AIRiskAware


United Kingdom 10 min read 2026

AI Governance by Industry in the UK: FCA, ICO, CQC, and Sector-Specific Requirements

The UK's pro-innovation AI approach means sector regulators lead on AI governance. This industry-by-industry guide covers financial services (FCA), healthcare (CQC/MHRA), legal, education, and the cross-sector ICO framework.

Key Takeaways

  • The FCA's Consumer Duty (fully in force July 2023) is the primary AI governance framework for UK financial services — it requires AI to produce fair outcomes for consumers, not just technical compliance.

  • The MHRA regulates AI in medical devices under the UK Medical Devices Regulations — post-Brexit divergence from EU MDR means UK-specific regulatory pathways for clinical AI.

  • The ICO's AI and data protection guidance is the cross-sector baseline — all UK organisations using AI that processes personal data must comply, and the ICO's bias guidance creates obligations beyond discrimination law.

  • The CMA (Competition and Markets Authority) is increasingly active on AI in markets — algorithmic pricing, AI in platform competition, and AI in financial services are active CMA investigation areas.

  • The UK AI Safety Institute (AISI) focuses on frontier AI safety rather than everyday commercial AI governance — but its work informs the broader UK regulatory approach and is relevant for companies developing advanced AI systems.

"For information purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."

How UK AI governance actually works — there is no single AI law

The UK has chosen a deliberately different path from the EU. Unlike the EU AI Act, which is a single comprehensive regulation applying uniformly across all sectors, the UK applies AI governance through existing sector regulators using their existing statutory powers. The 2023 White Paper "A Pro-Innovation Approach to AI Regulation" set out five non-statutory principles — safety/security/robustness, appropriate transparency, fairness, accountability, and contestability — and asked existing regulators (ICO, FCA, Ofcom, CMA, MHRA, EHRC, and others) to apply them within their own statutory frameworks.

The practical consequence: the regulatory requirements that apply to your AI system depend on what the AI does, who it affects, and which sector it operates in. There is no single regulator you register with and no universal risk classification scheme. A comprehensive UK AI Bill is expected in the second half of 2026, but its scope and timing remain uncertain. Until then, sector-by-sector compliance is the operating reality.

The sector regulators and what they cover

ICO (Information Commissioner's Office) — the de facto lead regulator for AI. Where an AI system processes personal data — which covers most consumer-facing and HR AI applications — the ICO has jurisdiction. The Data (Use and Access) Act 2025 (Royal Assent 19 June 2025) replaced UK GDPR Article 22 with new Articles 22A-D, modifying the automated decision-making framework. Solely automated decisions are now permitted with safeguards (informing the individual, right to make representations, right to contest), with the strongest restrictions reserved for decisions based on special category data. The ICO leads the Digital Regulation Cooperation Forum (DRCF) coordination with FCA, Ofcom, and CMA. Maximum fines: £17.5 million or 4% of global turnover.

FCA (Financial Conduct Authority) — financial services AI. The FCA has been explicit: there will be no AI-specific rulebook. Instead, AI governance flows through the Consumer Duty (from July 2024), the Senior Managers and Certification Regime (SM&CR), and operational resilience requirements. The Mills Review (launched January 2026) categorises AI in retail financial services into assistive, advisory, and autonomous categories; recommendations due summer 2026. The FCA AI Lab provides testing environments (Supercharged Sandbox, AI Live Testing Cohort 2 commencing April 2026).

MHRA (Medicines and Healthcare products Regulatory Agency) — AI as medical devices. AI as a Medical Device (AIaMD) and Software as a Medical Device (SaMD) must comply with the Medical Devices Regulations 2002 (UKCA) and post-market surveillance requirements. On 18 December 2025, the MHRA launched a call for evidence informing the National Commission into the Regulation of AI in Healthcare; the call closed 2 February 2026 with recommendations due in 2026. Non-compliance is a criminal offence with unlimited fines.

Ofcom (Office of Communications) — online content and broadcasting AI. AI is governed under the Online Safety Act 2023 (OSA) where it interacts with online services. Ofcom has published an open letter to online service providers on how the OSA applies to generative AI and chatbots, plus specific guidance on AI chatbots under the OSA. Ofcom is also working with the CMA, ICO, and FCA through the DRCF on agentic AI. Sir Ian Cheshire was named as the government's preferred candidate for Ofcom Chair on 8 April 2026, succeeding Lord Grade from 1 May 2026.

CMA (Competition and Markets Authority) — AI competition and consumer protection. The CMA addresses AI through its competition and consumer law powers. CMA CEO Sarah Cardell is the current Chair of the DRCF. The DRCF's October 2025 call for views on agentic AI sought input on practical challenges and regulatory uncertainties businesses face when deploying autonomous AI systems.

EHRC (Equality and Human Rights Commission) — algorithmic discrimination. The EHRC applies the Equality Act 2010 to AI systems that produce discriminatory outcomes. Indirect discrimination from AI tools — particularly in employment, recruitment, and access to services — is within the EHRC's enforcement scope. The EHRC has issued AI and employment guidance and has formal investigation powers.

HSE (Health and Safety Executive) — workplace AI safety. AI systems used in workplace operations, including AI-enabled monitoring and AI-driven safety-critical decisions, fall within HSE's jurisdiction under the Health and Safety at Work Act 1974.

Ofgem (Office of Gas and Electricity Markets) — AI in energy. Ofgem issued additional AI guidance in May 2025 to complement the existing regulatory framework for the energy sector, building on its 2024 strategic approach to AI.

Ofqual — AI in qualifications. Ofqual regulates AI use in qualifications, assessment, and exams.

The Digital Regulation Cooperation Forum (DRCF) — coordination across regulators

The DRCF brings together the ICO, Ofcom, FCA, and CMA to coordinate on cross-cutting issues including AI. Under Sarah Cardell's chairship in 2025/26, the DRCF's work plan focuses on developing regulators' understanding of how their respective regulatory regimes apply to AI and resolving points of conflict. The October 2025 call for views on agentic AI signalled that coordinated guidance on autonomous AI systems is forthcoming. For multi-sector organisations, the DRCF is the primary indicator of where coordinated UK regulatory thinking is heading.

Cross-cutting obligations that apply regardless of sector

UK GDPR (administered by the ICO) applies to any AI system processing personal data, regardless of sector. Articles 22A-D govern solely automated decisions; Articles 13-15 require transparency about automated processing; Article 35 requires Data Protection Impact Assessments for high-risk AI processing. The Equality Act 2010 (administered by the EHRC) prohibits direct and indirect discrimination from AI systems. UK copyright law applies to AI training data: commercial training on UK-protected works without a licence is infringement, and no statutory exception is currently in force. The Consumer Rights Act 2015 applies to AI-powered consumer products and services.

What this means for compliance planning

Map every AI system in your organisation to the relevant sector regulator(s) and assign a named compliance owner for each regulatory relationship. Treat the five White Paper principles as the operative normative standard — each deployed AI system should have documented evidence of how each principle is addressed. Audit AI systems against UK GDPR Article 22A-D and the DUAA 2025 framework. Monitor sector-specific guidance: regulators are issuing increasingly prescriptive expectations rather than just principles to interpret. Multi-sector firms (financial services + healthcare, retail + technology, education + employment) face the most complex compliance burdens because multiple regulatory regimes apply simultaneously to the same AI systems.

Further reading: ICO AI guidance