including the absence of a single AI law and the planned government AI Bill.

As of February 2026, the UK has no single AI-specific law. AI is regulated through a patchwork of existing legislation applied by sector regulators.

The government announced in June 2025 that a comprehensive AI Bill will be introduced in the next parliamentary session (not before the second half of 2026). This bill is expected to cover AI safety, copyright, and making voluntary developer commitments legally binding.

Current approach: Pro-innovation, principles-based, sector-regulated (no single AI law)
Government AI Bill: Announced for next parliamentary session (second half of 2026 at earliest). Expected to cover AI safety, copyright, and making voluntary commitments binding
Private Members' Bill: Artificial Intelligence (Regulation) Bill [HL] re-introduced 4 March 2025 (Lord Holmes). Not a government bill, limited prospect of becoming law
Key enacted AI-relevant legislation: DUAA 2025 (automated decisions), OSA 2023 (AI content), DMCCA 2024 (digital markets), PRMA 2025 (AI products), Equality Act 2010 (discrimination), HSWA 1974 (workplace safety)

The legislative landscape is evolving rapidly. Key developments to monitor include:

AI Bill: Expected to place the five principles on a statutory footing and give regulators clearer mandates
ICO AI code of practice: The ICO is developing a statutory code under the Data (Use and Access) Act 2025 covering AI and automated decision-making
Copyright and AI: The government is considering how to balance AI training needs with creators' rights, following its 2024 consultation
International alignment: The UK is participating in the Hiroshima AI Process and the Council of Europe AI Convention, which may influence domestic regulation

Businesses should not wait for legislation to act. The regulators already have enforcement powers that apply to AI systems, and they are actively using them. Building compliance into your AI processes now will reduce the cost of adapting when statutory requirements arrive.

UK AI regulation: how it works

AI Regulation Framework

Which regulator covers your AI system

AI regulation timeline and key dates

Assess your AI compliance obligations

Set up an AI governance framework

The five AI principles

Which regulators cover AI

Key institutions

What is coming next

Official guidance and resources

Related guides in Compliance & Legal

The five AI principles

Which regulators cover AI

Key institutions

What is coming next

Official guidance and resources