EU vs UK AI Regulation: What It Means for Governance & Risk

Artificial intelligence has evolved faster in the past two years than most organisations’ governance frameworks can keep up with. As AI continues to reshape business operations, regulators across major economies are responding by defining new guardrails for safe and trustworthy use.

Two of the most influential approaches come from the European Union, through Regulation (EU) 2024/1689 on Artificial Intelligence (European Parliament and Council of the European Union, 2024), and the United Kingdom, through its A Pro-Innovation Approach to AI Regulation whitepaper (Department for Science, Innovation and Technology, 2023). Both aim to protect users, promote trustworthy AI, and reduce systemic risk—yet they diverge sharply in philosophy and execution.

At SureCloud, we help organisations operationalise governance. So the real question is not which approach is “better” but what these models mean for organisations trying to adopt, govern, and scale AI safely.

Adopted in June 2024, the EU AI Act is the first standardised legal framework governing the safe development and use of AI across the European Union (Kilian, Jäck and Ebel, 2025). Its aim is ambitious: harness AI’s societal and economic potential while protecting human autonomy, fairness and safety (Visengeriyeva, 2025).

The Act applies to AI providers, manufacturers, importers, distributors and deployers, including non-EU organisations whose systems operate within the Union. Defence, security and military applications remain out of scope (European Parliament and Council of the European Union, 2024).

At the heart of the Act is a risk-based classification model (European Commission, 2025):

1. Unacceptable risk: prohibited systems, such as social scoring, predictive policing or intrusive biometric surveillance.

2. High risk: systems used in healthcare, employment, critical infrastructure and law enforcement, subject to strict transparency and governance requirements.

3. Limited risk: systems such as chatbots requiring disclosure that users are interacting with AI.

4. Minimal risk: video games, filters and other low-impact systems.

This framework increases oversight where risks to safety and rights are greatest and maintains space for innovation where risks are low (European Parliament and Council of the European Union, 2024, Art. 138).

A practical example for GRC teams

For a UK-based GRC provider such as SureCloud:

1. An AI-driven vendor risk scoring tool could be classified as high risk, as it may influence decisions relating to areas listed in Annex III.

2. A system ranking individuals or vendors by “trustworthiness” using behavioural or online data would fall under the unacceptable-risk category and be prohibited under Article 5(1)(c).

The Act took effect on 1 August 2024, with obligations phasing in through to 2027 (European Commission, 2025). Many organisations are now racing to assess system inventories, data provenance and model documentation.

The UK, by contrast, has opted not to introduce a single statutory AI law. Instead, its Pro-Innovation Approach sets out five high-level principles for regulators to apply within their sectors (Department for Science, Innovation and Technology, 2023):

1. Safety, security and robustness

2. Appropriate transparency and explainability

3. Fairness

4. Accountability and governance

5. Contestability and redress

This gives regulators such as the FCA, ICO, CMA and MHRA significant discretion. The approach enables rapid innovation but risks inconsistency as different regulators interpret principles in different ways.

Both frameworks share a common objective: safe, trustworthy AI adoption.
Europe emphasises consistency and accountability; the UK emphasises agility and growth.

But the divergence means organisations, especially those operating across borders, must build governance that can withstand both models.

Researchers including Killian, Jäck and Ebel (2025) highlight the practical challenges facing EU regulators and organisations: tight implementation timelines, limited SME support and uncertainties around technical standardisation.

Meanwhile, the UK’s distributed model may create fragmentation across sectors unless organisations establish strong internal governance models to harmonise expectations.

Whether operating under EU rules, UK principles or both, organisations will need to:

1. Understand where each AI system sits on a risk spectrum.

2. Maintain visibility across the AI supply chain—providers, datasets, model updates and subprocessors.

3. Prepare for documentation, auditability and transparency requirements.

4. Build continuous oversight instead of relying on annual reviews.

Delivering this requires operational tools and frameworks that provide:

1. AI system inventories

2. Classification and tiering

3. Change logs and audit trails

4. Supplier visibility and subprocessor mapping

5. Continuous assurance workflows

At SureCloud, we believe AI governance must be:

1. Practical: adoptable without heavy overhead

2. Flexible: spanning jurisdictions and regulatory styles

3. Evidence-based: ready for audit or inquiry

4. Continuous: reflecting real-time change in AI models and suppliers

While regulators diverge, the direction of travel is clear: organisations must align AI innovation with strong accountability, transparency and resilience.

Those who embed governance early will innovate faster, and with greater confidence, than those who react later.

The EU’s risk-based AI Act and the UK’s pro-innovation framework represent two different paths toward the same objective: advancing AI safely and responsibly. The future of AI governance will hinge on striking a balance between innovation and protection, creating conditions where technology can grow while upholding fairness, accountability and public trust.

Artificial Intelligence Act 2024. European Parliament and Council of the European Union. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689 (Accessed: 17 October 2025).

Killan, R., Jäck, L. and Ebel, D. (2025) ‘European AI Standards – Technical Standardisation and Implementation Challenges under the EU AI Act’, European Journal of Risk Regulation, pp. 1 – 25. Available at: https://doi.org/10.1017/err.2025.10032 (Accessed: 18 October 2025).

Secretary of State for Science, Innovation and Technology (2023) A pro-innovation approach to AI regulation: Government response to consultation. London: HM Government. Available at: https://www.gov.uk/government/consultations/ai-regulation-a-pro-innovation-approach-policy-proposals/outcome/a-pro-innovation-approach-to-ai-regulation-government-response (Accessed: 17 October 2025)

Visengeriyeva, L. (2025) What Is the EU AI Act?. 7^th edn. O’Reilly Media, Inc. Available at: https://learning.oreilly.com/library/view/what-is-the/9798341621268/ch01.html (Accessed: 18 October 2025).

European Comission. (2025) Shaping Europe’s digital future. Available at: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai (Accessed: 17 October 2025).