Introduction
This period shows UK AI governance becoming more operational: Ofcom is now issuing repeat Online Safety Act penalties and activating the fees regime; government teams are rolling out practical ethics tooling for AI use in public services; and cyber resilience legislation is moving through Parliament with the ICO setting out what expanded oversight could mean for digital and managed service providers. EU sandbox implementation work and wider transatlantic friction around online regulation remain important for UK organisations with cross-border exposure.
1. Executive snapshot
- Ofcom fined a file-sharing service £20,000 under the Online Safety Act for failing to respond to legally binding information requests, signalling that procedural compliance and record-keeping are now enforcement priorities. The Online Safety fees regime is now live (threshold regulations in force from 11 December 2025) and the initial notification window is open until 11 April 2026.
- The Government Digital Service published a refreshed Data and AI Ethics Framework plus a self-assessment tool aimed at embedding lifecycle governance for public-sector AI and data projects.
- DSIT highlighted active workstreams on software security and AI security, alongside the Cyber Security and Resilience Bill agenda.
- The ICO published its formal response to the Cyber Security and Resilience (NIS) Bill, supporting expanded powers and scope, while flagging the need for clarity in secondary legislation.
- The European Commission is taking feedback on a draft implementing act for AI regulatory sandboxes under the AI Act (consultation open 2 December 2025).
2. UK regulators and enforcement
2.1 Ofcom: Online Safety Act penalties and process compliance
- Ofcom issued a £20,000 fine against an online file-sharing service for failing to comply with statutory information requests, reinforcing that Ofcom will enforce not just substantive duties but also cooperation, documentation and timely responses.
- Context for providers: Ofcom’s wider enforcement posture includes an ongoing programme monitoring children’s risk assessment and record-keeping duties (last updated 4 December 2025).
2.2 Online Safety fees: the regime is now operational
- Ofcom confirms the fees regime is live from 11 December 2025, with the initial charging year set as 2026/27 and notifications due by 11 April 2026.
- The statutory instrument confirms commencement on 11 December 2025 and UK-wide extent.
- DSIT’s letter accepts Ofcom’s recommended £250 million qualifying worldwide revenue threshold, shaping which services must notify and pay fees.
3. Public-sector AI governance and adoption
3.1 New Data and AI Ethics Framework and self-assessment tool (GDS)
- GDS presented the self-assessment tool as part of a “robust governance process”, designed to be revisited throughout a project lifecycle, especially when projects change.
- GOV.UK’s framework page now explicitly directs AI teams to use the Data and AI Ethics Self-Assessment Tool to capture information and share learnings.
4. Cyber resilience and AI security governance signals
4.1 Cyber Security and Resilience (NIS) Bill: parliamentary progress and regulatory posture
- The Bill was introduced for first reading on 12 November 2025 and is progressing as a UK-wide reform of the NIS Regulations 2018.
- The ICO’s published response supports expanding scope to managed service providers and strengthening regulators’ tools, while stressing that secondary legislation will need clarity on incident reporting thresholds, security requirements, critical supplier criteria and enforcement mechanics.
4.2 DSIT signals on AI security workstreams
- DSIT’s December cyber security newsletter explicitly invites engagement on AI security alongside software security, placing AI security within mainstream national cyber resilience activity.
5. EU and international context relevant to UK organisations
5.1 EU AI Act sandboxes: implementation mechanics
- The Commission is collecting feedback on rules for establishing and operating AI regulatory sandboxes under the AI Act.
5.2 Cross-border pressure around online safety regulation
- Reporting (Guardian) highlights growing transatlantic tension around European online safety regimes, with the UK Online Safety Act referenced as part of the wider conflict over platform governance and speech.
6. Key dates to track
- Online Safety fees notifications (initial charging year): window open until 11 April 2026.
- EU AI regulatory sandboxes consultation: closes 13 January 2026.
- ICO enforcement procedural guidance consultation: closes 23 January 2026.
Conclusion
This fortnight is less about new high-level AI strategy and more about governance becoming concrete. Ofcom is enforcing procedural duties and switching on the funding mechanics for ongoing supervision; the UK public sector is standardising ethics and governance tooling for AI projects; and cyber resilience reforms are advancing with the ICO mapping how expanded oversight should work in complex digital supply chains.
Sources: Ofcom, DSIT, GOV.UK, GDS, ICO, UK Parliament, European Commission, The Guardian