• Jessica Forbes, Chris Probert and Ife Ajelabi
  • 10 September 2025

Generative and Agentic AI are enabling new frontiers of innovation, and regulators are racing to catch up. The UK’s new Data (Use and Access) Act 2025 (DUAA) lays important groundwork for how data can be accessed and reused. However, the DUAA is not an AI law; instead, it amends existing UK data protection frameworks (UK GDPR and DPA 2018) to enhance data access and interoperability – the cornerstones of successful AI adoption.

With the EU AI Act set to be fully implemented by August 2026, several countries – including the UK – have signaled alternative paths forward. Financial services and energy firms accordingly face a widening divergence in rules, risk expectations and ethical standards. This is a defining moment, as navigating this complexity will be key to future success. Organizations that proactively align AI governance with both UK and EU standards, even in the absence of any legal obligation, will be better positioned to scale safely, compliantly and competitively.

The current state of AI regulation: UK & EU

The EU AI Act, which formally entered into force in August 2024, is the world’s first comprehensive legal framework for AI. It classifies systems by risk level, bans certain use cases outright, and imposes strict obligations on high-risk systems, including those used in credit scoring, biometric ID and critical infrastructure.

For its part, the UK has pursued a decentralized, principles-based approach. Rather than a single AI law, the UK government has issued a cross-sector framework based on five core values – safety, transparency, fairness, accountability and contestability – to be interpreted and enforced by industry regulators such as the Financial Conduct Authority and Ofgem. The UK’s approach remains non-statutory as of mid-2025, though sector regulators are expected to issue more binding guidance during 2025 and 2026. Financial services firms should track updates from the FCA’s AI risk framework and the Bank of England’s supervisory tech agenda.

Capco’s perspective – Financial services and energy firms operating across jurisdictions should view the EU AI Act as a default governance baseline, even where they are not legally bound by it. The UK’s flexible approach offers room for innovation, but firms must define their own thresholds for risk, transparency and assurance. This means establishing internal AI classification matrices, model risk scoring frameworks and sector-specific policy overlays. While there is potential for regulatory arbitrage, there are ethical considerations to weigh; such a step would in any case need to be supported by robust AI governance frameworks to manage compliance risks. Moreover, aligning to the most robust standard now will future-proof operations and substantially reduce the cost of compliance divergence later.



Download the full white paper to access:

1. GenAI in focus: new power, new pressure

2. Operating across borders: the regulatory reality

3. The intersection with DUAA: what's missing, and what to build

4. DUAA as a catalyst to unlock new AI opportunities

5. Practical steps that firms should take now

Unlock the full Compliance and Controls series
Download any article today and we’ll send you the entire three-part series straight to your inbox. Gain expert insights on how AI is reshaping compliance and controls, understand the regulatory landscape across the EU and UK, and explore how GenAI is transforming third-party risk management.
How AI is reshaping risk, compliance and control in regulated industries

Paper 1

Table of contents

1. The compliance opportunity: where AI actually delivers
2. Use case in action: turning potential into proven impact
3. These success stories share four key enablers
4. Risk and mitigation strategies
5. The rise of Agentic AI: a new chapter for compliance and control
6. Making it real: AI-powered compliance with Capco's Compliance Assist
7. Build smarter compliance today
8. Compliance as a catalyst


Beyond the Checklist: GenAI-driven third-party risk assessments & due diligence

Paper 3

Table of contents

1. Why focus on due diligence and risk assessments?
2. Today's key challenges
3. How to respond: role of AI and implementation
4. Selecting the right GenAI strategies
5. Unlocking real value from AI
6. How Capco can help
