Last reviewed: April 10, 2026

Jurisdictions covered: UK (primary), EU (comparison)

Reading time: 16 minutes

DRCF Explained: How Four UK Regulators Coordinate AI Governance Without a Single AI Law

The UK has no cross-sector AI law. Instead, 19 sector regulators each apply their existing powers to AI systems. The obvious question: who coordinates them?

The answer is the Digital Regulation Cooperation Forum — the DRCF. It brings together the four most active UK regulators on AI: the ICO, FCA, CMA, and Ofcom. Thirteen additional regulators participate in a broader roundtable. Together, they publish joint guidance, run a multi-regulator innovation hub, and coordinate their responses to cross-cutting AI issues.

The DRCF cannot issue binding rules, take enforcement action, or direct its member regulators. It is the connective tissue of the UK’s distributed regulatory model — coordination without compulsion. On March 31, 2026, it published “The Future of Agentic AI,” the UK’s most detailed cross-regulatory assessment of autonomous AI systems. The X/Grok parallel investigation (Ofcom + ICO, January 2026) is its first real-world stress test.

This article explains what the DRCF is, how it works, what it has produced, and what it means for organizations navigating the UK’s multi-regulator AI landscape.

Key Takeaways

• The DRCF is a voluntary coordination forum, not a regulator. It cannot issue binding rules or enforcement actions. Member regulators “remain individually accountable” (DRCF’s own language).
• Four core members: ICO (data protection), FCA (financial services), CMA (competition), and Ofcom (online safety/telecoms). Thirteen additional bodies participate in a wider roundtable.
• The AI & Digital Hub pilot received 30 applications in 12 months — suggesting limited awareness or uptake. Eight anonymized case studies were published. The Hub is now succeeded by Thematic Innovation Hubs, with agentic AI as the first theme.
• The March 2026 agentic AI paper is the DRCF’s most significant output — a five-level autonomy framework affirming that existing UK regulatory powers apply to autonomous AI systems.
• The X/Grok investigation is the DRCF coordination model under live stress — ICO and Ofcom investigating in parallel under separate legal frameworks, with DRCF providing coordination but no enforcement override.

What Is the DRCF — and What Is It Not?

The DRCF was established in 2020 by the CMA, FCA, ICO, and Ofcom. Its stated purpose: “to ensure a joined-up approach to online regulation” — a response to the growing overlap between data protection, competition, financial services, and online content regulation.

What the DRCF is:

• A voluntary forum for strategic coordination between four independent regulators
• A publisher of joint guidance, research papers, and foresight reports
• An operator of multi-regulator innovation hubs for businesses facing overlapping regulation
• A participant in the International Network of Digital Regulators Cooperation (INDRC), formed in December 2024

What the DRCF is not:

• A regulator — it has no statutory remit, no enforcement powers, no ability to fine
• A binding authority — it “does not provide formal advice or direction to member regulators”
• A replacement for sector-specific regulation — each member retains independent enforcement discretion
• The UK’s answer to the EU AI Office — the AI Office has binding authority; the DRCF has none

For practitioners, the DRCF matters because it shapes how the four most powerful UK regulators interpret AI governance. A joint DRCF publication on a topic signals a coordinated position. But DRCF guidance is advisory — if the ICO and CMA take different approaches to the same AI issue, the DRCF has no mechanism to resolve the conflict.

Who Is in the DRCF?

The Core Four

Regulator	AI Domain	Key Power	Why They Lead
ICO	Data protection (cross-sector)	Fines up to £17.5M or 4% turnover	AI systems process personal data — the ICO touches every sector
FCA	Financial services AI	Consumer Duty + Senior Managers Regime	Highest AI adoption sector (75% of firms); biggest economic impact
CMA	Competition and market power	Market studies, merger review, SMS designation	Algorithmic collusion and AI market concentration are competition issues
Ofcom	Online platforms, telecoms	Online Safety Act enforcement (fines up to £18M or 10% revenue)	Most active UK AI enforcer by volume; AI content is an OSA priority

The Wider Roundtable

Thirteen additional bodies participate in DRCF roundtable discussions, including the Bank of England/PRA, MHRA, HSE, Ofgem, and others from the 19-regulator DSIT list. The roundtable structure means these regulators receive DRCF research outputs and can participate in joint projects, but they do not have the same strategic steering role as the core four.

The asymmetry matters. The core four regulators — ICO, FCA, CMA, Ofcom — are the only UK regulators with both significant AI governance activity and meaningful enforcement powers. The roundtable participants include regulators with minimal AI activity (Ofwat, ORR, Environment Agency) alongside those with emerging programs (MHRA, Ofgem, CAA). The DRCF’s effectiveness depends on its core four; the roundtable extends reach but not depth.

