UK, Switzerland & Non-EU Europe Voice AI Regulations 2026

Last updated on June 22, 2026

Talk to AI engineers

We build and advise on production AI systems. Bring your questions to a free intro call.

Talk to us

Non-EU Europe is not a regulatory gap. It is a fragmented map with no single floor, where the rules that decide your exposure change at every border. A voice agent that records calls freely in London commits a criminal offence in Zurich. A product that ships EU customer data to a vendor in Tbilisi or Istanbul has no adequacy cover and needs explicit safeguards. And a UK or Swiss company that takes a single call from an EU resident is pulled back inside the EU AI Act regardless of where it sits.

This guide maps the markets outside the EU: the United Kingdom and Switzerland (the two commercial heavyweights, both with EU adequacy), Turkey and Ukraine (large markets with strict criminal recording rules), Georgia, and the Western Balkans. It is the companion to the EU and EEA founder’s guide and the US founder’s guide. The EEA states (Norway, Iceland, Liechtenstein) apply the GDPR in full and are covered in the EU/EEA guide.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. National rules change weekly, and several instruments cited below are at draft or pre-enactment stage. Verify current status before relying on anything here, and consult a qualified attorney for your situation.


How to read this guide: three axes and one long arm

Outside the EU there is no shared AI Act or GDPR applying by default. For each country, three things determine your real exposure:

  1. GDPR adequacy – whether the EU has ruled the country’s data protection “adequate.” If yes (only the UK and Switzerland among the countries here), EU-to-country data flows are unrestricted. If no (everywhere else), moving EU caller data there needs explicit safeguards (standard contractual clauses, explicit consent).
  2. Call-recording consent regime – one-party, all-party, or all-party backed by criminal law. This is the single most dangerous national divergence for a voice agent.
  3. AI-specific law – whether the country has any binding AI rule, a draft one, or nothing yet.

Then the long arm: the EU AI Act applies extraterritorially. Under Article 2, it reaches providers and deployers outside the EU whose system output is used in the EU. If your voice agent handles EU residents, the Article 50 disclosure duty (tell callers they are talking to AI, from 2 Aug 2026) binds you even from London or Zurich. The same is true of the GDPR under its own Article 3.


The reference table: adequacy, recording, AI law

CountryEU GDPR adequacyRecording consent (+ code)AI-specific law
United KingdomYes (renewed Dec 2025, valid to Dec 2031)One-party for the act; GDPR/PECR disclosure for business useNo AI Act (pro-innovation); sandbox powers proposed
SwitzerlandYes (reconfirmed Jan 2024)All-party, criminal (Criminal Code Art. 179bis / 179ter)None yet; signed the Council of Europe AI Convention
TurkeyNoAll-party, criminal (Penal Code Art. 132–134)None in force; draft AI-content labelling law (Nov 2025)
UkraineNoAll-party (Constitution Art. 31; Criminal Code Arts. 163/182)None binding; voluntary code aligned to the EU AI Act
GeorgiaNoAll-party / consent-based (Law No. 3144)None
SerbiaNoPer national law plus GDPR-aligned actNo binding law; national AI strategy aligned to the EU AI Act
Moldova, N. Macedonia, Albania, Montenegro, BosniaNoPer national law plus GDPR baselineNone binding

United Kingdom

Jurisdiction stack: outside the EU, but governed by the UK GDPR plus the Data Protection Act 2018, which still hold a full EU adequacy decision (renewed in December 2025 and valid until 27 December 2031, so EU-to-UK data flows are free). No AI Act. Regulators: the ICO (data) and Ofcom (telecoms). If you serve EU residents, the EU AI Act and EU GDPR also reach you.

Where it bites:

  • Voiceprints are Article 9 data, and the ICO enforces it. ICO biometric-recognition guidance treats a voiceprint used for identification or verification as special-category data, needing a lawful basis plus an Article 9 condition (usually explicit consent) and a DPIA. The clearest precedent: HMRC was ordered to delete around 5 million voiceprints collected through its voice-ID service without a valid lawful basis.
  • AI marketing calls are already drawing fines. Automated or AI-voice marketing calls require prior specific consent under PECR. In September 2025 the ICO fined Home Improvement Marketing Ltd £300,000 and Green Spark Energy Ltd £250,000 for unlawful calls made with AI “avatar” software impersonating named UK agents. The Data Use and Access Act raised PECR’s fine ceiling to UK GDPR levels: up to £17.5 million or 4% of global turnover. Ofcom separately polices silent and abandoned calls (up to £2 million).
  • Automated decisions got easier, except on biometrics. The Data (Use and Access) Act 2025 (Royal Assent 19 June 2025, commenced in stages) liberalised solely-automated decision-making: significant automated decisions are now broadly permitted with safeguards (notice, a right to make representations, a right to human intervention) except where they rely on special-category data such as a voiceprint, where the stricter regime remains.

