
AI Compliance Regulations: UK & EU Guide 2026

  • ISO 42001
  • Compliance
  • Gabriel Few-Wiegratz
  • Published: 27th May 2026


Highlights
  • The EU AI Act (Regulation (EU) 2024/1689) is the most prescriptive AI governance framework. It applies risk-based obligations: prohibited AI (from February 2025), GPAI model requirements (from August 2025), and high-risk AI system obligations (from August 2026).
  • The FCA applies AI governance expectations through existing frameworks: SM&CR personal accountability for AI outcomes, Consumer Duty requirements for AI in retail financial services, and model risk management expectations derived from PRA supervisory statements.
  • The ICO enforces AI data protection obligations under UK GDPR: Article 22 safeguards for automated decision-making, DPIAs for high-risk AI processing, and heightened requirements where AI processes biometric or sensitive data.
  • ISO 42001:2023 is a voluntary AI management system standard that can be implemented once and mapped to the EU AI Act, FCA expectations, and ICO requirements simultaneously. Certification is available but does not substitute for regulatory compliance.
  • For UK-headquartered financial services firms operating in the EU, all four frameworks apply simultaneously. Compliance planning should start with the most demanding applicable obligation and map controls outward to the others.
Expert View

Matt Davies

Chief Product Officer, SureCloud


What our experts say about AI Governance regulations

"The firms that are furthest ahead on EU AI Act readiness aren't the ones with the biggest compliance teams: they're the ones that mapped their AI systems before anyone told them to, because they already had a model risk management programme worth the name. The EU AI Act asks hard questions; they happen to be the same questions a mature FCA-regulated firm should already be answering."


Key Facts
  1. EU AI Act Article 5 prohibitions applied from 2 February 2025. Prohibited practices include AI systems using subliminal manipulation, social scoring by public authorities, and most real-time remote biometric identification in publicly accessible spaces.
  2. High-risk AI system obligations under the EU AI Act (Articles 16-29) apply from 2 August 2026. Categories include AI used in employment decisions, credit scoring, access to essential services, and law enforcement.
  3. EU AI Act penalties for violations of prohibited AI provisions reach EUR 35 million or 7% of global annual turnover. High-risk AI failures carry fines up to EUR 15 million or 3% of global annual turnover.
  4. UK GDPR Article 22 applies to any AI system making solely automated decisions that produce legal or similarly significant effects on individuals. At least one of three conditions must be satisfied: contract necessity, explicit consent, or a legal basis with suitable safeguards.
  5. ISO 42001:2023, published in December 2023, is the first international standard specifically designed for AI management systems. It applies to any organisation using AI, any sector, any size.
The EU AI Act: Scope, Structure, and Obligations

Who Must Comply?

The EU AI Act, Regulation (EU) 2024/1689, entered into force on 1 August 2024. It applies to providers that place AI systems on the EU market, deployers that use AI systems within the EU, importers and distributors, and product manufacturers incorporating AI systems. UK-based organisations that sell AI products into the EU market or use AI within EU operations fall within scope regardless of where they are headquartered.

The Act uses a risk-based classification: prohibited AI is banned outright; high-risk AI is subject to extensive pre-market obligations; limited-risk and minimal-risk AI carries lighter or voluntary requirements; and General Purpose AI (GPAI) models have their own obligations under Title VIII, applicable from August 2025.

Prohibited AI Systems (applicable from 2 February 2025)

Article 5 of the EU AI Act prohibits a defined set of AI practices with effect from 2 February 2025. These include AI systems that use subliminal or manipulative techniques to impair rational decision-making; AI that exploits vulnerabilities related to age, disability, or social situation; social scoring systems operated by public authorities; and most real-time remote biometric identification in publicly accessible spaces.

Any AI system falling within these categories should have been identified and withdrawn from EU use before 2 February 2025. Organisations deploying AI that touches these categories should have conducted a classification review and documented the outcome, regardless of whether they concluded the system is prohibited.

General Purpose AI (GPAI) Models (applicable from 2 August 2025)

Title VIII of the EU AI Act introduces obligations for providers of GPAI models: AI models trained on large amounts of data and capable of performing a wide range of tasks. The practical scope includes providers of large language models (LLMs) and other foundation models. Obligations include technical documentation, compliance with EU copyright law, and transparency about training data. GPAI models presenting systemic risk (those trained above a certain compute threshold) face additional requirements including adversarial testing and serious incident reporting.

