
UK AI Regulation Tracker

Last updated 12 June 2026 · 28 entries · every row dated and sourced

The question every board asks first is which AI law applies to it. In the UK the honest answer is not one statute but a stack of duties you already answer to. The UK chose not to legislate a single AI Act. Instead, five voluntary principles are applied by the regulators you already report to, on top of binding law that never mentions AI by name yet reaches it anyway: UK GDPR, the Data (Use and Access) Act 2025, the Equality Act 2010, and sector standards from the Regulator of Social Housing to the FCA.

This tracker holds that stack in one place. Each row names the instrument or duty, the regulator who applies it, the sectors it bears on, and what it actually requires of AI in service. Where a commencement date or status is settled, the row says so. Where guidance is still draft, the row says that too, because building a control regime around unfinished wording is its own risk.

Two disciplines keep it useful. Every row carries the date we last checked it against its source, and the changelog below records what changed and when. Nothing here is speculation: each entry is drawn from the official source linked in the row or from the duties set out on our sector pages.

Use it the way a company secretary would: filter to your sector, take the rows that apply, and ask which of them your board could evidence today. If the answer is unclear, the Board AI Scorecard is the two-minute way to find out where the gaps sit.

The duties, by sector and regulator.


  • UK pro-innovation AI principles (2023 White Paper)

    Regulator
    DSIT and existing regulators
    Applies to
    All sectors
    What it requires of AI
    Five cross-cutting principles, applied by the regulators you already answer to (the ICO, FCA, CMA, Ofcom, MHRA and others) within their existing remits: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; contestability and redress. The principles are voluntary and deliberately abstract; they describe the outcomes a regulator will look for, not the controls that get you there.
    Status
    Non-statutory. Confirmed in the government response of 6 February 2024. As of May 2026 there is still no comprehensive UK AI Act.

    Last reviewed 12 June 2026 · Source for UK pro-innovation AI principles (2023 White Paper)

  • UK GDPR and Data Protection Act 2018

    Regulator
    Information Commissioner's Office
    Applies to
    All sectors
    What it requires of AI
    Wherever AI processes personal data, the ICO is the lead regulator. The organisation, as data controller, must show a lawful basis, fairness, and a completed Data Protection Impact Assessment for profiling, and remains accountable for AI outcomes including in third-party vendor systems.
    Status
    In force.

    Last reviewed 12 June 2026 · Source for UK GDPR and Data Protection Act 2018

  • Data (Use and Access) Act 2025 (Articles 22A to 22D)

    Regulator
    Information Commissioner's Office
    Applies to
    All sectors
    What it requires of AI
    Reforms the rules on solely automated decisions: where a decision is significant, individuals must be told it was made, can make representations, obtain human intervention and contest the outcome. The old Article 22 near-prohibition is relaxed where no special category data is involved.
    Status
    Section 80 in force 5 February 2026. The ICO's updated automated decision-making guidance is still draft, with final guidance expected summer 2026; other provisions commence by regulations.

    Last reviewed 12 June 2026 · Source for Data (Use and Access) Act 2025 (Articles 22A to 22D)

  • EU AI Act (Regulation (EU) 2024/1689)

    Regulator
    EU authorities (extraterritorial)
    Applies to
    All sectors
    What it requires of AI
    Binding, risk-based and extraterritorial: it catches UK organisations that place AI systems on the EU market or whose AI output is used in the EU, regardless of where they are established. Credit scoring and certain insurance uses fall within its high-risk tier.
    Status
    High-risk application dates moved to 2 December 2027 (stand-alone systems) and 2 August 2028 (systems embedded in regulated products) under the 2026 Digital Omnibus; those amendments were still completing the EU legislative process as of late May 2026.

    Last reviewed 12 June 2026 · Source for EU AI Act (Regulation (EU) 2024/1689)

  • Artificial Intelligence (Regulation) Bill [HL]

    Regulator
    Parliament (proposed)
    Applies to
    All sectors
    What it requires of AI
    Imposes nothing today. A watch-list item only: a Private Member's Bill reintroduced in the Lords on 4 March 2025 without government backing. Any government Bill that does land is expected to be narrow.
    Status
    Not law. No government backing.

    Last reviewed 12 June 2026 · Source for Artificial Intelligence (Regulation) Bill [HL]

  • ISO/IEC 42001:2023 (AI management systems)

    Regulator
    None (voluntary standard)
    Applies to
    All sectors
    What it requires of AI
    The first international AI management system standard, published December 2023: policies, roles, risk registers, impact assessments and continual-improvement evidence on a Plan-Do-Check-Act structure. It maps cleanly onto the UK's five principles, and only a UKAS-accredited certification body can certify against it.
    Status
    Voluntary, certifiable.

    Last reviewed 12 June 2026 · Source for ISO/IEC 42001:2023 (AI management systems)

  • NIST AI Risk Management Framework 1.0

    Regulator
    None (voluntary framework)
    Applies to
    All sectors
    What it requires of AI
    A voluntary risk structure published in January 2023, US in origin, that has become the common language for AI risk between UK, EU and US teams. Its Govern, Map, Measure, Manage structure maps onto the UK accountability principle and sits comfortably inside an ISO/IEC 42001 management system.
    Status
    Voluntary.

