AI regulation – a legal overview for businesses

It is no secret that Artificial Intelligence (AI) is reshaping the way organisations of all sizes and across all industrial sectors operate; however, what is less well known are the challenges it presents to existing legal and regulatory frameworks. From data protection to intellectual property, AI raises questions that governments across the world are now addressing. As the first in our series, this article outlines the key regulatory developments in the UK, the European Union (EU), and internationally, to demystify how businesses can prepare, implement and adapt to a rapidly evolving legal, regulatory and compliance environment.

The UK’s approach to AI regulation

Unlike the EU, the UK has so far resisted adopting a single, comprehensive piece of AI-specific legislation. Instead, the UK Government has taken a more flexible route, relying on existing legal frameworks such as data protection, tort, and contract law. There has been a decentralised existing regulator-led model implemented thus far: guidance has been issued by regulators including the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA), covering matters such as AI and data, foundation models, and ethical practices.

The UK Government has not been completely idle; it issued an AI White Paper (March 2023), laying out a non-binding regulatory framework constructed on five core principles:

• Safety, security, and robustness
• Appropriate transparency and explainability
• Fairness
• Accountability and governance
• Contestability and redress.

In order to strengthen this framework, there is an increasing recognition of the need to introduce binding obligations that are directly tied to these non-binding principles. The government is therefore considering legislative measures that would require organisations developing or deploying high-impact AI systems to demonstrate compliance with these core principles through mandatory reporting, risk assessments, and independent audits. This shift aims to ensure that adherence to these principles moves beyond voluntary guidance into enforceable legal requirements.

However, the UK has recently signalled a shift in this policy. In response to recommendations from a range of industry and advisory bodies, the Government is now considering legislation for high-impact AI systems. Regulatory institutions are expected to play a growing role in shaping sector-specific rules.

The EU AI Act: a structured regulatory model

The EU has taken a more structured approach. The EU Artificial Intelligence Act, which came into force on 1 August 2024, sets out obligations based on the perceived risk of different types of AI systems. The Act applies across industrial sectors and will be fully operational by 2026.

AI systems are classified into categories such as high risk or unacceptable risk, with each category attracting various levels of oversight. For example, high risk systems must comply with requirements around transparency, data governance, and human oversight. The Act also restricts the use of AI in certain sensitive areas, such as social scoring whereas unacceptable risks systems are being prohibited, (e.g. social scoring systems and manipulative uses of AI).

Although it does not create entirely new legal rights for individuals, the AI Act builds on existing laws such as the GDPR and aims to prevent harm by imposing obligations at the development and deployment stages.

Global and Regional Collaboration

On the global stage, regulators and policymakers are beginning to coordinate their efforts. Key developments include:

• The United Nations’ 2024 report on AI governance, which recommends filling regulatory gaps and enhancing international cooperation
• The OECD’s Hiroshima Process and its voluntary Code of Conduct for developers of advanced AI systems
• The EU AI Pact, which encourages early compliance with the AI Act by industry stakeholders
• Ongoing state-level regulation in countries like the United States, where there is no unified federal AI law but significant state-led activity
• Multilateral frameworks, such as the Council of Europe’s Framework Convention on AI, also reflect a growing consensus around responsible and ethical AI development.

AI regulation is progressing at different speeds across jurisdictions. Businesses operating in the UK should monitor international developments while preparing for forthcoming domestic legislation. In the meantime, organisations should ensure that their use of AI aligns with current legal standards and governmental guidance. Legal advisors have a critical role to play in helping clients anticipate changes and assess risks, to implement and update robust governance measures.

Our experienced team can help ensure your commercial agreements evolve with your business needs while maintaining robust legal protection. Contact us to discuss how we can support your contract review and optimisation strategy for 2025 and beyond.