King’s Speech sets out cyber and AI regulatory overhaul for UK
TL;DR:
- The government’s King’s Speech package combines Computer Misuse Act reform, a Cyber Security and Resilience Bill, a Regulating for Growth Bill addressing AI, and a Financial Services Bill into a single legislative push.
- The Regulating for Growth Bill is the first concrete UK statutory framework for AI oversight since the 2023 White Paper, and follows three years of “pro-innovation” guidance without primary legislation.
- Industry data cited in the package: 70% of UK businesses now use AI but only 7% deploy it extensively in day-to-day operations — a gap the legislation explicitly aims to close.
The Computer Misuse Act element is the most overdue of the four. The 1990 statute has left UK security researchers exposed to criminal liability for legitimate testing — an issue the CyberUp Campaign has lobbied on for years. CyberUp’s response that “cyber professionals cannot be expected to defend the country with one hand tied behind their backs” frames the change as a national-resilience question rather than a niche legal one.
Cyber resilience extends to managed service providers
The Cyber Security and Resilience Bill broadens the regulatory perimeter to managed IT service providers and data centres, alongside tougher incident-reporting requirements across critical digital supply chains. The expansion mirrors the EU’s NIS2 directive in scope, though enforcement detail is yet to be published. Rob Demain, CEO of e2e-assure, framed the bill as a “British capability” play, citing UK cybersecurity sector revenue of £14.7 billion across 2,603 active firms.
UK angle: a regulatory framework, not a regulator
The Regulating for Growth Bill is the headline AI item, but its design intentionally avoids creating a single AI super-regulator. Existing sectoral regulators — Ofcom, CMA, ICO, FCA, MHRA — keep their AI oversight remits, with the new framework providing coordination, common definitions, and statutory backing for the AI Safety Institute’s role. That is the same approach the EU rejected in favour of the AI Office, and the contrast will matter for UK firms operating across both markets.
Looking forward
Three things to watch. First, whether the digital-identity scheme — confirmed in the same package as a separate voluntary framework — passes alongside the AI Bill or as standalone legislation. Second, whether the Regulating for Growth Bill includes the kind of HRAIS-style high-risk categorisations the EU AI Act introduced this week (mid-cap simplifications extended to companies up to 750 employees). Third, whether HMRC’s £175 million Quantexa contract, also confirmed this week, becomes a template the new framework codifies. The bill text is expected before recess.