The AI posture: the UK has no AI Act and is not planning one. The 2026 King’s Speech announced a “Regulating for Growth” bill and sandbox powers rather than horizontal AI legislation, and DSIT launched an AI Growth Lab sandbox consultation in late 2025. There is no general “label your AI voice” statute; deepfake provisions sit in the Online Safety Act 2023 and the DUAA, and are abuse-focused, not commercial-voice labelling. The practical effect: lighter AI-specific friction than the EU, but real PECR and biometric enforcement.


Switzerland

Jurisdiction stack: outside the EU, governed by the revised Federal Act on Data Protection (revFADP / nFADP), in force since 1 September 2023, with a full EU adequacy decision (reconfirmed January 2024), so EU-to-Switzerland flows are free. Regulator: the FDPIC. No AI Act yet. EU residents pull in the EU AI Act and GDPR.

Where it bites:

  • Recording without all-party consent is a crime. Swiss Criminal Code Article 179bis (recording by a non-participant) and Article 179ter (recording by a participant) make recording a non-public conversation without the consent of all participants a criminal offence. The FDPIC stresses that consent must be obtained before recording. Every recorded call in Switzerland needs an all-party consent gate, not a passive notice.
  • Voice is sensitive data by statute. The revised FADP added biometric data that uniquely identifies a person to the “sensitive personal data” category, and the definition expressly covers voice recordings used for unique identification. Sensitive-data processing triggers heightened consent and security duties.
  • Penalties land on individuals, not just the company. Switzerland has no GDPR-style administrative fines. Instead, the FADP imposes criminal fines of up to CHF 250,000 on the responsible natural person for intentional serious breaches (including breaching information duties or transfer rules). The FDPIC investigates and can order remediation but cannot itself levy fines.

The AI posture: no comprehensive AI law. Switzerland signed the Council of Europe Framework Convention on Artificial Intelligence on 27 March 2025 and plans targeted legal changes, with a consultation draft due by the end of 2026. The FDPIC confirmed in May 2025 that the FADP already applies directly to AI systems processing personal data, including a duty to inform people of solely-automated decisions with significant effects.


Turkey

Jurisdiction stack: governed by KVKK (Law No. 6698), amended by Law No. 7499 (effective 1 June 2024), which modernised the special-category rules and introduced a GDPR-style three-tier international transfer regime (adequacy, standard contractual clauses or binding rules, derogations). No EU adequacy decision. Regulator: the KVKK authority.

Where it bites:

  • Recording is criminal and all-party. Turkish Penal Code Articles 132–134 make recording private conversations without all parties’ consent a crime: a participant who secretly records faces 6 months to 2 years, and third-party recording of a conversation 2 to 5 years (up to 6 years for intercepting the content of communications). The KVKK adds a lawful-basis and notice duty on top.
  • Voiceprints are special-category data under KVKK Article 6, and the authority has issued a dedicated Guideline on Processing Biometric Data requiring explicit consent and enhanced security. Fines for data-security failures reach TRY 17 million in the 2026 schedule, alongside criminal liability for unlawful recording.

The AI posture: no comprehensive AI law in force, but a Draft Law on AI-Generated Content was submitted to Parliament in November 2025. It would mandate “Generated by Artificial Intelligence” labelling for synthetic content, a 6-hour takedown window, and BTK and KVKK enforcement, with fines of TRY 500,000 to 5,000,000. Treat AI-voice labelling as a likely near-term requirement.


Ukraine

Jurisdiction stack: governed by the pre-GDPR Law on Personal Data Protection No. 2297-VI (2010), light-touch and not EU-adequate. The GDPR-alignment reform, Draft Law No. 8153, passed first reading on 20 November 2024 but is not yet enacted. Regulator: the Parliament Commissioner for Human Rights (Ombudsperson).

