A Comprehensive Cross-Jurisdiction Summary: EU, UK and USA
What applies to an AI product or service used in each market
This summary maps the principal laws and regulations that bear on an AI product or service used in the European Union, the United Kingdom and the United States. Two points frame everything that follows. First, in none of these markets is AI governed by a single instrument: dedicated AI rules sit alongside data-protection, consumer, anti-discrimination, sector and product-liability law, and it is the combination that applies. Second, this is among the fastest-moving areas of law anywhere; the position is stated as at June 2026 and should be checked before being relied upon.
⚠ A note on direction of travel
The EU is consolidating a single, comprehensive regime (now being fine-tuned, with some deadlines proposed to move). The UK continues to apply existing law through sector regulators rather than a dedicated AI statute. The US is the most volatile: a dense and growing body of state law, federal enforcement under existing statutes, and an active federal effort to curtail state rules. Treat the US position in particular as provisional.
Part 1 – European Union
The EU has the most developed and prescriptive regime. An AI product used in the EU typically engages several instruments at once.
The AI Act (Regulation (EU) 2024/1689)
The centrepiece: a comprehensive, risk-based regime applying across all member states, with extraterritorial reach to non-EU businesses whose systems are placed on the EU market or whose outputs are used in the EU. It classifies systems into prohibited, high-risk, limited-risk (transparency) and minimal-risk tiers, with general-purpose AI (GPAI) models treated separately. Obligations differ by role: provider, deployer, importer, distributor.
- Phasing: prohibited practices and AI-literacy duties since February 2025; GPAI model obligations since August 2025; the bulk of high-risk obligations due from 2 August 2026; AI embedded in regulated products from 2 August 2027.
- Penalties: up to the higher of €35 million or 7% of global annual turnover for prohibited-practice breaches, with lower tiers for other infringements.
The “Digital Omnibus” package, under negotiation in 2026, is expected to adjust parts of the Act, including potentially moving certain high-risk application dates towards December 2027 and easing the use of special-category data for bias detection. As at June 2026 these changes are not yet finalised; plan against the existing dates and confirm the current position.
Data protection – GDPR and the ePrivacy regime
The General Data Protection Regulation applies in full to any AI that processes personal data, and the AI Act is expressly without prejudice to it. A lawful basis is needed for personal data used in training, deployment and monitoring; the AI Act creates no new basis. A Data Protection Impact Assessment may be required under Article 35 GDPR, sitting alongside (and overlapping with) the AI Act’s Fundamental Rights Impact Assessment. Article 22 GDPR restricts solely automated decisions producing legal or similarly significant effects, independently of the AI Act. The ePrivacy rules apply where AI touches electronic communications or device data.
Product liability and safety
The revised Product Liability Directive ((EU) 2024/2853), in force from December 2024 and to be transposed by 9 December 2026, explicitly brings software, and therefore AI, within the no-fault product-liability regime, and links defectiveness to compliance with product-safety law such as the AI Act. Non-compliance with the AI Act can therefore translate into liability exposure. The separate AI Liability Directive, which would have eased fault-based claims, was withdrawn. The General Product Safety Regulation and sector product rules (e.g. the Machinery Regulation, medical-device rules) may also apply.
The surrounding digital rulebook
Depending on the product, other EU instruments bite: the Digital Services Act (where AI is embedded in intermediary or platform services), the Digital Markets Act (for designated gatekeepers), the Data Act (data access and sharing), and the Cyber Resilience Act (security of products with digital elements). Anti-discrimination and consumer-protection law apply throughout.
EU – at a glance
| Instrument | What it covers for AI | Status |
| --- | --- | --- |
| AI Act 2024/1689 | Risk-based AI-specific regime; provider/deployer duties | Phasing to 2027 |
| GDPR | Any AI processing personal data; DPIA; Art. 22 ADM | In force |
| Product Liability Directive 2024/2853 | No-fault liability extended to software/AI | Transpose by Dec 2026 |
| DSA / DMA | AI in platforms; gatekeeper duties | In force |
| Data Act / Cyber Resilience Act | Data access/sharing; product security | Phasing |
Part 2 – United Kingdom
The UK has deliberately chosen not to enact a comprehensive AI statute. Instead it applies five cross-cutting principles (safety and security; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress) through existing sector regulators using their existing powers. There is, accordingly, no single “AI rulebook”; obligations depend on the system and the regulator whose remit it falls within. A dedicated AI Bill has been signalled but, as at June 2026, no comprehensive AI statute is in force, and none is expected imminently.
Data protection – UK GDPR, DPA 2018 and the DUAA 2025
The most widely engaged regime. The UK GDPR and Data Protection Act 2018 apply to any AI processing personal data. The Data (Use and Access) Act 2025, with data-protection provisions in force from early 2026, made the most significant change: it reshaped the rules on solely automated decision-making, replacing the near-blanket prohibition formerly in Article 22 with a conditions-based approach, and putting weight on whether there is “meaningful human involvement”. The Information Commissioner’s Office is the central regulator and has extensive AI guidance.
Sector regulators applying existing law
Beyond data protection, AI is policed by whichever regulator owns the domain, applying existing statutes:
- Financial Conduct Authority and Prudential Regulation Authority – AI in financial services, model risk and governance.
- Ofcom – AI in online services and communications, including duties under the Online Safety Act.
- Competition and Markets Authority – competition and consumer protection; note significant fining powers for unfair commercial practices under the Digital Markets, Competition and Consumers Act 2024, which makes overstated AI claims a real hazard.
- Medicines and Healthcare products Regulatory Agency – AI as a medical device.
