theLLMs

Last checked: 2026-05-25

Scope: Global. Sources checked as of 2026-05-24.

AI draft model: llm-author

AI review model: llm-editor (deepseek-v4-pro)

UK AI governance sources: ICO, NCSC, CMA and DSIT in one map

Short answer: The UK does not have a single AI law. Instead, a patchwork of existing regulators — ICO (privacy), NCSC (cybersecurity), CMA (competition/consumer), and DSIT (innovation policy) — each publish AI guidance relevant to their remit. If you deploy LLMs in the UK, you need to track at least four regulatory sources. Here is what each covers and how to watch them without a compliance team.

What it means

The UK government’s stated approach is “pro-innovation, pro-safety” — no single AI Act like the EU, but guidance from existing regulators tailored to their domains. The AI Opportunities Action Plan (published 2025) and the government’s response to the 2023 AI regulation white paper set the policy direction, but the actual regulatory guidance comes from individual bodies.

For teams deploying LLMs in the UK, the four most relevant sources are:

Regulator | Remit | What they publish about AI
ICO (Information Commissioner’s Office) | Data protection, privacy | AI and data protection guidance, AI fairness framework, generative AI data protection expectations, transparency guidance
NCSC (National Cyber Security Centre) | Cybersecurity | AI security guidance, LLM security principles, prompt injection warnings, secure AI system design
CMA (Competition and Markets Authority) | Consumer protection, competition | AI foundation models review, consumer protection in AI products, competition in AI markets
DSIT (Department for Science, Innovation and Technology) | AI policy, innovation | AI regulation white paper, AI Opportunities Action Plan, government AI use guidance, AI Safety Institute reports

Where teams misuse it

“There is no UK AI law, so we do not need to worry about compliance.” The absence of a single AI Act does not mean the absence of regulation. GDPR (via the ICO) applies to every LLM system processing personal data. Consumer protection law (via the CMA) applies to AI products sold to consumers. The UK’s approach is existing law, enforced — not a regulatory gap.

“We only need to track the ICO for AI guidance.” The ICO covers data protection, but AI systems touch many regulatory domains. Cybersecurity guidance from NCSC is directly relevant to LLM deployment (prompt injection, data leakage). Consumer protection from the CMA matters if your AI feature makes claims or recommendations to users. DSIT sets the overarching policy direction.

“UK AI regulation is the same as EU regulation post-Brexit.” The UK is not following the EU AI Act. The UK approach is regulator-led and principles-based rather than a single comprehensive law. This means different obligations, different timelines, and different enforcement mechanisms. UK teams serving EU users need to track both frameworks.

“The AI Safety Institute’s reports are just academic.” The UK AI Safety Institute (AISI), part of DSIT, publishes safety evaluations of major models. These reports are not regulation, but they inform government policy and set expectations for responsible deployment. Ignoring them means missing the direction of travel.

Practical decision check

For each LLM feature deployed in or to the UK:

  • Does it process personal data? → ICO guidance applies. Check the ICO’s AI and data protection toolkit and generative AI expectations.
  • Does it handle sensitive information or make automated decisions? → ICO guidance on automated decision-making and AI fairness may apply. Transparency requirements always apply.
  • Could a security vulnerability affect users or systems? → NCSC guidance on LLM security, prompt injection, and secure AI deployment is relevant.
  • Does the feature make claims about products, prices, or services? → CMA consumer protection law applies. The CMA has issued specific warnings about AI-generated claims and AI-driven pricing.
  • Does it involve a foundation model from a major provider? → DSIT/AISI model evaluations may be relevant for understanding capability and safety assessments.

How to track UK AI governance (without a full-time compliance role)

  1. Subscribe to regulator newsletters — ICO AI mailing list, NCSC threat reports, CMA digital markets updates, DSIT AI policy announcements. A 10-minute scan per month covers the main movements.
  2. Bookmark the guidance pages — each regulator publishes a dedicated AI guidance page. Check every quarter for updates.
  3. Use the AISI model evaluations — check whether the AI Safety Institute has published an evaluation for models you use. Their findings on safety-relevant capabilities, vulnerabilities, and refusal behaviour are directly useful for your own risk assessment.
  4. Keep a simple regulatory register — one row per AI feature, listing which regulators’ guidance applies and the date you last checked for updates.
  5. Separate UK and EU obligations — if you serve users in both markets, maintain separate compliance checklists. The requirements are converging in some areas (transparency, risk assessment) but diverging in others (conformity assessment, enforcement).

Evidence and caveats

Change log

  • 2026-05-25 — Initial audit revision. Added direct source URLs to evidence section; changed source listing from named-only references to linked citations. No material changes to claims or guidance.