    Last reviewed 12 June 2026 · Source for NIST AI Risk Management Framework 1.0

  • NCSC Cloud Security Principles

    Regulator
    National Cyber Security Centre
    Applies to
    Local authorities, Universities and colleges
    What it requires of AI
    The 14 cloud security principles are the common vocabulary UK public-sector security teams use to assess a hosted AI service. A Senior Information Risk Owner will expect each principle addressed, from data in transit to separation between consumers and supply-chain security.
    Status
    Guidance, not law.

    Last reviewed 12 June 2026 · Source for NCSC Cloud Security Principles

  • RSH proactive inspections and governance grading

    Regulator
    Regulator of Social Housing
    Applies to
    Housing associations
    What it requires of AI
    The RSH runs proactive inspections and can downgrade a governance grade. The board must show that AI in service delivery, across arrears, repairs and allocations, still meets regulatory outcomes.

    Last reviewed 12 June 2026

  • Governance and Financial Viability Standard

    Regulator
    Regulator of Social Housing
    Applies to
    Housing associations
    What it requires of AI
    Requires effective board control, risk oversight and assurance over how the organisation is run. AI deployed without board-level oversight or risk testing is a direct compliance gap against the standard.

    Last reviewed 12 June 2026

  • Consumer standards (Social Housing (Regulation) Act 2023)

    Regulator
    Regulator of Social Housing
    Applies to
    Housing associations
    What it requires of AI
    The Safety and Quality, Transparency, and Neighbourhood and Community standards mean AI-driven services must treat tenants fairly and stay accountable, with the board able to evidence both.

    Last reviewed 12 June 2026

  • Charities Act 2011 trustee duties and CC3 guidance

    Regulator
    Charity Commission
    Applies to
    Charities
    What it requires of AI
    The statutory anchor for board accountability: acting in the charity's best interests, with reasonable care and skill, and reporting serious incidents. The Commission's trustee-duties guidance (CC3) expects boards to apply those existing duties to any AI they deploy rather than wait for AI-specific rules.

    Last reviewed 12 June 2026

  • Charity Governance Code

    Regulator
    Sector code (apply or explain)
    Applies to
    Charities
    What it requires of AI
    On an apply-or-explain basis, the Code now recommends that boards adopt AI and technology policies covering staff, volunteers and third parties acting in the charity's name.

    Last reviewed 12 June 2026

  • Code of Fundraising Practice and AI guidance

    Regulator
    Fundraising Regulator
    Applies to
    Charities
    What it requires of AI
    Holds trustees accountable for AI used in fundraising, including by third-party suppliers acting in the charity's name, and calls for an agreed AI policy with proportionate human oversight.

    Last reviewed 12 June 2026

  • Privacy and Electronic Communications Regulations (PECR)

    Regulator
    Information Commissioner's Office
    Applies to
    Charities
    What it requires of AI
    Governs electronic marketing to donors and supporters, including AI-assisted targeting. The ICO enforces PECR alongside UK GDPR over donor and beneficiary data, including the soft opt-in available to charities for their own charitable purposes.
    Status
    In force.

    Last reviewed 12 June 2026

  • Public Sector Equality Duty (Equality Act 2010, s.149)

    Regulator
    Equality and Human Rights Commission
    Applies to
    Local authorities, Universities and colleges
    What it requires of AI
    Requires due regard to eliminating discrimination, so any AI in casework, eligibility, admissions or risk-flagging must be shown not to embed bias against protected groups. The duty sits with the public body as decision-maker and cannot be discharged by a supplier; the EHRC can investigate and enforce where AI-driven services discriminate.

    Last reviewed 12 June 2026

  • Algorithmic Transparency Recording Standard (ATRS)

    Regulator
    DSIT (cross-government standard)
    Applies to
    Local authorities
    What it requires of AI
    Expects public bodies to publish standardised records of the algorithmic tools that affect residents: what the tool does, the data it uses, who is accountable by role, and the human's part in any decision it informs.
    Status
    Mandatory for central government departments and arm's-length bodies since 2024, with the scope and exemptions policy published in December 2024; the de facto expectation for other public bodies.

    Last reviewed 12 June 2026 · Source for Algorithmic Transparency Recording Standard (ATRS)

  • SRA Standards and Regulations (Codes of Conduct)

    Regulator
    Solicitors Regulation Authority
    Applies to
    Professional services
    What it requires of AI
    The Codes of Conduct impose competence, confidentiality and supervision duties on AI-assisted legal work, and the SRA's Risk Outlook confirms solicitors stay personally accountable for AI outputs. Responsibility cannot be passed to a tool.

    Last reviewed 12 June 2026

  • ICAEW Code of Ethics

    Regulator
    ICAEW
    Applies to
    Professional services
    What it requires of AI
    Binds chartered accountants to competence, due care, confidentiality and objectivity, and requires a member to judge whether an AI tool and its data are sufficient before relying on the output.