- Equality and Human Rights Commission – the Equality Act 2010 applies to discriminatory AI outcomes.
General law of course continues to apply: contract, negligence, consumer rights, intellectual property and confidentiality all bear on AI products.
⚠ UK reach of the EU regime
A UK business is not insulated from the EU AI Act. If its AI is placed on the EU market or affects people in the EU, the Act can apply, and a UK provider of a high-risk system may need an EU authorised representative. Many UK businesses will in practice be governed more by the EU Act than by domestic AI rules.
Part 3 – United States
The US has no comprehensive federal AI statute. Compliance is assembled from three layers: federal enforcement under existing law; a large and fast-growing body of state law; and sector-specific rules. The position is unusually unsettled because the federal government is actively trying to curtail state AI laws.
Federal: existing law applied by agencies
- Federal Trade Commission – Section 5 of the FTC Act reaches deceptive or unfair AI practices, including unsubstantiated capability claims (“AI washing”) and, on the FTC’s stated view, foreseeable misuse of AI tools released without reasonable safeguards.
- Anti-discrimination law – Title VII, the ADA and ADEA (employment), and ECOA, the Fair Housing Act and FCRA (credit, housing, background screening) apply to AI-driven decisions, including where a third-party model does the deciding.
- Sector regulators – SEC and FINRA (securities), banking regulators and the CFPB (lending, adverse-action explainability), FDA (AI-enabled medical devices), and HIPAA (health data).
- Children – COPPA governs data from under-13s, a category expressly carved out of federal pre-emption efforts.
State law – the centre of gravity
State legislation is where most binding AI-specific obligation now sits, and the volume is large: well over a thousand AI-related bills were introduced across the states in early 2026 alone. The most significant in force or imminent include:
- Colorado AI Act (SB 24-205) – duties of reasonable care on developers and deployers of high-risk AI to guard against algorithmic discrimination; effective 30 June 2026 (delayed from February). The one state law named in the December 2025 federal executive order.
- Texas Responsible AI Governance Act (TRAIGA) – in force since 1 January 2026; narrowed in passage to focus largely on government use, with categorical bans on certain manipulative, discriminatory and abusive uses, plus a regulatory sandbox.
- California – the Transparency in Frontier Artificial Intelligence Act (frontier developers); CCPA/CPRA automated decision-making technology regulations in force since 1 January 2026; AB 2013 training-data transparency; and health-care generative-AI disclosure rules.
- Illinois – BIPA (biometric data, with a private right of action and substantial statutory damages); the AI Video Interview Act; and Human Rights Act amendments on AI in employment.
- New York City – Local Law 144 bias-audit requirement for automated employment decision tools.
Many comprehensive state privacy laws (e.g. in Connecticut, Virginia and others) also regulate profiling and automated decisions, and several states have standalone biometric statutes. A business operating nationally faces overlapping and sometimes conflicting definitions, and is generally best served by a “highest common denominator” posture.
⚠ Federal–state pre-emption is being actively contested
A December 2025 executive order (EO 14365) asserted federal authority to challenge state AI laws and stood up a DOJ litigation task force; the administration has also recommended federal pre-emption legislation to Congress. But an executive order does not itself repeal state law, Congress has not enacted pre-emption, and a bipartisan group of state attorneys general opposes it. The prudent course, echoed across practitioner guidance, is to keep complying with state AI laws until the courts or Congress provide clarity. Child-safety, AI-infrastructure and state-government-use rules were expressly excluded from the pre-emption effort.
US framework standard
Though voluntary, the NIST AI Risk Management Framework (and ISO/IEC 42001) function as the de facto baseline: expected by procurement teams and insurers, and treated under some state laws (including Colorado and Texas) as evidence of reasonable care or a route to an affirmative defence.
Cross-cutting themes
Four threads run across all three markets and are worth holding in mind whatever the footprint:
- No single law governs AI anywhere. Data-protection, anti-discrimination, consumer and product-liability law apply in every market regardless of dedicated AI rules.
- Extraterritorial reach is the norm. The EU AI Act and GDPR, and many US state laws, can apply to businesses with no local establishment where their AI reaches local users.
- Recognised frameworks are converging. The NIST AI RMF and ISO/IEC 42001 are emerging as a common compliance language across jurisdictions.
- Documentation is the connective tissue. In each market the ability to evidence what a system does, how it was tested and how risks were managed is central to demonstrating compliance.
The three jurisdictions compared
| | European Union | United Kingdom | United States |
| --- | --- | --- | --- |
| Model | Single comprehensive AI law plus digital rulebook | Principles applied by existing sector regulators | Federal enforcement + state patchwork + sector rules |
| Dedicated AI statute? | Yes – the AI Act | No (none in force) | No federal; many state laws |
| Lead data regime | GDPR | UK GDPR / DPA 2018 / DUAA 2025 | State privacy laws; sector rules |
| Predictability | High | Moderate | Low – actively contested |
How we can help
360 Business Law help businesses work out precisely which of these regimes apply to a given AI product or service, in each market it touches, and translate that into a practical compliance plan, covering classification, data protection, contracting, liability and governance. If you would like this summary tailored to a specific product, sector or set of markets, we would be glad to assist.
This summary is general information current as at June 2026 and does not constitute legal advice. It is necessarily high-level, is not exhaustive, and omits many sector-specific and sub-national rules. The law in this field is changing rapidly, notably the EU Digital Omnibus negotiations and the US federal–state pre-emption dispute, and specific advice should be obtained before acting. To discuss how these regimes apply to your business, contact Robert Taylor, CEO & General Counsel, at r.taylor@360businesslaw.com.

