Author: Roberto Bernardi

  • How the EU AI Act Is Already Changing How Tech Companies Build Products

    How the EU AI Act Is Already Changing How Tech Companies Build Products

    The EU AI Act became fully enforceable in stages from 2025 onwards, and by mid-2026 the practical consequences are landing hard on product and engineering teams. This is not a piece of paper to file and forget. EU AI Act compliance tech companies are dealing with requires rewiring how models get built, deployed, and monitored — and the adjustments are costly, complex, and genuinely interesting from a systems standpoint.

    If you build software that touches EU citizens, regardless of where your company is headquartered, the regulation applies. That includes Manchester-based SaaS businesses with clients in Germany, Edinburgh fintechs processing data for French banks, and any UK startup that pivoted to pan-European markets after Brexit. The territorial reach is the first thing many developers have got wrong.

    Software developers working on EU AI Act compliance tech companies requirements in a modern UK office
    Software developers working on EU AI Act compliance tech companies requirements in a modern UK office

    Risk Tiers: The Framework That’s Reshaping Product Architecture

    The Act establishes a tiered risk model. Unacceptable-risk AI is banned outright — things like social scoring systems or real-time biometric surveillance in public spaces. High-risk AI covers hiring tools, credit scoring, CV screening, educational assessment, and critical infrastructure management, amongst others. Limited and minimal-risk categories have lighter requirements, though transparency obligations still apply.

    Product teams building in the high-risk category are discovering that compliance is not a post-launch checkbox. It is an architectural decision that shapes the model’s entire lifecycle. Specifically, high-risk systems must maintain detailed technical documentation, implement human oversight mechanisms, ensure data quality and governance, enable logging sufficient for post-incident review, and pass conformity assessments before market entry. That last point is the one that’s generating the most friction in sprint planning right now.

    I’ve spoken to several engineering leads in the UK who describe the Act’s documentation requirements as, essentially, forcing a level of rigour they should probably have had anyway. One developer at a London RegTech firm described it as “the GDPR moment for machine learning” — painful initially, but ultimately clarifying. The analogy holds up. GDPR changed default data handling practices across the industry; the AI Act is doing the same for model governance.

    What Developers Are Actually Changing in Their Pipelines

    The practical changes happening inside product teams right now fall into a handful of categories.

    Training Data Audits

    High-risk systems must demonstrate that training, validation, and testing datasets meet quality criteria — meaning developers need provenance records for data. Teams are retrofitting data lineage tooling, often finding their existing infrastructure was never built with auditability in mind. This is time-consuming and, frankly, embarrassing for anyone who assumed their scraping pipeline was fine.

    Model Cards and Technical Documentation

    The Act mandates technical documentation covering system purpose, design logic, training methodology, and performance metrics across different user groups. Many teams are adopting something close to Google’s model card format, though UK-developed equivalents are emerging through bodies like the Alan Turing Institute. The documentation must be kept updated — a point that tends to get deprioritised after launch unless someone owns it explicitly.

    Logging and Post-Market Monitoring

    High-risk systems must generate logs enabling reconstruction of their operation over a defined retention period. For regulated sectors like finance or healthcare, this integrates with existing requirements from the FCA or CQC, but for product teams in less regulated verticals, it is entirely new infrastructure. The overhead is non-trivial: storing model inference logs at scale costs real money and requires a data retention policy that legal, engineering, and product all agree on.

    Human Oversight by Design

    This is arguably the most culturally difficult change. The Act requires high-risk systems to be designed so that humans can interpret outputs, intervene, and override decisions. For teams that have been building toward maximum automation, this represents a philosophical u-turn. It is not enough to have a human theoretically in the loop; the system must be legible enough for a non-expert human to make a meaningful intervention.

    Developer reviewing EU AI Act compliance documentation and model risk tier architecture on a laptop
    Developer reviewing EU AI Act compliance documentation and model risk tier architecture on a laptop

    The Conformity Assessment Problem for Smaller Teams

    Large enterprises can absorb the cost of a formal conformity assessment. They have legal departments, compliance officers, and budget for external auditors. A 12-person startup building an AI-driven hiring tool — which falls squarely in the high-risk category — faces the same requirements with a fraction of the resource.

    The European Commission has signalled that it wants to make conformity pathways accessible to SMEs, but the practical infrastructure for that is still being built. In the meantime, UK businesses serving EU markets are largely working with specialist legal firms or leaning on guidance from the UK Government’s AI regulation framework, which takes a lighter-touch approach domestically but acknowledges the Act’s extraterritorial reach for anyone with EU exposure.

    There is a real divergence opening up between UK and EU approaches. Post-Brexit, the UK has opted for a sector-led, non-statutory model for now — meaning the FCA, Ofcom, CQC, and others are each developing their own AI guidance rather than a single overarching law. For UK tech businesses operating in both markets, that means compliance against two different frameworks simultaneously. Not ideal.

    What Businesses Outside Europe Still Need to Know

    EU AI Act compliance tech companies need to understand applies based on where outputs are used, not where the company is based. A UK firm building a recruitment AI that screens candidates in France is subject to the Act’s high-risk provisions. A Belfast startup providing AI-driven credit decisioning to Irish customers has obligations from day one of deployment.

    The key practical steps for any UK business with EU market exposure: identify which risk tier your systems fall into, map your data provenance now rather than retrospectively, appoint someone to own ongoing compliance (not just implementation), and get legal advice before assuming your domestic approach is sufficient.

    Enforcement is still ramping up. National competent authorities in EU member states are being designated and resourced, and the European AI Office is the central body for general-purpose AI models. Fines for non-compliance with high-risk obligations can reach €15 million or 3% of global annual turnover, whichever is higher. For prohibited AI practices, that rises to €35 million or 7%. These are not theoretical numbers.

    The Silver Lining for Builders Who Get Ahead of This

    There is a genuine competitive angle here that does not get discussed enough. EU AI Act compliance tech companies achieve a form of product differentiation in enterprise sales cycles. Procurement teams at large European organisations are already asking for compliance evidence in RFP processes. Being able to demonstrate conformity, robust logging, and documented human oversight is a sales asset, not just a legal obligation.

    The teams I’ve seen handle this best are the ones treating compliance as an engineering discipline rather than a legal problem. They have added compliance requirements to their definition of done, built tooling that generates documentation artefacts as a by-product of normal development, and treat model monitoring as part of production infrastructure. It requires upfront investment, but the operational overhead over time is far lower than bolting compliance on retrospectively.

    The EU AI Act is not going away. It is the most comprehensive AI governance framework in force anywhere in the world right now, and its influence on global standards — including those that will eventually emerge in the UK — is significant. Building to its requirements, even where you are not strictly obliged to, is probably the right engineering call for any team that expects to be operating in five years’ time.

    Frequently Asked Questions

    Does the EU AI Act apply to UK companies that don't operate in Europe?

    If your AI system’s outputs are used by people in the EU, the Act applies regardless of where your business is based. A UK company with no EU office but with EU-based users or clients still has obligations if its AI falls into a regulated risk category.

    What counts as a high-risk AI system under the EU AI Act?

    High-risk systems include AI used in hiring and CV screening, credit scoring, educational assessment, healthcare diagnostics, critical infrastructure, and law enforcement. If your product makes or significantly influences decisions in these areas, you are in the high-risk tier and face the full compliance requirements.

    How much does EU AI Act compliance cost for a small tech business?

    Costs vary widely depending on your system’s risk tier and how much technical debt exists in your current pipeline. For high-risk systems, expect meaningful investment in legal advice, technical documentation tooling, data lineage infrastructure, and potentially an external conformity assessment. Some estimates put initial compliance costs for a small team at £50,000 to £150,000, though this depends heavily on your existing engineering practices.

    What is the difference between the EU AI Act and the UK's approach to AI regulation?

