AI law in the United Kingdom · and how it differs from the EU
There is no British AI Act and there is unlikely to be one. That does not mean your AI is unregulated. It means the regulation is scattered.
Britain chose not to write a single statute. It regulates AI through the laws you were already subject to — data protection, equality, online safety, product liability, consumer law, criminal law — enforced by the regulators you already report to. The question is never “what does the AI law say”. It is which of the dozen already reaches you.
Already binding
None of these mentions artificial intelligence in its title. Every one applies to it, and has for years. Select any one to see how it bites.
The clearest example
If you want one case study in how differently the two jurisdictions think, this is it. The same harm — AI used to strip the clothes off someone who never consented — and two completely different legal architectures pointed at it.
Britain reached for criminal law and made the act an offence. Europe reached for product regulation and banned the tool from the market. Both arrived within eighteen months of each other, and neither is a substitute for the other.
Section 66E is deliberately broad: asking for the image is the offence, whether or not anything is generated. That is a legislative choice about where harm begins, and it reaches the person typing a prompt into a general-purpose tool, not just the operator of a dedicated app.
The offence covers an image that appears to depict a real, identifiable adult in an intimate state, even though it is not actually of them. It does not matter that the pixels are synthetic. It does not matter that the model never saw them undressed. The resemblance is the harm.
If your product can be prompted into this, you are now upstream of a criminal offence in the UK and a prohibited practice in the EU. Whether the Crime and Policing Bill reaches you as a supplier is a live question. Whether your safety filters would survive scrutiny is one you can answer today.
The pattern generalises, which is why this sits here rather than in a news feed. Where the EU writes an AI-specific regulation, the UK amends a general one. Both end up covering the ground. Only one of them tells you where to look.
Who enforces it
The 2023 white paper set out a pro-innovation approach: no new AI regulator, no new AI statute. Instead, five cross-cutting principles for existing regulators to apply within their own remits — safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress.
The consequence is the thing people find disorienting. There is nobody to ask. Your AI regulator is whichever regulator you already had.
The closest thing the UK has to a general AI regulator, because almost all AI touches personal data. Automated decision-making, fairness, transparency, impact assessments, and the sharp end of the Data (Use and Access) Act 2025's changes to Article 22.
Enforces the Online Safety Act, including where generative AI produces illegal content on a regulated service. Fines reach £18 million or 10% of qualifying worldwide revenue, whichever is greater.
No AI rulebook, and that is deliberate. The Consumer Duty, the Senior Managers regime and existing model risk expectations already reach AI. A named individual is accountable, which changes the conversation entirely.
AI as a medical device. Software that diagnoses, triages or recommends treatment is regulated as a product, with conformity assessment, clinical evidence and post-market surveillance.
The Equality Act reaches algorithmic decisions. Indirect discrimination does not require anyone to have intended it, which is precisely the exposure a model trained on historic data creates.
Competition and consumer protection, plus the sector regulators — Ofgem, the ORR, the HSE, the professional bodies. If your sector has a regulator, it has an opinion about your AI, whether or not it has published one.
Two architectures
Understanding the difference matters more than memorising either. It tells you what to expect next, and which questions your lawyer cannot answer from the statute alone.
No AI Act. Five principles handed to existing regulators to apply in their own domains. General statutes amended where a specific gap appears — as the Sexual Offences Act was, for deepfakes.
Advantage: flexible, fast to patch, no new bureaucracy, and it adapts as the technology moves.
Cost: nobody can tell you what compliance looks like, because there is no single thing to comply with. You assemble the answer from a dozen sources, and small organisations simply cannot.
A single horizontal act classifying AI by risk, with prohibitions, obligations on high-risk systems, transparency duties, conformity assessment and CE marking. It treats AI as a product placed on a market.
Advantage: you can read it. There is a document, a tier, a set of obligations and a route to demonstrating conformity.
Cost: heavy, slow to change, and dependent on standards that were not ready — which is why the high-risk rules were deferred. The full picture ›
The practical trap: British organisations read the UK's lighter touch as a lighter burden. It is not a lighter burden. It is the same burden, undocumented — and if you sell into the Union, you carry both.
