What is AI regulation by sector?
AI regulation: sectors and domains
AI regulation by sector means most of the law governing AI arrives not through one AI act but through existing regulators applying existing duties to AI used in their domain. Health, finance, employment, consumer protection, critical infrastructure, the public sector, online platforms and biometric surveillance each have their own rules that AI use must satisfy. Horizontal laws such as the EU AI Act sit on top, but frequently route enforcement back to those same sector regulators.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Most organisations meet AI rules through the regulators they already answer to. A bank using an AI credit model still reports to its financial regulator; a hospital deploying diagnostic AI still answers to its medical-device regulator; an employer using hiring software is still bound by equality and employment law. In practice, AI is treated as an overlay on duties that already exist, not as a clean slate that waits for a dedicated statute.
This is why two firms using the very same model can carry very different obligations. The rules attach to the use and the sector, not to the technology in the abstract. A horizontal law such as the EU AI Act adds a cross-cutting layer, but even that law leans heavily on sector regulators to supervise and enforce. The durable logic, and the one least likely to change quickly, is: existing regulators, existing duties, AI as an overlay.
This page is a practical map of that landscape and a routing point to the dedicated article for each sector. For the abstract distinction between horizontal and sectoral approaches, see the concept page on sectoral-and-horizontal-ai-regulation. For the wider context of how AI is regulated overall, see ai-regulation, and for the governance practices that sit underneath all of this, see ai-governance.
Why it matters
If you assume that a single AI law covers everything, you will miss the rules that actually bite. The heaviest and most enforceable AI obligations frequently arrive through sector regulators using powers they already hold, from financial conduct rules to medical-device approval to anti-discrimination law. An organisation that spans several sectors can face overlapping, and occasionally conflicting, duties at once. The penalties are real: under the UK Online Safety Act, fines can reach 18 million pounds or 10 per cent of qualifying worldwide revenue, whichever is greater, and under the EU Digital Services Act up to 6 per cent of global annual turnover. Understanding which regulator owns which risk is therefore a board-level question, not a compliance footnote.
How it works
Horizontal versus sectoral, and why regulators are the real enforcers
Horizontal AI law applies across the economy regardless of sector. Sectoral AI regulation applies through the rules and regulators of a specific domain. The UK chose a principles-based, sector-led approach: its white paper, A pro-innovation approach to AI regulation, published on 29 March 2023 by the Department for Science, Innovation and Technology, asked existing regulators to apply five cross-cutting principles within their remits rather than creating a new AI regulator. Those five principles are safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. The EU took the opposite structural route with the EU AI Act, a horizontal regulation. Yet even the EU AI Act routes enforcement to sector bodies. Under Article 74(6), for high-risk AI placed on the market, put into service or used by financial institutions regulated by Union financial services law, the market surveillance authority is the relevant national authority already responsible for the financial supervision of those institutions, to the extent the AI use is in direct connection with the provision of those financial services. The lesson holds across both models: the regulator in the room is usually the sector regulator. See high-risk-ai-system and eu-ai-act for the horizontal layer.
Health
AI used for diagnosis, triage or treatment is generally regulated as a medical device, classified by its intended use and risk class. In the US, the FDA regulates AI/ML-based Software as a Medical Device under a total product lifecycle approach; its public list of AI-enabled medical devices authorised for marketing ran to more than 1,200 entries as of July 2025. In the UK, the MHRA regulates AI as a Medical Device (AIaMD) under the Medical Devices Regulations 2002, supplemented by guidance and its AI Airlock regulatory sandbox, launched in 2024 to test novel AIaMD challenges. This is a clear case of AI inheriting a mature, pre-existing regime. See ai-regulation-in-healthcare.
Finance
Of every domain, financial services has the highest density of explicitly named high-risk AI use cases. The UK relies on existing rules: the FCA and the Bank of England supervise AI through instruments such as the Senior Managers and Certification Regime and the Consumer Duty rather than a bespoke AI rulebook. FCA officials have said these together give the regulator enough regulatory bite without writing new AI rules. The EU AI Act names AI used to evaluate the creditworthiness of natural persons or establish their credit score, and AI used for risk assessment and pricing in life and health insurance, as high-risk under Annex III, with a carve-out for fraud detection. See ai-regulation-in-financial-services.
Employment
Hiring and worker-management AI runs straight into equality and employment law. On 12 May 2022, the US EEOC, alongside parallel guidance from the Department of Justice, issued technical assistance titled "The Americans with Disabilities Act and the Use of Software, Algorithms, and Artificial Intelligence to Assess Job Applicants and Employees", part of its AI and Algorithmic Fairness Initiative launched in October 2021. That guidance warns that a tool may "screen out" an individual on the basis of disability if the disability prevents the individual from meeting selection criteria, and that if the individual loses a job opportunity as a result, a violation of the ADA may occur. New York City's Local Law 144 of 2021, in effect from 1 January 2023 with enforcement by the Department of Consumer and Worker Protection beginning 5 July 2023, requires annual independent bias audits of automated employment decision tools and carries civil penalties of between 500 and 1,500 dollars per violation, with each day of non-compliance counting as a separate violation. The EU AI Act classes employment and worker-management AI as high-risk. See ai-regulation-in-employment.