Where it bites:

  • Recording is all-party and constitutionally protected. Article 31 of the Constitution plus Criminal Code Articles 163 and 182 make recording lawful only with the recorded person’s consent or a court order. Get explicit consent at call start.
  • Enforcement is modest today, but about to jump. Current fines are small (roughly €170 to €425). Draft Law 8153 would add GDPR principles, special categories (covering biometric voiceprints), an independent DPA, and fines up to UAH 150 million or 8% of turnover. Build to the GDPR now, because the reform is on the EU-accession track.

The AI posture: a deliberate bottom-up, voluntary-first approach aligned to the EU AI Act for accession. Ukraine published an AI Regulation Roadmap (2023) and White Paper (2024) and endorsed a voluntary Code of Conduct on ethical AI in December 2024. No binding AI law yet.


Georgia

Jurisdiction stack: governed by the GDPR-modelled Law on Personal Data Protection No. 3144 (main provisions in force 1 March 2024), but not EU-adequate. No AI law, no AI regulator, no national AI strategy.

Where it bites:

  • Audio monitoring is consent-based. Recording is permissible with the data subject’s consent plus narrow exceptions; the controller must document purpose, scope, and retention, and notify the data subject in advance or promptly. Biometric data, including voiceprints, is special-category and needs explicit consent.
  • The regulator just changed. The independent Personal Data Protection Service was abolished on 2 March 2026, with its functions moved to the State Audit Office, a change criticised over regulator independence. Penalties remain modest (roughly GEL 1,000 to 10,000, set partly by reference to turnover).

The Western Balkans and Moldova

None of these EU-candidate states holds an adequacy decision, and all are harmonising with the GDPR to varying degrees. For any EU caller data, build to the GDPR. AI-specific binding rules are largely absent; Serbia is the regional front-runner.

  • Serbia. The Law on Personal Data Protection (2018, in force August 2019) is largely GDPR-harmonised, enforced by the Commissioner for Information of Public Importance and Personal Data Protection. Serbia is the regional AI leader: its national AI strategy (2025–2030) aligns with the EU AI Act, it hosted the Belgrade Ministerial Declaration on AI (December 2024), and it holds the GPAI presidency for 2025–2027.
  • Moldova. EU candidate since 2022, modernising its data-protection law toward the GDPR. Regulator: the National Center for Personal Data Protection.
  • North Macedonia. GDPR-aligned Law on Personal Data Protection (2020). Regulator: the Agency for Personal Data Protection.
  • Albania. Adopted a new GDPR-aligned data-protection law (2024–2025). Regulator: the Information and Data Protection Commissioner.
  • Montenegro. GDPR alignment ongoing; an accession frontrunner. Regulator: the Agency for Personal Data Protection.
  • Bosnia and Herzegovina. Still on an older 2006 law, not yet fully GDPR-aligned (flag this gap). Regulator: the Agency for Personal Data Protection.

Across the region, treat the recording rule conservatively (consent at call start) and the AI layer as the EU AI Act applied extraterritorially whenever you serve EU users.


Sector overlays: finance and health

Outside the EU, the sector regulators add the binding ceiling, and neither the UK nor Switzerland regulates AI as a category. They pull a voice agent in by what it does.

UK finance: the duty to record, and the duty of good outcomes

The most distinctive rule in the region is a positive duty to record. Under FCA Handbook SYSC 10A (implementing MiFID II Article 16(7)), firms handling client orders must take all reasonable steps to record order-related calls, including calls intended to result in an order even if none does, and retain them for five years (extendable to seven) on firm-controlled, retrievable infrastructure. This is the inverse of the general one-party-permissive rule: client refusal does not waive it, and the firm must not take the order on an unrecorded channel.

On top sits the FCA Consumer Duty (in force 31 July 2023), which is technology-neutral and judges the outcome, not whether a human or a bot delivered it. A voice agent must produce understandable communications, avoid foreseeable harm, and detect vulnerability signals and route them to a human (FCA finalised guidance FG21/1). The FCA has stated it will not write bespoke AI rules; existing principles apply. Vendors are governed as a (material) outsourcing arrangement under SYSC 8 and the operational-resilience regime (SYSC 15A), with the regulated firm carrying the liability.

UK health and employment

A voice agent doing symptom assessment or triage can be software as a medical device under MHRA rules, where breach is a criminal offence (up to six months’ imprisonment and an unlimited fine); a booking bot is not. For workers, the ICO’s monitoring guidance states that continuous audio recording is “unlikely to be justifiable in most circumstances”, and its November 2024 AI-recruitment audit found tools inferring gender and ethnicity from voice and names without a lawful basis.

