King’s Speech 2026: Three Bills, No AI Act, and the Word “Growth” Forty-Seven Times

Yesterday’s State Opening of Parliament included three Bills of direct relevance to technology, AI, and cyber law. It did not include a standalone AI Act. That absence tells you more about the UK’s regulatory strategy than any of the Bills themselves.

What Did the King’s Speech Say About Cyber Security?

The Cyber Security and Resilience Bill has been carried over from the previous parliamentary session. It is intended to update existing Network and Information Systems regulations to protect essential services from cyberattacks, expand regulatory scope to cover more digital services and supply chains, strengthen reporting requirements, and introduce new enforcement powers including significant fines for non-compliance with breach reporting obligations.

The Bill is widely seen as the UK’s response to falling behind the EU’s updated NIS2 Directive. As one industry commentator noted, cyber incidents are now making a tangible impact on the bottom line for businesses, with reports of revenue and share value loss after breaches more than doubling year on year. Reputational damage is also climbing.

The National Security Bill, announced alongside, will update the Computer Misuse Act 1990, giving law enforcement modern powers for the digital age. This includes a new Cyber Crime Risk Order to control the behaviour of cyber criminals and, notably, new protections for cybersecurity researchers and professionals who test systems as part of their work. The campaign to reform the Computer Misuse Act has been running for years, and its inclusion is welcome.

What Is the Regulating for Growth Bill and What Does It Mean for AI?

The Regulating for Growth Bill is the most interesting announcement for AI governance, despite not being an AI Bill at all.

The Bill creates cross-economy sandboxing powers, giving the government legal authority to temporarily relax existing rules within controlled environments so that businesses can test new products and technologies in real-world settings. The briefing notes specifically reference "cross-cutting AI sandboxes" that enable "responsible testing and adoption of AI-enabled products and services across multiple sectors where existing regulatory frameworks currently slow innovation."

The Bill would also strengthen the Growth Duty on regulators, giving them a "clear, statutory mandate to prioritise growth" alongside their core functions. Ministers would gain a new statutory power to issue "strategic steers" to regulators. This chimes with the AI Opportunities Action Plan, under which 19 regulators were written to in January 2026 asking them to publish plans for enabling safe AI-powered innovation.

For businesses, the practical implication is that the UK’s approach to AI regulation is incremental rather than comprehensive. Instead of a single AI Act (as the EU has), the UK is threading AI through sector-specific reform, amended existing legislation (the Crime and Policing Act 2026 already extended the Online Safety Act to capture more AI chatbots), and regulatory sandbox trials.

Whether this produces a coherent regulatory environment or a patchwork quilt remains to be seen. The Regulating for Growth Bill gives the government the tools to run sandboxes. What it does not give is a clear answer to the question every GC and CTO is asking: what are the rules, and when do they apply to my business?

What About Digital ID?

The Digital Access to Services Bill will establish the legal framework for digital ID. The government has committed to making digital IDs available to those who want them by 2029. The Bill will specify the information the credential contains, how it may be issued, maintained, stored, and verified, and eligibility requirements.

For businesses, this is significant for identity verification, anti-fraud measures, and KYC compliance. For data protection teams, it raises questions about data minimisation, purpose limitation, and the security architecture of a national digital identity system.

Why Was There No Standalone AI Act?

The absence of a standalone AI Bill was expected. Both the Tech Secretary Liz Kendall and AI Minister Kanishka Narayan have repeatedly indicated that the UK will not follow the EU’s path of comprehensive, horizontal AI legislation. The government’s stated preference is for a pro-growth, pro-innovation approach that works through existing regulators and sector-specific reform.

This leaves a gap. The EU AI Act, for all its complexity, provides a single reference framework that businesses can plan against. The UK’s approach requires businesses to navigate multiple sector-specific regimes, an evolving patchwork of amended legislation, and regulatory guidance that varies by industry. For multinational businesses operating in both the UK and EU, the practical consequence is maintaining two compliance frameworks that operate on different principles.

For UK businesses that operate only domestically, the absence of standalone AI legislation creates a different risk: the temptation to assume that the absence of specific AI rules means the absence of AI-related legal exposure. It does not. Data protection law, consumer protection law, product liability, employment law, and the common law of negligence all apply to AI systems today, regardless of whether there is a piece of legislation with "AI" in the title.

What Should Businesses Do Now?

Three immediate actions:

1. If you are subject to NIS regulations, begin preparing for expanded scope and reporting requirements under the Cyber Security and Resilience Bill. The Bill has been carried over, indicating parliamentary priority.

2. Watch the Regulating for Growth Bill for sandbox opportunities relevant to your sector. If your business is deploying AI in a regulated industry, sandboxes may offer a controlled path to testing.

3. Do not treat the absence of a standalone AI Act as the absence of AI regulation. The rules already exist across data protection, consumer law, product liability, and employment law. Your compliance framework should reflect this, not wait for a single piece of legislation that may never arrive.

Rory O’Keeffe is the founder of RMOK Legal, a City of London commercial law practice specialising in AI governance, technology contracts, and fractional general counsel services. He is an SCL-accredited Leading IT Lawyer, AI Committee member of the Society for Computers and Law, and author of AI Advantage (2025

FAQs