Regulation 15 June 2026 · 14 min read

The 2026 AI Regulation Map

Justin Gane · CEO, 1Digit

Where EU and UK rules actually stand, and what lands before your FY27 budget.

Most of what is written about AI regulation is either a news roundup or a panic. Neither helps you decide what to do this quarter. So this is something different: a dated, practical map you can locate your own business on. It tells you what is actually enforceable, when, and what each milestone means if you have AI in production or close to it.

It is current as of 15 June 2026. We refresh it every quarter, because the dates keep moving, and the firms that get caught out are usually working from a deadline that has already changed.

There is one point worth making before the detail. The regulation is not the reason to get your AI estate governed and into production. It is the deadline. The work (mapping where AI is making decisions, building the supervisory layer, proving you can show an auditor what is running) is the same work whether the regulator arrives or not. The regulation just sets the clock. That is the lens we read every milestone below through.

What is actually enforceable, and when

This is the whole map on one screen. Everything after it is explanation.

| Date | Jurisdiction | What changes | Status |
| --- | --- | --- | --- |
| 2 Feb 2025 | EU | Prohibited AI practices (Article 5) and AI literacy duties (Article 4) apply | In force |
| 2 Aug 2025 | EU | Obligations for providers of general-purpose AI (GPAI) models begin to apply | In force |
| 5 Feb 2026 | UK | Data (Use and Access) Act s.80 replaces UK GDPR Article 22; new automated decision-making rules apply | In force |
| 12 May 2026 | UK | Statutory duty for the ICO Code of Practice on AI and automated decision-making takes effect (SI 2026/425) | In force |
| 19 Jun 2026 | UK | New statutory complaint-handling duty for controllers (new s.164A DPA 2018) | In force from this date |
| 2 Aug 2026 | EU | Commission gains enforcement powers over GPAI providers, including fines | Live, not deferred |
| Summer 2026 | UK | ICO final guidance on automated decision-making expected | Consultation closed 29 May 2026 |
| 2 Dec 2027 | EU | High-risk obligations for standalone Annex III systems apply (deferred from 2 Aug 2026) | Agreed, pending formal adoption |
| 2 Aug 2028 | EU | High-risk obligations for AI embedded in regulated products (Annex I) apply (deferred from 2 Aug 2027) | Agreed, pending formal adoption |

Current as of 15 June 2026. Refreshed quarterly.

The single most important row is the one most boards have wrong. We come back to it below.

Part one: the EU picture

The EU AI Act has been arriving in stages since 2024. Two milestones shape 2026, and the simplification package everyone is talking about changed only one of them.

GPAI enforcement is live in August. It was not deferred.

The milestone that lands this summer is the one for providers of general-purpose AI models, the foundation models that sit underneath most enterprise AI.

The obligations themselves have applied since 2 August 2025. What changes on 2 August 2026 is enforcement: from that date the European Commission can enforce those obligations against GPAI providers and levy fines. That date is real, it is weeks away as you read this, and crucially it was not touched by the simplification package that softened other parts of the Act.

If you build on a frontier model, this matters even though the primary obligation sits with the model provider. Your provider's compliance posture (the documentation they give you, the transparency information you can pass downstream) becomes a live question the moment enforcement begins. Procurement and risk teams should already be asking model vendors for their GPAI compliance position rather than assuming it.

The Digital Omnibus: what got deferred, and what did not

In November 2025 the Commission proposed a “Digital Omnibus” to simplify the AI Act. On 7 May 2026 the Council and Parliament reached a provisional political agreement on it. This is the change almost everyone has heard about and almost everyone has half-right.

What it defers: the obligations for high-risk AI systems. Standalone high-risk systems listed in Annex III (the kind used in recruitment, credit scoring, essential services and similar) now move to 2 December 2027. High-risk AI embedded in regulated products under Annex I moves to 2 August 2028. The original dates were 2 August 2026 and 2 August 2027 respectively, so this is a meaningful extension: sixteen months for Annex III and a year for Annex I.

What it does not defer: the GPAI enforcement that begins on 2 August 2026. The simplification touched the high-risk timeline, not the general-purpose model timeline.

There is also a new prohibition being added to Article 5, covering AI-generated non-consensual intimate imagery and child sexual abuse material. And one procedural caveat that matters for planning: the Omnibus is a provisional agreement. It takes legal effect only once it is formally adopted and published in the Official Journal, which is expected before 2 August 2026. Until then, the letter of the law still reads August 2026 for high-risk, even though the political direction is settled. Plan to the agreed dates, but know the formal switch has not flipped yet.

The trap in one sentence

Here is the August 2026 date most boards have wrong. They believe high-risk AI obligations land on 2 August 2026. They do not. Those moved to December 2027. What lands on 2 August 2026 is GPAI enforcement. If your compliance plan is built around getting high-risk systems ready for this August, you have given yourself sixteen extra months you did not know you had. If your plan assumed nothing happens this August, you have missed that enforcement against the model layer your whole estate sits on goes live. Most organisations have exactly one of these two facts and are missing the other.

Part two: the UK picture

The UK has chosen a different road. There is no UK AI Act and none is planned. The approach is principles-based and pro-innovation, with existing regulators (the ICO, the FCA, the PRA, Ofcom and others) applying AI oversight through the powers they already have.

For a cross-border business this means you do not get one rulebook: you get the EU AI Act on one side and a cluster of UK data and sector rules on the other. The UK milestones that actually bite in 2026 sit in data protection law.

Automated decision-making: the rules already changed

On 5 February 2026, section 80 of the Data (Use and Access) Act 2025 came into force and replaced Article 22 of the UK GDPR. This is the rule that governs decisions made about people by automated means, exactly the territory most production AI operates in.

The reform widens where you can rely on solely automated decisions, but it ties that to a defined set of safeguards for any decision with legal or similarly significant effect: telling the individual the decision was automated, letting them make representations, letting them contest it, and giving them a route to human intervention. Explicit consent is no longer required for significant automated decisions unless special category data (health, ethnicity and the like) is involved.

The practical reading is simple. If you have an AI system making or materially shaping decisions about people (employment, credit, access to a service), the UK has just told you what the guardrails around it must look like, and that rule is already in force. Not coming. In force since February.

The ICO ran a consultation on updated automated decision-making guidance that closed on 29 May 2026, with final guidance expected over the summer. That guidance is the detail organisations have been waiting for, and it is worth tracking, because it will set the ICO's expectations on what “meaningful human involvement” and an effective challenge route actually require in practice.

The complaint-handling duty

On 19 June 2026, a new statutory complaint-handling duty comes into force for data controllers, inserted as a new section 164A of the Data Protection Act 2018 by the Data (Use and Access) Act.

It requires controllers to have a clear, effective process for receiving and handling data protection complaints directly from individuals, and to accept complaints however they arrive (including over social media). The ICO's draft guidance proposes resolving them within a month, and within three months at the outside. This is not AI-specific, but it lands directly on AI-driven processing, because the complaints most likely to test it are exactly the "why did your system decide this about me" complaints that automated decision-making generates. If your AI touches customers or staff, your complaints process needs to be ready for it by 19 June 2026.

Part three: where you actually stand

Strip the dates back and a regulated mid-market business with AI in or near production is being asked, by both jurisdictions, the same underlying question. Can you show, on demand, where AI is making or shaping decisions in your business, what supervises each of those points, and what happens when one of them goes wrong?

The EU asks it through GPAI enforcement and the high-risk regime. The UK asks it through the automated decision-making safeguards and the complaints duty. The vocabulary differs. The demand is identical: a mapped, supervised, auditable AI estate.

This is why the compliance angle and the production angle are not two projects. They are one. The reason four in five enterprise AI programmes never reach production at scale is rarely the model. It is the absence of exactly the things the regulation is now asking for: governed data, a supervisory layer, decisions you can evidence, a way to intervene. The firms that get AI into production are the ones that built that scaffolding first. The regulation has simply made the scaffolding non-optional and put a date on it.

So the honest “where you stand” test is not “are we compliant.” It is “could we prove it.” If a regulator, or a board member, or a customer asked you tomorrow to show the map of AI decisions in your business and the controls around them, would you have the map, or would you have to go and build it under pressure? The organisations that are calm about 2026 are the ones that already have the map. The ones that are anxious are the ones discovering they cannot produce it.

Part four: what the rules actually require of you

Strip the dates back and the EU and UK frameworks ask for broadly the same eight things. None of them is exotic. Most are overdue rather than new.

  1. Know where your AI makes decisions, and make sure your people understand it. Both regimes assume you hold an inventory of where AI makes or shapes decisions and what data each system touches. The EU AI Act goes further and makes AI literacy a legal duty: since February 2025, Article 4 requires providers and deployers to ensure the staff who operate or rely on AI understand its capabilities, limits and risks. You cannot govern, or defend, a system nobody has mapped.
  2. Keep a human in charge of significant decisions. Article 26 requires deployers of high-risk systems to assign human oversight to people with the competence and the authority to override or stop the system, through a control that is genuinely accessible. Under the Omnibus dates that duty becomes enforceable for Annex III systems from 2 December 2027, but it is far cheaper to design in now than to retrofit. The UK reaches the same place through data protection law: since 5 February 2026 the DUAA permits a solely automated decision with legal or similarly significant effect only if you tell the person, let them make representations, let them contest the outcome, and give them a route to human intervention.
  3. Log it, and be able to prove what happened. Article 26 requires deployers to keep the system's automated logs for at least six months. GDPR Article 35 requires a Data Protection Impact Assessment wherever processing is likely to be high risk, which covers most production AI that touches personal data. The test a regulator, an auditor or a customer will apply is blunt: show me the decision, the data behind it, and the record.
  4. Protect personal data by design, not after the fact. This is the obligation most enterprises are exposed on. GDPR Article 25 requires data protection by design and by default, and names pseudonymisation and data minimisation explicitly. An employee pasting a customer record into a frontier model is the precise opposite of that. The lawful pattern is to minimise and pseudonymise personal data before it reaches a model you do not control.
  5. Do due diligence on the model underneath you. Article 53 of the EU AI Act (given practical shape by the voluntary General-Purpose AI Code of Practice) requires GPAI model providers to give those who integrate the model into their own systems an information package: capabilities and limits, safe-use instructions, known limitations and biases, and any restrictions on use. The 2026 market norm is to put this in the contract: documentation pass-through, cascading incident notification, and training-data provenance warranties. If you build on a frontier model, request that package before 2 August, when GPAI enforcement begins.
  6. Be transparent that AI was involved. From 2 August 2026, Article 50 requires deployers to disclose AI-generated or manipulated content, including deepfakes and AI-written text published to inform the public. The UK ADM rules require you to tell a person when a significant decision about them was made by a machine.
  7. Handle complaints properly. From 19 June 2026, the new section 164A duty requires every UK controller to run a clear, effective process for data-protection complaints, and the complaints most likely to test it are exactly the AI-driven ones.
  8. Hold it together with a management system. None of the above sticks as a one-off project. ISO 42001, the first AI management system standard, gives you the repeatable structure (governance, risk assessment, oversight, continual improvement) that turns scattered controls into something you can certify and an auditor will accept. The UK's own statutory code of practice on AI and ADM, in force from 12 May 2026, points the same way.

Part five: what to do now

The encouraging part: almost all of this can be started now, under your own steam, before any deadline bites. And the work that makes you compliant is the same work that gets a stalled pilot into production. That is the whole Be the One idea: the one in five that reach production built this scaffolding first.

A practical order to start this quarter:

  1. Map your AI decisions. One page: where AI makes or shapes a decision, what personal data it touches, who owns it. Nothing else works without this, and it is a week of effort, not a programme.
  2. Stand up a personal-data redaction layer. This is the fast win, deployable in weeks rather than quarters. Redact on the way out, rehydrate on the way in: before a prompt leaves your perimeter, every name and identifier is swapped for a consistent token, so the model reasons on the structure and never learns who the person is, and the real values are restored inside your walls when the answer comes back. It is a direct application of the pseudonymisation and minimisation that Article 25 names, and it lets your people keep using the best frontier models without leaking regulated data into them. One caveat: the token-to-value mapping is still personal data (pseudonymised data remains in scope of the GDPR), so the mapping store must stay inside the perimeter, under access control and a retention policy, even though the model provider only ever sees tokens. For most regulated businesses this is the single highest-value control to put in place now.
  3. Put oversight and a challenge route on significant decisions. A named human who can override, and a clear path for an affected person to contest. Required by both regimes, and sensible regardless.
  4. Turn on logging at the point of decision. Capture who or what authorised each decision, the data it used, and the outcome, with at least six months retained.
  5. Run a DPIA on your highest-risk processing. Not everything, just the handful of systems making significant decisions about people.
  6. Do the vendor due diligence. Request the GPAI documentation package from your model providers and get pass-through and incident-notification clauses into the contract, before 2 August.
  7. Stand up the section 164A complaints process. This one has a hard date: 19 June. Make sure AI-driven complaints route into it.
  8. Wrap it in an AI management system. Align to ISO 42001 so this is repeatable and certifiable, not a one-time scramble.
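The redaction-and-rehydration pattern in step two, as an added example that is not code from the original page or from 1Digit. It assumes a regex-based detector for three identifier classes (email, UK mobile number, titled personal name), a keyed hash to derive consistent tokens, and a stand-in `fake_model` function in place of a real model call; the ticket text and the person in it are constructed for the example. The model never sees the originals, the mapping stays in the perimeter, and any token in the answer that the layer never issued is reported rather than silently passed through.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict, List, Tuple

# Detector patterns for three identifier classes. These regexes are constructed
# for this example; a production redaction layer would use a proper PII detector
# (NER plus per-type validators), not a handful of regexes.
PATTERNS: Dict[str, re.Pattern] = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "UK_PHONE": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
    "NAME": re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.? [A-Z][a-z]+(?: [A-Z][a-z]+)?\b"),
}
# Shape of the tokens we issue; used to find them again in the model's answer.
TOKEN_RE = re.compile(r"<<(?:EMAIL|UK_PHONE|NAME)_[0-9a-f]{8}>>")


class Redactor:
    """Swaps identifiers for consistent tokens on the way out, restores them on the way in."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        # token -> original value. The vault is itself personal data and must
        # never leave the perimeter; the model only ever sees the tokens.
        self._vault: Dict[str, str] = {}

    def _token(self, kind: str, value: str) -> str:
        # Keyed hash: the same value always yields the same token under this key,
        # so the model can reason about "the same person" across a prompt, but
        # the token cannot be reversed without the key and the vault.
        digest = hmac.new(self._secret, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
        return f"<<{kind}_{digest[:8]}>>"  # truncated for readability in this example only

    def redact(self, text: str) -> str:
        for kind, pattern in PATTERNS.items():
            def swap(match: re.Match, kind: str = kind) -> str:
                token = self._token(kind, match.group(0))
                self._vault[token] = match.group(0)
                return token
            text = pattern.sub(swap, text)
        return text

    def rehydrate(self, text: str) -> Tuple[str, List[str]]:
        """Restore originals. Tokens we never issued are reported, not guessed."""
        unknown: List[str] = []

        def restore(match: re.Match) -> str:
            token = match.group(0)
            if token in self._vault:
                return self._vault[token]
            unknown.append(token)
            return token

        return TOKEN_RE.sub(restore, text), unknown


def run_through_model(redactor: Redactor, text: str,
                      model: Callable[[str], str]) -> Tuple[str, List[str]]:
    """Redact on the way out, call the model, rehydrate on the way back."""
    outbound = redactor.redact(text)
    inbound = model(outbound)
    return redactor.rehydrate(inbound)


# Constructed sample ticket; the person and contact details are fictitious.
CONSTRUCTED_TICKET = (
    "Customer Mrs Jane Doe (jane.doe@example.com, 07700 900123) disputes the "
    "credit limit cut applied on 3 June. Draft a reply explaining the decision."
)


def fake_model(prompt: str) -> str:
    """Stand-in for the frontier model call; it sees only tokens. The final token
    is one the layer never issued, to exercise the unknown-token check."""
    tokens = TOKEN_RE.findall(prompt)
    name = next(t for t in tokens if t.startswith("<<NAME_"))
    email = next(t for t in tokens if t.startswith("<<EMAIL_"))
    return (f"Dear {name}, we have reviewed the credit limit decision and will "
            f"confirm the outcome to {email}. Ref: <<NAME_00000000>>")


if __name__ == "__main__":
    redactor = Redactor(b"constructed-example-key")  # real deployments: per-tenant key from a KMS
    print("outbound:", redactor.redact(CONSTRUCTED_TICKET))
    answer, unknown = run_through_model(redactor, CONSTRUCTED_TICKET, fake_model)
    print("inbound: ", answer)
    print("unknown tokens (do not trust):", unknown)
```

Two design points matter more than the detector. The token is derived with a keyed hash rather than a counter so that repeated mentions of the same person collapse to one token and the model can reason about "the same customer" without learning who that is; and rehydration refuses to guess, so a token the model mangled or invented surfaces as an error for a human to look at rather than being silently dropped into a customer letter.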

Do these and two things happen at once. You are demonstrably ready for every date on the map, and you have built exactly the foundations that move a pilot from proof-of-concept to production. Compliance and production are not two projects. They are one, and this is the list.

Where this leaves the work

Legislation is the “why now.” A governed AI estate, in production, that you can put in front of an auditor, is the “what to do.” Those have to meet, and the window to do that work under your own steam (rather than under enforcement pressure or after an incident) is the one we are in right now: after the dates are known, before they bite.

This is the work 1Digit does. We build and run production-grade AI for regulated UK businesses under ISO 27001, ISO 42001 and SOC 2, with humans and AI both in the loop, real audit trails, and governance that survives an audit committee. The personal-data redaction layer in step two is something we can stand up quickly, and it is often the fastest single way to make frontier AI safe to use across a regulated business. We are not a policy shop and this is not legal advice; we are the people who do the engineering and the operating-model work that turns a regulatory deadline into a system you can actually stand behind.

If you have a pilot that has stalled, or an estate you could not fully map today, that is the exact problem we work on. The first step is a short conversation, not a commitment.

This map is refreshed each quarter. If you would like the updated version sent to you when the next deadlines move, get in touch and we will send it. No pitch, just the refreshed map.


Last updated 15 June 2026. This is general information, not legal advice. Verify specific obligations against the primary sources and your own advisers before acting.


Frequently Asked Questions

What actually changes on 2 August 2026 under the EU AI Act?
Enforcement of the general-purpose AI (GPAI) obligations begins: from that date the European Commission can enforce them against model providers and levy fines. The high-risk obligations do not land then: the Digital Omnibus moved standalone Annex III high-risk systems to 2 December 2027 and product-embedded Annex I systems to 2 August 2028. Most boards have this the wrong way round.
Did the EU defer the AI Act's high-risk rules?
Yes. Under the Digital Omnibus (provisional political agreement reached 7 May 2026), standalone high-risk systems in Annex III move to 2 December 2027 and high-risk AI embedded in regulated products under Annex I moves to 2 August 2028, extensions of sixteen months and a year respectively. The GPAI enforcement date of 2 August 2026 was not deferred. The Omnibus takes legal effect only once formally adopted and published in the Official Journal.
What UK AI rules take effect in 2026?
There is no UK AI Act. The 2026 obligations sit in data protection law: section 80 of the Data (Use and Access) Act 2025 replaced UK GDPR Article 22 on automated decision-making (in force 5 February 2026); a statutory ICO code of practice on AI and ADM took effect on 12 May 2026 (SI 2026/425); and a new statutory complaint-handling duty (section 164A DPA 2018) comes into force on 19 June 2026.
Do UK rules still require consent for automated decisions?
Explicit consent is no longer required for a solely automated decision with legal or similarly significant effect, unless special category data (such as health or ethnicity) is involved. Instead, the Data (Use and Access) Act requires safeguards: tell the individual the decision was automated, let them make representations, let them contest it, and give them a route to human intervention.
What do the EU and UK AI rules actually require in practice?
Both jurisdictions ask for the same thing in different words: a mapped, supervised, auditable AI estate. In practice that means an inventory of where AI makes decisions, human oversight and a challenge route on significant decisions, logging and DPIAs, data protection by design (minimisation and pseudonymisation, such as a redaction layer), vendor due diligence on the model underneath you, transparency that AI was involved, a complaints process, and an ISO 42001 management system to hold it together.
Justin Gane · CEO, 1Digit

Founder and CEO of 1Digit. Builds enterprise AI architecture and data platforms for regulated industries across the UK and Europe.