How Does the Hub Work?

The DRCF’s most practitioner-facing mechanism is its innovation hub system, which has evolved through two phases:

Phase 1: AI & Digital Hub Pilot (2024-2025)

The pilot ran for approximately 12 months. Results from the DRCF AI & Digital Hub Pilot Report (October 2025):

• 30 applications received — a low number that suggests limited awareness among businesses or skepticism about the value of multi-regulator engagement
• 9 full responses provided (detailed guidance involving two or more regulators)
• 11 partial responses (single-regulator guidance or signposting)
• 8 anonymized case studies published

The Hub worked as a single front door: a business facing regulatory questions from multiple DRCF members could submit one inquiry instead of contacting each regulator separately. The Hub team would route the question to the relevant regulators and coordinate a joint response.

Phase 2: Thematic Innovation Hubs (2025-present)

The pilot Hub closed and was replaced by Thematic Innovation Hubs — focused on specific technology areas rather than general multi-regulator queries. The first theme: agentic AI (launched October 2025).

The Thematic Hub model is more targeted: instead of waiting for businesses to ask questions, the DRCF identifies a cross-cutting technology area and proactively develops joint regulatory thinking. The agentic AI Hub produced the March 2026 foresight paper — the most significant output of this approach so far.

For practitioners, the practical implication is this: the general-purpose front door is closed. If you need multi-regulator guidance on a specific AI system, contact each regulator directly. But if your question falls within the current thematic focus (agentic AI), the Thematic Hub may be able to help.

What Does the Agentic AI Paper Actually Say?

On March 31, 2026, the DRCF published “The Future of Agentic AI” — co-authored by all four core members. This is the UK’s most detailed cross-regulatory assessment of autonomous AI systems.

The Five-Level Autonomy Framework

Level	Name	Description	Current Status
1	Tool	AI as passive instrument, human initiates and controls every action	Widespread
2	Assistant	AI suggests actions, human approves each one	Widespread
3	Operator	AI executes multi-step tasks within defined boundaries, human sets goals and constraints	Emerging
4	Collaborator	AI and human share decision-making, AI can modify goals within parameters	Mostly theoretical
5	Autonomous Actor	AI independently sets and pursues goals with minimal human oversight	Largely theoretical

The paper notes that most real-world deployments are at Levels 2 and 3 — assistants and operators. It explicitly states that “information retrieval alone does not make a system an agent.”

Key Findings

Existing law already applies. The paper’s central position: UK regulatory frameworks fully apply to agentic AI systems. No new legislation is needed to address autonomous AI. This is a deliberate signal — the DRCF is not calling for an AI law.

Algorithmic collusion is a live risk. The paper cites experiments where AI pricing agents “repeatedly converged to supra-competitive prices” without explicit coordination. For the CMA, this is the most concrete agentic AI risk — competition law may need to adapt to situations where collusion emerges from autonomous agent interactions rather than human agreements.

Action bundling creates accountability gaps. When an AI agent chains together multiple actions (browsing, purchasing, communicating) across different regulated domains, no single regulator has jurisdiction over the full chain. This is the coordination problem the DRCF exists to solve — and the paper acknowledges it has no ready answer.

Prompt injection is a security risk. Agents that accept instructions from external inputs (websites, emails, other agents) can be manipulated to take actions their operators did not intend. This connects to the AI Security Institute’s security-focused mandate.

Data minimization is harder for agents. AI agents that operate autonomously across services may collect and process more personal data than necessary — creating tension with the ICO’s data minimization requirements under UK GDPR.

The X/Grok Test Case: DRCF Coordination Under Stress

The Grok chatbot investigation is the DRCF’s first real-world coordination test for an AI-specific case.

Timeline:

• January 12, 2026: Ofcom opens investigation into X under the Online Safety Act 2023. Grok generated approximately 3 million sexualized images in 11 days, including potential CSAM.
• January 14, 2026: X removes Grok’s ability to edit images of real people in revealing clothing. Implements Geoblock technology.
• February 3, 2026: ICO opens formal investigation into X Internet Unlimited Company and X.AI LLC under UK data protection law, examining lawful basis for processing and adequacy of safeguards.
• February 16, 2026: Government announces it will close the legal loophole by bringing AI chatbot providers within scope of OSA illegal content duties.

What the DRCF model did: Macfarlanes/Mondaq (March 4, 2026) describes this as “co-ordinated regulatory engagement under the DRCF model.” ICO and Ofcom are sharing information and coordinating their approaches — exactly what the DRCF was designed to enable.