One further wrinkle. The EU AI Act reaches outside the Union: Article 2 catches providers placing systems on the Union market wherever they are established, and providers and deployers outside the Union where the system's output is used in the Union. A British company with no EU entity can be in scope because of where its answers are read.
The bridge
Regulators write requirements; they do not write technical detail. So they point at standards instead. In the EU that pointing is formal — Article 40 makes a harmonised standard a presumption of conformity. In the UK it is informal, and paradoxically that makes standards more important, not less: with no statute to comply with, an international standard is the only shared reference a regulator can accept and a buyer can check.
Which is why the British answer to “prove your AI is governed” is usually ISO/IEC 42001, and why UK firms often end up implementing a standard while their EU customers implement an act.
Durable
Law moves, and a page about law you cannot verify is worth very little. This section is method rather than fact, so it does not expire.
A great deal of British legislation sits on the statute book unstarted, waiting for a commencement order. Section 138 of the Data (Use and Access) Act 2025 received assent in 2025 and only came into force on 6 February 2026 — eight months in which it was law and bound nobody.
legislation.gov.uk is free and authoritative. Check the commencement information, not the headline.
The Crime and Policing Bill is a Bill. It creates no offences and binds nobody until it receives Royal Assent and is commenced. Parliament's Bills tracker shows exactly which stage a Bill has reached and in which House.
Ministerial announcements are not law either. Neither is a press release about an announcement.
British AI law mostly works by amendment: one Act inserts sections into another. The offence you care about lives in the Sexual Offences Act 2003, but it was put there by the Data (Use and Access) Act 2025. Search the amended Act, not the amending one — legislation.gov.uk shows the text as amended.
Because the UK has no AI statute, the operative guidance is the regulator's. The ICO, Ofcom, the FCA and the MHRA all publish AI guidance, and it is the closest thing to a rulebook you will get. It is also free, and better written than most commentary about it.
This page was last reviewed on 17 July 2026. If you are reading it much later, treat the dates and statuses above as claims to verify rather than facts to rely on. Where this page and legislation.gov.uk disagree, legislation.gov.uk is right and this page is wrong.
BSI and ISO AI committees
In a country with no AI statute, the operative question is not what the law says but what counts as evidence that you took AI seriously. That answer comes from standards, and Matthew is a member of the BSI and ISO committees that write them — contributing through BSI's ART/1, the UK national mirror committee for ISO/IEC JTC 1/SC 42.
He was sub-editor of ISO/IEC 8183, the data life cycle framework. He is not a lawyer and does not pretend to be one. What he can tell you is which standard answers the question your regulator, your insurer or your customer is actually asking — and what good looks like when nobody has written it down.
Questions
Yes, extensively — just not by anything called an AI Act. The UK chose a pro-innovation, principles-based approach: no new statute and no new regulator, with five cross-cutting principles for existing regulators to apply in their own domains.
In practice your AI is reached by the UK GDPR and Data Protection Act 2018, the Equality Act 2010, the Online Safety Act 2023, consumer and product liability law, the Sexual Offences Act 2003 as amended, and whatever your sector regulator already expects. The regulation is real. It is just scattered, which is a different problem.
In England and Wales, yes — and since 6 February 2026 it has been an offence even if you never share the result. Section 138 of the Data (Use and Access) Act 2025 inserted new sections 66E to 66H into the Sexual Offences Act 2003, criminalising creating, or requesting the creation of, a purported intimate image of an adult without their consent or a reasonable belief in it.
Two features matter. The offence is complete at the request — you commit it by asking, whether or not an image is ever produced. And “purported” means it catches images that merely appear to depict a real, identifiable person, however synthetic the pixels are. Sharing or threatening to share was already an offence under sections 66A and 66B, inserted by the Online Safety Act 2023.
Using one to create a non-consensual intimate image of an adult is an offence. Supplying the tool is the subject of the Crime and Policing Bill, which would create a new offence aimed at companies providing tools designed to produce such images — targeting the problem at source rather than at the user.
At the time of writing that is a Bill, not an Act. A Bill creates no offences and binds nobody until Royal Assent and commencement. Check Parliament's Bills tracker rather than the announcement.