Organisations that build applications on top of GPAI models are deployers rather than providers under this title. Their obligations relate to the high-risk classification of the application, not the underlying model.

High-Risk AI Systems (applicable from 2 August 2026)

High-risk AI systems are defined in Annex III of the EU AI Act. The categories that most commonly affect regulated organisations include:

  1. Biometric identification and categorisation systems
  2. AI used in critical infrastructure management (energy, water, transport)
  3. AI used in education and vocational training that affects access or assessment outcomes
  4. AI used in employment decisions: recruitment, selection, promotion, performance monitoring, and task allocation
  5. AI used in access to essential private services: credit scoring, insurance underwriting, risk assessment
  6. AI used by public authorities in benefits eligibility, law enforcement, migration and asylum processing, and administration of justice

For deployers of high-risk AI systems, the key obligations under Articles 26 and 29 are: conduct a fundamental rights impact assessment where required; use AI systems in accordance with accompanying instructions; implement human oversight; maintain logs; and report serious incidents to providers and market surveillance authorities.

For providers, obligations under Articles 16-17 include establishing a quality management system; maintaining technical documentation; ensuring logging capabilities; and registering in the EU database for high-risk AI systems before placing the system on the market. Conformity assessment (either self-assessment or third-party review, depending on the category) is required before EU market entry.

Financial Penalties for Non-Compliance

Penalties under the EU AI Act are tiered by infringement type. Violations of prohibited AI provisions (Article 5) carry fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher. Non-compliance with high-risk AI obligations carries fines of up to EUR 15 million or 3% of global annual turnover. Providing incorrect, incomplete, or misleading information to national authorities carries fines of up to EUR 7.5 million or 1% of global annual turnover.

National market surveillance authorities have enforcement powers within their jurisdictions. The European AI Office oversees enforcement in relation to GPAI models.

FCA Guidance on AI in Financial Services

Current Regulatory Expectations

The FCA regulates AI through existing frameworks rather than primary AI legislation, publishing extensive guidance clarifying how existing obligations apply to AI-assisted activities. The core principle is consistent across all its guidance: firms remain fully accountable for AI-assisted outcomes regardless of the opacity of the underlying model.

The FCA Consumer Duty, which came into force in July 2023, is particularly relevant for AI in retail financial services. Firms must demonstrate that AI-driven outcomes deliver good outcomes for retail customers: fair value, comprehensible information, and products and services that meet customer needs. An AI system that systematically produces outcomes the firm cannot explain or justify in consumer terms creates Consumer Duty exposure.

The SM&CR (Senior Managers and Certification Regime) extends personal accountability to AI governance. Where a Senior Manager has responsibility for a business area that uses AI to influence regulated activities, that Senior Manager is personally accountable for the governance of those AI systems. The FCA expects firms to be able to name the Senior Manager responsible for each significant AI use.

Model Risk Management

The FCA's expectations for model risk management apply to AI models in the same way they apply to statistical and quantitative models used in regulated activities. The core requirements are independent model validation, documentation of model assumptions and limitations, monitoring of model performance post-deployment, and clear escalation procedures when model outputs diverge from expected behaviour.

The PRA (Prudential Regulation Authority), which supervises banks and insurers, has published supervisory statements on model risk management that set out expectations for model governance frameworks. Firms should treat FCA AI guidance as a live document: the FCA has indicated an active programme of AI-specific regulatory development, and the position at time of publication should be confirmed.

AI Used in Financial Crime Detection

The FCA and Financial Intelligence Unit have published guidance on the use of AI in financial crime detection. Machine learning models used in transaction monitoring, name screening, and fraud detection are subject to the same governance expectations as other AI models in regulated activities: documented validation, explainability sufficient to support Suspicious Activity Report (SAR) decisions, and accountability for false positive and false negative rates.

The FCA has indicated willingness to engage with firms piloting AI in financial crime prevention through its regulatory sandbox. Firms should maintain documentation of the governance decisions taken for financial crime AI that is sufficient to demonstrate regulatory compliance if challenged.

ICO Guidance on AI and Data Protection

UK GDPR and Automated Decision-Making

The ICO is the UK's data protection regulator. Its AI guidance applies UK GDPR to AI systems that process personal data of UK residents, regardless of where processing takes place. The central obligation for AI systems is UK GDPR Article 22, which applies to solely automated decisions that produce legal or similarly significant effects on individuals.