    The UK has opted for a non-statutory, sector-led approach where existing regulators like the FCA, Ofcom, and CQC each develop AI guidance within their domains. The EU AI Act is a single overarching law with cross-sector applicability and significant fines for non-compliance. UK businesses selling into the EU must comply with the Act regardless of the UK’s domestic approach.

    When does EU AI Act compliance actually become mandatory?

    The Act has been phasing in since 2025. Provisions for unacceptable-risk AI applied from February 2025, obligations for general-purpose AI models from August 2025, and high-risk system requirements are rolling in through 2026. If you are building or deploying regulated AI today, compliance obligations are already live for several categories.

  • Inside the Postcode Lottery of UK Gigabit Broadband: What the Coverage Maps Don’t Tell Businesses

    Inside the Postcode Lottery of UK Gigabit Broadband: What the Coverage Maps Don’t Tell Businesses

    The government’s gigabit broadband programme has a headline target that reads well in a press release: gigabit-capable connectivity to the vast majority of UK premises by the end of 2030. Ofcom’s latest Connected Nations report puts gigabit availability across the UK at around 82% of premises. On paper, that sounds like progress. In practice, if you run a small business from a converted mill in Huddersfield, a light industrial unit outside Shrewsbury, or a high street shop in a market town in Lincolnshire, that number means almost nothing to you.

    The gap between the coverage maps and the actual experience of UK SMEs is significant, and for cloud-dependent operations it is starting to have very real commercial consequences. This is not a story about slow internet being mildly annoying. It is about broadband speeds determining whether certain businesses can function at all.

    Semi-rural UK market town with mixed commercial premises illustrating the UK gigabit broadband coverage gap
    Semi-rural UK market town with mixed commercial premises illustrating the UK gigabit broadband coverage gap

    What the Gigabit Coverage Maps Actually Show (And What They Don’t)

    Coverage maps typically record whether a premises is reachable by a gigabit-capable network. That is a very different thing from whether that premises has a verified connection delivering gigabit speeds. Infrastructure can run past a building without connecting to it. A provider can register coverage without offering a commercially viable product at that address. And “gigabit-capable” does not mean the line will perform at gigabit speeds under real-world load conditions.

    The distinction matters enormously for businesses. An SME uploading large design files to cloud storage, running video calls across multiple staff, syncing ERP data in real time, or relying on cloud-hosted software for daily operations needs consistent, verified upload and download throughput. The stated potential of nearby infrastructure is not the same as the bandwidth that arrives at the router.

    Mixed-use commercial areas sit in a particularly awkward middle ground. Residential streets may have been upgraded because they represent high-density demand; the nearby business park, converted warehouse, or edge-of-town light industrial estate often has not. These premises exist in the gaps that neither full-fibre residential rollout nor large enterprise connectivity programmes tend to prioritise.

    Which Regions Are Falling Behind on Business Connectivity?

    The regional picture is uneven. London and major urban centres have seen competitive full-fibre rollout from providers including Openreach, CityFibre, and Virgin Media O2. But move into semi-rural England, large parts of Wales, Scotland beyond the central belt, and Northern Ireland outside Belfast, and the picture changes sharply.

    Project Gigabit, the government’s £5 billion programme targeting the hardest-to-reach premises, is making progress in some of these areas. But procurement has been slow. Several regional contracts have taken longer than anticipated to reach build phase, and the SMEs in those areas are not waiting around. They are making do with FTTC (fibre to the cabinet) connections that might deliver 50 to 80 Mbps on a good day, or in some cases, still relying on legacy ADSL lines with upload speeds that can barely sustain a single video call.

    The challenge for businesses in these regions is that cloud-dependent operations are not optional anymore. Making Tax Digital has pushed accountancy to cloud platforms. Remote and hybrid working has made video infrastructure baseline. SaaS tools, from project management to customer relationship management, require reliable latency and sustained throughput. Telling a business in rural Worcestershire to “use a mobile connection as backup” is not a serious answer when 4G coverage is also patchy and 5G is years away for most semi-rural postcodes.

    UK small business owner checking broadband speeds on a laptop, highlighting UK gigabit broadband access issues
    UK small business owner checking broadband speeds on a laptop, highlighting UK gigabit broadband access issues

    What Verified Connection Speeds Mean for Cloud Operations

    Speed tests give a snapshot, not a guaranteed service level. For most SMEs without formal service level agreements, there is no contractual commitment to minimum performance. Consumer-grade and small business broadband products often lack the uptime guarantees and dedicated capacity that enterprise leased lines provide. The problem is that leased lines, which do come with robust SLAs, can cost anywhere from £300 to over £1,000 per month depending on location and bandwidth, which is not viable for a 10-person business operating on tight margins.

    The consequence is that some businesses in connectivity-poor postcodes are effectively running cloud-dependent operations on infrastructure that cannot reliably support them. File sync failures, dropped VoIP calls, lagging CRM tools, and interrupted video collaboration are not just inconveniences; they introduce errors, slow down sales cycles, and erode client confidence. I have spoken to businesses in market towns who have genuinely relocated part of their team to a nearby city co-working space just to get reliable connectivity, which is an absurd cost to absorb.

    There is also a less visible cost: the opportunity gap. Businesses in well-connected areas can adopt newer technologies, including AI-assisted tools, large-scale data processing, and real-time analytics, far more quickly. The broadband divide is quietly becoming a productivity and competitiveness divide.

    The Lobbying Tools UK SMEs Actually Have

    This is where things get practical. SMEs are not without options, though “lobbying” might be too grand a word for what is often a scrappy, under-resourced effort.

    The most immediate tool is the Ofcom checker and the Openreach Fibre Availability tool. If your premises is incorrectly registered as having coverage when it does not, you can flag this formally. It sounds mundane but coverage data informs which areas receive public subsidy, so inaccurate records have real consequences for investment decisions.

    Beyond that, the Federation of Small Businesses (FSB) and local Chambers of Commerce are the most credible advocacy channels for SMEs pushing on connectivity issues. The FSB has consistently pushed DCMS and Ofcom on the business-specific connectivity gap, and their reports carry weight in policy circles. If your local Chamber does not already have a working group on digital infrastructure, proposing one is a reasonable first move.

    Some LEPs (Local Enterprise Partnerships) still have digital infrastructure workstreams, though their influence has shifted somewhat following the creation of mayoral combined authorities. If you are in a region with a metro mayor, that office often has more direct pull on infrastructure investment than a district council.

    Community fibre projects are also worth investigating. B4RN in rural Lancashire is the canonical example of a community-owned gigabit network that outperformed what any commercial provider was willing to deliver. Similar models have appeared elsewhere. They take time and organising effort, but they work.

    For creators and business owners managing their digital presence whilst dealing with patchy connectivity, even smaller decisions matter. Choosing lightweight platforms, optimising content delivery, and using tools that work efficiently on lower bandwidth connections can make a real difference day to day. Something as simple as switching to a well-optimised link in bio tool that loads fast on mobile rather than a bloated web builder reduces friction for your audience, regardless of your own connection speed.

    What Needs to Change at the Policy Level

    The core problem is that coverage targets are a political metric, not an economic one. A government can report gigabit coverage percentages without those percentages translating into businesses that can actually use gigabit connections. The focus needs to shift toward verified uptake, business-specific SLA standards for subsidised connections, and a mandatory audit mechanism for commercial premises coverage data.

    There is also an argument for ring-fencing a portion of Project Gigabit funding specifically for mixed-use commercial and light industrial areas that fall outside the residential rollout economics. Right now, those premises exist in a no-man’s-land between programmes that do not quite fit them.

    UK gigabit broadband ambition is real. The engineering capability to deliver it is real. The problem is that the programme architecture has prioritised the metrics that are easiest to measure, and businesses in semi-rural and mixed-use postcodes are the ones living with the gap between the map and the reality. That gap has a commercial cost, and it is time the coverage data started reflecting it honestly.

