nudgecompliant
Global compliance guide

UK Technology Compliance Hub

Plain English guide to tech regulation in the UK — updated July 2026

Start your free UK compliance audit

1. UK GDPR

What it is
The UK's core rules for collecting, using, sharing, and protecting personal data.
Who it applies to
Controllers and processors handling personal data in the UK, including overseas organisations targeting UK residents.
Key deadlines
Ongoing. Certain personal-data breaches must be reported within 72 hours.
Penalties for non-compliance
The ICO can issue fines up to £17.5 million or 4% of worldwide annual turnover, whichever is higher.

Not sure if this applies to you? The free audit takes 4 minutes.

Find out where you stand →

2. UK AI Bill (anticipated)

What it is
Emerging UK AI legislation expected to build on regulator-led principles. Final scope and wording are not yet settled.
Who it applies to
Likely to focus first on powerful AI models and higher-impact uses; ordinary businesses should treat current requirements as preparation, not enacted duties.
Key deadlines
No enacted compliance deadline. Monitor legislative developments through 2026/27.
Penalties for non-compliance
No statutory penalties exist until legislation is passed and commenced.

Not sure if this applies to you? The free audit takes 4 minutes.

Find out where you stand →

3. UK NIS regime and NIS2 alignment

What it is
The UK retained its own NIS Regulations after Brexit and is developing broader cyber-security and resilience reforms; it is not directly implementing EU NIS2.
Who it applies to
Operators of essential services, relevant digital service providers, and potentially managed service providers under proposed reforms.
Key deadlines
Current NIS duties are ongoing. New scope and reporting dates depend on final UK legislation.
Penalties for non-compliance
Current NIS enforcement can reach £17 million for the most serious contraventions.

Not sure if this applies to you? The free audit takes 4 minutes.

Find out where you stand →

4. Cyber Essentials

What it is
A government-backed certification scheme covering five practical technical security controls.
Who it applies to
Organisations seeking stronger baseline security or bidding for certain UK government contracts.
Key deadlines
Certification is renewed annually; procurement deadlines depend on the contract.
Penalties for non-compliance
No regulatory fine, but missing certification can block contracts and increase insurance or customer scrutiny.

Not sure if this applies to you? The free audit takes 4 minutes.

Find out where you stand →

5. DORA for financial services

What it is
EU operational-resilience rules that can affect UK firms serving EU financial entities or providing critical ICT services.
Who it applies to
EU-regulated financial entities and their ICT supply chains, including some UK service providers by contract or designation.
Key deadlines
Applied from 17 January 2025. Contract, register, testing, and incident duties are ongoing.
Penalties for non-compliance
Penalties vary by EU member state; designated critical ICT providers can face periodic penalty payments.

Not sure if this applies to you? The free audit takes 4 minutes.

Find out where you stand →

6. Product Security and Telecommunications Infrastructure Act

What it is
Security requirements for consumer-connectable products, including password, vulnerability-reporting, and support-period duties.
Who it applies to
Manufacturers, importers, and distributors placing consumer-connectable products on the UK market.
Key deadlines
The product-security regime has applied since 29 April 2024.
Penalties for non-compliance
Maximum fines can reach £10 million or 4% of qualifying worldwide revenue, whichever is greater.

Not sure if this applies to you? The free audit takes 4 minutes.

Find out where you stand →

Operating across borders?

Operating across multiple jurisdictions? NudgeCompliant maps your obligations across all of them in one audit.

Start your free UK compliance audit

Related regulation hubs

This guide is for information only — not legal advice. Requirements change, so confirm critical decisions with a qualified professional.

Find out where you stand. About 4 minutes.

Tell us what technology you use and where you operate. Get a plain-English readout of what matters — and what doesn't.

Check my tools →

No account. No card. Start with the obligations that matter now.