What the DRCF model did not do: Direct either regulator’s investigation. The ICO and Ofcom launched independently under separate legal frameworks (UK GDPR and OSA respectively). Neither waited for DRCF approval. Neither is bound by the other’s conclusions. If the ICO finds no data protection breach but Ofcom finds an OSA violation — or vice versa — the DRCF has no mechanism to reconcile the outcomes.

The lesson for practitioners: When your AI system triggers multiple regulators, expect parallel investigations with coordinated but independent outcomes. Prepare for each regulator’s inquiry separately. The DRCF may smooth the process, but it does not guarantee consistency.

How Does the DRCF Compare to the EU AI Office?

Dimension	DRCF (UK)	EU AI Office
Legal basis	Voluntary — no statutory remit	Regulation (EU) 2024/1689
Enforcement power	None — member regulators enforce independently	Binding — can impose fines up to EUR 15M or 3% turnover
Scope	Cross-cutting digital regulation coordination (AI, online safety, data, competition)	GPAI model supervision + coordination with national authorities on high-risk AI
Members	4 core regulators + 13 roundtable	Single office within the European Commission
Innovation hub	Thematic Innovation Hubs (agentic AI first)	AI regulatory sandboxes (Art. 57-58)
Consistency mechanism	Advisory publications — regulators may diverge	Binding implementing acts + delegated acts
Established	2020	2024
Budget	Funded through member regulators’ existing budgets	Dedicated EU budget line

The structural difference is fundamental. The EU AI Office can direct, investigate, and fine. The DRCF can only coordinate. The EU approach sacrifices speed and flexibility for consistency and enforceability. The UK approach preserves regulatory independence but risks the kind of inconsistency the X/Grok case may soon illustrate.

For companies operating in both the UK and EU, the DRCF is an additional layer of coordination to understand — but it does not reduce the compliance burden the way a single binding regulation does. The EU AI Office is your primary enforcement contact for GPAI obligations. The DRCF is not a contact at all — you contact member regulators directly.

What Should Practitioners Do?

1. Know your regulators. The DRCF coordinates four regulators — but your obligation is to each one individually. If your AI system processes personal data (ICO), operates in financial services (FCA), affects competition (CMA), or appears on online platforms (Ofcom), you answer to that regulator regardless of what the DRCF publishes. Use our 19-regulator map to identify your specific regulators.

2. Read the joint publications. DRCF joint guidance signals coordinated regulatory thinking. The agentic AI paper (March 2026) tells you how four regulators will approach autonomous AI. Future Thematic Hub outputs will do the same for other technologies. These are not binding, but they are the closest thing to a preview of regulatory expectations.

3. Prepare for multi-regulator engagement. If your AI system crosses regulatory boundaries — which most complex AI systems do — expect that multiple regulators may be interested simultaneously. Maintain documentation that serves each regulator’s requirements. The DRCF may facilitate coordination, but each regulator will ask its own questions under its own legal framework.

4. Monitor the Thematic Innovation Hubs. The agentic AI theme is current. Future themes will likely include AI in financial services, AI-generated content, and AI in healthcare. If your sector is selected as a theme, the resulting DRCF output will shape your regulators’ expectations.

5. Factor in the EU AI Act as your baseline. The DRCF coordinates voluntary principles. The EU AI Office enforces binding obligations. If you operate in both markets, the EU standard is higher. DRCF guidance may help you understand UK-specific expectations, but it does not reduce your EU compliance requirements.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. The DRCF is a coordination forum, not a regulatory authority. Organizations should consult qualified legal counsel for compliance planning. Reg Intel is not a law firm and does not provide legal services.

Last verified: April 10, 2026

Sources

Official Sources

• DRCF — About
• DRCF, “The Future of Agentic AI” foresight paper, March 31, 2026
• DRCF, “Smart Data Frameworks” insights paper, March 26, 2026
• DRCF AI & Digital Hub Pilot Report, October 2025
• FCA/ICO Joint Statement on Vulnerability Data, March 26, 2026

Analysis and Commentary

• Macfarlanes via Mondaq: X/Grok as DRCF coordination case, March 4, 2026
• Lewis Silkin: Responsible AI Forum summary, March 2026
• A&O Shearman: DRCF Smart Data analysis, March 2026

Enforcement Data

• Ofcom: X/Grok investigation opened January 12, 2026
• ICO: Formal investigations into X/X.AI opened February 3, 2026
• Government: AI chatbot providers brought into OSA scope, announced February 16, 2026

Compare: EU vs UK

For the comprehensive comparison across twelve dimensions — structural divergence, risk classification, the 19 UK regulators vs the EU AI Office, enforcement penalties, the Data (Use and Access) Act 2025, AISI vs the EU AI Office, and a five-step dual-market compliance baseline — see EU vs UK AI Regulation: Precaution vs Innovation Compared (2026).