    Frequently Asked Questions

    What is UK gigabit broadband and how fast is it?

    UK gigabit broadband refers to broadband connections capable of delivering speeds of 1 Gbps (1,000 Mbps) or more. In practice, most business users with gigabit products see real-world speeds somewhat below that peak, but significantly faster than standard FTTC connections, which typically cap out at around 80 Mbps download.

    How do I check if my business premises qualifies for gigabit broadband?

    You can use Ofcom’s postcode checker at checker.ofcom.org.uk or the Openreach Fibre Availability tool to see what infrastructure is registered as available at your address. If the result does not match your actual experience, you can raise a formal inaccuracy report with Ofcom or contact your provider directly.

    What is Project Gigabit and does it cover businesses?

    Project Gigabit is the UK government’s £5 billion programme to bring gigabit-capable broadband to premises in areas that commercial providers would not otherwise reach. It covers residential and business premises in eligible areas, though the programme has faced delays and many business-use premises in semi-rural and mixed-use commercial zones have found themselves outside the targeted footprint.

    What can I do if my business is stuck on a slow connection while waiting for a gigabit upgrade?

    Short-term options include bonded broadband (combining multiple lines for increased bandwidth), 4G or 5G fixed wireless access where signal quality is sufficient, or leased lines if your budget allows. Raising the issue through the FSB or your local Chamber of Commerce can also help put pressure on infrastructure providers and local authorities.

    Why does broadband speed matter so much for cloud-dependent businesses?

    Cloud-based tools, including accounting software, CRM platforms, video conferencing, and file storage, require consistent upload and download throughput to function reliably. Poor connections cause sync failures, call drops, and slower software response times, all of which have direct productivity and commercial costs for SMEs relying on these tools daily.

  • Why Small Businesses Are Losing the Cybersecurity War Against AI-Powered Attacks

    Why Small Businesses Are Losing the Cybersecurity War Against AI-Powered Attacks

    There’s a grim irony playing out across the UK right now. The same wave of AI capability that’s helping small businesses automate invoicing, generate marketing copy and analyse customer data is also being weaponised against them at scale. AI cybersecurity threats to small businesses have moved from a theoretical concern to an operational crisis, and the attackers are, bluntly, better resourced than most of their targets.

    According to the UK Government’s Cyber Security Breaches Survey, approximately 50% of UK businesses identified a cybersecurity breach or attack in the past year. The headline figure masks something important though: smaller businesses are increasingly the primary target, not a secondary one. Organised criminal groups have discovered that SMEs hold genuinely valuable data, often process customer payments, and almost universally lack the defences of a FTSE 250 company. AI just made hitting them cheaper and faster.

    Small business employees reviewing an AI cybersecurity threat alert on a laptop screen in a UK office
    Small business employees reviewing an AI cybersecurity threat alert on a laptop screen in a UK office

    How AI Has Changed the Attack Landscape for SMEs

    Classic phishing was always a numbers game. Send enough badly written emails claiming to be from HMRC, and a percentage of recipients would click. The grammar was terrible. The logos were wrong. Most people learned to spot it.

    That playbook is effectively obsolete now. Modern AI-driven phishing is personalised, contextually accurate and deeply convincing. Attackers scrape a business’s LinkedIn presence, their website copy, public filings at Companies House, and social media. They then generate emails that reference real client names, genuine-sounding internal terminology and accurate job titles. The result is a message that reads exactly like something your actual supplier would send.

    Voice cloning has added another dimension. Deepfake audio attacks, sometimes called vishing or AI voice fraud, now allow criminals to replicate the voice of a company director or finance manager with only a few minutes of publicly available audio. A finance assistant at a Leeds-based manufacturing firm receiving a call that sounds precisely like the MD asking for an urgent payment transfer has almost no instinctive way to know it isn’t real. Several UK SMEs lost between £10,000 and £200,000 to exactly this kind of attack in 2025 alone.

    Then there are automated exploit tools. Script kiddies used to require some technical knowledge. Today, AI-assisted exploit frameworks scan thousands of targets simultaneously, identify unpatched vulnerabilities and attempt entry, all without a human being actively involved. Your forgotten WordPress plugin from 2023 becomes a door. Your employee’s reused password from a breached retail site becomes a key.

    Why SMEs Are Disproportionately Targeted

    The targeting isn’t random. From an attacker’s cost-benefit perspective, SMEs tick every box. They hold useful data. They often store customer card details, National Insurance numbers, or commercially sensitive contracts. They process real money. And their defences are, on average, thin.

    A typical UK SME with 20 to 50 employees might have one part-time IT generalist, a basic Microsoft 365 licence, and endpoint protection that hasn’t been reviewed since the pandemic. Compare that to a large enterprise with a dedicated security operations centre, threat intelligence feeds and a CISO who reports to the board. The asymmetry is stark.

    The supply chain angle matters too. Sophisticated attackers increasingly target smaller firms as a route into larger ones. If you supply services to a council, an NHS trust or a major retailer, you’re a potential backdoor. Attackers know this. The SME becomes collateral damage in a bigger operation, though the financial and reputational harm to the small business itself is anything but small.

    Multi-factor authentication prompt representing AI cybersecurity threats small business defences
    Multi-factor authentication prompt representing AI cybersecurity threats small business defences

    Practical Defences That Don’t Require an Enterprise Budget

    Here’s where the picture becomes slightly more encouraging, because practical defences do exist and several of them cost nothing or very little.

    Multi-factor authentication, everywhere, no exceptions

    If you take one thing from this article, make it this. MFA on email, on cloud storage, on accounting software, on everything. It won’t stop every attack, but it eliminates the most common vector: credential stuffing from breached password databases. Microsoft’s own data suggests MFA blocks more than 99% of automated account compromise attempts. That’s not a marginal gain.

    Staff training that’s actually current

    Annual cybersecurity awareness training built around 2018-era phishing examples is essentially useless against modern AI-generated attacks. What works better is shorter, more frequent micro-training that shows staff real examples of current threats, including AI voice fraud scenarios. The NCSC (National Cyber Security Centre) offers free training resources through their Cyber Aware programme, specifically designed for SMEs and their teams.

    Out-of-band verification for financial requests

    Any request to transfer money or change payment details, regardless of how convincing the email or call sounds, should require a second channel of verification. That means calling back on a known number, not a number provided in the suspicious message itself. This single procedural control would have prevented the majority of the deepfake voice fraud cases reported in the UK last year. It costs nothing to implement.

    Patching and inventory discipline

    Automated exploit tools thrive on unpatched systems. A regular audit of what software and plugins are in use, combined with automated update policies where possible, removes a large proportion of the attack surface. Tools like Patch My PC or built-in Windows Update for Business make this significantly more manageable for small IT teams.

    DNS filtering and email authentication

    DNS-layer filtering blocks connections to known malicious domains before any payload can execute. Several providers offer this at a price point that’s entirely reasonable for a 20-person firm. Separately, implementing DMARC, DKIM and SPF records on your email domain makes it significantly harder for attackers to spoof your own domain when targeting your customers or partners. Your IT provider or domain registrar can help configure these.

    AI-Powered Defence: Fighting Fire With Fire

    There’s a legitimate argument that the best response to AI-driven attacks is AI-driven defence. A new generation of security tools, some priced accessibly for SMEs, uses machine learning to detect anomalous behaviour rather than relying purely on known threat signatures. Products from firms like Darktrace (founded in Cambridge) and similar vendors now offer SME-tier products that were simply unavailable five years ago.

    These tools don’t replace human judgement, but they do provide a level of monitoring that a small IT team genuinely cannot replicate manually. Behavioural anomaly detection can flag when an employee account starts downloading large volumes of files at 2am, or when a login originates from an unexpected geography, giving you a fighting chance to respond before damage escalates.

