2025 has seen a bewildering onslaught of initiatives, reports, consultations and funding announcements related to the UK's technology market – how to develop it, how to achieve growth (and eventual world domination) and, of course, how to regulate it. So what do we expect in 2026?
We'll get an AI Bill, but not as you know it
In our 2025 predictions for tech and digital regulation, our first prediction was that the UK would get AI legislation in 2025. Clearly that did not happen. You can see where we were coming from given AI legislation has been presumed imminent since before the 2024 general election. Despite the Conservative government's AI White Paper advocating a sector approach to regulating AI, it was also rumoured that the outgoing Conservative government had been working on draft legislation given the UK's active role in setting up the first in a planned series of AI Safety Summits, and that this would form the basis of a Labour Bill.
The current government announced an AI Bill in the King's Speech of 17 July 2024. The proposed Bill was described as "seek[ing] to establish the most appropriate legislation to place requirements on those working to develop the most powerful AI models”. It was widely assumed that any proposed legislation would be far less comprehensive than the EU's AI Act but would focus on safety of frontier systems. Patrick Vallance later suggested regulation would deal with 'future AI', so Artificial General Intelligence, rather than the existing LLMs.
Is there still going to be a UK AI Bill and if so, what will it cover? We're now approaching the end of 2025 and, while there has been a consultation on AI and copyright (results pending – see our copyright predictions for more [link to Gregor/Louise article]), there has been nothing on an AI Bill itself and reports suggest nothing will be published until a decision has been taken on whether to include an AI Bill in the spring 2026 King's Speech.
Arguably more noteworthy than the delay though is the distinct shift in tone from the government. The focus appears to have moved away from AI safety in favour of growth and national security – a direction of travel it is hard not to associate with a similar shift in the US focus under the Trump administration.
Perhaps a clue lies in the government's Blueprint for AI regulation announced on 21 October 2025 alongside a call for views on an AI Growth Lab (for which responses are requested by close on 2 January 2026). The AI Growth Lab is envisaged as a cross-economy sandbox which will oversee deployment of AI-enabled products and services that are currently impeded by exiting regulation. The government proposes using supervised regulatory sandboxes to test AI in real-world conditions in healthcare, professional services, transport and advanced manufacturing. The model will enable time-limited, closely supervised modifications to specific regulatory requirements, under a licensing scheme with safeguards such as stopping testing and imposing fines if terms are breached or risks emerge.
With the launch of yet another AI initiative but no Bill, there is an argument to suggest that the government may be trending back to a sector approach. It also seems likely that the government will move away from its initial proposal to move to an opt-out regime for the use of copyright materials for AI training so no legislation will be forthcoming in that area. Having said that, we do still expect some form of AI legislation next year, but it seems increasingly unlikely that it will introduce onerous safety obligations. Legislation is more likely to be needed to remove any statutory barriers to the AI Growth Lab sandbox environments and any eventual AI Bill may be more limited in scope than initially envisaged.
Data will get smarter and safer
The government passed the Data (Use and Access) (DUA) Act in 2025, but much of it needs to be implemented under secondary legislation. Perhaps the least controversial elements are the provisions reforming the UK GDPR which are expected to be brought in in January 2026. Even the European Data Protection Board isn't too troubled by them, as it didn't raise any objections to renewal of the EU-UK data adequacy decision. There will be additional compliance points and some minor adjustments but there has been plenty of time to prepare (see more about the DUA Act).
Of more impact may be the changes proposed to the EU GDPR, the ePrivacy Directive and the Data Act in the Digital Omnibus proposal which will shift the EU data regime. In some cases, the changes to the GDPR are in line with those made by the DUA Act but, of course, it's not as simple as that and we may be in the unusual position of UK legislation being less flexible than the corresponding EU version. In particular, the EC's plans to introduce a legitimate interest lawful basis for developing and operating AI, may prompt the Secretary of State to take advantage of powers to introduce new recognised legitimate interests to bring in parallel provisions under the UK regime (see here for more on the Digital Omnibus), even though those power have been a source of concern to the European Commission and the European Data Protection Board.
Arguably of more interest in relation to the DUA Act than the GDPR elements will be what the government plans to put in place in terms of data sharing and smart data schemes. The powers are in place for the Secretary of State to introduce secondary legislation which we expect to see in 2026.
Alongside this, the Cyber Security and Resilience Bill, introduced to Parliament in November, will bring the UK's digital resilience framework up to date along similar lines to the EU's NIS2 Directive. In particular, managed service providers, certain data centres, and large load controllers will be in scope, the Secretary of State has significantly extended powers, including to expand the regime under secondary legislation, to designate critical suppliers, and to make directions regarding national security. There are reframed incident reporting provisions and increased sanctions (read more). We'd expect the passage of this legislation to be fairly smooth and complete during 2026.
We'll be going quantum or going home
The AI race may still have a long way to run, but the quantum race is hotting up – both in terms of developing and using quantum computing, and in transitioning to post-quantum cryptography. The UK government made significant commitments to quantum technology development during 2025, including setting up a Quantum Regulators' Forum in April, comprising nine key regulators including those from the DRCF, IPO, MHRA, Office for Product Safety and Standards, Civil Aviation Authority, and Ofgem. This is designed to coordinate oversight and address regulatory gaps in emerging quantum technologies. The government also announced £121 million in quantum technology investment, with a primary focus on applications for tackling crime, fraud and money laundering.
