Regulación de IA en el Reino Unido
Resumen ejecutivo
Why «the UK has not regulated AI» is the wrong reading
The most common framing of UK AI regulation describes it as light-touch, slow, or absent. «The UK has not passed an AI Act» is the headline that travels. The reading is technically correct and structurally misleading. The UK has not regulated AI through a comprehensive horizontal statute. It has spent the same window doing something that the European Union, with its statute-first approach, has not done at the same depth: building state technical capacity to evaluate frontier AI before legislating it.
The dominant narrative reads the UK approach as procrastination dressed as pragmatism, or as ideological deference to industry. The reading misses the institutional logic. The UK government chose, deliberately and on the public record, to invest in the AI Safety Institute (now AI Security Institute) as a state capability for frontier model evaluation before designing the statute that would tell that capability what to enforce. The sequence is unusual. Most jurisdictions legislate first and build technical capacity second; the UK is doing the reverse.
What the UK approach actually is, then, is evidence-based regulation under construction. The current state is not the endpoint. The five principles in the 2023 White Paper are a placeholder while the technical evaluation infrastructure matures, while sectoral regulators integrate AI into existing oversight, and while the government decides which subset of frontier AI activity warrants statutory intervention. The Labour government that took office in July 2024 inherited this architecture and has, after eighteen months of public deliberation, narrowed the question from «should there be an AI Act» to «on which specific frontier AI capabilities should the AISI have statutory power.»
The political tension is real and worth naming honestly. Critics argue that the absence of binding statute leaves significant categories of AI risk — employment screening, automated decision-making in public services, generative content harms, algorithmic discrimination — without enforceable protection beyond what existing data protection and equality law already covers. Supporters argue that the AISI’s technical evaluations, sectoral regulator AI guidance, and the standards ecosystem (ISO/IEC 42001, ISO/IEC 23894, ISO/IEC 24029) together produce a more responsive regulatory regime than horizontal legislation would. Both readings have force. The UK has chosen the second; the choice is now visibly stress-testing as frontier AI capability evolves faster than anticipated, and as the December 2025 AISI Frontier AI Trends Report flagged that some capabilities required for AI models to evade human control are improving.
The operational reality is that the UK is, by May 2026, a jurisdiction with one of the most technically credible state AI evaluation capabilities in the world, no comprehensive AI Act, a Frontier AI Bill in advanced political design, and a sectoral regulator architecture absorbing AI into existing law. It is the most distinctive of the major national approaches.
What is currently in force
The UK AI regulatory regime as of May 2026 has four interlocking parts.
The five cross-sector principles. Articulated in the 2023 White Paper and confirmed in the February 2024 government response. Non-binding. Sectoral regulators are expected to integrate them into existing oversight. The principles are: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; contestability and redress. Each principle is interpreted by individual regulators in their domain rather than by a central AI authority.
Sectoral regulator action. The Information Commissioner’s Office (ICO) has published its strategic approach to AI under the UK GDPR and Data Protection Act 2018, with attention to automated decision-making, AI in employment, and generative AI privacy risk. The Financial Conduct Authority (FCA) has issued guidance on AI in financial services. The Competition and Markets Authority (CMA) conducted an initial review of AI Foundation Models with attention to market concentration. Ofcom integrates AI within the Online Safety Act regime. The MHRA addresses AI medical devices. The Equality and Human Rights Commission integrates AI into existing equality law. None of this is AI-specific statute; it is integration of AI into pre-existing sectoral regulation.
The AI Security Institute (AISI). A directorate of DSIT, established as AI Safety Institute in November 2023 and rebranded to AI Security Institute in February 2025. Initial £100m investment. AISI conducts technical evaluation of frontier AI models, with focus areas including capability evaluation (what models can do), alignment research (whether models reliably behave as intended), security research (whether models can be misused for cyberattacks, biosecurity threats, or weapons development), and societal resilience research. AISI has formal relationships with leading frontier AI developers and conducts pre-deployment model evaluations on a voluntary basis. It published its first Frontier AI Trends Report on 18 December 2025, which noted that some capabilities required for AI models to evade human control are improving.
Adjacent statutory instruments. The Data (Use and Access) Act 2025 brings AI-relevant changes including: a new regime for automated decision-making moving from prohibition with exceptions to permission with safeguards (effective in 2026); requirements for the Secretary of State to report on the use of copyright works in AI training and on the economic impact of policy options proposed in the copyright and AI consultation paper (deadline 19 March 2026); related data protection reforms relevant to AI processing. Pre-existing instruments — UK GDPR, Data Protection Act 2018, Equality Act 2010, sectoral statutes — continue to apply to AI use cases that fall within their scope.
In parallel, the Central AI Risk Function (CAIRF), established within DSIT in autumn 2023, coordinates cross-government AI risk work alongside AISI.
What is on the legislative horizon
Three items shape the near-term legislative trajectory.
