When the EU published Regulation 2024/1689 in July 2024, the UK had already made a deliberate political choice not to follow. While the EU built a comprehensive, horizontally-applicable AI law with hard prohibitions, risk tiers, mandatory conformity assessments, and a new regulatory body, the UK chose a different path: no single binding AI law, existing sectoral regulators applying existing rules to AI, and a pro-innovation posture designed to attract AI investment post-Brexit.

For product teams building AI systems that serve both UK and EU users—or that are operated by companies with a presence in both markets—this creates a genuinely asymmetric compliance situation. You must comply with EU law for EU market access. You currently face no equivalent mandatory AI-specific obligations in the UK. But "currently" is doing a lot of work in that sentence, and treating UK compliance as optional forever would be a strategic mistake.

The Fundamental Regulatory Divergence

The philosophical difference between the two approaches is significant and shapes everything else:

| Dimension | EU AI Act | UK Framework |
| --- | --- | --- |
| Legal instrument | EU Regulation (directly binding law) | Principles-based guidance; existing sectoral law |
| Approach | Horizontal, risk-tiered, prescriptive | Sector-led, principle-based, adaptive |
| Prohibitions | Yes — Article 5 absolute bans | No AI-specific prohibitions as of 2026 |
| Risk classification | Mandatory (Annex III + Article 6) | No mandatory classification framework |
| Conformity assessment | Required for high-risk systems | Not required by AI-specific law |
| Enforcement body | EU AI Office + national market surveillance authorities | Sector regulators (FCA, ICO, CMA, Ofcom, MHRA) |
| Foundation model regulation | Yes — Chapter V GPAI obligations | AISI voluntary commitments; no binding obligations as of 2026 |
| Fines | Up to €35M or 7% global turnover | Existing sector-specific powers (ICO: up to £17.5M or 4% turnover under UK GDPR) |

EU AI Office vs UK AI Safety Institute: Different Mandates

The EU AI Office, established within the European Commission, is a supervisory body with direct enforcement powers over GPAI model providers, and coordination powers over national market surveillance authorities. It can investigate, issue binding decisions, impose fines, and withdraw AI systems from the market. It maintains the EU AI Act database of high-risk systems and publishes technical guidance on implementation. Its mandate is explicitly regulatory.

The UK AI Safety Institute (AISI)—renamed the AI Security Institute in 2024—has a fundamentally different mandate. It is primarily a research and evaluation body focused on understanding and mitigating risks from advanced AI models, particularly frontier models. It conducts safety evaluations of AI models (with voluntary cooperation from major AI labs), publishes research, and advises government on AI safety policy. It does not have regulatory enforcement powers over AI products in the market. Its closest analogue in the EU system is not the AI Office but rather the scientific panel for GPAI models.

This difference matters enormously for product teams. If the EU AI Office investigates your GPAI model, you face potential fines and mandatory corrective measures. If the UK AISI evaluates your model, you face reputational risk and potential policy influence, but not direct legal sanction (as of 2026).

What the EU AI Act Requires for Cross-Market Products

The EU AI Act applies on a territorial basis: if your AI system is placed on the EU market, or its output is used in the EU, the Act applies—regardless of where you are incorporated. This extraterritorial reach mirrors GDPR's approach and is the most important jurisdictional fact for non-EU companies to understand.

For cross-market products targeting both EU and UK users, you must comply with all EU AI Act obligations applicable to your system's risk classification. There is no exemption or reduced obligation for systems also serving the UK market. The EU AI Act applies to the EU-facing aspects of your product; UK law (or the absence of binding AI-specific law) applies to the UK-facing aspects.

UK Requirements as of 2026

As of April 2026, there are no AI-specific mandatory requirements in UK law equivalent to the EU AI Act's high-risk system obligations. However, existing law applies to AI systems in the same way it applies to other products and services:

  • UK GDPR and Data Protection Act 2018: AI systems that process personal data are subject to UK GDPR, including Article 22 restrictions on solely automated decision-making with significant effects on individuals, and DPIA requirements.
  • Equality Act 2010: AI systems used in employment or service provision that produce discriminatory outcomes based on protected characteristics may breach the Equality Act.
  • Consumer Protection from Unfair Trading Regulations: Misleading AI-generated content or deceptive AI-enabled practices may fall under existing consumer protection law.
  • Sector-specific regulation: FCA-regulated firms using AI in financial services must comply with FCA principles and the Consumer Duty. MHRA-regulated medical devices incorporating AI must comply with UK MDR. Ofcom-regulated services must comply with Online Safety Act requirements.
  • Product liability: AI systems embedded in products remain subject to UK product safety and liability law.

