Legal and governance

Jurisdictional landscape

Not legal advice. Consult a qualified lawyer for your specific situation.

This is a snapshot of major AI regulations affecting small businesses in April 2026. Regulation is evolving quickly. Treat this document as a starting point, not a settled map.

European Union

EU AI Act (Regulation (EU) 2024/1689)

Phased enforcement:

  • Prohibited practices (Article 5) and AI literacy duties: enforced from 2 February 2025
  • Governance bodies and general-purpose AI (GPAI) model obligations: enforced from 2 August 2025
  • High-risk systems listed in Annex III (employment, education, credit, essential services, etc.) and most other provisions: enforced from 2 August 2026 (THIS IS THE BIG ONE)
  • High-risk systems that are safety components of products covered by the EU product legislation in Annex I: enforced from 2 August 2027

Who it affects: providers placing AI systems on the EU market, deployers established in the EU, and providers or deployers outside the EU whose system's output is used in the EU. A UK company with EU users is in scope for those products.

Key obligations for deployers of high-risk systems (Article 26):

  • Use the system in line with the provider's instructions, and assign human oversight to people with the competence, training and authority to exercise it
  • Where you control the input data, ensure it is relevant and sufficiently representative for the intended purpose
  • Monitor operation, and report serious incidents and emerging risks to the provider and the market surveillance authority
  • Keep the logs the system generates automatically for at least six months (longer where other law requires it)
  • Inform workers and their representatives before deploying a high-risk system in the workplace, and tell natural persons when a high-risk system is used in decisions about them
  • A fundamental rights impact assessment (Article 27) is mandatory only for certain deployers (public bodies, private providers of public services, and credit and insurance uses), but a documented risk assessment is good practice for any high-risk deployment

Maximum penalties (Article 99): EUR 35 million or 7% of worldwide annual turnover for prohibited practices, EUR 15 million or 3% for most other violations, EUR 7.5 million or 1% for supplying incorrect information to authorities. For large companies the higher of the two figures applies.

Small business considerations: for SMEs and start-ups the lower of the two figures applies, and the Act asks regulators to account for SME interests when setting fines. That cap is the main proportionality provision; the substantive obligations are the same. Even small companies face significant exposure on high-risk deployments.

Source: https://artificialintelligenceact.eu/

GDPR (Regulation (EU) 2016/679)

Still applies fully to any AI system processing personal data, alongside the AI Act. Key concerns:

  • A lawful basis (Article 6) for both training on and running inference over personal data, which are separate processing activities and may need separate bases
  • Article 22: restrictions on decisions based solely on automated processing that have legal or similarly significant effects, and the right to human intervention
  • Data subject access requests may extend to AI-generated outputs and inferences about the subject, and to the logic involved in automated decisions
  • Controller and processor roles across AI pipelines: a third-party model API is typically a processor, and a data processing agreement is needed

United Kingdom

The UK has not enacted a unified AI Act as of April 2026. AI regulation operates through existing law and regulatory guidance:

Applicable existing law

  • UK GDPR and Data Protection Act 2018: processing personal data through AI
  • Equality Act 2010: discrimination liability for AI-driven decisions affecting protected groups
  • Employment Rights Act 1996: AI use in dismissal and disciplinary processes
  • Consumer Rights Act 2015: AI-driven product recommendations and services
  • Financial Services and Markets Act: AI in regulated financial services

Regulatory guidance (advisory, not binding, though regulators enforce the underlying law)

  • ICO (Information Commissioner's Office): AI and data protection guidance, including automated decision-making and profiling
  • ACAS: workplace AI guidance on consultation, fairness, and due process
  • CIPD (professional HR body, not a regulator): guidance on AI integration in HR practice
  • EHRC: equality implications of AI in employment
  • FCA: AI in financial services
  • Ofcom: AI in online services and deepfakes

Proposed UK framework

Since the March 2023 white paper "A pro-innovation approach to AI regulation", the UK government has favoured a sector-by-sector approach led by existing regulators rather than a unified Act. As of April 2026 that remains the position. Monitor the Department for Science, Innovation and Technology (DSIT) for updates.

United States

No federal AI law as of April 2026. Regulation is a patchwork of state laws, agency guidance, and existing federal law applied to AI:

State laws

  • Illinois AI Video Interview Act (in force since 2020): notice and consent for AI analysis of video interviews
  • Illinois HB 3773 (amends the Illinois Human Rights Act, effective 1 January 2026): notice when AI is used in employment decisions, and a prohibition on discriminatory use
  • Colorado AI Act (SB24-205): anti-discrimination and impact-assessment requirements for high-risk AI; effective date delayed to 30 June 2026
  • New York City Local Law 144: automated employment decision tools require an annual independent bias audit and notice to candidates
  • California AB 2013 (effective 1 January 2026): public disclosure of training data summaries for generative AI
  • Utah AI Policy Act: consumer protection and disclosure requirements in AI interactions

Federal guidance (non-binding unless cited by specific agency rule)

  • NIST AI Risk Management Framework
  • EEOC guidance on AI in employment decisions
  • FTC enforcement actions on deceptive AI claims
  • Executive Orders from successive administrations (subject to change)

Other major jurisdictions

  • Canada: AIDA (Artificial Intelligence and Data Act, part of Bill C-27) died on the order paper when Parliament was prorogued in January 2025; check whether a successor bill has been tabled
  • China: Algorithmic Recommendations Regulation, Deep Synthesis Regulation, Generative AI Measures
  • Japan: AI Governance Guidelines (soft law, 2026 update)
  • Australia: Voluntary AI Safety Standard, proposed mandatory framework
  • Brazil: Draft AI law in Congress
  • Singapore: Model AI Governance Framework (non-binding)

What this means for a small UK agency

If you are a UK small business with UK-only users:

  • UK GDPR and Equality Act are your primary concerns
  • ACAS and CIPD guidance should shape your workplace AI policies
  • Monitor DSIT for framework updates

If you are a UK small business with EU users:

  • The EU AI Act already applies to your EU-facing products: the prohibited-practice rules have applied since 2 February 2025, and the high-risk obligations apply from 2 August 2026
  • You must comply with the EU framework for those products, and GDPR applies alongside it
  • Getting compliance right costs money; getting it wrong costs more

If you are a UK small business with US users:

  • State-by-state analysis is required
  • Employment-related AI tools face the strictest rules (Illinois, New York, Colorado)
  • Monitor state legislative activity

Concrete recommendations

  1. Consult a lawyer at least once. Even a short engagement with a technology or employment lawyer to review your highest-risk AI uses is cheaper than a regulatory action.

  2. Document decisions. When you choose an AI architecture or deployment pattern, write down why. If a regulator asks, you need to show your working.

  3. Design to the strictest plausible regulation. For most small businesses, this means the EU AI Act is the baseline. Designing to the Act's requirements now avoids retrofit costs later.

  4. Monitor quarterly. Regulation is moving fast. Schedule a quarterly review of relevant guidance in your jurisdictions.

  5. Bias audits. If your AI touches employment, credit, housing, or any protected-group-relevant decision, bias audits are becoming standard and are already mandatory in some places (New York City requires them for hiring tools). Budget for them, and keep the results with your decision records.

Sources

Compiled by Richard Bland (human) and Serene [AI], April 2026. Check dates on all sources and verify current status before relying on any specific provision.