The Artificial Intelligence (Regulation) Bill (Private Member’s Bill). Reintroduced into the House of Lords by Lord Holmes of Richmond on 4 March 2025 after failing to progress under the previous government. If enacted, the Bill would create an «AI Authority» to coordinate sectoral regulators and issue binding codes of practice, and would introduce an «AI Responsible Officer» role at organizational level. The Bill is not government-backed and is unlikely to pass in its current form. It signals the direction of statutory pressure rather than the substance of the eventual statute.
The comprehensive AI bill. In June 2025 the Guardian reported that the government had moved from a short AI bill in the 2024–26 session to a more comprehensive bill in the next session. On 3 December 2025, Secretary of State Liz Kendall told the House of Commons Science, Innovation and Technology Committee that the government was thinking about AI legislation «in terms of specific areas where we may need to act rather than a big all-encompassing bill.» The IAPP and other tracking sources expect any AI bill to be introduced in the second half of 2026 at the earliest. Likely scope: copyright in AI training, the most powerful AI models, and statutory grounding for the AISI.
The Frontier AI Bill. Announced as the legislative vehicle that would give AISI statutory powers. Expected provisions include potential pre-deployment model testing authority for the most capable systems, formal information-gathering powers, statutory grounding for AISI as an institution (replacing its current status as a DSIT directorate), and a duty on frontier developers to engage with AISI. Operational details remain in design. The January 2025 government response to the AI Opportunities Action Plan accepted the recommendation to establish AISI as a statutory body and committed to consultation on proposed legislation.
The UK AI Growth Lab, opened for consultation by DSIT on 21 October 2025, sits alongside the legislative work. The Growth Lab proposes cross-economy sandboxes to test AI innovations under targeted regulatory modifications, with successful pilots informing permanent reforms. The proposal envisages «red lines» — consumer protections, safety provisions, and fundamental rights — that would not be modified through sandbox pilots. The Growth Lab is an instrument for evidence generation feeding into the statutory work.
The AI Security Institute in operational terms
AISI is the institutional centerpiece of the UK approach. Understanding what it is and what it is not matters for any organization positioning AI work in the UK market.
What it is. A government technical evaluation capability focused on frontier AI safety and security, with research teams covering capability evaluation, alignment, security risks (cyber, biosecurity, weapons development), and societal resilience. AISI conducts pre-deployment evaluations of frontier models on a voluntary basis with leading developers. It publishes research, the annual Frontier AI Trends Report, and contributes to the international AI Safety Institute network that emerged from the Bletchley and Seoul Safety Summits.
What it is not. A regulator with enforcement powers. AISI cannot mandate evaluation submission, fine non-compliance, or prohibit deployment. Its current operational model is voluntary cooperation with frontier developers, with the explicit understanding that the Frontier AI Bill is intended to provide statutory grounding.
The February 2025 rebrand. The change from AI Safety Institute to AI Security Institute signaled a sharper focus on national security risks — misuse for cyberattacks, biosecurity threats, weapons development — and arguably narrowed attention away from ethics, bias, and rights concerns that some critics argued the original AI Safety framing had encompassed. The rebrand also aligned UK terminology more closely with US national-security framing of AI risk, particularly under the Trump administration’s January 2025 EO 14179 priorities.
The international network. The AI Safety Institute international network that emerged from Bletchley (November 2023) and Seoul (May 2024) Safety Summits, and continues through subsequent meetings, links AISI to counterparts in the US, Japan, the EU AI Office, and others. The network is informal but operationally important: it produces the cross-jurisdiction evaluation capacity that no individual national institute could sustain alone.
How sectoral regulators work AI into existing law
The UK’s choice to delegate AI oversight to existing sectoral regulators is the most distinctive feature of the regime. Five regulators carry the bulk of AI-relevant operational work.
Information Commissioner’s Office (ICO). The most operationally relevant regulator for most AI use cases. Applies UK GDPR and Data Protection Act 2018 to AI systems processing personal data, with detailed guidance on automated decision-making, AI in employment, generative AI privacy risk, and AI fairness. The ICO has issued a strategic approach to AI and integrates the five principles into its existing oversight.
Financial Conduct Authority (FCA). Applies financial services regulation to AI use cases in trading, credit decisions, fraud detection, customer service, and insurance. Has issued guidance on AI in financial services and integrates AI risk into existing prudential and conduct frameworks.
Competition and Markets Authority (CMA). Conducted an initial review of AI Foundation Models in 2024 examining market concentration, vertical integration, and the implications for competition policy. Active in monitoring AI-related M&A and partnerships.
Office of Communications (Ofcom). Integrates AI within the Online Safety Act regime, particularly on AI-generated content, deepfakes, and platform algorithmic transparency. Published its strategic approach to AI 2024/25.
Medicines and Healthcare products Regulatory Agency (MHRA). Regulates AI medical devices under existing medical device frameworks, with attention to AI as Software as Medical Device (SaMD).
Adjacent regulators — Equality and Human Rights Commission, Health and Safety Executive, sectoral regulators in transport and energy — apply AI to their domains. The model produces detailed sector-specific AI guidance but no central horizontal statute.
Intersections with other regimes
Five intersections shape how UK AI regulation operates within the broader international architecture.