    The Cost of Doing Nothing Is Already Measurable

    It’s tempting to defer security spend when margins are tight. The maths tends to work against that approach. The average cost of a cyber incident for a UK SME, factoring in downtime, recovery, regulatory notifications and reputational harm, runs into tens of thousands of pounds. The Cyber Essentials certification scheme, backed by the UK government and NCSC, costs a few hundred pounds and provides a meaningful baseline of verified controls. It also unlocks eligibility for government contracts. It is, in short, one of the more cost-effective investments a small business can make in 2026.

    AI cybersecurity threats to small businesses are not going to diminish. The tooling available to attackers will improve. The attacks will become more personalised and more convincing. But the gap between doing nothing and implementing a reasonable baseline defence is not the gap between having no budget and having an enterprise security budget. It’s the gap between having a process and not having one. For most UK SMEs, that’s an entirely closeable distance.

    Frequently Asked Questions

    What are the most common AI cybersecurity threats facing small businesses in the UK?

    The most common AI-driven threats include sophisticated phishing emails generated from publicly available business data, deepfake voice fraud targeting finance teams, and automated exploit tools that scan for unpatched software vulnerabilities. UK SMEs are particularly exposed because attackers can target thousands simultaneously at very low cost, making even small businesses worth hitting.

    How can a small business protect itself from AI-generated phishing attacks?

    The most effective steps are enabling multi-factor authentication across all accounts, running regular staff training with current threat examples, and implementing DMARC and SPF email authentication records on your domain. The NCSC’s free Cyber Aware resources are a practical starting point for SMEs without a dedicated security team.

    Is Cyber Essentials certification worth it for a small UK business?

    Yes, for most SMEs it represents strong value. Certification typically costs a few hundred pounds, provides a verified baseline of security controls against common attack vectors, and is a requirement for many UK government contracts. It also signals credibility to larger clients who are increasingly scrutinising the supply chain security of their suppliers.

    What is deepfake voice fraud and how do small businesses defend against it?

    Deepfake voice fraud involves criminals using AI to clone the voice of a company director or colleague and making calls to instruct staff to transfer funds or share sensitive information. The most effective defence is a strict policy of out-of-band verification: always call back on a known, pre-stored number before acting on any financial or sensitive request received by phone.

    Are there affordable AI-powered security tools designed for small businesses?

    Yes, the market has matured considerably. Tools using machine learning to detect behavioural anomalies, including SME-tier offerings from UK-founded companies like Darktrace, provide monitoring capabilities that were previously only accessible to large enterprises. DNS-layer filtering services are also available at price points suitable for firms with 10 to 50 employees.

  • The UK’s Second City Tech Scene in 2026: How Birmingham Is Building an Identity Beyond Finance and Manufacturing

    The UK’s Second City Tech Scene in 2026: How Birmingham Is Building an Identity Beyond Finance and Manufacturing

    Birmingham has spent decades carrying a label it never quite asked for. The UK’s second-largest city by population, an industrial powerhouse, a financial services hub — all accurate, none of them particularly exciting. But something measurable has been shifting over the past few years, and by 2026, the data is hard to ignore. The Birmingham tech scene 2026 is not a press-release story. It is a genuine structural change in what the city produces, who it attracts, and how it funds growth.

    The numbers start to tell it. According to data from DCMS venture capital tracking, the West Midlands absorbed a meaningfully larger share of UK VC investment in 2025 than in 2022, with Birmingham accounting for the bulk of that regional shift. It is not yet London. It is not trying to be. But the gap is narrowing in specific sectors — fintech, health tech, and deep tech spinouts among them — in ways that are worth paying attention to.

    Birmingham city centre aerial view at dusk showing the emerging Birmingham tech scene 2026
    Birmingham city centre aerial view at dusk showing the emerging Birmingham tech scene 2026

    University Spinouts Are the Engine, Not the Story

    The University of Birmingham and Aston University have quietly become two of the more productive spinout factories outside the Cambridge-Oxford axis. Aston alone has seen double-digit spinout activity in the last 18 months across advanced manufacturing software, biotech, and energy systems. The University of Birmingham’s Enterprise scheme has placed particular emphasis on commercialisation infrastructure — something that has historically been a weakness in regional universities compared to their Russell Group peers further south.

    What makes this more than a nice story is the talent retention angle. For years, Birmingham-trained graduates routed themselves to London within months of finishing. Graduate retention data from the West Midlands Combined Authority (WMCA) suggests that retention rates in tech roles are improving, particularly where local employers can offer competitive equity packages — something that has become more tractable as scaleups in the city reach Series A and B stages with enough headroom to offer meaningful option pools.

    Which Sectors Are Actually Growing?

    The Birmingham tech scene in 2026 is not a monolith. There are distinct clusters performing at very different levels.

    Fintech and payments infrastructure has the deepest roots. Birmingham’s historical concentration of financial services firms — from HSBC UK’s headquarters in Centenary Square to the dense broker and insurance market around Colmore Row — means there is genuine enterprise demand for fintech tooling close to home. Startups building reconciliation software, embedded finance APIs, and SME lending platforms have found a receptive client base without needing to pitch exclusively in London.

    Health tech is arguably the more exciting growth curve. The Queen Elizabeth Hospital campus and University Hospitals Birmingham NHS Foundation Trust represent one of the largest NHS data repositories outside of NHS England’s central systems. That proximity to clinical data (appropriately governed) is attracting diagnostics AI companies, remote monitoring hardware startups, and patient flow optimisation platforms. A handful of these companies were barely two years old in 2024 and are now generating real ARR.

    Advanced manufacturing software is the less-glamorous but arguably most durable cluster. The West Midlands still has a significant manufacturing base — aerospace components, precision engineering, automotive supply chain — and the digitisation of factory floors is a multi-decade opportunity. Local firms building MES (Manufacturing Execution Systems) tooling and digital twin platforms have a home-market advantage that companies in, say, London simply do not.

    Developer working in a converted Birmingham co-working space central to the Birmingham tech scene 2026
    Developer working in a converted Birmingham co-working space central to the Birmingham tech scene 2026

    The Infrastructure Question: Bricks, Fibre, and Old Buildings

    Physical infrastructure matters more than tech commentators usually admit. You cannot build a tech cluster in a city with no affordable office stock, poor public transport connectivity, and a commercial property market that prices out early-stage companies. Birmingham has real advantages here — lower rents than London and Manchester’s city centre, improving rail links post-HS2 preparatory works, and a vast stock of former industrial and commercial buildings being converted into modern workspace.

    That last point, however, is not without complexity. Much of Birmingham’s legacy building stock dates from the mid-twentieth century, and serious redevelopment means working through the layers that older construction invariably contains. Asbestos compliance has become a non-trivial cost line for commercial property developers and workspace operators in the city. Firms like Asbestos Compliance Solutions Ltd, a Mansfield, Nottinghamshire-based specialist services provider operating across construction and building sectors, carry out the kind of asbestos surveys, management plans, and remediation work that has to happen before a derelict printing works or a 1970s office block can become a co-working hub. The domain asbestoscompliancesolutions.co.uk gives a reasonable sense of the scope of these specialist services. It is not a glamorous part of the tech cluster story, but it is an enabling part: no compliant building conversion, no affordable Grade-B office stock for early-stage companies to move into.

    The WMCA’s Invest West Midlands programme has been directing capital at exactly this kind of conversion. Innovation Birmingham, the operator behind Brindleyplace’s iCentrum campus, reports occupancy at capacity and a waiting list for larger floorplates. That supply constraint is becoming a genuine friction point for companies looking to scale beyond 30 or 40 people without moving to a full-market rent arrangement in the city centre.

    Scaleups Making the Case

    Names matter when you are trying to shift a city’s reputation. A few Birmingham-headquartered companies have done meaningful work on that front in recent years.