Consumer protection and advertising
Consumer authorities police AI claims and AI-enabled harm under general powers rather than AI-specific statutes. The US FTC uses Section 5 of the FTC Act against deceptive or unfair practices, including misleading AI marketing, through its Operation AI Comply sweep announced on 25 September 2024 against five companies. The agency's position is blunt: there is no AI exemption from the laws on the books. See ai-regulation-in-consumer-protection-and-advertising.
Critical infrastructure
Energy, transport, water and digital infrastructure are governed by resilience and cybersecurity regimes that AI use must fit within. In the EU, the NIS2 Directive (Directive (EU) 2022/2555) sets cybersecurity obligations for essential and important entities across critical sectors. The EU AI Act treats AI used as a safety component in the management and operation of critical infrastructure as high-risk, so an AI system deployed in a regulated sector can attract both cybersecurity duties and AI Act duties. See ai-regulation-in-critical-infrastructure.
Public sector and government
Government use of AI faces public law duties, equality duties and transparency expectations on top of any horizontal rule. The UK's Algorithmic Transparency Recording Standard, first published in November 2021, became mandatory for all central government departments on 6 February 2024, with a mandatory scope and exemptions policy published on 17 December 2024. It requires departments to publish records of the algorithmic tools they use and why. See ai-regulation-in-public-sector-and-government.
Online platforms and content moderation
Platforms face online-safety and platform-governance regimes that increasingly reach into automated systems. The UK Online Safety Act 2023 gives Ofcom powers over illegal and harmful content, with codes of practice covering content moderation and recommender design. The EU Digital Services Act imposes duties on recommender systems, content moderation and systemic-risk assessment, with the heaviest obligations on very large online platforms. Both regimes touch AI-generated content such as deepfakes. See ai-regulation-in-online-platforms-and-content-moderation.
Biometric identification and surveillance
Biometrics sits across data-protection and AI law. The UK ICO regulates biometric data as special category personal data under data-protection law, and its AI and biometrics strategy, published on 5 June 2025, prioritises automated decision-making and police facial recognition. The EU AI Act treats remote biometric identification as high-risk and prohibits certain uses, such as untargeted scraping for facial recognition databases and most real-time remote biometric identification in public spaces by law enforcement. See ai-regulation-in-biometric-identification-and-surveillance.
How horizontal and sectoral rules interact, overlap and conflict
Horizontal and sectoral rules increasingly layer rather than replace one another. The EU AI Act tries to reduce duplication: under Article 17(4), financial institutions subject to internal-governance requirements under Union financial services law are deemed to have fulfilled the AI Act's quality-management obligation by complying with those sectoral rules, with limited exceptions for risk management, post-market monitoring and serious-incident reporting. Recital 158 explains the rationale of integrating procedural obligations into the existing regime for credit institutions under Directive 2013/36/EU to avoid overlaps. Even so, friction remains. A single credit-scoring model can simultaneously face EU AI Act high-risk duties, model-risk validation expectations, GDPR Article 22 limits on automated decisions, and national consumer-credit law, with no formal mechanism to resolve conflicts between them. The ECB has publicly noted gaps in information-sharing between prudential supervisors and market surveillance authorities under the Act. For organisations, overlap is the normal condition, not the exception.
What it means for an organisation spanning sectors
Map your AI uses to the sectors and regulators they touch, not just to one AI law. Build to the highest applicable standard, because the strictest regime usually sets your effective floor. Treat horizontal AI law as a baseline that sector rules may raise, and assume that the same tool used in two contexts may carry two different obligation sets. Frameworks such as the NIST AI Risk Management Framework, which supports sector and use-case profiles, and the OECD AI Principles can help you run one coherent governance programme across these overlapping regimes rather than several disconnected ones.
Examples
1. AI hiring tool. An employer using resume-screening or video-assessment AI must satisfy equality law before any AI act applies. The EEOC's May 2022 guidance warns these tools can unlawfully screen out applicants with disabilities, and an employer hiring in New York City must additionally commission an annual independent bias audit under Local Law 144 and notify candidates at least ten business days in advance.
2. FTC enforcement on AI claims. Under Operation AI Comply, the FTC finalised an order against DoNotPay, which had marketed an "AI lawyer". The order, approved by a unanimous 5-0 Commission vote on 16 January 2025, required DoNotPay to pay 193,000 dollars in monetary relief and to notify consumers who subscribed between 2021 and 2023. This is consumer-protection law, not AI-specific law, doing the enforcing.