Council of Europe Framework Convention on AI (CETS 225). UK is initial signatory and an early ratifier; the Convention entered into force on 1 November 2025. The UK satisfies its Convention obligations through a combination of existing sectoral regulation, the AISI’s evaluation function, and the eventual AI bill. The Convention’s rights-based floor applies to UK AI activity in the public sector directly and to the private sector through whatever measures the UK declares.
G7 Hiroshima Process. UK is G7 member and active participant. UK frontier AI developers are direct addressees of the Hiroshima Code of Conduct and are expected to engage with the OECD-hosted Reporting Framework. AISI’s evaluation work is complementary to the Hiroshima Reporting Framework: AISI produces technical evaluations of capability; Hiroshima produces public reports about practice.
EU AI Act. UK is a third country for AI Act purposes. UK-based AI providers placing systems on the EU market are subject to the AI Act regardless of UK regulatory status. UK organizations operating across UK and EU territory must satisfy both regimes. The asymmetry — EU horizontal statute, UK sector-led principles — creates a compliance translation burden that organizations active in both markets must manage.
OECD AI Principles. UK adheres to the Principles. The UK definitional approach is broadly consistent with the OECD definition of AI system. UK regulatory work is coordinated with the OECD Policy Observatory and the broader OECD.AI ecosystem.
International AI Safety Institute network. Bletchley (UK, November 2023), Seoul (May 2024), Paris AI Action Summit (February 2025), and subsequent meetings. UK AISI is the institutional anchor of this network. The Paris Summit was politically notable: UK and US declined to sign the declaration promoting «inclusive and sustainable» AI endorsed by 60 other countries. The non-signature reflected the UK government’s caution about AI declarations whose substantive content might constrain frontier AI work, and aligned UK with the US position under the Trump administration’s reframing of AI policy priorities.
## ⚖️ How Zertia operates within the UK AI regulatory regime
>
> > ### Built for UK AI compliance from day one
>
> Accreditations and memberships: 🎖️ ANAB-accredited (US) · 🎖️ UKAS process (UK) · 🎖️ ENAC process (EU) · 🏛️ IAPP member · 🏛️ INCITS member · 🏛️ UKAI member · 📜 EU AI Pact signatory
>
> Zertia is an ANAB-accredited AI management system certification body, with offices in Boston, Madrid, and London, and an active accreditation process with UKAS (United Kingdom Accreditation Service). The UK approach to AI regulation — principles-based, sector-led, with active reliance on international AI standards — makes accredited certification and standards-based assurance operationally central to how UK organizations demonstrate AI accountability.
>
> Certification — ISO/IEC 42001, AIUC-1, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301. The 2023 UK White Paper and subsequent government work explicitly recommend international AI standards as practical tools for governance and assurance. ISO/IEC 42001 certification operationalizes the five UK principles — safety, transparency, fairness, accountability, contestability — into a management system structure that sectoral regulators recognize. AIUC-1 provides agent-level technical assurance for frontier-adjacent UK organizations engaging with AISI evaluation work or deploying AI agents in regulated UK markets. Zertia’s London presence supports UK clients seeking accredited certification anchored in the European certification ecosystem.
>
> Regulatory frameworks — EU AI Act Conformity Assessment, NIST AI RMF Attestation, ISO/IEC 23894 Risk Assessment, Algorithmic Impact Assessment, Pre-Certification Assessment. UK organizations operating across UK and EU markets benefit from coordinated regulatory positioning that satisfies both the AI Act and the UK five-principles framework. Algorithmic Impact Assessments are structured to support both ICO data protection requirements and broader UK contestability and accountability principles.
>
> Audit — AI Management System audits, High-Risk AI System audits, AI Model audits, EU AI Act audits, NIST AI risk audits. Independent audits structured to support sectoral regulator engagement (ICO, FCA, CMA, Ofcom, MHRA), AISI voluntary evaluation engagement for frontier-adjacent organizations, and the eventual statutory AI regime.
>
> Training — AI Governance, Data Governance, Privacy Governance through Zertia Academy. Programmes treat the UK regime explicitly, including the sectoral regulator architecture, the AISI’s technical role, and the trajectory toward the Frontier AI Bill and comprehensive AI legislation. Particularly relevant for UK-based legal, compliance, and risk teams positioning AI governance work for the regulatory environment as it evolves.
>
> Zertia operates from Boston, Madrid, and London, with ANAB accreditation in the United States and active accreditation processes with UKAS (United Kingdom) and ENAC (Spain/EU). Member of IAPP, INCITS, and UKAI. Signatory to the EU AI Pact.
>
> ### 🎯 Take action
>
> | 🔍 Diagnose your gap | 📊 Build the assurance backbone |
> |—|—|
> | Pre-Certification Assessment → | ISO/IEC 42001 Certification → |
> | Independent diagnosis against the UK pro-innovation framework, ICO AI Auditing Framework, and DUAA 2025 obligations. | The accredited management system standard that operationalises principles-based UK regulation through ICO, FCA, MHRA, and CMA expectations into an auditable backbone. |
>
Regulación que entiendes es regulación que puedes convertir en ventaja competitiva.
¿No estás seguro de si este marco aplica a tu organización? Hablemos.
