Independent data-protection authority. Enforces UK GDPR + Data Protection Act 2018 + PECR. Authority for DSAR enforcement, breach reporting (72h), DPIA review, age-appropriate design code.
UK regulators. UK adequacy. UK clinical safety. All in one platform.
ReguNav ships 24 frameworks; six of them are anchored directly to UK regulators or UK national standards. Whether you're an NHS supplier facing MHRA AI Airlock, a fintech inside the FCA perimeter, an essential service under NCSC CAF, or a SaaS platform under ICO authority — the UK regulator anchors are first-class on the platform, not an afterthought translation of an EU regime.
UK regulator landscape
Every UK control on the platform is anchored to a named regulator artefact. If the regulator updates their guidance, the framework registry gets the bump and every dependent control on your platform inherits it.
MHRA (Medicines & Healthcare products Regulatory Agency)
Healthcare AI · medical devices · SaMD/AIaMD
Regulator for medicines + medical devices in the UK. Runs the AI Airlock regulatory sandbox for AI-as-a-Medical-Device. Operates the SaMD/AIaMD Change Programme + the 2025 Post-Market Surveillance regulations.
UK technical authority for cyber. Publishes the Cyber Assessment Framework (CAF) — outcome-based controls for operators of essential services (NIS-UK) — plus Active Cyber Defence + secure-design principles.
UK financial-services regulator. SYSC handbook for systems + controls, AI/ML model risk + outsourcing (SYSC 8), operational-resilience (PS21/3), AI in financial services discussion paper DP5/22.
Bank of England prudential regulator. SS1/23 model risk management principles — applies to AI/ML models in PRA-regulated firms. SS2/21 ICT operational risk + resilience.
UK communications regulator + enforcer of the Online Safety Act 2023. Illegal-content + child-safety duties on regulated services. Codes of practice + transparency reporting.
DSIT (Department for Science, Innovation & Technology)
UK AI policy · Digital Regulation Cooperation Forum
Sponsoring department for UK AI policy. Co-ordinates the AI White Paper principles regulator approach (rather than a single AI Act). Hosts the AI Safety Institute + the DRCF inter-regulator forum.
NHS commissioning + digital authority. Owns the DCB0129 (manufacturer) + DCB0160 (deployment org) clinical-safety standards, NHS App + Login, DSPT data-security toolkit for NHS suppliers.
UK-specific frameworks on the platform
Post-Brexit UK data-protection regime. UK adequacy regulations, Schedule 2 exemptions, DSAR right-to-information, accountability + DPIA + breach notification — all anchored to ICO authority. Crosswalked to GDPR (EU 2016/679) + ISO/IEC 27701.
MHRA AI Airlock anchored. Eight clauses cover agent identification, clinical safety + risk, data provenance, human oversight, post-market monitoring, transparency, SaMD/AIaMD change management, and agent decision replay. Crosswalked to EU AI Act + ISO 42001 + HIPAA.
NIS-UK · Network & Information Systems Regulations 2018
NCSC CAF · 4 objectives · 14 principles
UK transposition of the EU NIS Directive (post-Brexit, retained). Operators of Essential Services + Relevant Digital Service Providers — covered by NCSC CAF outcome-based controls. Reform via the Cyber Security & Resilience Bill in flight.
FCA SYSC + PRA SS2/21 (UK operational-resilience equivalent)
Crosswalked to DORA via SYSC + SS2/21
UK doesn't transpose DORA, but FCA PS21/3 + PRA SS2/21 + the Building Operational Resilience consultation paper deliver an analogous regime for financial-services ICT resilience. ReguNav crosswalks SYSC + SS2/21 to DORA's Art. 5–24 so a single control programme satisfies both.
Online Safety Act 2023
Phased commencement · Ofcom-supervised
Duties of care on user-to-user + search services. Illegal-content + (for in-scope) child-safety duties, codes of practice, transparency reporting, risk assessment. Enforced by Ofcom from 2025 onwards in phased commencement.
UK national standard for healthcare-AI validation. Transparency + robustness + post-deployment monitoring across the AI lifecycle. Pairs with HAARF as the underlying assurance framework.
UK SaaS, fintech, healthcare-AI, or essential-service?
We work with ICO-supervised SaaS, MHRA AI Airlock participants, FCA/PRA-regulated firms, and NIS-UK operators of essential services. Every UK regulator anchor is one framework module away.
ReguNav is registered with the ICO as a data controller + processor. All UK customer data resides in the eu-central-1 (Frankfurt) region with London edge presence; full data-residency election available on Enterprise tier. See /security + /legal/dpa.