Data (Use and Access) Act 2025
Automated decisions about individuals need documented safeguards — meaningful human review and transparency — from February 2026.
ISO/IEC 42001 by region
The UK chose a sector-led, principles-based path — no single AI Act — so AI compliance is spread across the ICO, FCA, MHRA, Ofcom and other regulators, on top of EU AI Act exposure for firms selling into Europe. ISO/IEC 42001 gives UK organisations one coherent, certifiable AI management system that answers them together.
The regulatory landscape
As of 2026 the UK has deliberately avoided one comprehensive AI statute; the government's position is that AI is best regulated "at the point of use" by the expert regulators already overseeing each sector. Cross-cutting expectations come from the Data (Use and Access) Act 2025 — which sets safeguards for automated decisions about individuals from February 2026 — and a forthcoming ICO code of practice on AI. Sector regulators add their own rules on top, and UK firms with EU market impact also fall under the EU AI Act.
What's driving it
Automated decisions about individuals need documented safeguards — meaningful human review and transparency — from February 2026.
A statutory duty (in force May 2026) for the ICO to produce AI guidance, with updated automated-decision guidance following.
The FCA (Consumer Duty), MHRA (medical devices), Ofcom (Online Safety Act), Ofgem, SRA and CMA each set AI expectations for their industries.
UK firms affecting the EU market must also meet EU high-risk obligations, now applying from December 2027.
Enterprise buyers and public bodies increasingly ask suppliers for demonstrable AI governance.
How ISO/IEC 42001 fits
A single management system whose evidence satisfies the ICO's safeguards and multiple sector regulators at once — instead of a separate response to each.
The human-oversight, transparency and impact-assessment controls are exactly what the DUAA and the ICO expect.
The same AIMS covers your EU AI Act exposure — no parallel system to run.
An accredited certificate is credible evidence for customers, auditors and regulators alike.
Questions
Not a single one. As of 2026 the UK regulates AI through existing regulators plus the Data (Use and Access) Act 2025 and a coming ICO code of practice. ISO/IEC 42001 gives you one management system that answers them collectively.
Yes, extraterritorially where you affect the EU market; high-risk obligations apply from December 2027. A single ISO/IEC 42001 AIMS covers both your UK and EU exposure.
No certificate makes you automatically compliant, but the standard's oversight, transparency and impact-assessment controls map directly onto the ICO's automated-decision expectations and give you the documented safeguards it looks for.
Related
The toolkit delivers the oversight, transparency, impact and audit controls that satisfy UK regulators and your EU AI Act exposure in one go.