UK AI regulation confuses a lot of businesses — partly because there’s no single law to point to. Here’s a complete, plain-English overview for 2026, cited to official sources. (dgm implements osFoundry as an independent partner. General information, not legal advice.)
The model: principles, not a statute
The UK regulates AI through existing cross-cutting law, applied by existing regulators against five common principles, rather than through a bespoke AI Act (see our dedicated guide, "Is there a UK AI Act?"). The 2023 pro-innovation white paper set those five principles — safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; contestability and redress — and each regulator interprets them within its own sector and remit.
The backbone: data protection
For most businesses, AI compliance starts with data protection:
- UK GDPR + Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025;
- the ICO is the cross-sector regulator.
Key obligations when AI touches personal data: a lawful basis, DPIAs for high-risk processing, transparency, and the rebuilt automated decision-making safeguards (new Articles 22A–22D under the DUAA). We cover these in dedicated guides on UK GDPR and AI and automated decision-making.
Sector regulators set the detail
- FCA (financial services) — principles-based; has declined to introduce AI-specific rules, relying on Consumer Duty, SM&CR and operational resilience.
- MHRA (medical devices) — AI software with a medical purpose falls within the medical devices regime (software as a medical device), with a dedicated AI framework expected in 2026.
- Ofcom (online safety) — the Online Safety Act can catch user-facing chatbots.
- CMA — watches AI foundation-model markets.
The CMA, FCA, ICO and Ofcom coordinate through the Digital Regulation Cooperation Forum (DRCF), the main vehicle for joined-up UK AI regulation; regulators outside the DRCF, such as the MHRA, engage with it but are not members.
The EU AI Act still reaches UK firms
If you place AI systems on the EU market, or AI output you produce is used in the EU, the EU AI Act applies regardless of where you are established. Classify each system against its risk tiers and track the deadlines: prohibited practices have applied since February 2025 and general-purpose AI (GPAI) obligations since August 2025, while the high-risk obligations would be deferred toward late 2027/2028 under the proposed Digital Omnibus package (check its status before relying on the later dates). See our EU AI Act for UK businesses guide.
The recurring theme: human in the loop
Across NHS, SRA, ICAEW, RSH, DfE and the ICO, one expectation recurs: human oversight and accountability. Whatever you build, design so a human can understand, contest and override significant AI decisions.
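The "understand, contest and override" expectation above is an architectural requirement, not only a policy one. The following is an added example (not code from this page, osFoundry or dgm) of a minimal human-in-the-loop gate: significant outcomes are held for a named reviewer rather than applied automatically, the affected person can contest an outcome and have it re-reviewed by a different person, and every step is written to a hash-chained audit log so later tampering is detectable. The thresholds, event names and sample decisions are illustrative assumptions.

```python
"""Added example: human-in-the-loop gate for AI-assisted decisions with a
hash-chained audit log. Thresholds, names and sample data are assumptions."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Decision:
    decision_id: str
    subject: str
    model_output: str          # what the model proposed, e.g. "decline"
    confidence: float
    reasons: list              # top contributing factors, so a human can understand it
    status: str = "pending"    # pending | applied | approved | overridden | contested
    final_outcome: Optional[str] = None
    reviewer: Optional[str] = None


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, **data) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                 "data": data, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class HumanInTheLoopGate:
    # Assumption: a decision is "significant" if the outcome is adverse to the
    # subject or the model is not confident; such decisions are never auto-applied.
    def __init__(self, audit: AuditLog, adverse=("decline",), min_auto_confidence=0.9):
        self.audit = audit
        self.adverse = set(adverse)
        self.min_auto_confidence = min_auto_confidence
        self.decisions = {}

    def is_significant(self, d: Decision) -> bool:
        return d.model_output in self.adverse or d.confidence < self.min_auto_confidence

    def submit(self, d: Decision) -> Decision:
        self.decisions[d.decision_id] = d
        self.audit.append("model_proposed", decision_id=d.decision_id, output=d.model_output,
                          confidence=d.confidence, reasons=d.reasons)
        if self.is_significant(d):
            d.status = "pending"  # held for a human; nothing is applied yet
            self.audit.append("routed_to_review", decision_id=d.decision_id)
        else:
            d.status, d.final_outcome = "applied", d.model_output
            self.audit.append("auto_applied", decision_id=d.decision_id, outcome=d.final_outcome)
        return d

    def review(self, decision_id: str, reviewer: str, outcome: str, reason: str) -> Decision:
        d = self.decisions[decision_id]
        if d.status not in ("pending", "contested"):
            raise ValueError(f"{decision_id} is not awaiting review (status={d.status})")
        if d.status == "contested" and reviewer == d.reviewer:
            raise ValueError("a contested decision must go to a different reviewer")
        if not reason.strip():
            raise ValueError("the reviewer must record a reason")
        d.status = "approved" if outcome == d.model_output else "overridden"
        d.final_outcome, d.reviewer = outcome, reviewer
        self.audit.append("human_decision", decision_id=decision_id, reviewer=reviewer,
                          outcome=outcome, reason=reason, status=d.status)
        return d

    def contest(self, decision_id: str, reason: str) -> Decision:
        """The affected person challenges an outcome; it returns to a human."""
        d = self.decisions[decision_id]
        if d.status not in ("applied", "approved", "overridden"):
            raise ValueError(f"{decision_id} has no outcome to contest (status={d.status})")
        d.status = "contested"
        self.audit.append("contested", decision_id=decision_id, reason=reason)
        return d


def run_demo():
    """Constructed sample decisions; returns (gate, audit) for inspection."""
    audit = AuditLog()
    gate = HumanInTheLoopGate(audit)
    gate.submit(Decision("d1", "applicant-1", "approve", 0.97, ["income_verified"]))
    gate.submit(Decision("d2", "applicant-2", "decline", 0.95, ["missed_payments"]))
    gate.review("d2", "alice", "approve", "payments were under dispute, not missed")
    gate.contest("d2", "I want the original model reasoning checked")
    gate.review("d2", "bob", "approve", "independent check agrees with alice")
    return gate, audit


if __name__ == "__main__":
    gate, audit = run_demo()
    for e in audit.entries:
        print(e["event"], e["data"])
    print("audit chain intact:", audit.verify())
```

Two design choices matter here: the model's proposal and its reasons are logged before any human acts, so a reviewer sees what the system would have done and why; and the adverse or low-confidence path has no code that applies the outcome, so an "override" is a human writing the final outcome, not a human switching off an action that already happened.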
Where osFoundry and dgm fit
dgm implements AI with these controls designed in: data control (self-host in your own cloud, or use an EU region; osFoundry currently publishes US, EU and JP regions and no UK region), audit logging, and human-in-the-loop review. dgm is an independent integration partner with zero integrations so far, and not a law firm: take qualified legal advice for compliance decisions. To scope a compliant AI project, book a consultation with dgm.