What UK SMEs Should Know About AI Rules in 2026

No, the UK does not have an AI Act. Here is what you actually need to know in 2026.

Most SME leaders I talk to are working off a slightly inaccurate mental model of UK AI regulation. They have heard about the EU AI Act and the US executive order on AI, they have read a headline about Singapore or California, and they have reasonably assumed the UK must have something equivalent. So they ask whether they need to “comply with the UK AI Act.” The short answer: as of April 2026 there is no UK AI Act, and the current government has signalled future legislation only for the developers of the most powerful frontier models — not a general-purpose statute that would apply to a 30-person professional services firm rolling out Copilot. The UK is doing something different, and it is worth understanding what, because it affects you even if it does not look like a statute. There are three things to actually track.

1. UK GDPR is still the rulebook (and it changed in 2025 — most recently on 5 February 2026)

The single most important thing to know is that the existing data protection regime — UK GDPR, with the Data Protection Act 2018 alongside it — is still the operational rulebook for almost everything an SME does with AI that touches personal data. The ICO is the regulator, and the ICO’s guidance on AI and data protection sits at the centre of the picture. What changed in 2025 is the Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025 and has commenced in stages through 2025 and 2026. The tranche that matters most for AI adoption — the majority of Part 5’s data protection provisions, including the rules on automated decision-making — commenced on 5 February 2026 via SI 2026/82 (the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026).

The most relevant adjustment is in automated decision-making. Section 80 of DUAA substituted the single Article 22 UK GDPR with a four-Article framework — Articles 22A-22D (commenced 5 February 2026 via SI 2026/82) — that governs significant decisions taken about individuals on a solely-automated basis. Article 22A introduces two threshold tests: a decision is “based solely on automated processing” if there is no meaningful human involvement in taking it, and a decision is “significant” if it produces a legal effect on the person or has a similarly significant effect. Article 22B sets the lawful-basis rules. Article 22C sets the non-negotiable safeguards: information about the decision, the ability to make representations, the ability to obtain human intervention, and the ability to contest the outcome. Article 22D gives the Secretary of State regulation-making powers to fill in detail around those tests.

The practical effect of the change — as the ICO summarises — is that an organisation may now rely on any of the lawful bases apart from the new “recognised legitimate interest” route (introduced by DUAA Schedule 4 as Article 6(1)(ea)) when it makes significant automated decisions about people. The exclusion of recognised legitimate interest for ADM is explicit in Article 22B(4) and is the single most important “do-not-assume” point of the 5 February 2026 commencement: the new annex does not open a shortcut for solely-automated decision-making. Standard legitimate interests under Article 6(1)(f) remains available for non-special-category data with the usual legitimate-interests assessment. For special category data (Article 9(1) UK GDPR), the narrow pre-existing gateways are retained: explicit consent, or contract necessity combined with Article 9(2)(g) (substantial public interest in UK law with safeguards). An SME deploying a CV-screening tool, an automated credit decision, or any process where an AI decides something about an identified person without a reviewer who can meaningfully override is in Articles 22A-22D territory and should treat the lawful-basis choice and the Article 22C safeguards as a documentation and design discipline.

Two other DUAA-era points are worth knowing. Data Protection Impact Assessments (DPIAs) typically remain necessary for new AI deployments that are likely to result in a high risk — which captures most novel processing of personal data at scale. And the Article 28 controller/processor regime still applies when a third-party AI vendor processes personal data on your behalf: a written data processing agreement is expected, and the substance of those obligations remains intact post-commencement. The ICO is publishing and updating guidance on the new framework on a rolling basis during 2026 — including guidance for specific applications such as automated decision-making in recruitment — so the detail sitting underneath Articles 22B and 22C may be refined by subsequent ICO publications in the months after 5 February 2026. For more detail on the post-5-February-2026 position and the canonical source material, see the UK Regulatory Overlay. For binding interpretation in any specific case, a qualified solicitor is the right call, not an article on the internet.

2. DSIT’s five principles are not law — but they are the map

There is no UK AI Act. What there is, instead, is a set of five cross-sectoral principles published by the Department for Science, Innovation and Technology (DSIT) in the 2023 pro-innovation White Paper, reaffirmed in the February 2024 Government Response, and developed further in the AI Opportunities Action Plan published in January 2025. The principles are guidance to existing regulators, not legislation. There is no DSIT-level enforcement mechanism. The Labour government, since July 2024, has reaffirmed the pro-innovation, light-touch posture and has signalled future legislation only for the developers of the most powerful frontier models — not a general AI Act that would apply broadly to UK businesses.

