AI Governance in the United Kingdom: Pro-Innovation Approach, ICO, FCA and Brexit
The UK relies on sector-specific, principles-based AI regulation. Six regulators hold AI powers, and the EU AI Act still applies to UK companies with EU customers.
Key Takeaways
The UK has deliberately chosen not to enact a comprehensive AI law, instead allowing sector-specific regulators (ICO, FCA, CMA, Ofcom, MHRA) to apply existing powers to AI in their domains.
The ICO's guidance on AI and data protection — including the Explaining Decisions Made with AI guidance — sets out how UK GDPR applies to automated decision-making, profiling, and AI systems processing personal data.
The FCA is actively supervising AI in financial services. Its joint paper with the Bank of England on AI in UK financial services (2022) and ongoing engagement with industry signal increasing regulatory attention.
UK companies with EU customers are subject to the EU AI Act's extraterritorial reach. Brexit does not protect UK organisations from EU AI Act obligations — if your AI affects EU citizens, you are in scope.
The UK AI Safety Institute (now part of the AI Security Institute) focuses on frontier AI safety research. It represents the UK's approach to regulating powerful AI systems outside the sector-by-sector framework.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."
The UK's deliberate regulatory choice
When the EU was developing the AI Act, the UK government was making an explicit choice to go in a different direction. The 2023 AI White Paper articulated a "pro-innovation" approach: rather than enacting prescriptive horizontal AI legislation, the UK would rely on existing sector regulators to apply their domain expertise and existing powers to AI, guided by five cross-sector principles — safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress.
This approach reflects a genuine philosophical difference from the EU's risk-based classification framework. The UK's position is that sector regulators are better placed to assess AI risks in their domains than a central legislative framework. Whether this proves correct depends significantly on how effectively sector regulators adapt their frameworks to AI's distinctive characteristics.
ICO: UK GDPR and AI
The Information Commissioner's Office is the most active UK regulator in AI governance, both because UK GDPR applies broadly to AI systems processing personal data and because the ICO has invested significantly in developing AI-specific guidance. The ICO's Explaining Decisions Made with AI guidance — developed in partnership with the Alan Turing Institute — addresses the UK GDPR's Article 22 requirements for automated decision-making, providing practical guidance on what meaningful explanation looks like in AI contexts.
UK GDPR's Article 22 (retained from EU GDPR) gives individuals the right not to be subject to solely automated decisions that produce legal or similarly significant effects. The ICO has been active in enforcing data protection requirements in AI contexts and has brought enforcement action against several organisations for algorithmic practices that breached UK GDPR. For any organisation using AI in significant decisions affecting UK individuals — credit, insurance, employment, healthcare — ICO's AI guidance should be treated as the baseline compliance expectation.
FCA: AI in financial services
The Financial Conduct Authority has engaged extensively with AI governance in financial services. The FCA's 2022 joint discussion paper with the Bank of England, Prudential Regulation Authority, and Payment Systems Regulator on AI and machine learning identified the key governance challenges and signalled regulatory expectations. The FCA's Consumer Duty (effective 2023) creates obligations for good consumer outcomes that interact directly with AI governance: systems that lead to poor consumer outcomes, through design or error, are a Consumer Duty concern regardless of whether they were AI-driven.
The FCA has been pragmatic about AI adoption in financial services, recognising its potential for beneficial outcomes alongside governance risks. Its approach has been to engage with industry on AI governance through initiatives like the Digital Sandbox and regulatory sandbox, while making clear that existing regulatory obligations apply to AI as to other means of delivering financial services.
The EU AI Act problem for UK organisations
One consequence of Brexit that UK organisations sometimes underestimate is the EU AI Act's extraterritorial reach. The Act applies to providers who place AI systems on the EU market or put them into service in the EU, to operators who use AI systems in the EU, and to providers and operators outside the EU where the output of their AI system is used in the EU. UK organisations with EU customers are within scope of the EU AI Act regardless of the UK's own regulatory approach. This means that while UK-based organisations are not subject to UK AI legislation, they may simultaneously be subject to EU AI Act obligations for their EU-facing activities. Managing this dual environment (UK GDPR and ICO for domestic activities, EU AI Act for EU-facing activities) is the practical governance challenge for many UK organisations.