UK AI Regulation in 2026: What's in Force, What's Coming, and What Your Business Should Do

Last updated: 18 June 2026

In short: There is no single "UK AI Act", and there probably won't be one for the foreseeable future. Instead, AI in the UK is governed through five existing regulatory regimes, led by the UK GDPR and the Data (Use and Access) Act 2025. The compliance work is real and growing, but it's distributed across the regulators you already deal with. This guide sets out what's in force in 2026, what's coming over the next 12 to 18 months, and the five practical moves an operational leader should make now.

If you've been holding off on AI governance until "the UK AI Act" lands, you can stop holding off. It isn't coming this year, probably not next year, and the shape it might eventually take is more uncertain now than at any point so far.

Is that good news? We're not sure it is. The UK hasn't done nothing on AI. It has chosen, deliberately, not to consolidate the rules into a single statute, and instead to push the work down to the regulators you already deal with. For operationally complex businesses, in manufacturing, logistics and customs, legal, laboratory, and the public sector, the compliance surface area is real, it's growing, and it's spread across the regulators that already govern your sector.

This piece sets out what's actually in force, what's coming, and the practical questions an operational leader should be putting on the agenda now.

Is there a UK AI Act?

No. There is no UK AI Act, and there probably won't be one soon.

The government committed some time ago to "appropriate legislation" for the most powerful AI models, but that bill has not been introduced and the legislative timetable has slipped without it appearing. In February 2025 the government said publicly that most AI systems should be regulated at the point of use, and that existing expert regulators are best placed to do that work. That was a clear pivot back to the sector-led framework set out in the 2023 AI white paper.

Ministerial signals through 2026 have confirmed the direction. The UK's pitch is now about being the country that sets standards for how AI is deployed, working with like-minded nations on shared standards. The language has shifted from "safety" to "growth", a shift underlined by the renaming of the AI Safety Institute to the AI Security Institute.

The practical implication for an operational leader is straightforward. Stop planning around a future statute called "AI". Focus on the rules that already apply to you.

What AI rules are in force in the UK right now?

Five regimes do the real work in the UK today. Most businesses sit inside three or four of them at once.

1. UK GDPR and the Data (Use and Access) Act 2025

This is the single most important AI regime in the UK, and it's widely under-recognised as such. Section 80 of the DUAA replaced Article 22 of the UK GDPR with new Articles 22A to 22D, in force from 5 February 2026. The reform expanded the circumstances in which solely automated decisions about individuals are lawful, while tightening the safeguards around them.

The default has effectively flipped from "not permitted unless" to "permitted provided". The compliance task is now to evidence safeguards rather than to argue an exception. If your AI system makes or materially influences decisions about staff, customers, candidates, or service users, this is the regime you are operating under.

2. The ICO Code of Practice on AI, and new ADM guidance

Two things are happening here on different tracks, and it's worth keeping them apart.

First, the regulations requiring a statutory code (SI 2026/425) came into force on 12 May 2026, placing the Information Commissioner under a duty to prepare a code covering both the development and use of AI, with a mandatory children's data component. That code has not yet been drafted, and no consultation timeline for it has been announced. Once it lands, it will carry significant evidential weight in enforcement.

Second, and already available, the ICO opened a consultation on 31 March 2026 on updated guidance on automated decision-making and profiling, its first detailed read on the Article 22A to 22D reforms. That consultation has now closed (it ran until 29 May 2026), and final guidance is expected over the summer of 2026. The draft is non-binding, but it's the clearest available signal of how the ICO is thinking, particularly on what counts as genuine human involvement (active review before a decision takes effect, not a token sign-off) and on decision-specific transparency that goes beyond what sits in a privacy notice.

Plan for both: the guidance now, the code later.

3. Sector-specific regulator guidance

The FCA's Consumer Duty, the MHRA's medical devices framework, OFGEM's ethical AI guidance for the energy sector, OFCOM's Online Safety Act enforcement, the SRA's work on legal sector AI, the CMA's expanded data and technology unit. Each is publishing increasingly prescriptive expectations. If you're in a regulated sector, your regulator's AI guidance is the rulebook for you, regardless of what happens with any future AI bill.

4. The Online Safety Act 2023

OFCOM has issued enforcement against AI-powered services and opened investigations into AI character companion services and chatbots. If your business is user-facing and AI-mediated, the OSA is part of your operating environment.

5. The EU AI Act (by extraterritorial reach)

This catches more UK businesses than people realise, because the test is EU market impact, not corporate domicile. If your AI systems are used by, or produce outputs affecting, individuals in EU member states, the Act likely applies. For UK manufacturers selling into Europe, or logistics and customs operators whose systems touch EU shipments and EU citizens' data, this is not a theoretical concern.

The timeline has recently shifted. On 7 May 2026 the Council and European Parliament reached provisional political agreement on the Digital Omnibus on AI, which delays the most demanding obligations. High-risk obligations for standalone systems under Annex III (recruitment, credit scoring, education, law enforcement and similar) now apply from 2 December 2027, and high-risk AI embedded in regulated products under Annex I from 2 August 2028.