Switzerland: governance duties, but no duty to record

FINMA Guidance 08/2024 (18 Dec 2024) applies existing governance rules to any AI use by a supervised institution: an AI inventory, risk classification, testing, documentation, explainability, and independent review, with responsibility that cannot be outsourced. Outsourcing (Circular 2018/3) gives the institution, its auditors, and FINMA unrestricted audit rights over the vendor. Crucially, Switzerland imposes no general statutory duty to record client-order calls (FinSA requires documentation, not recording), the clean contrast with the UK. Where recording does happen, it is sensitive-data processing under the revised FADP, with the usual personal criminal liability up to CHF 250,000.

Turkey: a hard localisation wall

For banks, the BDDK’s IT regulation requires primary and secondary systems to stay on Turkish soil. Any cloud or AI voice vendor touching primary-system data must host it in Turkey, a binding architectural constraint that no contractual safeguard removes.

The UK inversion: a legal duty to record

Everywhere else in this guide, recording is something you are permitted to do if you disclose it. For UK firms handling client orders, recording is something you are required to do. Under SYSC 10A, every order call (including attempted and abandoned orders) must be recorded on firm-controlled infrastructure and kept five to seven years, and a client’s refusal does not release the firm, it just means the order cannot be taken on that channel. Switzerland, by contrast, imposes no such duty at all. Same continent, opposite defaults.


Compliance Framework for Non-EU Europe

1. Fix data transfers by adequacy status

For the UK and Switzerland, EU caller data flows freely on the adequacy decisions. For every other country here (Turkey, Ukraine, Georgia, the Balkans), moving EU resident data in or out needs explicit safeguards: standard contractual clauses, or explicit informed consent, plus a transfer risk assessment.

Switzerland, Turkey, and Ukraine impose criminal or constitutional all-party recording rules, stricter than the EU’s GDPR-only default. The UK is one-party but still needs disclosure for business use. Design a single audible all-party consent gate at the start of the call and it works across the whole region.

3. Treat voiceprints as sensitive everywhere

The UK (Article 9), Switzerland (sensitive data by statute), and Turkey (KVKK Article 6) all classify voiceprints as special-category or sensitive data needing explicit consent. The HMRC deletion of 5 million voiceprints is the cautionary precedent.

4. Assume the EU AI Act reaches you

If any of your callers are EU residents, AI Act Article 50 disclosure and the GDPR apply extraterritorially from your UK or Swiss base. Build start-of-call AI disclosure now rather than treating it as an EU-only problem.

5. Watch the reform pipeline

Ukraine (Draft Law 8153, fines to 8% of turnover), Turkey (the AI-content labelling bill), and Switzerland (the Council of Europe AI Convention implementation) are all moving. Today’s light-touch jurisdictions will not stay light-touch.


Regulatory Horizon (Next 12 Months)

DevelopmentStatusPractical preparation
UK adequacyRenewed Dec 2025, valid to 27 Dec 2031Settled; no near-term SCC fallback needed
UK DUAA commencementRoyal Assent June 2025, stagedApply the ADM safeguards; keep biometric decisions in the stricter lane
Turkey AI-content labelling lawDraft submitted Nov 2025Prepare “Generated by AI” labelling and takedown handling
Ukraine Draft Law 8153Passed first reading Nov 2024Build to the GDPR now; fines jump to 8% of turnover if enacted
Switzerland AI ConventionSigned Mar 2025; draft due end-2026Expect transparency and automated-decision duties to harden
Georgia regulator transitionService abolished Mar 2026Re-confirm the competent authority before relying on guidance

Conclusion

Outside the EU, there is no single rulebook to get right. There are three axes that decide your exposure country by country: adequacy (does EU data flow freely), the recording regime (one-party, or criminal all-party), and whether any AI law applies yet. The two markets worth real engineering effort, the UK and Switzerland, both hold EU adequacy but diverge sharply on recording: the UK is one-party with active PECR and biometric enforcement, while Switzerland makes an unconsented recording a crime and treats voice as sensitive data by statute.

The unifying move is simple. Default your call flow to all-party consent, treat every voiceprint as special-category data, and assume the EU AI Act’s Article 50 disclosure reaches you the moment an EU resident is on the line. Get those three right and the rest of the non-EU map becomes a transfer-safeguards and reform-tracking exercise, not a minefield.


Frequently Asked Questions

Does the EU AI Act apply to a UK or Swiss voice AI company?