Compliance with Article 22 requires one of three conditions: the processing is necessary for a contract with the individual; it is authorised by law with suitable safeguards; or the individual has given explicit consent. Where Article 22 applies, individuals must be given the right to obtain human review of the decision, to express their point of view, and to contest the decision.

AI systems that contribute to decisions alongside human reviewers may still engage Article 22 where the human element is perfunctory. The ICO has indicated that rubber-stamping an AI recommendation without genuine review is treated as solely automated decision-making for regulatory purposes.

Data Protection Impact Assessments for AI

UK GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) where processing is likely to result in high risk to individuals. The ICO has confirmed that automated processing, large-scale processing of special category data, and systematic monitoring all trigger the DPIA requirement. Most AI systems that process personal data at scale will require a DPIA before deployment.

A DPIA for an AI system must assess the necessity and proportionality of the processing, the risks to individuals, and the measures taken to address those risks. The ICO's AI auditing framework sets out what it expects to see in a DPIA for an AI system: documentation of the data used to train and validate the model, the decisions the system influences, the individuals affected, and the human oversight arrangements in place.

Processing Biometric Data: Heightened Obligations

AI systems that process biometric data (capable of uniquely identifying an individual from physical or behavioural characteristics) process special category data under UK GDPR. Processing special category data for AI training or operation requires an explicit lawful basis under Article 9, a DPIA, and, in most cases, explicit consent from individuals.

Facial recognition and voice recognition AI systems are high-risk under both UK GDPR and the EU AI Act's Annex III biometric categorisation provisions. Organisations using these systems face obligations from both regulators simultaneously, and should document compliance with each framework separately.

The UK Government's Approach: Pro-Innovation and Sector-Led

The UK government has taken a different path from the EU AI Act's prescriptive, horizontal regulatory model. The approach established under the previous administration, and maintained by the Labour government elected in July 2024, relies on existing regulators applying existing frameworks to AI, supplemented by sector-specific guidance rather than primary AI legislation.

The AI Opportunities Action Plan, published in January 2025, set out the government's ambition to position the UK as a leading AI adopter without introducing prescriptive horizontal regulation. AI safety work is centred on the AI Safety Institute. Organisations should confirm the current legislative position at time of publication, as government policy in this area continues to develop.

In practice, UK AI regulation is delivered through sectoral guidance. The FCA, ICO, PRA, CMA, and Ofcom each apply their existing frameworks to AI within their remits. The advantage of this approach is regulatory flexibility. The practical challenge is fragmentation: a financial services firm using AI in credit, fraud, and customer communications faces guidance from the FCA, ICO, and potentially the CMA, each applying its own framework to different aspects of the same AI deployment.

For UK organisations, regulatory exposure from a poorly governed AI system runs through existing enforcement frameworks: FCA enforcement under Consumer Duty and SM&CR, ICO enforcement under UK GDPR, and CMA competition enforcement where AI influences pricing or market behaviour. A sector-led approach creates fragmentation: the same AI deployment may face separate governance questions from the FCA, ICO, and CMA simultaneously.

ISO 42001:2023: The AI Management System Standard

ISO 42001:2023 is the first international standard specifically designed for AI management systems. Published in December 2023, it applies to any organisation using AI systems, whether as provider or deployer, across any sector and size. Its structure follows the ISO Annex SL management system format, making it compatible with existing ISO 27001 (information security) and ISO 9001 (quality) implementations.

Key Clauses and Their Regulatory Relevance

Clause 4 (Context of the organisation) requires organisations to define the scope of their AI management system and understand the interests of relevant parties. For a financial services firm, this includes mapping the AI systems in scope and identifying FCA, ICO, and EU AI Act obligations as relevant external requirements.

Clause 6 (Planning) requires organisations to identify AI-specific risks and opportunities and plan actions to address them. This maps directly to the fundamental rights impact assessments and risk classifications required under the EU AI Act, and to the model risk management documentation expected by the FCA.

Clause 8 (Operation) covers AI system impact assessments and the operational controls needed to manage AI risks throughout the system lifecycle. This includes the bias testing, explainability requirements, and human oversight protocols that satisfy both EU AI Act deployer obligations and ICO expectations for automated decision-making.