Two cautions on that. The agreement is provisional and awaits formal adoption, so the new dates only bind once the amending regulation is published. And the delay is narrow: transparency obligations still apply from 2 August 2026, watermarking of AI-generated content from 2 December 2026, and the existing prohibited-practice and general-purpose AI rules are untouched. A new prohibition on AI systems generating non-consensual intimate imagery and CSAM is also being added, due to take effect on 2 December 2026. Maximum fines remain at €35 million or 7% of worldwide turnover.

The practical message hasn't changed: a later deadline is not a reason to defer the hard part, which is inventorying and classifying every AI system you operate.

What AI regulation is coming in the next 12 to 18 months?

Three things to watch.

  1. The AI Growth Lab is now live. The DSIT call for evidence closed in early January 2026, and the Lab launched on 8 June 2026, with legal services and conveyancing named as the first focus area. It's a cross-economy regulatory sandbox in which specific rules can be temporarily and conditionally relaxed for licensed firms testing AI deployments, under supervision and on time-limited terms. Further priority sectors flagged through the consultation include healthcare, professional services, transport, and advanced manufacturing, with sandboxes expected to spin up sector by sector through 2026 and 2027. Successful pilots can be made permanent through secondary legislation. This is the clearest signal of where UK AI policy is heading: not a comprehensive statute, but targeted, sector-by-sector regulatory flexibility under supervised conditions. If your sector is on the list, track when applications open.

  2. The ICO statutory code. Once published, this becomes the practical compliance manual for any AI system processing personal data in the UK. Boards should plan for a documentation and governance uplift on the back of it.

  3. Sector regulator AI plans. Following strategic guidance from government, regulators have been publishing annual plans for how they'll enable safe AI-powered innovation in their sectors. Read your regulator's plan. It's the closest thing you have to a forward map.

A note on copyright. The government's March 2026 report on copyright and AI confirmed that the broad text-and-data-mining exception is off the table, with no replacement legislated. This matters if you're training or fine-tuning models on third-party content. The lawful basis is, for now, narrower than many AI vendors claim.

What should businesses do about AI regulation now?

Five practical moves.

  1. First, build an AI register. A single document listing every AI or ML system in active use across the business, including third-party tools embedded in SaaS products you already buy. Most organisations significantly underestimate this list. You can't govern what you haven't catalogued.

  2. Second, map each entry to its actual regulatory regime. Not "AI regulation" in the abstract, but specifically: does this system make or influence decisions about people (UK GDPR / DUAA), is it inside a regulated sector (FCA, MHRA, OFGEM, others), does it touch the EU market (EU AI Act), is it user-facing content (OSA). Most systems land in two or three of these at once.

  3. Third, name an owner. Not a committee. A named individual accountable for AI risk in the business, with the authority to stop a deployment. This is what regulators look for first when something goes wrong.

  4. Fourth, put third-party AI on the same footing as bespoke AI. For most operationally complex businesses, the fastest-growing source of regulatory exposure isn't the AI they're building, it's the AI features being switched on inside the SaaS platforms they already pay for. Your vendor due diligence needs an AI lens, and your contracts need to catch up.

  5. Fifth, plan for the ICO code. When it lands, you'll be expected to demonstrate evidence-based governance, not articulated good intentions. The work to produce that evidence takes months, not weeks.

The bottom line

The UK has chosen a regulatory model that's light on headlines and heavy on distributed obligation. There's no single AI law to read, and there probably won't be one for the foreseeable future. But the rules are accumulating, the regulators are specialising, and the EU AI Act is reaching across the Channel whether the UK legislates or not.

The businesses that will be ready are the ones that stopped waiting for clarity from above and started building governance from the ground up. The frameworks to do that exist today.

Frequently asked questions

  • No. The UK has no single AI statute and no AI bill currently before Parliament. AI is regulated through existing regimes, principally the UK GDPR and the Data (Use and Access) Act 2025, alongside sector regulators such as the FCA, MHRA and OFCOM.

  • The Data (Use and Access) Act 2025 replaced Article 22 of the UK GDPR with new Articles 22A to 22D, in force from 5 February 2026. It made solely automated decisions about individuals lawful in more circumstances, but only where defined safeguards (transparency, human review, the right to contest) are in place and documented.

  • It can. The EU AI Act applies based on EU market impact, not where a company is based. If your AI systems are used by, or produce outputs affecting, people in the EU, the Act likely applies. High-risk obligations are now expected to apply from 2 December 2027 for standalone systems and 2 August 2028 for AI embedded in regulated products, following the May 2026 Digital Omnibus agreement.

  • Not yet. The statutory duty to produce the code came into force on 12 May 2026, but the code itself has not been drafted. Separately, the ICO has published draft guidance on automated decision-making and profiling and consulted on it (the consultation closed on 29 May 2026). Final guidance is expected over summer 2026.

  • Build an AI register listing every AI system in use, including third-party tools embedded in SaaS platforms, then map each one to the regimes that apply (UK GDPR/DUAA, sector regulator, EU AI Act, Online Safety Act). Catalogue first; you can't govern what you haven't listed.

Not sure which AI rules apply to your business? Scaffold builds operational software for regulated and complex sectors, and AI governance is part of how we build. If you want a clear view of the AI systems running across your operation and the regimes they fall under, our AI Rescue diagnostic gives you a fixed-fee assessment and a prioritised action plan.
