Detailed overview
The United Kingdom does not currently have a single horizontal AI Act equivalent to the EU AI Act. The UK follows a regulator-led and sector-based framework. This means AI is regulated through existing legal regimes and regulators, depending on the sector, data involved, use case and risk profile.
Five cross-sector principles
The UK Government's AI framework is based on five cross-sector principles: safety, security and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress. These principles are implemented through existing regulators rather than through one central AI regulator.
Compliance by sector
In practice, UK AI compliance starts with the sector and the legal effect of the system. AI that processes personal data is regulated under UK data-protection law and ICO guidance. AI used in healthcare may fall under medical-device or healthcare regulation. AI used in financial services may be subject to financial-regulatory expectations. AI used in consumer services may trigger consumer-protection, competition, online-safety or equality-law issues.
ICO and data protection
The UK Information Commissioner's Office provides guidance on AI and data protection, including how UK data-protection principles apply to AI, how to explain decisions assisted by AI, and how to assess biometric and AI data-protection risks. The ICO notes that its AI and data-protection guidance is under review following the Data (Use and Access) Act 2025, so organisations should monitor changes to ICO guidance when using AI with personal data.
Healthcare AI
Healthcare AI is an area where the UK is developing sector-specific regulation. The UK has created a National Commission into the Regulation of AI in Healthcare to advise the Medicines and Healthcare products Regulatory Agency on a future healthcare AI regulatory framework.
Penalties
There is no single UK AI fine table. Penalties depend on the legal regime involved. Data-protection breaches are enforced under UK data-protection law. Financial AI may be enforced by financial regulators. Healthcare AI may be enforced under healthcare or medical-device rules. Consumer-facing AI may be assessed under consumer, competition, online-safety or equality laws.
Council of Europe AI Convention
The UK has also signed the Council of Europe AI Convention. Once implemented domestically, the Convention may add a human-rights, democracy and rule-of-law layer to UK AI governance.
Practical requirements & details
The requirements below are drawn from official UK sources: the DSIT White Paper "A pro-innovation approach to AI regulation" (2023) and the 2024 consultation response, UK GDPR / Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025, and AI guidance from sectoral regulators (ICO, MHRA, FCA, CMA, Ofcom).
Five cross-sector AI principles (DSIT)
- Safety, security and robustness — robust, secure and safe operation across the lifecycle; continuous risk identification, assessment and management.
- Appropriate transparency and explainability — appropriate disclosure about how AI systems work, decisions made, and limitations.
- Fairness — must not undermine legal rights, discriminate unfairly, or create unfair commercial outcomes.
- Accountability and governance — clear lines of accountability across the AI lifecycle and effective oversight measures.
- Contestability and redress — users and affected third parties can contest AI decisions or outcomes that cause material harm.
ICO — AI and personal data (UK GDPR + DPA 2018)
- Identify the lawful basis at every AI lifecycle stage (training, fine-tuning, inference); for special-category data also satisfy an Art. 9 condition.
- Carry out a Data Protection Impact Assessment (DPIA) before high-risk AI processing (Art. 35 UK GDPR + ICO list).
- Apply data minimisation, storage limitation and purpose limitation — including for training datasets and inference logs.
- Provide Article 13/14 information to data subjects, adapted for the AI use case.
- Respect Article 22 rights on solely automated decisions with legal or similarly significant effects (narrowed but not removed by the Data (Use and Access) Act 2025; safeguards still required).
- Biometric AI for unique identification: explicit consent or another Art. 9(2) condition plus a DPIA.
- Apply data protection by design and by default (Art. 25).
- ICO fines: up to £17.5 million or 4% of worldwide annual turnover for serious UK GDPR breaches.
Healthcare AI — MHRA
- AI that diagnoses, monitors, predicts, prognoses, treats or alleviates disease can qualify as a medical device under the UK Medical Devices Regulations 2002.
- As a medical device, it requires UKCA marking (or CE marking under transitional arrangements) with conformity assessment proportionate to its risk class.
- The MHRA runs the Software and AI as a Medical Device Change Programme, plus the AI Airlock regulatory sandbox for novel AI medical devices.
Financial services — FCA + PRA
- Firms remain accountable for AI-driven decisions under the Senior Managers and Certification Regime (SM&CR) — a senior manager must own material AI use.
- Customer-facing AI is covered by the FCA's Consumer Duty (PRIN 2A): good outcomes, no foreseeable harm, support for vulnerable customers.
- FCA/PRA FS2/23 sets supervisory expectations on governance, model risk, fairness and operational resilience.
Online safety, competition, equality
- The Online Safety Act 2023 applies to platforms hosting AI-generated illegal/harmful content (including deepfake intimate-image abuse); duties to assess risk and take proportionate mitigations.
- The CMA has set principles for foundation models (accountability, access, diversity, choice, flexibility, fair dealing, transparency).
- The Equality Act 2010 applies to AI decisions in employment, services, education and public functions (direct + indirect discrimination).
AI Security Institute + CoE Convention
- The AI Security Institute (AISI) runs voluntary safety evaluations of frontier models; participation framed by Bletchley/Seoul/Paris Summit commitments.
- The UK signed the Council of Europe Framework Convention on AI on 5 Sept 2024; domestic implementing legislation is still needed.
Penalties — by sector
- No single AI fine table. Notable caps:
  - ICO — up to £17.5M or 4% worldwide turnover.
  - Ofcom (Online Safety Act) — up to £18M or 10% qualifying revenue; senior-manager criminal liability for certain failures.
  - CMA — up to 10% worldwide turnover (Competition Act); enhanced powers under the Digital Markets, Competition and Consumers Act 2024.
  - MHRA — enforcement notices, recalls, suspensions and criminal sanctions.