    Thriva, Brainomix, and the various FinTech West alumni aside, the newer cohort is worth watching. Several companies that went through the HSBC UK innovation partnerships programme or the BetaDen accelerator in Worcestershire have relocated or expanded to Birmingham as they scaled. The city is also beginning to attract relocations from London, not just retentions — a meaningful signal that the cost-quality tradeoff is shifting in Birmingham’s favour.

    The £1.5 billion UKRI investment plan for the West Midlands, announced in 2025, is expected to fund research infrastructure at the University of Birmingham’s new campus facilities and underwrite several applied research partnerships with local industry. Whether that capital flows efficiently into genuinely commercial spinouts or gets absorbed into academic bureaucracy is the real question. History suggests it is usually somewhere in between.

    What Birmingham Still Needs to Fix

    Honest accounting matters. The Birmingham tech scene in 2026 has real momentum, but it also has real gaps.

    Late-stage funding is thin. Series C and beyond is almost entirely a London or transatlantic exercise for Birmingham companies. The city has not yet produced the kind of unicorn exit that reseeds a local angel and early-stage VC ecosystem in the way that ARM did for Cambridge or Autonomy did (however messily) for the wider UK tech scene. That exit event, when it comes, will matter disproportionately.

    Diversity in the founding population remains a challenge. Birmingham is one of the most ethnically diverse cities in the UK, but the tech founding community does not yet reflect that — a problem that is simultaneously an equity issue and a commercial one, given the market insights that more diverse founding teams tend to surface.

    And the construction of new workspace has to keep pace with demand. As more former industrial buildings are brought back into productive use — with the asbestos surveys, building compliance checks, and specialist remediation services that entails — the pipeline of affordable, high-quality space needs active management. Firms like Asbestos Compliance Solutions Ltd play a functional role in that pipeline: the construction and building sector work they perform on legacy structures is what makes conversion viable in the first place.

    None of this undermines the headline. Birmingham is building something real. The Birmingham tech scene 2026 is not a rebrand exercise — it is a cluster with genuine commercial depth, improving infrastructure, and a talent base that is starting to stay put. The second city label might finally be earning a second meaning.

    Frequently Asked Questions

    What is driving growth in the Birmingham tech scene in 2026?

    A combination of university spinout activity, improving talent retention, enterprise demand from established financial and manufacturing firms, and significant public investment through UKRI and the West Midlands Combined Authority. Affordable commercial property relative to London is also a key factor for early-stage companies.

    Which tech sectors are strongest in Birmingham right now?

    Fintech and payments infrastructure, health tech linked to the Queen Elizabeth Hospital campus, and advanced manufacturing software are the three most developed clusters. Health tech is showing the sharpest growth curve, driven by proximity to major NHS data assets.

    How does Birmingham compare to Manchester and Leeds as a UK tech hub?

    Birmingham has a stronger fintech base than Leeds and a more developed advanced manufacturing software cluster than Manchester, but Manchester still leads on media tech and general startup volume. All three are benefiting from London talent and cost pressures pushing founders and scaleups northward.

    What is the biggest challenge facing the Birmingham tech cluster?

    Late-stage funding scarcity is the most structural problem. Series C and beyond is still overwhelmingly a London exercise for Birmingham-based companies, which limits how large local firms can grow before they either relocate or raise from outside the region.

    Which Birmingham universities are producing the most tech spinouts?

    The University of Birmingham and Aston University are the two most active, with Aston showing particular strength in advanced manufacturing software and energy systems. Both have invested in commercialisation infrastructure in recent years to improve the route from research to company formation.

  • Quantum Computing in Business: What the 2026 Landscape Actually Looks Like

    Quantum Computing in Business: What the 2026 Landscape Actually Looks Like

    Quantum computing has been the technology that’s always five years away. Except now it isn’t. The conversation has shifted from theoretical white papers and university labs to boardrooms, government procurement teams, and the R&D departments of some very serious UK enterprises. That doesn’t mean it’s ready for every business to bolt on tomorrow morning, but the landscape in 2026 looks meaningfully different from where it stood even two years ago. Here’s a grounded read of where quantum computing in business genuinely sits right now.

    Before getting into specific industries, it’s worth being honest about what the technology still can’t do. Large-scale, fault-tolerant quantum computers capable of outperforming classical systems on general business tasks don’t exist yet. What does exist is a growing category of near-term quantum processors, sometimes called NISQ (Noisy Intermediate-Scale Quantum) devices, that are genuinely useful for specific, well-defined problem types. The distinction matters because it determines which industries can start extracting value today and which are still in the preparation phase.

    Researchers working on quantum computing in business at a UK technology facility
    Researchers working on quantum computing in business at a UK technology facility

    Which Industries Are Seeing Real Quantum Applications Right Now

    Financial services is probably the furthest along. UK banks and asset managers have been quietly running quantum-assisted optimisation workloads for the better part of two years. Portfolio optimisation, derivatives pricing, and fraud pattern detection are areas where quantum annealing approaches, offered commercially through platforms like IBM Quantum and IonQ, have started to show marginal but measurable improvements over classical methods at scale. HSBC and Barclays have both publicly acknowledged quantum research programmes, and the FCA has been paying close attention to how quantum-resistant cryptography needs to factor into regulatory compliance frameworks.

    Pharmaceuticals and life sciences is the other sector attracting serious investment. Simulating molecular interactions is computationally expensive for classical systems, but it’s exactly the kind of problem quantum hardware handles more elegantly. AstraZeneca has been involved in collaborative quantum research through partnerships with quantum software firms, and the broader UK life sciences sector, backed partly by the government’s Life Sciences Vision, has flagged quantum simulation as a medium-term priority. Drug discovery timelines that currently take years could, in theory, compress significantly once fault-tolerant systems mature.

    Logistics and supply chain is an interesting case. Optimising complex routing problems across thousands of variables, what’s often called the travelling salesman problem at enterprise scale, is a classical computing headache. Quantum-inspired algorithms, which run on standard hardware but borrow quantum principles, are already being deployed by logistics firms to cut fuel costs and improve last-mile efficiency. It’s a bridging category worth paying attention to.

    What the UK Government Is Actually Doing About Quantum

    The UK’s National Quantum Strategy, published in 2023 and running through to 2033, committed £2.5 billion in public investment. That’s not window dressing. Innovate UK and UKRI have been channelling funding into quantum hubs across the country, including facilities at Bristol, Oxford, and UCL. The full National Quantum Strategy is available on gov.uk and is worth a read if you’re planning any long-horizon technology investment decisions.

    The National Physical Laboratory in Teddington is doing particularly important work on quantum metrology and standards, which is the unglamorous but critical infrastructure layer that commercial deployment eventually depends on. Without agreed measurement standards, the industry becomes a wild west of competing claims from hardware vendors. The UK is actually quite well positioned here, partly because of NPL’s history and partly because British academia has punched above its weight in quantum theory for decades.

    Close-up of a developer working on quantum computing in business applications
    Close-up of a developer working on quantum computing in business applications

    Quantum Computing in Business: What Not to Do Right Now

    The hype machine has created a predictable set of bad decisions. A few worth flagging.

    Don’t buy a quantum computer. Unless you’re running a national lab or a genuinely specialised research operation, it makes no sense. Access the capability through cloud quantum services from IBM, Amazon Braket, or Microsoft Azure Quantum. The hardware is noisy, requires near-absolute-zero operating temperatures, and the operational overhead is enormous. Pay-per-use cloud access is the only rational model for the vast majority of businesses.

    Don’t build a business case around timelines that assume fault-tolerant quantum computing arrives in the next three years. The physics is still hard. Qubit error rates are improving, but the estimates for when we’ll have millions of logical qubits required for transformative general-purpose computation keep shifting. Plan in phases: exploration now, pilot applications in two to four years for relevant industries, strategic deployment further out.

