UK AI regulation: King’s Speech, Crime Act and ICO converge in May

TL;DR:

  • The Crime and Policing Act 2026 received Royal Assent on 29 April and creates new criminal offences for AI tools optimised to generate CSAM, deepfake intimate imagery and “purported intimate image generators” — extending corporate as well as individual liability.
  • The King’s Speech 2026 contains no fresh primary AI legislation but puts regulatory sandboxes onto a statutory footing via a Regulating for Growth Bill, while the Police Reform Bill creates a new facial-recognition regulator.
  • For UK businesses, the practical effect is that AI compliance now sits at the intersection of online-safety, equalities, privacy and criminal law — and the government has explicitly retreated from its earlier copyright proposals.

May’s UK AI regulatory output is dense rather than headline-grabbing, but several pieces converge to shift the compliance picture for businesses deploying or building AI products. Law firm Osborne Clarke’s regulatory outlook draws together the Crime and Policing Act 2026 (CPA), the King’s Speech, new ICO cyber guidance and the government’s response to the House of Lords copyright report into a single regulatory map.

Crime and Policing Act 2026: AI now in criminal law

The CPA, which received Royal Assent on 29 April, amends the Online Safety Act 2023 to give ministers powers to regulate “illegal AI-generated content” and “AI services” used to commit priority offences. Existing offences relating to deepfake intimate imagery are made priority offences under the OSA, meaning regulated platforms must not only remove such content but take steps to prevent it appearing in the first place.

The CPA also creates two new criminal offences: making, adapting or supplying a “CSA image-generator” (an AI model optimised to produce child sexual abuse material), and making or supplying a “thing” — including a programme, service or piece of information — used as a generator of “purported intimate images” (deepfakes). Both offences apply to corporate bodies as well as individuals, sharply increasing the corporate-liability picture for AI vendors and platforms operating in the UK.

What the King’s Speech does and does not do

King Charles III opened Parliament on 13 May with 37 bills, none of which represent fresh primary AI legislation. The Regulating for Growth Bill formalises regulatory sandboxes on a statutory footing, allowing temporary relaxation of existing rules to test innovative AI products in real-world settings. The Police Reform Bill creates a new legal framework for facial recognition and similar technologies, including an independent regulator. Notably absent: any plan to revisit the AI-and-copyright settlement.

The government’s response to the House of Lords Communications and Digital Committee report on AI and copyright confirms it “no longer has a preferred option” on the underlying copyright reform question. Instead, it points to forthcoming work on AI labelling, digital replicas, creator-control mechanisms and a Creative Content Exchange.

ICO cyber guidance and EU AI Act developments

The ICO has issued five practical steps for organisations facing AI-powered cyber threats — including AI-enhanced phishing, deepfake social engineering, automated vulnerability exploitation and indirect prompt injection — alongside the existing AI Cyber Security Code of Practice. The guidance treats AI integration into access control as a privacy and security concern in its own right.

In parallel, EU legislators reached a provisional Digital Omnibus on AI agreement on 7 May, including a fixed timeline for high-risk AI rules and a new prohibition on AI systems generating non-consensual sexual content. The EU AI Act’s high-risk provisions remain scheduled for 2 August 2026, subject to formal adoption.

Looking forward

UK firms deploying AI now operate within a layered framework: criminal liability under the CPA, sectoral rules under the FCA, ICO and Ofcom regimes, and the EU AI Act where they touch the European market. The absence of a single UK AI Act is starting to look less like a gap and more like deliberate policy — but the cumulative compliance burden is no less for that.