Artificial intelligence | UK Regulatory Outlook May 2026

UK updates 

King's Speech 2026: AI aspects 

King Charles III opened Parliament on 13 May 2026 with the announcement of 37 bills his ministers would like to pass in this parliamentary session.  

While there is no mention of any plans for further regulation of AI (including in respect of the continuing debate around AI and copyright), the new Regulating for Growth Bill will put regulatory "sandboxes" onto a statutory footing to allow businesses across the economy, through the temporary relaxation of existing rules, to test innovative AI products and other emerging technologies safely, in a real-world setting.  

The Police Reform Bill will deliver reforms to policing by, among other things, "equipping the police with the technology and skills [they need]". This includes the introduction of a new legal framework governing the use of facial recognition and similar technologies. The framework will set out the situations in which the use of these technologies is justified and create a single, expert independent regulatory body to provide independent oversight and advice. 

See this Insight for more on these and other announcements in the King's Speech.  

Crime and Policing Act 2026: AI-related provisions  

The Crime and Policing Bill received Royal Assent on 29 April, becoming the Crime and Policing Act 2026 (CPA). It contains several provisions in relation to AI and online safety:  

• Power to amend the Online Safety Act 2023 (OSA) in relation to AI. The CPA amends the OSA to give the secretary of state powers to make regulations to minimise or mitigate the risks of harm presented by "illegal AI-generated content" and the use of "AI services" (an internet service capable of producing AI-generated content, which would encompass AI chatbots) for the commission or facilitation of "priority offences" under the OSA. The secretary of state is required to present a report by 31 December 2026 on the progress made towards making such regulations, unless draft regulations have already been laid before Parliament by then. 
• Priority offences under the OSA. The existing offences of creating purported intimate images of an adult and requesting the creation of such images (including AI-generated deepfakes) are made priority offences under the OSA. Regulated online platforms will be required not only to remove such content from their services when they become aware of it, but also to take steps to prevent such content from appearing in the first place. 
• Child sexual abuse (CSA) image-generator offence. The CPA creates a new criminal offence of making, adapting, possessing, supplying or offering to supply "CSA image-generators". A CSA image-generator is a tool which is "made or adapted for use for creating, or facilitating the creation of, CSA images", including AI models that have been optimised to create CSA material (CSAM) While AI-generated CSAM is already illegal to make, possess and distribute in the UK, these fine-tuned models are not currently illegal. This offence applies to corporate bodies as well as individuals. 
• Purported intimate image generator. The CPA creates a new offence of making adapting, supplying or offering to supply a "thing" (including a program, information in electronic form and a service) for use as a "generator of purported intimate images", which is defined as a "thing for creating, or facilitating the creation of, purported intimate images of a person". This covers AI deepfakes. Again, this offence applies to corporate bodies. 
• "Paedophile manuals" offence. The CPA amends the existing "paedophile manuals" offence, which prohibits the possession of any item that contains advice or guidance about the sexual abuse of children, to include pseudo-photographs and prohibited images. This aims to ensure consistency between the approach taken for "real" CSAM and AI-generated abuse imagery, which can also feature real children. 

ICO sets out five steps to combat AI-powered cyber threats 

In a blog post, the Information Commissioner's Office (ICO) has set out five steps for organisations to strengthen their resilience to AI-powered cyber threats. 

• Horizon scanning. Key AI-powered risks include: AI-enhanced phishing, deepfake social engineering, automated vulnerability scanning and exploitation, AI-powered malware, credential stuffing, data poisoning and indirect prompt injection attacks. 
• Cyber basics. Layered defences are essential for AI powered threats, and robust patching processes should be maintained given the speed at which AI exploits known vulnerabilities. 
• Access control and supply chain. Where AI is integrated into access control, the privacy and security implications of behavioural and identity data must be understood. Organisations should map what third-party suppliers can access and hold them to appropriate security standards, including through contractual requirements and proportionate due diligence. 
• Security monitoring and incident response. AI can be a powerful defensive tool by flagging and containing threats at speed but should operate within a framework of human oversight and accountability. 
• Protecting personal data. AI-powered attacks increasingly target personal data and the UK GDPR requires appropriate technical and organisational measures to protect it. Measures could include: data minimisation, data audits, staff training on AI-powered threats, data protection impact assessments for high-risk AI processing and adherence to the AI Cyber Security Code of Practice. 