Yes, if your system’s output is used in the EU. AI Act Article 2 gives it extraterritorial reach, so a UK or Swiss voice agent handling EU residents must meet the Article 50 disclosure duty (tell callers they are talking to AI, from 2 August 2026) regardless of where the company sits. The GDPR applies the same way under its Article 3.

Can I record calls in Switzerland the way I do in the UK?

No. The UK is effectively one-party (a participant can record, with disclosure for business use), but Switzerland makes recording a non-public conversation without all participants’ consent a criminal offence under Criminal Code Articles 179bis and 179ter. You need an audible all-party consent gate before any audio is stored.

Which non-EU European countries have EU data adequacy?

Among the markets in this guide, only the United Kingdom and Switzerland hold full EU adequacy decisions, so EU caller data flows to them without extra safeguards. Turkey, Ukraine, Georgia, and the Western Balkans do not, so transfers of EU resident data need standard contractual clauses or explicit consent plus a transfer risk assessment.

Is a voiceprint regulated in the UK?

Yes. The ICO treats a voiceprint used for identification or verification as special-category biometric data under the UK GDPR, requiring a lawful basis, an Article 9 condition (usually explicit consent), and a DPIA. HMRC was ordered to delete around 5 million voiceprints collected without a valid lawful basis.

Do AI voice marketing calls need consent in the UK?

Yes. Automated and AI-voice marketing calls require prior specific consent under PECR. The ICO fined two companies a combined £550,000 in September 2025 for unlawful calls made with AI avatar software, and the Data Use and Access Act 2025 raised the PECR fine ceiling to £17.5 million or 4% of global turnover.

Which non-EU European country is strictest for voice agents?

Switzerland for recording and biometrics (criminal all-party consent plus voice as statutory sensitive data), with Turkey close behind (criminal all-party recording plus a pending AI-content labelling law). Ukraine is also strict on recording today but light on enforcement, a balance that will shift once Draft Law 8153 is enacted.

Pay-by-Bank and Agentic Commerce: What ACP, AP2, MCP, and UCP Actually Enable

Can Pay-by-Bank Work With Agentic Commerce Protocols?

Native AI checkout distribution is still gated. Pay-by-Bank providers can still build hosted sessions, bank authorization handoff, webhooks, status APIs, and AP2-ready consent records now.

AI Commerce Payments: How Checkout Works in ChatGPT, Gemini, and Claude

How AI Checkout Actually Works

How AI shopping payments work today: what is live, whether you can connect your store now, and the concrete steps a US merchant can take this week.

How to Make Your Store Visible to AI Shopping Agents

How to Make Your Store Visible to AI Shopping Agents

AI shopping visibility starts with distribution paths, but it only works when your catalog, variants, inventory, policies, and checkout can be read by agents without guessing.

EU Voice AI Regulations 2026: AI Act, GDPR & Call Recording

EU & EEA Voice AI Regulations 2026: AI Act, GDPR, ePrivacy, and the Country Mosaic

One rulebook on paper, 27 regimes in practice. The same recorded call is routine in Dublin and a criminal offence in Berlin.

Middle East Voice AI Regulations 2026: UAE (PDPL, DIFC, ADGM), Saudi PDPL, Israel, GCC

Middle East Voice AI Regulations 2026: UAE, Saudi Arabia, Israel, and the GCC

In the Gulf, recording a call without consent is a crime, not a fine. Data may not leave the country – and your voiceprint feature may need a regulator's permit.

Multilingual Voice AI Agents and Code-Switching: The Engineering Guide for Real-Time ASR and TTS

The Code-Switching Gap: Where Multilingual Voice AI Loses Callers Mid-Sentence

Hinglish and Spanglish callers do not speak one language per call. Here is how to build an ASR-to-TTS pipeline that follows them across the switch instead of breaking on it.

Lowest-Latency Voice AI Agents: The Engineering Budget From Microphone to Speaker

The Core Latency Budget: Every Millisecond Between Microphone and Speaker

Streaming is not an answer. Here is the full turn-gap budget broken into twelve components, each in milliseconds, with the techniques that actually move the number.

Voice Prompt Engineering for AI Agents: Why Text Prompts Break in Real-Time Audio

Voice-Specific Prompt Engineering: Why Text Prompts Break in Real-Time Audio

A prompt that works in ChatGPT reads markup aloud, says 'two thousand five' for a year, and talks over the caller. Here is the prompt-engineering playbook for streaming voice agents.