    Last reviewed 12 June 2026

  • RICS Responsible Use of AI professional standard

    Regulator
    RICS
    Applies to
    Professional services
    What it requires of AI
    Requires human oversight, professional scepticism, disclosure of AI use to clients in writing, and documented AI governance including risk registers. The member remains professionally responsible for the output.
    Status
    Published September 2025; in effect.

    Last reviewed 12 June 2026 · Source for RICS Responsible Use of AI professional standard

  • SRA Indemnity Insurance Rules and Minimum Terms

    Regulator
    Solicitors Regulation Authority
    Applies to
    Professional services
    What it requires of AI
    Require qualifying professional indemnity cover on minimum terms, so the firm must ensure AI-driven errors and disclosed AI use fall within adequate and appropriate cover.

    Last reviewed 12 June 2026

  • OfS conditions of registration

    Regulator
    Office for Students
    Applies to
    Universities and colleges
    What it requires of AI
    Statutory conditions of registration on quality and student outcomes mean the governing body must show that AI in teaching and assessment does not erode the integrity of qualifications.

    Last reviewed 12 June 2026

  • UK Quality Code and Academic Integrity Charter

    Regulator
    Quality Assurance Agency
    Applies to
    Universities and colleges
    What it requires of AI
    The QAA is custodian of the UK Quality Code and the Academic Integrity Charter, which shape how AI is allowed into marking, proctoring and assessment design.

    Last reviewed 12 June 2026

  • Keeping Children Safe in Education 2025

    Regulator
    Department for Education
    Applies to
    Universities and colleges
    What it requires of AI
    Statutory safeguarding duties extend to college provision for under-18s, so AI chatbots, monitoring and content tools must not create online-safety harms.

    Last reviewed 12 June 2026

  • FCA Principles for Businesses and SYSC

    Regulator
    Financial Conduct Authority
    Applies to
    Financial services
    What it requires of AI
    Technology-neutral and outcomes-focused: the FCA applies its Principles and SYSC governance rules to AI, expecting the board to evidence that AI-driven decisions are fair, transparent and accountable, whether the decision is made by a person, a spreadsheet or a model.
    Status
    In force. The FCA and PRA reaffirmed the technology-agnostic stance on 1 April 2026.

    Last reviewed 12 June 2026 · Source for FCA Principles for Businesses and SYSC

  • FCA Consumer Duty (PRIN 2A)

    Regulator
    Financial Conduct Authority
    Applies to
    Financial services
    What it requires of AI
    Constrains AI in pricing, advice, credit and collections so it cannot exploit vulnerability, embed unfair bias or produce outcomes customers cannot understand. The firm must be able to reconstruct, after the fact, why a particular customer received a particular outcome.

    Last reviewed 12 June 2026

  • Senior Managers and Certification Regime (SM&CR)

    Regulator
    FCA and PRA
    Applies to
    Financial services
    What it requires of AI
    Makes a named Senior Management Function holder personally accountable for AI risk and model governance, mapped through their Statement of Responsibilities. Accountability does not evaporate into the model when AI takes over a function.

    Last reviewed 12 June 2026

  • PRA Supervisory Statement SS1/23 (model risk)

    Regulator
    Prudential Regulation Authority
    Applies to
    Financial services
    What it requires of AI
    Sets model risk governance and independent validation expectations that explicitly extend to AI and machine-learning models in capital, pricing and risk. Firms are now extending it to generative and agentic systems.

    Last reviewed 12 June 2026

This tracker is general information, not legal advice. It reflects our reading of the sources linked in each row at the date shown. Confirm commencement dates with your own advisers before relying on them.

Questions boards ask.

Is there a UK AI Act?
No. The UK has no single AI statute and no dedicated AI regulator. Five voluntary cross-cutting principles, confirmed in the government response of 6 February 2024, are applied by existing regulators within their remits. A Private Member's Bill was reintroduced in March 2025 but has no government backing.

Which laws already bind AI in the UK?
UK GDPR and the Data Protection Act 2018 bind any AI that processes personal data, with the ICO as lead regulator. The Data (Use and Access) Act 2025 reformed the rules on significant automated decisions from 5 February 2026. Sector regimes such as the FCA's Consumer Duty, SM&CR and the RSH consumer standards reach AI without naming it.

Does the EU AI Act apply to UK organisations?
It can. The EU AI Act is extraterritorial: it catches UK organisations that place AI systems on the EU market or whose AI output is used in the EU. The high-risk application dates were moved to 2 December 2027 and 2 August 2028 under the 2026 Digital Omnibus, subject to final adoption.

How is this tracker maintained?
Each row records the date it was last reviewed against the linked official source, and the changelog on this page records every addition or change. The page-level date shows when the tracker as a whole last changed.

Changelog.

  • Tracker created: 26 entries covering the cross-sector regimes (UK principles framework, UK GDPR, the Data (Use and Access) Act 2025, the EU AI Act) and the sector duties for housing associations, charities, local authorities, professional services, education and financial services.

Could your board evidence these duties today?

The Board AI Scorecard asks ten questions across accountability, policy, risk, data and capability, and shows you where the gaps sit. It takes about two minutes.

Free · no sign-up to see your score.