Government publishes response to AI and copyright report 

The House of Lords Communications and Digital Committee published its report on "AI, copyright and the creative industries" just before the government provided its update on AI and copyright in March 2026 (see this Regulatory Outlook). The government has now published its response to the Lords' committee report. 

The response does not significantly advance the position set out in the March update (and the creative industries sector plan), but it identifies the following focus areas for the coming months: 

• Consultation on digital replicas this summer. 
• Establishment of a taskforce on AI labelling, which will put forward proposals to the government on best practice for labelling AI-generated content, with an interim report expected to be published in the autumn. 
• Publication of a review of the mechanisms available for creators to control their works online, including standards, technical solutions and best practice on input transparency for AI model training. 
• Launching a working group on independent and smaller creative organisations, which will explore whether there is a role for government to support their ability to license their content. 
• Establishing the Creative Content Exchange intended to be a trusted online marketplace for licensing and facilitating permitted access to digitised cultural and creative assets. 

The government gives no indication of what action it will take on the copyright issue itself, stating that it "no longer has a preferred option." It understands "the strength of feeling on this issue and will not introduce reforms to copyright law unless or until it is confident that they will meet our objectives for the economy and for UK citizens." 

EU updates 

EU legislators reach provisional agreement on Digital Omnibus on AI 

On 7 May 2026, the European Parliament and the Council of the EU reached a provisional agreement on the Digital Omnibus on AI, proposal for a regulation seeking to simplify the implementation of certain harmonised rules under the EU AI Act. The key amendments to the European Commission's proposal include: 

• A fixed timeline for the delayed application of high-risk rules. 
• A new prohibition covering AI systems that generate non-consensual sexual or intimate content or child sexual abuse material. 
• Reinstatement of the obligation for providers to register AI systems in the EU database for high-risk systems where they consider their systems not to be classified as high-risk. 
• Reduction of the grace period to implement labelling requirements for AI-generated content from six months to three months, with the new deadline set for 2 December 2026.  

One of the central disputes in the negotiations concerned AI systems integrated into products already subject to sectoral EU product law, such as machinery, elevators and toys. The co-legislators agreed on a mechanism to limit the AI Act's application where sectoral law contains similar AI-specific requirements, through implementing acts. A specific exemption from direct applicability of the AI Act was agreed for the Machinery Regulation, with the Commission empowered to adopt delegated acts under the regulation adding health and safety requirements in respect of AI systems that are classified as high-risk under the AI Act.  

See more information in this Insight.  

The agreement remains provisional. The Parliament and the Council must now formally adopt it. Upon adoption, the amendments will be published in the Official Journal of the EU and enter into force three days later. The co-legislators intend to complete adoption before 2 August 2026, the date on which the EU AI Act's high-risk AI rules are currently due to come into effect.  

Commission consults on draft guidelines for the classification of high-risk AI systems under the EU AI Act  

The European Commission's draft guidelines are intended to assist providers and deployers of AI systems, as well as competent market surveillance authorities, in determining whether an AI system falls within the high-risk category and, if so, under which classification of high risk it falls. The guidelines contain practical examples of AI systems that should or should not be classified as high risk. They strive to cover all areas and use cases but are not intended to be exhaustive and may be updated over time. 

The consultation closes on 23 June 2026. 

Commission opens consultation on draft guidelines on AI transparency obligations under the EU AI Act 

The European Commission has opened a consultation on the draft guidelines on transparency obligations to help providers and deployers meet the transparency requirements for AI systems under Article 50 of the EU AI Act. The obligations are officially set to take effect on 2 August 2026, but this date is likely to change subject to the agreement on the Digital Omnibus on AI (see above). 

The Commission prepared these guidelines in parallel with the Code of Practice on marking and labelling of AI-generated content (final code expected in June 2026). According to the Commission, the guidelines will clarify the scope of the legal obligations and address aspects not covered by the code. 

The consultation closes on 3 June 2026.