3. Police facial recognition. The UK ICO is auditing police forces' use of facial recognition technology under its AI and biometrics strategy, and has published audit summaries for forces including South Wales Police and Gwent Police, Essex Police and Leicestershire Police. The duty flows from data-protection law applied to a biometric use, not from an AI-specific statute.
Common misunderstandings
1. "One AI law covers us." Often false. In most jurisdictions the binding, enforceable duties come from sector regulators applying existing law, with any horizontal AI law layered on top.
2. "If there is no AI act, AI is unregulated." False. Existing data-protection, equality, consumer, financial, medical-device and safety law already applies to AI, whether or not a dedicated statute exists.
3. "Horizontal AI law replaces sector law." It usually does not. The EU AI Act expressly integrates with and defers to sectoral regimes in several places, and routes enforcement to sector regulators.
4. "Our vendor handles compliance." Deployers retain their own duties. Under the EU AI Act a deployer can even "step up" into provider obligations if it changes a system's intended purpose or substantially modifies it, and under employment guidance the employer remains liable for a vendor tool's discriminatory effect.
5. "Same model, same rules." The obligations depend on the use and the sector, so an identical model can be low-risk in one context and high-risk in another.
Risks and boundaries
This page is a practical overview, not legal advice, and it does not replace tailored guidance from a qualified adviser in your jurisdiction. Sector specifics move quickly and differ by country, so treat named rules, dates and figures as current examples that may change. Some legal positions are genuinely in transition: most notably, the EU AI Act's high-risk obligations for standalone Annex III systems are currently set in law to apply from 2 August 2026, but a "Digital Omnibus" package, proposed by the European Commission on 19 November 2025 and provisionally agreed in May 2026, would defer standalone high-risk obligations to 2 December 2027 and embedded product obligations to 2 August 2028. As of 8 June 2026 that deferral was provisionally agreed but not yet published in the Official Journal, so the original 2 August 2026 date remained the operative legal deadline until formal adoption. Where sources or legal status conflict, verify against the primary text before relying on it.
What to do next
Start by building an inventory of every AI use across the organisation, including third-party and embedded tools, and map each use to the sectors and regulators it touches. Then identify, for each use, the highest applicable standard, because that usually sets your effective compliance floor. Assign a named accountable owner for each material AI use, mirroring the accountability that regulators such as the FCA already expect. Run one coherent governance programme, using a recognised framework such as the NIST AI Risk Management Framework so that a single control can earn credit across several regimes rather than duplicating effort. Finally, monitor sector regulator guidance actively, since in sector-led systems most of the concrete expectations emerge from regulators rather than central legislation. Revisit your map whenever you enter a new sector, change a tool's purpose, or a key date such as the EU AI Act high-risk applicability deadline is confirmed.
Explore individual entries: AI regulation in biometric identification and surveillance, AI regulation in consumer protection and advertising, AI regulation in critical infrastructure, AI regulation in employment, AI regulation in financial services, AI regulation in healthcare, AI regulation in online platforms and content moderation, AI regulation in the public sector and government.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Is sectoral AI regulation different from the EU AI Act?
It is distinct but interacting. The EU AI Act is a horizontal law that applies across the economy, yet it integrates with sector regimes and routes much of its enforcement to existing sector regulators, such as national financial supervisors for high-risk AI in finance.
Which sector has the most AI-specific rules?
Financial services has the highest density of explicitly named high-risk uses under the EU AI Act, covering credit scoring and life and health insurance pricing, and it also sits within a dense web of existing prudential and conduct rules.
Does the UK have a single AI act?
No. The UK relies on existing sector regulators applying five cross-cutting principles within their remits, set out in the 2023 white paper, rather than one statute, though targeted legislation for the most powerful models has been signalled.
Who enforces AI rules in finance?
Existing financial supervisors. In the UK that means the FCA and the Bank of England, including the PRA. In the EU, under Article 74(6) of the AI Act, the relevant national financial authority acts as the market surveillance authority for high-risk AI used by regulated financial institutions.
Are medical AI tools regulated as devices?
Generally yes. Diagnostic and treatment AI is typically regulated as a medical device, by the FDA in the US and the MHRA in the UK, based on intended use and risk class.
How is AI in hiring regulated?
Through equality and employment law first. US federal guidance applies the ADA and Title VII to algorithmic tools, some jurisdictions such as New York City require independent bias audits, and the EU AI Act classes employment AI as high-risk.
What should an organisation that spans several sectors do first?
Inventory its AI uses, map each to the relevant sector regulators, and build to the highest applicable standard rather than assuming one law governs everything.
Do horizontal and sectoral rules ever conflict?
Yes. A single system can attract overlapping duties from AI law, data-protection law and sector law at once, sometimes without a formal mechanism to resolve tensions, which is why mapping and a single governance programme matter.