It bans the product rather than prosecuting the person. The Digital Omnibus adds AI systems generating non-consensual intimate imagery and child sexual abuse material to Article 5 of the AI Act — the list of prohibited practices — applying from 2 December 2026. It catches providers placing such systems on the market and deployers using them for those purposes.
That contrast is the whole difference in miniature. The UK amends criminal law and prosecutes an individual; the EU amends product regulation and removes the tool from the market. Same harm, two architectures — and if you operate in both, you are subject to both.
There is no government Bill for a comprehensive AI act, and the stated approach remains principles-based and regulator-led. Private members' bills have been introduced and have not progressed. Targeted intervention where a specific gap appears — as with deepfakes — has been the pattern, and it is a deliberate one.
Planning on the basis that a UK AI Act will arrive and tell you what to do is a poor bet. Planning on the basis that your existing regulator will ask you to evidence responsible AI is a very good one.
Frequently. Article 2 catches providers placing AI systems on the Union market or putting them into service there, irrespective of establishment — and, more sharply, providers and deployers outside the Union where the output produced by the system is used in the Union.
A UK company with no EU entity and no EU contract can be in scope because of where its output is read. Even outside direct scope, EU customers push the Act's requirements down their supply chains by contract, usually well before their own deadlines.
Article 22 governs decisions based solely on automated processing that produce legal or similarly significant effects. The Data (Use and Access) Act 2025 reworked this area substantially, easing the general prohibition for most data while keeping tighter controls for special category data, and putting weight on safeguards — meaningful information, human intervention, and the ability to contest.
Two practical points survive whatever the drafting. “Solely” is doing enormous work: a human who rubber-stamps is not meaningful intervention. And the ability to explain a decision is not optional just because your model is complex.
Yes, and this is the most underrated exposure in British AI law. The Equality Act 2010 does not care whether a human or a model made the decision, and indirect discrimination requires no intent at all — a neutral practice that puts a protected group at a disadvantage is unlawful unless it is a proportionate means of achieving a legitimate aim.
A model trained on historical decisions learns historical discrimination. Nobody has to have wanted that for it to be unlawful, “the algorithm did it” is not a defence, and discrimination awards in the employment tribunal are uncapped.
Whichever one already regulates you. That is the design, not an oversight. The ICO for anything touching personal data — which is nearly everything. Ofcom for online safety. The FCA and PRA in financial services, through the Consumer Duty and the Senior Managers regime rather than an AI rulebook. The MHRA where AI is a medical device. The EHRC for equality. Plus every sector regulator you already report to.
There is no AI regulator to ring and no single AI licence. This disorients people, and it is why the standards route matters so much in the UK.
They carry more weight here than in the EU, not less — which is counterintuitive until you see why. In the EU, Article 40 makes a harmonised standard a formal presumption of conformity with a statute. In the UK there is no statute to be presumed conformant with, so a standard becomes the only shared, checkable reference a regulator can accept and a buyer can test you against.
In practice that means ISO/IEC 42001. It is the certifiable AI management system standard, and it is the usual British answer to “prove your AI is governed”. Our ISO/IEC 42001 guide ›
Almost none, and the exception is instructive: the Automated Vehicles Act 2024, which builds an authorisation and liability regime around self-driving vehicles. It is narrow, sector-specific and product-shaped — much closer to the European style than anything else on the British statute book.
That is the pattern. Where the UK does legislate for AI, it legislates for one use of it, not for the technology.
legislation.gov.uk, free and authoritative. Two habits will save you: check commencement rather than Royal Assent, because a great deal of British legislation sits unstarted waiting for a commencement order; and search the amended Act rather than the amending one, because UK AI law works largely by inserting sections into older statutes.
For the EU, EUR-Lex. For what a regulator expects of you in practice, the regulator's own guidance — which is free, and better written than most commentary about it.
Next
That is the hard part of British AI regulation. There is no document to read, no licence to apply for and no regulator to ring. There is only the question your customer, your insurer or your regulator will eventually ask — show us how you govern this — and the evidence you either have or do not. That is judgement, and it is what these three do.