Clause 9 (Performance evaluation) requires organisations to monitor and measure AI system performance, conduct internal audits, and undertake management review. Clause 10 (Improvement) requires organisations to address nonconformities and continually improve the system. Together, these clauses create the ongoing monitoring and audit trail that regulators expect to see.

ISO 42001:2023 and Regulatory Compliance

ISO 42001:2023 certification evidences a structured AI management system covering governance processes, risk assessment, and audit documentation. The EU AI Act's conformity assessment for high-risk AI, and the FCA's model risk management expectations, are distinct requirements addressed separately. What certification provides is a structured framework that maps to all of these regulatory requirements and makes compliance demonstration more straightforward. SureCloud's ISO 42001:2023 framework resource provides a detailed implementation guide for organisations building towards certification.

Quick-Reference Regulatory Table

The table below maps the four frameworks by scope, obligation, and enforcer.

| Framework | Who it applies to | Key obligation | Key deadline | Enforcer |
|---|---|---|---|---|
| EU AI Act (Reg. (EU) 2024/1689) | Providers/deployers of AI in EU market; UK providers selling or deploying in EU | Risk classification; conformity assessment for high-risk AI; GPAI transparency | Art. 5: Feb 2025; GPAI: Aug 2025; High-risk: Aug 2026 | European AI Office; national market surveillance authorities |
| FCA guidance | UK-regulated financial services firms | SM&CR personal accountability for AI outcomes; model risk management; Consumer Duty | Ongoing (Consumer Duty: Jul 2023) | FCA |
| UK GDPR (ICO) | Any organisation processing personal data of UK residents using AI | DPIA for high-risk processing; Article 22 safeguards for automated decisions | Ongoing | ICO |
| ISO 42001:2023 | Any organisation implementing an AI management system (voluntary) | AI risk identification; operational controls; internal audit; management review | Voluntary standard; certification available | Third-party certification bodies |

How These Frameworks Stack and Interact

For a UK-headquartered financial services firm operating in the EU, all four frameworks apply simultaneously. The EU AI Act applies where the firm places AI systems on the EU market or within EU operations (including SaaS delivered to EU customers); FCA guidance applies to all AI in regulated UK activities; and UK GDPR applies wherever personal data of UK residents is processed. ISO 42001:2023 provides a single governance framework that maps to all three, though each regulation's compliance requirements remain separately applicable.

The practical implication is that compliance planning should start with the most demanding applicable framework (the EU AI Act for organisations in scope) and map those controls outward. An organisation that builds its AI governance programme to EU AI Act standards will find that most FCA model risk management and ICO DPIA requirements are already addressed within that framework, with targeted additions needed for UK-specific obligations.

Managing four overlapping regulatory frameworks manually creates the workstream duplication problem the Expert View identifies: separate teams, separate evidence, separate audit trails for obligations that share the same underlying control requirements. Gracie AI Agents with Personas and Skills addresses this directly. On SureCloud's compliance management platform, a single AI risk register maps control requirements across EU AI Act obligations, FCA expectations, and ICO requirements simultaneously. Evidence collected once maps to multiple frameworks, and continuous monitoring means control gaps surface before they become regulatory findings.

Areas of Ongoing Regulatory Uncertainty

Several areas remain uncertain and require active monitoring as the regulatory position develops.

The EU AI Office is developing technical specifications, codes of practice, and classification guidance for high-risk AI systems and GPAI models. The status of these implementing acts at time of publication should be confirmed, as the guidance was in active development as at early 2025.

The UK government's long-term legislative intentions remain uncertain. The current sector-led approach may evolve if specific AI-related harms materialise in ways that existing regulatory frameworks cannot address adequately. Organisations should monitor parliamentary activity and regulator consultations for signals of legislative intent.

The interaction between the EU AI Act and sector-specific EU financial services regulation is an area of active clarification. DORA (the EU Digital Operational Resilience Act) applies to ICT third-party risk and operational resilience, and its requirements for ICT risk management interact with EU AI Act obligations for AI systems used in financial services. Organisations subject to both should map the overlap to avoid duplicating compliance work. See SureCloud's DORA guidance for a detailed breakdown of those obligations.

Enforcement by national supervisory authorities under the EU AI Act remains nascent. Member states are required to designate national competent authorities and market surveillance authorities. The consistency of enforcement across member states, and the interaction between national authorities and the European AI Office, will shape how the Act operates in practice.