On 13 May 2025, the government published a UK Quantum Skills Taskforce report. The report made recommendations to support and inform future quantum programmes and policy development including attracting international talent and carrying out a landscape review of publicly funded PhD-level quantum skills activities.
The government's Science and Technology Framework, published on 28 April 2025, identified quantum technologies as one of the critical technologies for support within its industrial strategy, with the Regulatory Innovation Office playing a key role in helping quantum businesses enter the market. International collaboration has also been prioritised through the US-Tech Prosperity Deal Memorandum of Understanding signed on 18 September 2025, which enhances bilateral cooperation specifically in quantum technologies alongside AI, civil nuclear energy, and fusion.
In June, £670m of funding was announced to accelerate the impact of quantum computers and new projects were announced in November totalling over £14 million launched to support efforts putting quantum to work.
In short, the government is ramping up on quantum and trying to ensure it lays the groundwork required to place the UK as a world-leader in the technology as it develops.
If you build it, people will come – data centres will proliferate
There's no achieving the government's ambitions in AI and quantum without data centres.
A feature of the US-UK Tech Prosperity Deal MoU was a commitment to collaborate on AI infrastructure including data centres, and a large part of the investments announced in the MoU related to inbound investment by the US tech giants in building AI infrastructure and data sites in the UK.
A potential stumbling block to these plans is the UK's hidebound planning law, reform of which is a target for the government. In October 2025, the government tabled legislation to designate certain data centre projects as Nationally Significant Infrastructure Projects, allowing for a streamlined planning route. The government also opened bids for AI Growth Zones in spring 2025 to fast track AI-enabled data centres, with three designated so far. On 13 November 2025, the government published a policy paper on Delivering AI Growth Zones (AIGZs). A new AI Growth Zone Delivery Unit will oversee implementation of policies to address the main challenges which are focused on accelerating grid connections, bringing down energy prices, reducing planning barriers, and fostering investment.
Of course, all the data needs to be held securely and in November, the government also announced that OpenAI will begin hosting data in the UK so that British businesses an be assured their data is protected. In addition, as mentioned above, certain data centres will come within scope of the UK's cyber resilience regimes once the Cyber Security and Resilience Bill becomes law.
We expect to see the way paved (and the foundations dug) for data centres to multiply in 2026 and beyond. Check out our Data Centre Series of webinars for more.
Subscription traps will be a think of the past but you may get tired of the notifications
The majority of the Digital Markets Competition and Consumers Act 2024 (DMCCA) came into force during 2025, but notably, the subscription regime, originally intended to commence by spring 2026, has now been pushed back to autumn 2026. This is apparently because the government needs more time to consider the responses to its consultation on the regime which closed in February 2025 (read more). Businesses have pushed back on elements of the plans as being too complex and likely to annoy customers given the number of customer notifications required (although these were simplified down from the original proposals before the DMCCA was enacted as discussed here). It remains to be seen quite how the subscription elements of the DMCCA will be implemented but that will come during 2026, even if it will now come closer to the end of the year than initially expected.
There will be fines
With the final stages of the Online Safety Act (OSA) and DMCCA set to come into effect in 2026, we're also expecting to see some regulatory muscle flexed over the course of the year. The CMA made its first strategic market status (SMS) designations under the DMCCA this year with more designations and potential conduct requirements and interventions to follow in 2026, but it also has direct enforcement powers (including to impose fines of up to 10% of annual global turnover and daily penalties) in relation to both competition and consumer protection law for the first time.
On 18 November 2025, the CMA launched investigations into eight businesses in relation to their use of fees, misleading time-limited offers, and/or the practice of automatically opting consumers in for optional charges. It sent a further 100 letters to businesses following a compliance sweep, asking 11 sectors including live event ticketing, online vouchers, fashion and food and drink delivery companies, asking them to review their practices around additional fees and online sales tactics. The CMA also published its final price transparency guidance (CMA209) and guidance on getting consent for additional charges when selling online. We expect the CMA will conclude these and other investigations in 2026 and that fines may well follow as a result.
Ofcom similarly has extensive enforcement powers under the OSA, including to impose fines up to the higher of 10% of global turnover or £18m. It has already begun a comprehensive enforcement programme which we expect to continue in 2026 (see our predictions on online safety here) and has imposed fines for failure to respond to information requests and, most recently, fined a nudification app publisher £50,000 for failing to use age checks to protect children online.
While financial penalties are the 'backstop' of enforcement, the regulators are likely to want to show they mean business and take swift action in relation to egregious non-compliance under both the DMCCA and the OSA and we expect to see some significant penalties issued next year.
2026 – the year of delivery?
Looking back at our predictions for 2025, it's striking how similar the priorities are for next year. This is arguably because while progress has been made (notably with the enactment of the DUA Act, and the OSA and DMCCA starting to bite), we'd expect 2026 will focus more on delivery. There's been a lot of planning and now it's time for the action.
