theLLMs

Last checked: 2026-05-28

Scope: UK. Sources checked as of 2026-05-28. EU and US regulatory references included only for comparison.

AI draft model: gemma4:26b

AI review model: deepseek-r1:32b

Hero image for UK AI governance sources: ICO, NCSC, CMA and DSIT in one map

UK AI governance sources: ICO, NCSC, CMA and DSIT in one map

Short answer: The UK does not have a single AI law. Instead, a patchwork of existing regulators — ICO (privacy), NCSC (cybersecurity), CMA (competition/consumer), and DSIT (innovation policy) — each publish AI guidance relevant to their remit. If you deploy LLMs in the UK, you need to track at least four regulatory sources. Here is what each covers and how to watch them without a compliance team.

TL;DR

The UK does not have a single AI law. Instead, existing regulators — ICO (privacy), NCSC (cybersecurity), CMA (competition/consumer), and DSIT (innovation policy) — each publish AI guidance within their remit. Teams deploying LLMs in the UK need to track at least these four sources. The approach is principles-based and regulator-led, unlike the EU’s single AI Act, and the absence of a unified statute does not mean an absence of enforceable obligations under existing data protection, consumer, and cybersecurity law.

What it means

The UK government’s stated approach is “pro-innovation, pro-safety” — no single AI Act like the EU, but guidance from existing regulators tailored to their domains. The AI Opportunities Action Plan (published 2025) and the government’s response to the 2023 AI regulation white paper set the policy direction, but the actual regulatory guidance comes from individual bodies.

For teams deploying LLMs in the UK, the four most relevant sources are:

RegulatorRemitWhat they publish about AI
ICO (Information Commissioner’s Office)Data protection, privacyAI and data protection guidance, AI fairness framework, generative AI data protection expectations, transparency guidance
NCSC (National Cyber Security Centre)CybersecurityAI security guidance, LLM security principles, prompt injection warnings, secure AI system design
CMA (Competition and Markets Authority)Consumer protection, competitionAI foundation models review, consumer protection in AI products, competition in AI markets
DSIT (Department for Science, Innovation and Technology)AI policy, innovationAI regulation white paper, AI Opportunities Action Plan, government AI use guidance, AI Safety Institute reports

Where teams misuse it

“There is no UK AI law, so we do not need to worry about compliance.” The absence of a single AI Act does not mean the absence of regulation. GDPR (via the ICO) applies to every LLM system processing personal data. Consumer protection law (via the CMA) applies to AI products sold to consumers. The UK’s approach is existing law, enforced — not a regulatory gap.

“We only need to track the ICO for AI guidance.” The ICO covers data protection, but AI systems touch many regulatory domains. Cybersecurity guidance from NCSC is directly relevant to LLM deployment (prompt injection, data leakage). Consumer protection from the CMA matters if your AI feature makes claims or recommendations to users. DSIT sets the overarching policy direction.

“UK AI regulation is the same as EU regulation post-Brexit.” The UK is not following the EU AI Act. The UK approach is regulator-led and principles-based rather than a single comprehensive law. This means different obligations, different timelines, and different enforcement mechanisms. UK teams serving EU users need to track both frameworks.

“The AI Safety Institute’s reports are just academic.” The UK AI Safety Institute (AISI), part of DSIT, publishes safety evaluations of major models. These reports are not regulation, but they inform government policy and set expectations for responsible deployment. Ignoring them means missing the direction of travel.

Practical decision check

For each LLM feature deployed in or to the UK:

  • Does it process personal data? → ICO guidance applies. Check the ICO’s AI and data protection toolkit and generative AI expectations.
  • Does it handle sensitive information or make automated decisions? → ICO guidance on automated decision-making and AI fairness may apply. Transparency requirements always apply.
  • Could a security vulnerability affect users or systems? → NCSC guidance on LLM security, prompt injection, and secure AI deployment is relevant.
  • Does the feature make claims about products, prices, or services? → CMA consumer protection law applies. CMA has issued specific warnings about AI-generated claims and AI-driven pricing.
  • Does it involve a foundation model from a major provider? → DSIT/AISI model evaluations may be relevant for understanding capability and safety assessments.

How to track UK AI governance without a full-time compliance role

  1. Subscribe to regulator newsletters — ICO AI mailing list, NCSC threat reports, CMA digital markets updates, DSIT AI policy announcements. A 10-minute scan per month covers the main movements.
  2. Bookmark the guidance pages — each regulator publishes a dedicated AI guidance page. Check every quarter for updates.
  3. Use the AISI model evaluations — check whether the AI Safety Institute has published an evaluation for models you use. Their findings on safety-relevant capabilities, vulnerabilities, and refusal behaviour are directly useful for your own risk assessment.
  4. Keep a simple regulatory register — one row per AI feature, listing which regulators’ guidance applies and the date you last checked for updates.
  5. Separate UK and EU obligations — if you serve users in both markets, maintain separate compliance checklists. The requirements are converging in some areas (transparency, risk assessment) but diverging in others (conformity assessment, enforcement).

Methodology

  • Data checked: 2026-05-28
  • Sources consulted: Official UK regulator websites (ICO, NCSC, CMA), UK government policy publications (DSIT, AI Opportunities Action Plan, AI regulation white paper response), and UK AI Safety Institute evaluation reports.
  • Assumptions: This guide assumes the UK’s current regulator-led approach remains in place. A formal UK AI Bill, if enacted, could change the regulatory structure. Specific guidance pages may be updated by regulators without notice.
  • Limitations: This is a regulatory map, not legal advice. It covers the four most relevant UK regulatory sources for LLM deployment but does not cover every sector-specific regulator (e.g. FCA for financial services, MHRA for medical devices). Guidance from UK regulators does not have the force of statute but carries significant weight in enforcement.
  • Jurisdiction: UK. EU and US regulatory references included only for comparison.

Source list

Trust Stack

  • Last checked: 2026-05-28
  • Corrections: Contact us to report errors

Change log

  • 2026-05-28: full editorial review — added Editor’s Notes, Trust Stack, slugified heading IDs, formal Methodology and Source list sections, fixed scope from “Global” to “UK”, renamed “Short answer” to “TL;DR” header (editor)
  • 2026-05-25: initial draft published