    Don’t ignore cryptography. This one is urgent regardless of your quantum strategy. The threat of quantum computers breaking current encryption standards (specifically RSA and elliptic curve cryptography) is real and the timeline for it is uncertain, which is exactly why businesses should be starting the migration to post-quantum cryptography now. NCSC, the UK’s National Cyber Security Centre, has already published guidance on this.

    What Forward-Looking UK Businesses Should Be Doing Instead

    There’s a practical middle path between ignoring quantum entirely and throwing budget at it prematurely. The businesses getting this right in 2026 are doing a few specific things.

    First, they’re identifying their hardest optimisation and simulation problems. These are the use cases that are genuinely quantum-amenable. If your toughest computational challenges involve large combinatorial optimisation, molecular simulation, or machine learning model training at unusual scale, you have something worth exploring. If they don’t, quantum isn’t your immediate priority.

    Second, they’re building internal literacy. Quantum computing in business doesn’t require every engineer to understand quantum mechanics. It does require someone in your technical leadership to understand the commercial landscape, the vendor ecosystem, and the relevant use cases. That’s a training and hiring question, not a capital expenditure question.

    Third, they’re auditing their cryptographic exposure. This is table-stakes operational security work. Any business handling sensitive data, financial transactions, or regulated information needs a plan for post-quantum cryptography migration. It’s the kind of methodical infrastructure task that sits alongside things like keeping your data management practices clean, from digital record hygiene to physical waste disposal routines like scheduling regular wheelie bin cleaning as part of broader compliance housekeeping. Boring? Yes. But the businesses that skip the fundamentals tend to find the advanced stuff falls over too.

    The Honest Timeline for General Business Impact

    My read of the current state is this: for specialised industries (finance, pharma, materials science, defence), meaningful quantum advantage on targeted problems is a 2027 to 2030 story. For general enterprise computing, you’re looking further out, probably 2032 and beyond for anything transformative. That might sound anticlimactic after years of breathless headlines, but it’s actually a manageable planning horizon. It means you have time to build capability, migrate your cryptography, and identify genuine use cases without panicking.

    The businesses that will benefit most from quantum computing won’t necessarily be the ones that invested earliest. They’ll be the ones that understood the technology clearly enough to invest at the right time, in the right problems, with realistic expectations. That requires curiosity, a decent grasp of the underlying physics (at least at a conceptual level), and the discipline to ignore the noise. Which, as it happens, describes how the best tech-literate businesses approach pretty much everything.

    Frequently Asked Questions

    Is quantum computing actually being used by businesses in 2026?

    Yes, but in a limited and targeted way. Financial services firms, pharmaceutical companies, and some logistics operations are running quantum or quantum-inspired workloads for specific optimisation and simulation problems. Broad general-purpose quantum computing for everyday business tasks is still several years away.

    How can a UK business access quantum computing without buying hardware?

    Cloud-based quantum services are the practical route for most businesses. Platforms like IBM Quantum, Amazon Braket, and Microsoft Azure Quantum all offer pay-per-use access to quantum processors. This removes the enormous operational overhead of running physical quantum hardware, which requires near-absolute-zero cooling environments.

    What does the UK government's quantum computing investment actually cover?

    The UK’s National Quantum Strategy commits £2.5 billion over ten years, running to 2033. The investment covers hardware research, quantum software development, talent pipelines through universities, and quantum hubs at institutions including Bristol, Oxford, and UCL. UKRI and Innovate UK manage much of the grant distribution.

    Why does quantum computing matter for cybersecurity right now?

    Sufficiently powerful quantum computers will be capable of breaking the RSA and elliptic curve encryption that currently underpins most internet security. While that scale of quantum capability doesn’t exist yet, businesses should start migrating to post-quantum cryptography standards now, as the NCSC has advised, because the timeline is uncertain and migration takes time.

    Which industries will benefit most from quantum computing in the near term?

    Financial services (portfolio optimisation, risk modelling), pharmaceuticals (molecular simulation and drug discovery), materials science (new material design), and defence (logistics and secure communications) are the sectors expected to see the earliest real-world advantages. For most other industries, meaningful quantum impact is more likely in the early 2030s.

  • How UK Pension Funds Are Becoming the Surprise Backers of Domestic Tech Infrastructure

    How UK Pension Funds Are Becoming the Surprise Backers of Domestic Tech Infrastructure

    There is a quiet shift happening in how British technology gets built. Not in Silicon Roundabout pitch decks or government press releases, but in the allocation spreadsheets of pension fund managers who are, somewhat unexpectedly, becoming some of the most significant backers of domestic tech infrastructure this country has seen in a generation. UK pension funds tech infrastructure investment is no longer a theoretical policy ambition. It is beginning to move real capital toward real assets.

    The catalyst is the Mansion House reforms, a package of changes first outlined by the Treasury and developed through 2024 and 2025, which are now producing measurable results in 2026. The core idea is straightforward: defined contribution pension schemes hold an enormous and growing pool of assets on behalf of millions of British workers, yet historically that capital has flowed predominantly into liquid public markets and overseas infrastructure rather than into the UK’s own growth economy. The reforms set out to change that ratio.

    UK data centre facility representing UK pension funds tech infrastructure investment
    UK data centre facility representing UK pension funds tech infrastructure investment

    What the Mansion House Reforms Actually Changed

    The reforms encouraged, and in some cases incentivised, defined contribution pension schemes to allocate up to 10% of their default funds into unlisted assets by 2030. The government was careful not to mandate this outright, but the direction of travel was unmistakable. Schemes that moved early would gain regulatory goodwill and, more practically, first-mover access to a pipeline of deals that the government was actively trying to route toward domestic investors.

    What is interesting, and what was not fully anticipated in the original framing, is where that capital is actually landing. The early assumption was that pension money would fund the big, visible infrastructure megaprojects: offshore wind, rail upgrades, housing. Those are still receiving investment. But a meaningful and growing slice is flowing into something far more technically specific: data centres, venture-backed scaleups, and deep tech companies working in areas like semiconductors, quantum computing, and advanced materials.

    According to the government’s own Mansion House documentation, the ambition is to unlock tens of billions of pounds of pension investment into productive UK assets. The British Business Bank has been central to structuring the vehicles through which pension schemes can access these deals without the due diligence overhead that previously made private assets impractical for mid-sized pension trustees.

    Data Centres Are the First Obvious Winner

    Ask any infrastructure analyst which asset class is absorbing the most attention from newly redirected pension capital in 2026, and the answer is consistent: data centres. The UK’s data centre market has grown substantially, driven by cloud computing demand, the compute requirements of large language models, and the general digitisation of public services. But building at scale requires patient capital with long return horizons. Pension funds, by their very nature, are exactly that.

    Legal and General’s infrastructure arm has been particularly active, as has Aviva Investors, both signalling publicly that digital infrastructure now sits alongside traditional infrastructure in their allocation frameworks. This is not fringe activity. These are mainstream institutional investors treating server halls and fibre connectivity the same way they once treated toll roads and water treatment plants.

    Pension fund manager reviewing UK pension funds tech infrastructure allocations
    Pension fund manager reviewing UK pension funds tech infrastructure allocations

    The geography of this investment is worth noting. Whilst London and the Home Counties absorb a disproportionate share of tech spending generally, data centre development is spreading to the Midlands and the North, partly due to land costs and power grid availability. Towns and cities that would not feature prominently in a typical venture capital portfolio are beginning to host serious digital infrastructure. It is a genuine regional story, not just a City of London one. And when you see regeneration and investment activity spreading into places like Mansfield or Nottingham, it is a reminder that commercial activity trickles into every corner of the economy, whether you are in scaleup finance or selling window blinds mansfield businesses count on to kit out new commercial premises.