Manage multi-framework AI compliance in a single platform

SureCloud's compliance management platform, with Gracie AI Agents with Personas and Skills running continuous monitoring across your AI risk register, maps control requirements across EU AI Act obligations, FCA expectations, and ICO requirements simultaneously, reducing audit preparation time by 75% compared with managing each framework separately.

For a step-by-step guide to building an auditable AI governance programme that satisfies multiple regulatory frameworks, read: AI Governance Isn't Optional: How to Build an Auditable, Defensible Framework.

Request a demo to see how multi-framework AI governance is managed in practice.

FAQs

Does the EU AI Act apply to UK organisations?

Yes, in many cases. The EU AI Act applies to providers who place AI systems on the EU market (including providers based outside the EU) and to deployers using AI systems within the EU. A UK-based firm that sells AI products into the EU, or uses AI within its EU operations, falls within scope. The geographic reach follows the AI system's deployment context, not the provider's headquarters.
UK firms providing AI only within the UK, with no EU market exposure, are outside the EU AI Act's scope. But they're still subject to FCA guidance, ICO requirements, and sectoral obligations depending on the regulated activities involved.

What are the penalties for non-compliance with the EU AI Act?

Penalties depend on the type of infringement. Violations of prohibited AI provisions carry fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher. Failures relating to high-risk AI system obligations carry fines of up to EUR 15 million or 3% of global annual turnover. Providing incorrect information to national authorities carries fines of up to EUR 7.5 million or 1% of global annual turnover.
For SMEs and start-ups, lower caps apply in certain circumstances. National market surveillance authorities have discretion in enforcement and the European AI Office has oversight of GPAI model enforcement. The penalty structure is designed to ensure proportionality for smaller providers while maintaining meaningful deterrence for large organisations.

How does ISO 42001:2023 relate to EU AI Act compliance?

ISO 42001:2023 covers AI management system governance: risk assessment processes, operational controls, and audit documentation. The EU AI Act's conformity assessment for high-risk systems is a distinct regulatory obligation with specific technical requirements. An organisation certified to ISO 42001:2023 will have a structured AI governance framework, risk assessment processes, and documented controls in place. This makes satisfying the EU AI Act's governance obligations (quality management systems under Article 17, risk management under Article 9, and monitoring under Article 26) substantially more straightforward, but a conformity assessment for high-risk AI remains a separate requirement.

What does the FCA actually expect firms to do about AI governance?

The FCA's stated expectations cover four areas: full accountability for AI-assisted outcomes under SM&CR (naming a Senior Manager responsible for each significant AI use); Consumer Duty compliance for AI in retail financial services (demonstrating good outcomes regardless of whether a human or AI generated them); model risk management documentation equivalent to that expected for statistical models; and explainability sufficient to support regulatory reporting and customer communication requirements.
The FCA has also indicated expectations around testing AI models for bias before deployment, monitoring performance post-deployment, and maintaining records of AI governance decisions that can be produced if the FCA requests them. Firms should treat their AI governance documentation as if it may be requested in a regulatory review.

Is a Data Protection Impact Assessment required for all AI systems?

A DPIA is required where processing is likely to result in high risk to individuals. The ICO has confirmed that automated processing, large-scale processing of special category data, and systematic monitoring all trigger the DPIA requirement under UK GDPR Article 35. Most AI systems processing personal data at any significant scale will require a DPIA.
A useful rule of thumb: if the AI system influences decisions about individuals (credit, employment, insurance, benefits, healthcare), processes sensitive or biometric data, or uses personal data to train or validate a model, a DPIA is almost certainly required. The ICO expects the DPIA to be completed before deployment, not retrospectively.

When do high-risk AI system obligations under the EU AI Act apply?

The main requirements for providers and deployers of high-risk AI systems apply from 2 August 2026. Organisations in scope should be building their compliance programmes now: the obligations include quality management systems, technical documentation, logging, and conformity assessment, none of which can be completed quickly for complex AI systems.
AI systems already in use before 2 August 2026 that fall into Annex III high-risk categories may benefit from transitional provisions, but organisations should check the specific conditions carefully and seek legal advice on whether existing deployments qualify. Assuming existing systems are automatically grandfathered is a position that needs to be evidenced, and it's one regulators will test.