The five principles, named verbatim from the White Paper, are:

  1. Safety, security and robustness — AI systems should function in a robust, secure and safe way throughout their life cycle, with risks identified, assessed, and managed.
  2. Appropriate transparency and explainability — AI systems should be sufficiently transparent and explainable, with the level of transparency proportionate to the use case.
  3. Fairness — AI systems should not undermine the legal rights of individuals or organisations, discriminate unfairly, or create unfair commercial outcomes.
  4. Accountability and governance — Governance measures should be in place to ensure effective oversight of AI systems, with clear lines of accountability across the AI life cycle.
  5. Contestability and redress — Where appropriate, people affected by AI decisions should be able to contest an outcome that is harmful or creates a material risk of harm.

The architecture point that matters most for SMEs is this: because the principles are not law, an SME asking whether its AI use is “in conformance with” the DSIT principles is asking the wrong question. The right question is: which of the existing sector regulators apply to us, and how have they interpreted the principles within their own statutory powers? DSIT does not enforce. The ICO, Ofcom, the CMA, the FCA, the MHRA, the HSE, and the EHRC do — each within its own remit. The principles are the direction of travel that all of them are now expected to follow. An SME that builds its internal AI governance against the five principles will find itself well-positioned regardless of which sector regulator eventually publishes binding guidance in its space. The proportionality embedded in the principles is especially important: a 25-person professional services firm is not expected to operate the same controls as a national bank.

3. Your sector regulator will have more to say

The third thing to know is that the UK approach is deliberately fragmented across sector regulators, and your sector regulator will eventually have the most specific things to say about AI in your domain. A few worth knowing: Ofcom is the regulator if you are a telecoms provider, a broadcaster or on-demand programme service, or operate an online service in scope of the Online Safety Act — Ofcom published its strategic approach to AI for 2025/26 on 6 June 2025 and identified synthetic media, personalisation, and security and resilience as its top three AI risk categories. The FCA regulates financial services and has published its own AI strategy alongside work with the Bank of England. The MHRA regulates AI used in medical devices. The EHRC has equality and discrimination expectations where AI affects people’s access to goods, services, or employment.

The UK has decided not to have a single “AI rulebook,” so the question “what AI rules apply to us?” cannot be answered generically — it depends on your sector and which regulators have statutory power over your activities. The right move is to list the regulators that already apply to you and check each one’s most recent AI-specific publications. For most non-regulated SMEs in the 5-to-500 employee range, the ICO is the only regulator whose AI guidance directly applies day-to-day.

What to do about it (practically)

Five concrete actions that come out of all of the above. None of these require a legal team or a six-figure programme.

  1. Inventory every AI processing activity that touches personal data, including the ad-hoc and shadow uses by employees. You cannot document a lawful basis for processing you cannot see.
  2. Document the lawful basis for each activity, and separately for any significant solely-automated decision path within it. For the solely-automated path, the basis must not be the new “recognised legitimate interest” route introduced by DUAA Schedule 4 — Article 22B(4) explicitly excludes it. Standard legitimate interests under Article 6(1)(f) remains available for non-special-category data, with a documented legitimate-interests assessment. Special category data retains the narrow gateways: explicit consent, or contract necessity with Article 9(2)(g).
  3. Build meaningful human involvement into any AI-driven decision path that materially affects customers, employees, or other individuals. The post-5-February-2026 threshold test in Article 22A(1)(a) is “no meaningful human involvement” — the design discipline is to make sure there is some. A reviewer who has capacity to query, override, or halt a model’s output — and whose review is not a rubber stamp — keeps the process outside Articles 22B-22C territory and satisfies the contestability principle from DSIT in the same move.
  4. Nominate a single AI governance owner. Even in a small SME, designate one named person accountable for AI governance decisions. The accountability principle does not work if the answer to “who owns this” is a shrug.
  5. Watch ICO guidance through 2026. The ICO is publishing rolling guidance against the new Articles 22A-22D framework — including for specific applications such as automated decision-making in recruitment. When a piece of ICO guidance lands that touches an AI use case you actually run, re-check the specifics in this article and revisit the corresponding UK Regulatory Overlay entry. A six-monthly calendar reminder is a sensible minimum.

A note on what this article is, and is not

This is informational and does not constitute legal advice. UK AI regulation as of 2026 is a moving target — the Data (Use and Access) Act 2025 is in phased commencement, the ICO’s substantive AI guidance is under review, and several sector regulators are publishing or revising AI-specific material on a rolling basis. Anything in this article that is more than six months old at the point you are reading it should be re-checked. For binding interpretation in any specific case, the right move is to consult a qualified solicitor — and if you would like an introduction to one I trust, ask. For a structured, non-legal walk through your AI readiness and governance posture against the SAFE-AI Framework, the free AI Readiness Scorecard is the cheapest place to start, and the AI Readiness Assessment is the next step up if you want a written report and a 90-day plan. Neither is legal advice, both are diagnostic.
