ISO/IEC 42001 by region

ISO/IEC 42001 in the United Kingdom

The UK chose a sector-led, principles-based path — no single AI Act — so AI compliance is spread across the ICO, FCA, MHRA, Ofcom and other regulators, on top of EU AI Act exposure for firms selling into Europe. ISO/IEC 42001 gives UK organisations one coherent, certifiable AI management system that answers them together.

The regulatory landscape

UK — sector-led, principles-based

No single AI Act — oversight by existing regulators

As of 2026 the UK has deliberately avoided one comprehensive AI statute; the government's position is that AI is best regulated "at the point of use" by the expert regulators already overseeing each sector. Cross-cutting expectations come from the Data (Use and Access) Act 2025 — which sets safeguards for automated decisions about individuals from February 2026 — and a forthcoming ICO code of practice on AI. Sector regulators add their own rules on top, and UK firms with EU market impact also fall under the EU AI Act.

What's driving it

The rules and pressures that matter

Data (Use and Access) Act 2025

Automated decisions about individuals need documented safeguards — meaningful human review and transparency — from February 2026.

The ICO AI code of practice

A statutory duty (in force May 2026) for the ICO to produce AI guidance, with updated automated-decision guidance following.

Sector regulators

The FCA (Consumer Duty), MHRA (medical devices), Ofcom (Online Safety Act), Ofgem, SRA and CMA each set AI expectations for their industries.

EU AI Act reach

UK firms affecting the EU market must also meet EU high-risk obligations, now applying from December 2027.

Procurement & trust

Enterprise buyers and public bodies increasingly ask suppliers for demonstrable AI governance.

How ISO/IEC 42001 fits

One system, every UK regulator

One framework, many regulators

A single management system whose evidence satisfies the ICO's safeguards and multiple sector regulators at once — instead of a separate response to each.

Oversight & transparency built in

The human-oversight, transparency and impact-assessment controls are exactly what the DUAA and the ICO expect.

EU-ready by default

The same AIMS covers your EU AI Act exposure — no parallel system to run.

Certifiable proof

An accredited certificate is credible evidence for customers, auditors and regulators alike.

Questions

UK — quick answers

Is there a UK AI Act I need to comply with?

Not a single one. As of 2026 the UK regulates AI through existing regulators plus the Data (Use and Access) Act 2025 and a coming ICO code of practice. ISO/IEC 42001 gives you one management system that answers them collectively.

We sell into the EU from the UK — does the EU AI Act apply?

Yes, extraterritorially where you affect the EU market; high-risk obligations apply from December 2027. A single ISO/IEC 42001 AIMS covers both your UK and EU exposure.

Does ISO/IEC 42001 satisfy the ICO?

No certificate makes you automatically compliant, but the standard's oversight, transparency and impact-assessment controls map directly onto the ICO's automated-decision expectations and give you the documented safeguards it looks for.

Related

Keep reading

One AI management system for the UK — and the EU

The toolkit delivers the oversight, transparency, impact and audit controls that satisfy UK regulators and your EU AI Act exposure in one go.