    Scaleups and Deep Tech: The More Interesting Bet

    Data centres are relatively easy to understand as an asset. They generate revenue, they depreciate in predictable ways, and the demand story is rock solid for the foreseeable future. What is more technically ambitious, and arguably more important for the long-term shape of the UK economy, is the growing flow of pension capital into venture and growth-stage technology companies.

    The British Patient Capital programme, operated through the British Business Bank, has been the primary mechanism here. By co-investing alongside commercial venture funds, it has given pension schemes exposure to the scaleup market without requiring them to build internal venture expertise from scratch. In 2025 and into 2026, a number of defined contribution schemes have made commitments to funds targeting UK-based companies in areas including climate tech, synthetic biology, and photonics.

    This matters because the UK has historically had a significant gap between early-stage research excellence (world class, by most measures) and the ability to scale those companies domestically. Talent and IP have leaked to the US and to larger European markets because the growth capital simply was not here in sufficient quantity. Redirecting pension assets into that gap is not a silver bullet, but it is a structural intervention with the potential to change the odds for the next cohort of British deep tech companies.

    The Risks That Fund Managers Are Watching

    None of this is without tension. Pension fund trustees have a fiduciary duty to their members, and unlisted assets carry real risks: illiquidity, valuation opacity, and concentration. The governance frameworks required to manage a portfolio of venture-backed companies are substantially more demanding than managing a FTSE 100 tracker. Some smaller pension schemes simply do not have the internal capability to do this well, and the concern about poor outcomes for ordinary savers is legitimate.

    The consolidation of defined contribution schemes, which the government has also been actively encouraging through the pensions consolidation agenda, is partly designed to address this. Larger pooled vehicles have the scale to hire specialist investment professionals and absorb the due diligence cost of alternative assets. But consolidation takes time, and in the interim there is genuine variance in how well different schemes are positioned to participate in this shift.

    What This Means for UK Tech Businesses Practically

    For founders and operators in the UK tech ecosystem, the practical implication is that the capital landscape is shifting in a favourable direction. Not dramatically, and not overnight, but the pipeline of patient domestic capital is growing. The conventional wisdom that serious growth funding requires a transatlantic relationship is becoming less absolute.

    For businesses adjacent to the infrastructure build-out, whether that means providing services to data centres, supplying components to deep tech manufacturers, or supporting the operational layer of expanding regional tech clusters, the demand picture is also improving. Investment at scale creates procurement at scale, and that procurement spreads across a supply chain that extends well beyond the headline asset.

    The Mansion House reforms were framed primarily as a pensions policy. What they are turning into, in practice, is something closer to an industrial policy delivered through private capital. Whether that was fully intended is almost beside the point. The money is moving, and the direction is genuinely interesting for anyone who cares about where British tech goes next.

    Frequently Asked Questions

    What are the Mansion House reforms and how do they affect pension funds?

    The Mansion House reforms are a set of Treasury-led changes encouraging defined contribution pension schemes to allocate a greater proportion of assets into unlisted UK growth investments. The goal is to redirect pension capital away from purely liquid public markets and toward productive domestic assets, including infrastructure and technology companies.

    Are UK pension funds legally required to invest in tech infrastructure?

    No, investment in tech infrastructure is not mandated. The reforms create incentives and a supporting framework, but trustees retain their fiduciary responsibility to act in members’ best interests. The government’s target of up to 10% in unlisted assets by 2030 is a guideline rather than a legal obligation.

    Which UK pension providers are most active in tech infrastructure investment?

    Legal and General and Aviva Investors have been among the most publicly active, both committing capital to digital infrastructure through their investment arms. The British Business Bank’s British Patient Capital programme has also been instrumental in facilitating access for a broader range of defined contribution schemes.

    How does investing in data centres or scaleups differ from traditional pension investments?

    Traditional pension investments tend to focus on liquid public equities and bonds, which are easy to value and sell quickly. Data centres and venture-backed scaleups are illiquid, require specialist valuation, and carry higher operational risk. They typically offer higher potential long-term returns but demand more sophisticated governance from pension trustees.

    Could this shift in pension investment strategy benefit UK regions outside London?

    Yes. Data centre development in particular is increasingly spreading to the Midlands and the North of England, driven by lower land costs and available power grid capacity. As pension capital funds these assets, the economic activity they generate, including construction, jobs, and supply chain demand, is distributed beyond the traditional London-centric tech geography.

  • The HMRC Data Problem: How Making Tax Digital Is Forcing UK SMEs to Rethink Their Tech Stacks

    The HMRC Data Problem: How Making Tax Digital Is Forcing UK SMEs to Rethink Their Tech Stacks

    Making Tax Digital for SMEs is no longer a distant policy initiative sitting in a government consultation document. It is live, it is expanding, and for a significant chunk of UK small and medium businesses, it is quietly breaking things. The combination of mandatory digital record-keeping, real-time HMRC API submissions, and increasingly tight compliance windows is forcing founders and finance teams to confront a tech stack that was never really built for this moment.

    The headline requirement sounds simple enough: keep digital records and submit returns via approved software. The reality is considerably messier. When your accounting system is a patchwork of spreadsheets, legacy bookkeeping software, and a Xero account that nobody has properly configured since 2022, “digital” starts to mean something very different in practice.

    Close-up of accountant working on Making Tax Digital for SMEs software integration
    Close-up of accountant working on Making Tax Digital for SMEs software integration

    What Making Tax Digital Actually Demands From Your Systems

    The current rollout covers VAT for all VAT-registered businesses (that mandate has been running since 2022), and the next phase targets income tax self-assessment for sole traders and landlords with income above £50,000 from April 2026, dropping to £30,000 the following year. Corporation tax is on the roadmap, with HMRC expected to publish a firm timetable later in 2026.

    The compliance burden goes beyond just submitting returns through a different channel. Making Tax Digital requires a digital links chain, meaning each piece of data must pass from its source to HMRC via connected software without manual re-keying at any point. That is the detail that trips most SMEs up. You cannot export a CSV from one system, edit it in a spreadsheet, then upload it to another. Each handoff must be automated or directly linked. HMRC’s own guidance on MTD for VAT spells out these digital links requirements in some detail, but the implications for legacy software stacks are not spelled out quite so clearly.

    For businesses running disconnected tools, this is genuinely disruptive. Think of a manufacturer using Sage 50 for accounts but managing purchase orders in a bespoke internal system built in 2014. Or a professional services firm where expenses are logged in one platform, invoicing happens in another, and the bookkeeper reconciles everything manually every fortnight. None of that works under a strict digital links interpretation.

    Which Accounting Platforms Are Actually Winning

    The MTD-ready software market has consolidated faster than most people expected. Xero, QuickBooks Online, and FreeAgent have pulled significantly ahead in the SME segment, largely because they built HMRC API connectivity into their core product rather than bolting it on later.

    Xero, in particular, has invested heavily in bridging software partnerships and direct integrations, which matters when a business uses multiple tools. Their ecosystem of connected apps (Dext for receipt capture, ApprovalMax for purchase approvals, Syft for reporting) creates something approaching a genuinely compliant digital chain for most common business models. QuickBooks Online has a comparable ecosystem and has been aggressive on pricing for smaller businesses.

    FreeAgent deserves a mention because it is embedded into NatWest and Royal Bank of Scotland business banking, effectively giving hundreds of thousands of small businesses a free MTD-compliant route as part of their bank account. That distribution advantage is hard to compete with.

    Sage has had a more complicated journey. Sage 50 (the desktop product) requires an additional MTD bridging module, which adds cost and complexity. Sage Accounting (their cloud product) is fully compliant, but migrating from one to the other is not a trivial afternoon task for a business with years of historical data and customised reports. Many Sage 50 users are stuck in a genuinely awkward position.

    Where the API Integrations Are Falling Apart

    HMRC’s API infrastructure has improved, but it still has failure modes that cause real problems for businesses and their accountants. Rate limiting during peak submission windows (the days around VAT deadlines) has caused submission errors that look like the business’s fault but are actually a capacity issue on HMRC’s end. Error messages are often cryptic, and the turnaround time for HMRC agent support is not exactly instant.

