For many Cambridge founders building with artificial intelligence, regulation feels like a problem for later. There's a product to ship, customers to win and, often, a funding round to close. Rules can wait. The trouble is that regulatory exposure rarely announces itself politely. It tends to arrive at exactly the moment a company is least prepared for it: the first enterprise customer asking pointed questions about data handling, the first investor running technical due diligence, or the first expansion into a market with its own way of doing things.
The good news is that getting ahead of this doesn't require a legal department. It requires knowing which questions to ask, and when. For AI and machine learning businesses in the Cambridge cluster, where life sciences and fintech sit close together, a little early orientation goes a long way.
The UK's Approach: Principles, not a single rulebook
The UK has deliberately avoided writing one large AI law. Instead, it relies on existing regulators applying a shared set of cross-sector principles, covering safety, transparency, fairness, accountability and contestability. The thinking, set out in the government's pro-innovation approach to AI regulation, is that sector regulators understand their own territory better than a central body would, and that flexible guidance adapts faster than statute.
For a founder, this has a practical upside and a practical catch. The upside is room to move. The catch is that “no single law” doesn't mean “no rules”. It means your obligations are spread across whichever regulators already govern your sector, and you need to know who they are. A diagnostics startup answers to a different set of expectations than a credit-scoring tool, even if both are, underneath, machine learning models. This sector-led model sits within a broader national strategy, which Cambridge Network has set out in more detail, covering the AI Opportunities Action Plan and the UK's wider AI ambitions.
The EU AI Act: Relevant even if you're not based there
If you have users, customers or partners in the European Union, the EU AI Act applies to you regardless of where your company is registered. It takes the opposite approach to the UK: one horizontal law covering all sectors, sorting AI systems into risk tiers, with the heaviest obligations falling on high-risk uses such as those in healthcare, recruitment and credit.
Timing matters here. According to the European Commission's AI Act implementation timeline, the rules for high-risk systems and the broader enforcement regime take effect from 2 August 2026. For a company planning to scale into the EU, that's not a distant date. It's close enough to factor into product decisions being made right now, from how training data is documented to how human oversight is built into the system.
Jurisdiction is Becoming a Strategic Choice
One shift worth watching is how smaller jurisdictions are positioning themselves around AI. Rather than waiting for consensus to settle, some are engaging early, hoping to attract AI-native businesses with clearer, more responsive regulatory environments. The Gibraltar law firm Hassans has explored how smaller jurisdictions approach AI regulation, drawing on Gibraltar's earlier experience with online gaming and distributed ledger technology, where engaging while the rules were still forming proved an advantage.
For most Cambridge founders, the answer won't be to relocate. The point is subtler. Where you incorporate, where you base operations and which markets you enter first all carry regulatory weight, and those decisions are easier to shape early than to unwind later. Jurisdiction has quietly become part of product strategy.
Sector Rules Sit on Top of Everything
Whichever framework applies, sector-specific regulation doesn't go away. An AI tool used in healthcare still meets medical device expectations. A model used in financial services still answers to financial conduct rules. For Cambridge founders, this is often the most important point, because the cluster's strengths in health tech and fintech put many local companies squarely in the most heavily scrutinised categories. Treating sector compliance as part of the build, rather than a hurdle at the end, tends to be far cheaper than retrofitting it.
This is also where scaling pressure shows up. As founders at The EpiCentre near Cambridge recently discussed when talking about a tougher funding environment, serious investors expect founders to be on top of issues like intellectual property well before a raise. Regulatory readiness belongs in the same bracket. It's increasingly part of what makes a company look investable and expansion-ready.
Where to Start
None of this needs to slow a company down. A sensible first step is simply to map it out. Identify which regulators already govern your sector, check whether any of your AI systems would count as high-risk under the EU framework, and note the dates that apply to your expansion plans. That short exercise turns regulation from a vague worry into a manageable list. For founders planning to scale, knowing the terrain early is far less costly than discovering it halfway up the climb.