The short answer: No UK AI Act exists. The Labour government has continued the sector-led approach adopted by the previous administration, stating that "most AI systems should be regulated at the point of use" by existing specialist regulators. But this does not mean UK businesses using AI are operating in a regulatory vacuum. Five overlapping regimes apply today — and the EU AI Act, despite Brexit, applies to any UK business that exports to or processes data from EU citizens.
Regime 1 — UK GDPR (applies now, to most businesses)
The UK General Data Protection Regulation governs how personal data is processed, including when AI tools are involved. If you use AI to process customer data, employee data, or any personally identifiable information, UK GDPR applies. Key obligations relevant to AI use include: the right to explanation (for automated decisions with significant effect), data minimisation (only processing data necessary for the specified purpose), and transparency (telling customers when AI is involved in decisions that affect them).
For most UK service businesses, the practical question is: does the AI tool you use store or process your customers' personal information? If so, check that your AI vendor has a Data Processing Agreement in place and review whether their data handling meets UK GDPR standards. Most major AI providers (OpenAI, Anthropic, Google, Microsoft) have GDPR-compliant enterprise agreements available — but you need to use those enterprise tiers, not consumer accounts, when processing personal data at scale.
Regime 2 — FCA Consumer Duty and AI guidance (financial services businesses)
If your business provides financial services, advice, or products regulated by the FCA, the Consumer Duty (in force since July 2023) requires that AI tools used in customer interactions meet the standard of "good outcomes" for customers. The FCA issued specific AI guidance in 2025 clarifying that firms must understand, test, and monitor AI tools used in consumer-facing decisions. Using AI to generate advice, assess creditworthiness, or determine product suitability without appropriate oversight creates Consumer Duty risk.
Regime 3 — EU AI Act: extraterritorial scope (applies to UK exporters and EU data processors)
The EU AI Act has extraterritorial scope — it applies to UK businesses that deploy AI systems to EU users or that process EU citizen data, even though the UK has left the EU. EU AI Act prohibitions (on prohibited AI practices such as social scoring and biometric mass surveillance) have been enforceable since February 2025. High-risk AI obligations — covering AI in hiring, education, credit decisions, law enforcement, and critical infrastructure — apply from December 2027. If your business has any EU customer base, supplier relationships, or EU data processing, you are within scope of the EU AI Act. This is not a future consideration — the prohibition layer is already in force.
Regime 4 — UK cross-sector AI principles (voluntary but expectations are shifting)
The UK government has published cross-sector AI principles covering: safety and security, transparency and explainability, fairness, accountability and governance, and contestability and redress. These are currently voluntary for most businesses, but the regulatory expectation is shifting: the government has indicated these principles will increasingly be enforced by existing regulators (ICO, FCA, CMA, HSE) through their existing powers rather than through a new AI-specific law.
The practical implication for UK service businesses is to document your AI use now, while the documentation requirements are minimal. If you can show that you have considered these principles — that you reviewed whether your AI tools are fair, that you have a human in the loop for consequential decisions — you will be in a much stronger position when enforcement activity increases in 2027.
Regime 5 — Sector-specific rules (varies by industry)
Several UK sectors have sector-specific AI obligations overlapping with the general regimes above. The health sector (CQC, MHRA) has specific rules on AI medical devices and clinical decision support. The legal sector (SRA) has guidance on AI use in legal practice. The education sector has data protection and safeguarding requirements that apply to AI tools used with children. Regardless of sector, if you are regulated, assume your regulator has or will have guidance on AI — check their website before deploying AI in any customer-facing or professional context.
What is NOT yet in force (but will be)
The high-risk AI obligations under the EU AI Act — requiring conformity assessments, registration, and human oversight for AI systems in certain sensitive domains — do not apply until December 2027. This is the part of the EU AI Act that most affects businesses deploying AI in consequential decisions. If your current AI use is limited to drafting, summarising, or administrative support, you are not in the high-risk category and the December 2027 deadline is not immediately material. If your AI use involves hiring decisions, credit assessments, or health outcomes, take professional advice now.
Operator action: Q3 AI compliance checklist for UK service businesses
This week — create a simple AI use log. Spreadsheet or document: tool name, what data it touches, what decisions it informs. Takes 30 minutes. This is your starting point for any compliance conversation.
This month — review your AI vendors' data agreements. If you use AI tools for anything involving customer personal data, confirm you have a signed Data Processing Agreement with the vendor and that they are UK GDPR compliant.
This quarter — assess EU exposure. Do any of your customers or suppliers operate in the EU? If yes, review the EU AI Act prohibitions to confirm none of your AI tools fall into a prohibited category (social scoring, biometric surveillance, subliminal manipulation). For most UK service businesses the answer will be no — but the check itself takes less than an hour and protects you.
By December 2027 — for high-risk AI users only. If you use AI in hiring, credit decisions, or health contexts, get specialist advice before the high-risk obligations apply. Start the conversation in Q4 2026.