UK AI compliance shifts to existing regulators

The UK has no single AI Act in force or bill before Parliament, with policy centered on existing regulators rather than a consolidated statute. In 2026, the main obligations come through the UK GDPR, the Data (Use and Access) Act 2025, sector regulators, the Online Safety Act 2023 and the EU AI Act where UK systems affect the EU market.

The DUAA changes to automated decision-making took effect on 5 February 2026, replacing Article 22 with Articles 22A to 22D and making solely automated decisions lawful in more circumstances where safeguards are documented. The ICO’s statutory AI code duty began on 12 May 2026, while final guidance on automated decision-making and profiling is expected over the summer of 2026 after a consultation that closed on 29 May 2026.

Businesses should build an AI register, map each system to applicable regimes, assign a named owner, scrutinize third-party AI in SaaS tools and prepare evidence-based governance for the ICO code. The EU AI Act remains relevant to UK operators, with high-risk obligations expected from 2 December 2027 for standalone systems and 2 August 2028 for AI embedded in regulated products, while transparency obligations still apply from 2 August 2026.