The UK government has indicated it intends to introduce binding AI obligations through primary legislation, but no bill had been introduced as of the time of writing. The AI Safety Institute's voluntary commitments framework (the Frontier Safety Policy) applies only to the largest frontier model providers and is not a substitute for mandatory compliance requirements.

What to Build Once for Both Markets

The good news for cross-market product teams is that the EU AI Act's documentation and governance requirements represent good practice that UK regulators and the AI Safety Institute would recognise and endorse—even if not mandating them. Building to EU AI Act standards effectively future-proofs your UK compliance position.

The following EU AI Act artefacts are directly transferable to UK good-practice expectations:

  • Risk classification documentation: A documented risk assessment of your AI system maps naturally to the ICO's AI guidance on DPIA requirements and sector regulator expectations.
  • Technical file and model card: The Annex IV technical documentation serves as a comprehensive model card that UK regulators, audit partners, and enterprise customers will expect for B2B AI products.
  • Instructions for use (Article 13): Clear documentation of intended purpose, performance limits, and human oversight measures satisfies both EU transparency requirements and emerging UK sector guidance from the FCA, ICO, and CMA.
  • Human oversight measures (Article 14): Documented human-in-the-loop design decisions align with UK regulator expectations on automated decision-making and are required for UK GDPR Article 22 compliance anyway.
  • Bias and fairness testing: Required under EU AI Act data governance provisions (Article 10) and equally expected by UK equality law, sector regulators, and enterprise procurement due diligence.
  • Incident reporting and post-market monitoring: EU AI Act post-market monitoring requirements align with financial services operational resilience requirements, MHRA vigilance requirements, and general due diligence expectations.

Where the Requirements Genuinely Differ

There are areas where EU and UK requirements are substantively different as of 2026, and where you cannot simply apply one framework to satisfy the other:

  • Conformity assessment and CE marking: The EU AI Act requires a formal conformity assessment procedure and an EU declaration of conformity for high-risk systems. The UK has no equivalent mandatory conformity procedure for AI systems (though UKCA marking remains relevant for physical products).
  • EU database registration: High-risk AI systems must be registered in the EU AI Act database before deployment. There is no UK equivalent.
  • Real-time biometric identification: The EU AI Act imposes a near-total prohibition on real-time remote biometric identification in public spaces by law enforcement (Article 5). UK law has no equivalent AI-specific prohibition, though surveillance uses are subject to the Surveillance Camera Code of Practice and the Human Rights Act.
  • GPAI model obligations: Chapter V obligations (transparency documentation, copyright policy, systemic risk evaluation) apply to GPAI providers in the EU. No equivalent UK requirement exists.
  • Notified body assessment: Some EU high-risk systems require third-party notified body assessment. The UK has no equivalent mandatory third-party AI conformity assessment.

Practical Compliance Strategy for Cross-Market Products

The most efficient approach for teams serving both markets is to use EU AI Act compliance as the baseline and add UK-specific considerations on top. In practice this means:

  1. Complete EU AI Act classification and comply with all applicable EU obligations by the relevant deadlines.
  2. Use the EU technical file and instructions for use as your canonical technical documentation. Share with UK enterprise customers, regulators, and procurement teams as evidence of governance maturity.
  3. Layer UK-specific obligations: ensure UK GDPR DPIA is completed for any AI processing personal data; check sector-specific FCA, ICO, MHRA, or Ofcom requirements that apply to your product category.
  4. Monitor UK AI legislation progress. The gap between UK and EU requirements is politically intended to remain for now, but the UK government has signalled that binding obligations for high-impact AI systems will follow. When legislation is introduced, the delta from EU AI Act compliance is likely to be small if you have built to EU standards.
  5. For enterprise sales in the UK: EU AI Act compliance documentation is an asset, not just a regulatory burden. UK enterprise procurement teams are increasingly demanding AI governance documentation aligned with EU or NIST frameworks, even though there is no legal requirement to provide it.