AI Regulation and Compliance at the Physical Layer

AI Regulation and Compliance at the Physical Layer

The EU AI Act, UK AI regulation and ICO guidance on AI surveillance create specific compliance requirements for the physical network infrastructure supporting AI systems in commercial buildings. This is the compliance argument for physical layer security that nobody in the sector has written yet.

By Wayne Connors·Managing Director, BICSI RCDD·Published June 2026·Reviewed July 2026·8 min read
BICSI member Fluke DSX test evidence 28+ years trading London, Kent and the South East

Regulation is catching up with AI deployment

The EU AI Act came into force in August 2024. The UK government published its AI Regulation: a pro-innovation approach in 2023 and has been progressively implementing sector-specific guidance since. The ICO published detailed guidance on AI and data protection under UK GDPR in 2022 and updated it in 2024. For organisations deploying AI systems in commercial buildings, AI-powered CCTV with facial recognition, AI access control systems, AI building management platforms processing occupancy data, compliance is not optional and is not a future consideration. It is a current legal obligation.

What the compliance frameworks require at the physical infrastructure level is less well understood than their software and governance requirements. This piece addresses that gap.

The EU AI Act and UK AI regulation: infrastructure requirements

The EU AI Act classifies AI systems by risk level. AI systems used for biometric identification, emotion recognition, or remote biometric surveillance are classified as high-risk and subject to the most stringent requirements. AI-powered CCTV systems with facial recognition or behavioural analysis capabilities fall into this category.

High-risk AI systems must maintain detailed logs of system inputs, outputs and decisions, including audit trails of when and where the system operated, what it identified, and what decisions or alerts it generated. Those logs must be stored securely, with access controls, for defined retention periods. The network and storage infrastructure that supports these audit trail requirements must be specified, documented and demonstrably fit for purpose.

For UK organisations, the UK AI regulation framework applies a similar risk-based approach through sector regulators, the FCA, the ICO, the CQC, rather than a single cross-sector act. The practical compliance requirements for AI building systems are broadly aligned with the EU approach: audit trails, access controls, data minimisation, transparency to data subjects.

An AI CCTV system that captures facial recognition data and stores it on a network that is not adequately segmented from other business systems creates a data protection liability, not just a technical risk.

The physical network separation of AI surveillance systems from corporate data systems is a GDPR compliance requirement, not just a security best practice. Article 25 of UK GDPR requires data protection by design, and physical network architecture is part of that design.

The network and storage infrastructure behind AI audit trails must be specified, documented and demonstrably fit for purpose.

ICO guidance on AI and surveillance

The ICO’s guidance on AI and data protection is clear on several points relevant to building infrastructure. First, facial recognition technology for access control or monitoring is biometric data processing under UK GDPR, requiring a lawful basis, a Data Protection Impact Assessment, and clear signage informing data subjects. Second, AI systems that profile individuals based on movement or behaviour patterns are processing personal data, even if no facial recognition is involved. Third, data minimisation applies, AI systems should capture and retain only the data that is necessary for the specified purpose, and for no longer than necessary.

The physical infrastructure implications of the ICO’s guidance include: dedicated, physically segmented storage and network infrastructure for AI surveillance data; access controls on that infrastructure that are auditable; retention policies enforced at the storage and network level, not just at the application level; and physical security for the comms room housing the infrastructure that processes biometric and surveillance data.

Key point

What compliance frameworks require at the physical infrastructure level is far less understood than their software and governance requirements.

The compliance checklist for AI infrastructure specification

  • Network segmentation: AI surveillance and biometric systems on dedicated VLAN or physically separate network, isolated from corporate data traffic
  • Comms room access control: Access-controlled comms room with auditable entry log for the infrastructure housing AI systems
  • Storage infrastructure: Dedicated, access-controlled NVR or server storage for AI system data, with documented retention and deletion schedules
  • Cabling documentation: Complete TIA-606-B asset labelling and as-built documentation, enabling auditors to trace every connection in the AI system infrastructure
  • DPIA records: Physical infrastructure specification documented as part of the Data Protection Impact Assessment for each AI system
  • Signage: ICO-compliant signage at all entry points to areas covered by AI surveillance systems
Biometric data: the highest-risk category

Biometric data, including facial recognition data, fingerprints and iris scans, is special category data under UK GDPR. Processing it without a lawful basis under Article 9 UK GDPR is unlawful. For access control systems using biometric readers, the lawful basis is typically explicit consent from each individual enrolled in the system.

The infrastructure implication: biometric data must be stored on access-controlled, encrypted storage. The network carrying biometric data must be physically or logically separated from general business networks. The comms room housing this infrastructure must have its own access control and audit log. ACCL can specify and install all of these elements as part of a biometric access control project.

Standards and sources

Frequently asked questions

Does the EU AI Act apply to UK businesses?

The EU AI Act applies to AI systems placed on the EU market or used in the EU, including by UK businesses operating in EU member states. UK businesses operating exclusively in the UK are subject to UK AI regulation, which is implemented through sector regulators rather than a single cross-sector act. However, the practical compliance requirements are broadly aligned with the EU approach. Any UK business with EU operations, EU customers, or EU employees should assess EU AI Act compliance alongside UK regulatory requirements.

Is AI-powered CCTV compliant with UK GDPR?

AI-powered CCTV can be operated compliantly under UK GDPR, but requires a lawful basis for processing, a Data Protection Impact Assessment, ICO-compliant signage, data minimisation (retaining footage only as long as necessary for the stated purpose), and appropriate technical and organisational security measures. AI systems that perform facial recognition or behavioural profiling process biometric or sensitive personal data and require additional safeguards. The ICO’s guidance on CCTV and AI is the primary reference for compliance planning.

What is a Data Protection Impact Assessment and when is it required for AI systems?

A Data Protection Impact Assessment (DPIA) is a structured analysis of the data protection risks of a processing activity, required under UK GDPR Article 35 when processing is likely to result in high risk to individuals. AI systems that perform systematic monitoring of individuals, process biometric data, or make automated decisions with significant effects are all likely to require a DPIA. The DPIA should document the purpose of the AI system, the data it processes, the technical and organisational measures in place to protect it, including the network architecture, storage security, and access controls, and the residual risk assessment.

Does physical network separation count as a GDPR security measure?

Yes. UK GDPR Article 32 requires appropriate technical measures to protect personal data against unauthorised access. Physical network separation, dedicated cable runs, dedicated switch hardware, access-controlled comms rooms, constitutes a technical security measure that reduces the risk of unauthorised access to personal data processed by AI systems. It complements VLAN-based logical separation and is particularly appropriate for systems processing special category data such as biometric information.

Find out if your infrastructure is ready

A physical layer audit takes less than a day. It tells you exactly what your building’s cabling can support, what needs upgrading, and what it will cost before you commit to systems that depend on infrastructure you have not yet verified.

0333 900 0101