UK Regulated Commerce 2026: FCA, MHRA, NIS & the Data Act

Key Takeaways

Regulation count: 7+ overlapping rules now apply to UK commerce businesses — UK GDPR, Data Use and Access Act, Cyber Security and Resilience Bill, FCA PS21/3, MHRA, Cyber Essentials Plus, and sector-specific licensing.

The challenge: Post-Brexit divergence means UK rules no longer mirror EU rules. Businesses serving both markets face two compliance stacks, not one.

The solution: Self-hosted open-source platforms with full source code access, flexible data residency, and audit-ready architecture handle both UK and EU requirements from a single codebase.

Key deadlines: DUAA smart data provisions (Feb 2026), FCA operational resilience (in force), Cyber Essentials Plus v3.3 (Apr 2026), DUAA complaints handling (Jun 2026), Cyber Security and Resilience Bill (Royal Assent expected spring 2026).

Last verified: March 2026

What Does UK eCommerce Compliance Look Like in 2026?

If you sell into the UK, 2026 is the year post-Brexit regulatory divergence stops being theoretical and starts hitting your platform architecture. The UK now operates its own data protection regime, its own cyber security framework, and its own financial services rules. None of them copy-paste from Brussels anymore.

In April 2023, the ICO fined TikTok £12.7 million for misusing children’s data under UK GDPR. Separately, the FCA has issued enforcement notices to three payment firms for failing operational resilience requirements under PS21/3. These aren’t warnings. They’re the new enforcement baseline.

The UK government’s own Impact Assessment for the Cyber Security and Resilience Bill estimates the expanded scope will cover 1,000+ additional organisations, including managed service providers and data centres that were previously exempt under the 2018 NIS Regulations.

The real challenge for commerce businesses is the dual-compliance problem. If you serve both UK and EU customers, you now maintain two data protection regimes, two cyber security frameworks, and two sets of incident reporting timelines. The Data Use and Access Act creates a seventh legal basis for processing that doesn’t exist under EU GDPR. The Cyber Security and Resilience Bill introduces powers with no direct EU equivalent. Your platform has to handle both stacks simultaneously.

What Are the Key UK Regulations Affecting Commerce in 2026?

| Regulation | Status | 2026 deadline | Applies to |
| --- | --- | --- | --- |
| UK GDPR | In force since 2018 (diverging via DUAA) | DUAA provisions phased Feb–Jun 2026 | All UK data controllers and processors |
| Data (Use and Access) Act 2025 (DUAA) | Royal Assent June 19, 2025; commencement phased | Smart data: Feb 2026; complaints handling: Jun 2026 | All digital services handling UK personal data |
| Cyber Security and Resilience Bill | Introduced Nov 2025; Second Reading Jan 2026 | Royal Assent expected spring 2026 | Critical infrastructure, MSPs, data centres |
| FCA PS21/3 | Rules in force since Mar 2022; transition period ended Mar 31, 2025 | Ongoing compliance | Payment providers, financial services |
| MHRA | In force (CE mark recognition extended) | Consultation closes Apr 2026 | Medical device marketplaces |
| Cyber Essentials Plus v3.3 | Update effective Apr 2026 | Apr 27, 2026 | Government suppliers, regulated industries |

UK GDPR remains the data protection foundation, but the Data Use and Access Act rewrites significant portions of it. From February 2026, the DUAA adds “recognised legitimate interests” as a new lawful basis (Article 6(1)(ea) of UK GDPR), a seventh alongside the six that EU GDPR still has. It covers a fixed list of purposes, such as disclosures to public bodies, national and public security, emergencies, crime prevention and safeguarding, and a controller relying on it does not have to run the balancing test that ordinary legitimate-interest processing still requires. The same processing in the EU would still need one of the six existing bases, balancing test included. If your platform serves both markets, you need logic that applies different lawful-basis rules per jurisdiction.

The DUAA also relaxes cookie consent requirements for UK users and changes how data subject access requests work. From June 19, 2026, new complaints handling obligations take effect. Your platform’s consent management, data access workflows, and complaint routing all need updating.

The Cyber Security and Resilience Bill amends and expands the NIS Regulations 2018 and is the UK’s answer to the EU’s NIS2 directive. Introduced in Parliament in November 2025, it passed Second Reading in January 2026, with Royal Assent expected by spring. The Bill brings managed service providers and data centres into scope for the first time and raises the maximum penalty from the existing £17 million cap to the higher of £17 million or 4% of global turnover.

The Bill also gives the Technology Secretary power to update regulations without primary legislation. As the UK government stated in the King’s Speech briefing, the Bill will “strengthen our defences and ensure that more essential digital services than ever before are protected.”

FCA PS21/3 on operational resilience came into force on March 31, 2022, and its three-year transition period ended on March 31, 2025. Financial services firms and payment providers must now demonstrate that they can stay within “impact tolerances” for important business services during disruptions. If you operate a payment processing platform or financial marketplace serving UK customers, FCA supervisors expect documented self-assessments, scenario testing against those tolerances, and mapping of third-party dependencies.

MHRA regulations matter if you sell medical devices in the UK. The CE mark recognition, originally set to expire, is now under consultation for indefinite extension (consultation runs February–April 2026). Digital post-market surveillance requirements are tightening. Medical device marketplaces need traceability from manufacturer to patient.

Cyber Essentials Plus v3.3 takes effect April 27, 2026, with mandatory multi-factor authentication, cloud service audits, and identity management controls. This certification is already required for UK government contracts above £5 million, and increasingly for any regulated industry procurement.

How Do UK and EU Regulations Differ After Brexit?

This is where the compliance stacking problem gets real. UK rules used to mirror EU rules. They don’t anymore. And the divergence is accelerating.

| Area | UK rule | EU rule | Impact on commerce platforms |
| --- | --- | --- | --- |
| Data processing | 7th lawful basis (“recognised legitimate interests”) | 6 lawful bases only | Different lawful-basis logic per jurisdiction |
| Cookie consent | Relaxed under DUAA (some categories on an opt-out footing) | Strict under ePrivacy (prior consent for all non-essential cookies) | Different banner/consent flows |
| Data transfers | DUAA “not materially lower” data protection test | Adequacy decisions, or SCCs with Schrems II transfer assessments | Different transfer safeguards |
| Cyber security | Cyber Security and Resilience Bill | NIS2 Directive | Different scope, different reporting timelines |
| Operational resilience | FCA PS21/3 | DORA | Different testing requirements |
| Medical devices | CE and UKCA both accepted in Great Britain (indefinite CE recognition under consultation) | CE marking under MDR/IVDR only; UKCA not recognised | Different conformity marking |

For businesses serving both markets, this means running parallel compliance logic. Your consent management can’t apply UK cookie rules to EU users or vice versa. Your data transfer mechanisms need different safeguards depending on which direction data flows. Your incident reporting goes to different regulators with different timelines.

A UK fintech marketplace, for example, faces FCA PS21/3 for UK operations and DORA for EU operations. Both require operational resilience testing, but the frameworks define “resilience” differently. FCA focuses on impact tolerances for important business services. DORA focuses on ICT risk management and third-party vendor audits. Your platform needs to satisfy both.

Scenario: UK-EU Medical Device Marketplace. You sell medical devices to NHS trusts and EU hospitals. In Great Britain, the MHRA accepts both UKCA and CE marked devices and is consulting on indefinite CE mark recognition. In the EU, only CE marking under the MDR (or IVDR) is valid; the UKCA mark has no standing there. Your product catalog needs to track which conformity marks apply in which jurisdiction, and your audit trail must prove compliance to both MHRA and EU notified bodies.

Why Do SaaS Platforms Struggle with UK Compliance?

SaaS platforms built for a single regulatory environment hit structural limits when UK compliance diverges from EU compliance. This isn’t a feature gap. It’s an architecture problem.

Data residency and the CLOUD Act. Most SaaS platforms run on US cloud infrastructure. Under the US CLOUD Act, American law enforcement can compel US cloud providers to hand over data in their possession, custody or control regardless of where it’s stored. In June 2025, Microsoft France’s legal director told a French Senate inquiry that the company could not guarantee that data hosted in Europe would never be handed to US authorities. For UK businesses handling sensitive data, that’s a jurisdictional risk that a choice of hosting region alone does not remove.

UK GDPR, as amended by the DUAA, permits international transfers only where the destination’s standard of protection is “not materially lower” than the UK’s. A US-controlled provider is reachable by CLOUD Act requests wherever its servers sit, so proving that standard becomes a legal exercise your compliance team shouldn’t have to run. A UK region operated by a US provider does not change that analysis; an operator outside US jurisdiction, or encryption keys that only you hold, does.

Dual-jurisdiction consent logic. The DUAA relaxes cookie consent for UK users but not for EU users visiting the same site. SaaS platforms typically offer one consent management configuration per domain. A commerce platform serving both UK and EU customers needs geolocation-aware consent logic that applies different rules based on user location, and that falls back to the strictest rule when the location cannot be resolved. Most SaaS vendors don’t offer this natively.
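The geolocation-aware consent logic described here and under “How Do UK and EU Regulations Differ After Brexit?” can be expressed as a small policy table keyed by jurisdiction. The Ruby below is an added example, not Spree’s own code. The EEA country list and the per-category rules (UK analytics and appearance/functionality cookies treated as opt-out under the DUAA, everything non-essential opt-in in the EU) are illustrative assumptions that must be checked against the amended PECR wording and EU ePrivacy guidance before use; the country code is assumed to come from your own geo-IP lookup.

```ruby
# Added example (not Spree's own code): jurisdiction-aware cookie consent.
# The EEA list and the per-category rules below are illustrative assumptions;
# check them against the DUAA's amended PECR wording and EU ePrivacy guidance
# before relying on them.
require 'set'

EEA_COUNTRIES = %w[
  AT BE BG HR CY CZ DK EE FI FR DE GR HU IS IE IT LV LI LT LU MT NL NO PL PT RO SK SI ES SE
].to_set.freeze

# Map a country code (e.g. from a geo-IP lookup) to a consent regime.
# Anything unresolved falls back to :strict, so an unknown visitor never
# receives the more permissive UK treatment by accident.
def jurisdiction_for(country_code)
  code = country_code.to_s.upcase
  return :uk if code == 'GB'
  return :eu if EEA_COUNTRIES.include?(code)
  :strict
end

# Rule for each cookie category under each regime:
#   :exempt  - set without asking (strictly necessary cookies everywhere)
#   :opt_out - may be set unless the user has objected (assumed DUAA treatment
#              of analytics and appearance/functionality cookies in the UK)
#   :opt_in  - needs prior consent
POLICY = {
  uk:     { essential: :exempt, functional: :opt_out, analytics: :opt_out, advertising: :opt_in },
  eu:     { essential: :exempt, functional: :opt_in,  analytics: :opt_in,  advertising: :opt_in },
  strict: { essential: :exempt, functional: :opt_in,  analytics: :opt_in,  advertising: :opt_in },
}.freeze

# May a cookie of `category` be set for a visitor from `country_code`?
# `prefs` is the Hash of category => true/false recorded from the consent
# banner; a missing key means the visitor has not expressed a choice.
def cookie_allowed?(country_code, category, prefs = {})
  rule = POLICY.fetch(jurisdiction_for(country_code)).fetch(category) { :opt_in }
  case rule
  when :exempt  then true
  when :opt_out then prefs.fetch(category, true)   # allowed unless explicitly refused
  else               prefs.fetch(category, false)  # :opt_in, and any unknown category
  end
end

# Categories the banner must actually ask about for this visitor.
def categories_requiring_prompt(country_code)
  POLICY.fetch(jurisdiction_for(country_code)).reject { |_, rule| rule == :exempt }.keys
end
```

The design choice worth copying is the `:strict` fallback: a visitor whose location cannot be resolved is treated under the tighter EU rules, so a geo-IP miss degrades toward asking for consent rather than toward dropping cookies without it. Unknown cookie categories are treated the same way.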

Source code auditability. The Cyber Security and Resilience Bill, like NIS2, expects regulated entities to demonstrate security controls in their software supply chain. If your platform is closed-source SaaS, auditors see a dashboard. They don’t see the code. For Cyber Essentials Plus v3.3 certification, you need documented evidence of patching timelines, vulnerability management, and access controls. Self-hosted open-source platforms give you the code and configuration access needed to produce that evidence yourself; you still have to generate and retain it.

Operational resilience evidence. FCA PS21/3 requires payment firms to map dependencies on third-party providers and prove they can operate within impact tolerances during disruptions. If your commerce platform is SaaS, the vendor controls the uptime, the failover, and the incident logs. You report to the FCA, but the evidence lives in someone else’s system.

The pattern repeats across every UK regulation: compliance demands control, and SaaS trades control for convenience.

What Does a UK-Compliant Commerce Platform Look Like?

A platform that passes UK compliance audits in 2026 needs six capabilities that most SaaS vendors don’t offer: flexible data residency, dual-jurisdiction consent management, full source code access, FCA-grade audit logging, MHRA traceability, and Cyber Essentials-ready security controls.

| Capability | Requirement | Why it matters |
| --- | --- | --- |
| Data residency | UK-hosted option with customer choice of region | UK GDPR + CLOUD Act: reduce US jurisdictional exposure (the operator, not just the region, must sit outside US control) |
| Dual consent | Geolocation-aware consent flows | DUAA + EU ePrivacy: different cookie rules per jurisdiction |
| Source code access | Full open-source or audit-ready codebase | Cyber Security Bill + Cyber Essentials: auditors can verify controls in the code, not just a dashboard |
| Audit logging | Tamper-evident logs with synchronised timestamps | FCA PS21/3 + Cyber Security Bill: prove what happened, and when, during an incident |
| Product traceability | Manufacturer-to-customer tracking | MHRA: medical device post-market surveillance |
| Dependency transparency | Software bill of materials (SBOM) for all components | Cyber Essentials Plus v3.3: documented vulnerability management |

Data residency is the foundation. UK GDPR compliance is simpler when your data lives on UK infrastructure. A platform offering customer choice of deployment region (London, Frankfurt, Dublin) lets you satisfy both UK and EU data residency from one codebase. Region choice only closes the CLOUD Act gap if the operator of that region is outside US jurisdiction or you hold the encryption keys; a London region run by a US hyperscaler is still within reach of a US order. SaaS platforms that default to US hosting force you into supplementary safeguards that add legal cost and audit complexity.

Source code access separates self-hosted open source from black-box SaaS. The Cyber Security and Resilience Bill expects regulated entities to understand their software supply chain. Open source (BSD 3-Clause) lets your security team audit every dependency, every patch, every configuration change. Closed-source SaaS gives you a trust-us promise.
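Auditing “every dependency” starts with an inventory. The Ruby below is an added example, not Spree’s own code: it parses the `specs:` section of a Gemfile.lock into resolved gems and their dependencies, emits a minimal CycloneDX 1.5 SBOM (the “bill of materials” row in the table above), and checks the resolved versions against minimum versions you supply. The lockfile content is constructed for the demo, the SBOM serial number is a placeholder, and the version floors passed to `below_minimum` are inputs you would fill from your own advisory feed; no specific vulnerability is implied.

```ruby
# Added example (not Spree's own code): Gemfile.lock -> CycloneDX SBOM, plus a
# minimum-version check. The lockfile below is constructed for the demo; in
# practice pass File.read('Gemfile.lock').
require 'json'

SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.8)
      rails (7.2.1)
        rack (>= 2.2.4)
      nokogiri (1.16.7-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rails
LOCK

# Parse a `specs:` section: a line indented by exactly four spaces is a
# resolved gem "name (version[-platform])"; six spaces is one of its runtime
# dependencies. Returns { name => { version:, platform:, deps: [...] } }.
def parse_lockfile(text)
  gems = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty? || line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
      version, platform = m[2].split('-', 2)   # "1.16.7-x86_64-linux" -> version, platform
      current = m[1]
      gems[current] = { version: version, platform: platform, deps: [] }
    elsif current && (m = line.match(/\A      (\S+)/))
      gems[current][:deps] << m[1]
    end
  end
  gems
end

# Package URL for a RubyGem: pkg:gem/<name>@<version>[?platform=<platform>]
def purl_for(name, version, platform = nil)
  base = "pkg:gem/#{name}@#{version}"
  platform ? "#{base}?platform=#{platform}" : base
end

# Minimal CycloneDX 1.5 document with a component per gem and a dependency
# graph built from the lockfile's declared runtime dependencies.
def cyclonedx_sbom(gems, serial: 'urn:uuid:00000000-0000-4000-8000-000000000001')
  ref = ->(name) { purl_for(name, gems[name][:version], gems[name][:platform]) }
  components = gems.sort.map do |name, g|
    { 'type' => 'library', 'name' => name, 'version' => g[:version],
      'purl' => ref.call(name), 'bom-ref' => ref.call(name) }
  end
  dependencies = gems.sort.map do |name, g|
    { 'ref' => ref.call(name),
      'dependsOn' => g[:deps].filter_map { |d| gems.key?(d) ? ref.call(d) : nil } }
  end
  { 'bomFormat' => 'CycloneDX', 'specVersion' => '1.5', 'serialNumber' => serial,
    'version' => 1, 'components' => components, 'dependencies' => dependencies }
end

# Names of resolved gems whose version is below the floor in `mins`
# ({ 'gem' => 'x.y.z' }), e.g. floors taken from an advisory feed.
def below_minimum(gems, mins)
  mins.select do |name, min|
    gems.key?(name) && Gem::Version.new(gems[name][:version]) < Gem::Version.new(min)
  end.keys
end
```

Running the SBOM generation in CI and committing the output alongside each release gives an auditor a dated, machine-readable list to compare against advisories, which is the documented vulnerability-management evidence Cyber Essentials Plus asks for.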

Audit logging with reliable timestamps matters for FCA PS21/3. Payment firms must prove that important business services stayed within impact tolerances during incidents. That proof lives in logs, and logs are only evidence if they are tamper-evident: each entry timestamped from a synchronised clock and chained to the one before it, so that an edited, deleted or reordered record is detectable. If you own the logs, you own the evidence. If the SaaS vendor owns the logs, you’re dependent on their cooperation during an FCA inquiry.
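A tamper-evident audit log of the kind just described, as an added example that is not Spree’s own code: each record carries its sequence number, a UTC timestamp, and the HMAC of the previous record, and the HMAC over the whole record is computed with a key the application holds. Verification replays the chain from the start and reports the first record that does not check out. The inline key is a demo assumption (in production it would live in a KMS or HSM and the chain would be anchored off-box, for example by periodically publishing the latest digest), and the clock is assumed to be NTP-synchronised.

```ruby
# Added example (not Spree's own code): a hash-chained, HMAC-signed audit log.
# Each entry commits to the previous entry's digest, so editing, deleting or
# reordering a record breaks verification. The key here is an inline demo
# value; in production it belongs in a KMS/HSM.
require 'json'
require 'openssl'
require 'time'

class AuditLog
  GENESIS = ('0' * 64).freeze   # digest "before" the first entry

  attr_reader :entries

  def initialize(key)
    @key = key
    @entries = []
  end

  # Append an event. `at` lets callers inject a clock (assumed NTP-synced).
  def append(actor:, action:, resource:, at: Time.now.utc)
    prev = @entries.empty? ? GENESIS : @entries.last[:digest]
    body = {
      seq: @entries.size,
      ts: at.utc.iso8601(6),
      actor: actor, action: action, resource: resource,
      prev: prev,
    }
    entry = body.merge(digest: digest_for(body))
    @entries << entry
    entry
  end

  # Replay the chain from the first entry. Returns the index of the first
  # entry that fails (wrong sequence, broken link or bad HMAC), or nil.
  def first_broken_index
    expected_prev = GENESIS
    @entries.each_with_index do |entry, i|
      return i unless entry[:seq] == i && entry[:prev] == expected_prev
      body = entry.reject { |k, _| k == :digest }
      return i unless secure_equal(entry[:digest], digest_for(body))
      expected_prev = entry[:digest]
    end
    nil
  end

  def valid?
    first_broken_index.nil?
  end

  private

  # Canonical JSON (sorted keys) so the same record always hashes identically.
  def digest_for(body)
    canonical = JSON.generate(body.sort.to_h)
    OpenSSL::HMAC.hexdigest('SHA256', @key, canonical)
  end

  # Constant-time comparison of two hex digests.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The chain makes tampering detectable, not impossible: whoever holds the key can rewrite history, which is why the key should not be readable by the application’s ordinary database role and why the latest digest should be copied somewhere the application cannot alter.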

For businesses operating across both UK and EU markets, a self-hosted open-source platform with flexible deployment is the architectural answer. One codebase, two compliance stacks, full control over both.

UK Compliance by Regulation: Deep-Dive Guides

Every regulation in this post connects to a deeper guide covering specific audit procedures, platform requirements, and implementation steps. Start with the regulation that carries the highest risk for your business.

For the Data Use and Access Act, see UK Data Act eCommerce Compliance. It covers the new legal basis for processing, relaxed cookie consent rules, international transfer changes, and platform architecture implications for dual UK-EU compliance.

For DORA (Digital Operational Resilience Act, applying to UK firms with EU financial services operations), see DORA eCommerce Compliance. It covers ICT risk management, third-party vendor audits, and incident reporting frameworks.

For GDPR and Schrems II (relevant whenever UK or EU personal data flows onward to the US or another country without an adequacy decision), see GDPR & Schrems II eCommerce Compliance. It explains the data transfer mechanisms that apply when moving personal data between UK and EU jurisdictions and beyond them.

For the full EU regulatory picture (if you serve both markets), see EU eCommerce Compliance 2026. It maps the full EU compliance stack including NIS2, CRA, and eIDAS 2.0.

UK Compliance by Industry: Sector-Specific Guides

Your compliance stack depends on your sector. A HealthTech marketplace faces MHRA + UK GDPR + Cyber Security Bill. A financial services platform faces FCA PS21/3 + DORA + Cyber Essentials Plus.

Financial Services & FinTech. FCA PS21/3 is already in force. If you operate a payment platform or financial marketplace, operational resilience testing is mandatory now, not later. Firms with EU operations also face DORA.

HealthTech & Medical Devices. MHRA CE mark consultation runs through April 2026. Medical device marketplaces need product traceability, post-market surveillance, and UK GDPR compliance for patient data. See HealthTech eCommerce for the full breakdown.

Defense & Government Procurement. Cyber Essentials Plus is mandatory for UK government contracts above £5 million. The v3.3 update (April 2026) adds MFA requirements and cloud audit controls. See Defense Procurement eCommerce for platform requirements.

Legal Services. The SRA requires outcome-based digital compliance. Law firms operating eCommerce for client services face UK GDPR for client data, professional conduct rules for digital communications, and new AI compliance guidance. See UK Legal Services eCommerce for the regulatory map.

Energy & Critical Infrastructure. The Cyber Security and Resilience Bill directly targets energy companies, water utilities, and transport operators. If you operate a B2B marketplace serving critical infrastructure, expect audits under the expanded NIS framework. See Energy & Carbon Marketplace for sector-specific controls.

Build for UK Compliance with Spree

UK compliance in 2026 demands architectural choices that most SaaS platforms weren’t built to support. Post-Brexit divergence is accelerating, not stabilising. The businesses that succeed are the ones choosing platforms built for dual-jurisdiction complexity: self-hosted architecture with full source code access, flexible data residency, auditable encryption, and transparent supply chains.

Start with the regulation that carries the highest risk for your sector. For financial services, that’s FCA PS21/3 (already in force). For government suppliers, it’s Cyber Essentials Plus v3.3 (April 2026). For all UK digital services, it’s the Data Use and Access Act (provisions rolling out through June 2026). Then work outward, addressing the Cyber Security and Resilience Bill as it moves toward Royal Assent.

Ready to explore a platform built for UK and EU compliance? Start here.

Frequently Asked Questions

Does UK GDPR still match EU GDPR after the Data Use and Access Act?

No. The DUAA creates meaningful divergence starting February 2026. The new “recognised legitimate interest” legal basis, relaxed cookie consent, and changed data subject access request rules mean UK data processing follows different rules than EU processing. Platforms serving both markets need jurisdiction-aware logic.

Is Cyber Essentials Plus mandatory for all UK businesses?

Not universally, but it’s effectively mandatory for government suppliers (contracts above £5 million) and increasingly expected in regulated industries. The v3.3 update (April 27, 2026) adds mandatory MFA, cloud service auditing, and identity management controls. Even if not legally required for your sector, it’s becoming a procurement checkbox.

How does the Cyber Security and Resilience Bill differ from NIS2?

Both expand the scope of cyber security regulation beyond the original NIS Regulations 2018. NIS2 covers 18 EU sectors with approximately 160,000 entities. The UK Bill adds managed service providers and data centres to scope, introduces fines up to £17 million or 4% of global turnover, and gives the Technology Secretary powers to update requirements without new legislation. If you serve both UK and EU markets, you face both frameworks with different reporting timelines.

Can US SaaS platforms meet UK compliance requirements?

Only with significant supplementary controls. The CLOUD Act creates jurisdictional risk for any data held by a US-controlled provider, wherever the servers are. UK GDPR’s “not materially lower” transfer test requires demonstrable safeguards. Neither the Cyber Security and Resilience Bill nor Cyber Essentials Plus mandates source code access, but both expect evidence of patching timelines, vulnerability management and access controls; with closed-source SaaS that evidence exists only to the extent the vendor chooses to supply it.

What happens if I serve both UK and EU customers from one platform?

You need dual compliance logic. Different consent management rules (DUAA vs. ePrivacy), different data transfer safeguards, different incident reporting timelines (Cyber Security Bill vs. NIS2), and potentially different operational resilience frameworks (FCA PS21/3 vs. DORA). A self-hosted platform with flexible deployment handles both from one codebase. SaaS platforms typically force you to choose one configuration.

Do I need separate UK and EU data residency?

It depends on your sector and data sensitivity. Transfers in both directions currently run on adequacy: UK adequacy regulations cover UK-to-EEA transfers, and the European Commission renewed its adequacy decisions for the UK in December 2025, so EU-to-UK transfers need no additional safeguards while those decisions stand. For regulated industries (financial services, healthcare, defense), separate UK residency is the safer default. Self-hosted platforms let you deploy in both jurisdictions from the same codebase.

Let's use Spree to build exactly what your business needs