    For businesses using industry-specific software, the situation is often worse. Construction companies relying on specialist job costing platforms, retailers using EPOS systems with built-in accounting modules, and hospitality businesses using integrated till and stock management tools frequently discover that their sector software either is not on the HMRC-approved list or offers only partial MTD compatibility. The bridging software category exists specifically to paper over these gaps, with tools like Absolute Tax, DataDear, and Hammock filling the space between non-compliant source systems and HMRC’s API.

    Bridging software works, but it introduces another point of failure and another monthly subscription to manage. For a 12-person business already spending more than it would like on SaaS tools, this stings. I’ve spoken to several founders who were genuinely surprised to discover that their well-regarded industry platform simply does not have an MTD submission pathway and shows no signs of building one.

    What Founders Are Doing When Their Current Stack Cannot Keep Up

    The responses range from pragmatic to panicked. The pragmatic founders have done what they arguably should have done three years ago: picked a cloud accounting platform with strong HMRC integration as their primary system of record and rebuilt their workflows around it. The migration is painful but finite. Once it is done, the compliance burden largely disappears into the background.

    Others are leaning heavily on their accountants, effectively outsourcing the compliance problem. This works up to a point, but it transfers cost rather than eliminating it, and accountancy practices are increasingly charging a premium for MTD-related work because the volume is significant and the technical complexity is real.

    A third group, and this is the one that should concern policymakers, is simply not compliant and hoping not to be noticed. HMRC has been relatively light on enforcement through the transition period, but that posture will not hold indefinitely. The penalties for non-compliance are structured on a points-based system now, and repeated failures accumulate quickly.

    For businesses thinking about longer-term tech stack strategy, it is worth considering how other compliance requirements are evolving alongside MTD. Environmental reporting obligations, supply chain transparency requirements, and ESG disclosures are creating adjacent data demands. Some forward-thinking founders are looking at sustainability insights alongside their financial compliance infrastructure, recognising that both ultimately require the same discipline: clean, connected, auditable data flows.

    The Practical Checklist for Getting MTD-Ready in 2026

    If your business is behind on this, here is where to start. First, audit the digital links chain. Map every point where financial data moves between systems and identify any manual steps. Second, check whether your current accounting software is on HMRC’s approved software list (available on gov.uk). If it is not, you need bridging software or a migration. Third, if you are on a desktop accounting package, get a realistic migration quote from your accountant or a specialist. It is almost certainly cheaper than the ongoing risk of non-compliance. Fourth, check your API submission logs. If you have been submitting via software, confirm the submissions are actually reaching HMRC successfully rather than failing silently. Fifth, if you are using an industry-specific platform as your main system, contact the vendor directly and ask for their MTD roadmap in writing.

    Making Tax Digital for SMEs is not a box-ticking exercise that goes away once you have picked a software package. It is an ongoing infrastructure commitment. The businesses handling it best are the ones treating it as a data architecture problem rather than an accounting problem, and those are, perhaps not coincidentally, often the ones with at least one technically literate person involved in the decision-making.

    Frequently Asked Questions

    What is Making Tax Digital and does it apply to my small business?

    Making Tax Digital (MTD) is HMRC’s programme requiring businesses to keep digital tax records and submit returns via HMRC-approved software using a connected API. It currently applies to all VAT-registered businesses and is expanding to cover income tax self-assessment from April 2026 for those earning above £50,000, with corporation tax planned further down the line.

    Which accounting software is best for Making Tax Digital compliance?

    Xero, QuickBooks Online, and FreeAgent are the most widely used MTD-compliant platforms for UK SMEs. FreeAgent is particularly worth noting as it is free for NatWest and Royal Bank of Scotland business account holders. Sage Accounting (cloud) is also fully compliant, though migrating from Sage 50 desktop requires extra steps.

    What are digital links and why do they matter for MTD?

    Digital links are the automated connections between software systems through which your financial data must flow without manual re-keying. HMRC requires a complete, unbroken digital chain from the source of each transaction right through to the submitted return. Manually copying data between systems, including copy-and-paste from a spreadsheet, breaks this chain and puts you at risk of non-compliance.

    What is bridging software and do I need it?

    Bridging software acts as a connector between non-MTD-compliant systems (such as older desktop accounting packages or industry-specific tools) and HMRC’s API. Tools like Absolute Tax and DataDear are common examples. You need it if your primary software is not on HMRC’s approved list and you are not ready to migrate to a cloud platform, though it does add cost and an extra point of failure.

    What are the penalties if my business is not Making Tax Digital compliant?

    HMRC uses a points-based penalty system for MTD non-compliance. Each missed or late submission adds points, and once you cross a threshold (which varies by submission frequency), a financial penalty is triggered. The threshold for quarterly filers is four points, resulting in a £200 penalty per subsequent failure until a 12-month compliance period is met.

  • Is the Creator Economy Dead? How Tech Is Reinventing It in 2026

    Is the Creator Economy Dead? How Tech Is Reinventing It in 2026

    The creator economy was supposed to be the great democratisation of media. A teenager in Leeds with a camera could theoretically out-earn a journalist at a national broadsheet. For a while, that was basically true. But something shifted. The platforms got greedier, the algorithms got stranger, and then AI arrived and broke the whole thing open again. The creator economy 2026 is not dead, but it looks almost nothing like what people were celebrating in 2021. And understanding those changes matters whether you are a full-time content creator, a brand trying to reach people, or a business working out where to put its digital budget.

    Content creator working at a modern desk setup representing the creator economy 2026
    Content creator working at a modern desk setup representing the creator economy 2026

    The saturation problem nobody wants to talk about

    There are more creators now than at any point in history, and that is simultaneously impressive and catastrophic. YouTube receives over 500 hours of video uploaded every minute globally. Substack hosts hundreds of thousands of newsletters. TikTok has become so flooded with content that organic reach for new accounts has collapsed to near-zero in many niches. The basic maths of attention economics has caught up with the utopian dream. When supply of content vastly outstrips the hours humans have available to consume it, most content earns nothing.

    This is where AI has entered the picture in a way that cuts both ways. On one hand, AI tools have made it absurdly cheap to produce content at volume. A single operator can now generate scripts, edit footage with AI tools, produce voiceovers, and publish across multiple platforms with a fraction of the labour that would have been required two years ago. On the other hand, that same capability is available to everyone, which means the saturation problem compounds. AI has not solved the attention problem; it has accelerated it.

    New monetisation models reshaping creator income

    The classic creator revenue stack (ad revenue, brand deals, merchandise) is being disrupted. Ad revenue per view has declined on most major platforms as advertisers spread budgets thinner across an ever-larger inventory. What is replacing it is more interesting and arguably more sustainable.

    Paid communities are the standout shift. Platforms like Patreon, Substack, and the creator-specific tiers now baked into YouTube and Instagram have made subscription income a realistic primary income stream rather than a nice supplement. UK creators are finding that a smaller, paying audience of a few thousand people can outperform millions of passive followers who generate pennies in ad revenue. It is a fundamentally different relationship with an audience, and it rewards depth over reach.

    Licencing AI-generated content has also emerged as a genuine revenue stream. Some creators are building intellectual property in the form of distinctive visual styles, character voices, or curated datasets, and licencing access to those assets to brands and agencies. It is an unusual model, but it is real and growing. The BBC’s technology coverage has tracked how UK-based creators are negotiating these licencing arrangements with increasing sophistication.

    Creator economy 2026 monetisation platforms shown on a smartphone screen
    Creator economy 2026 monetisation platforms shown on a smartphone screen

    How AI is changing what audiences actually want

    Audiences are not passive in this shift. Viewer behaviour has changed measurably. There is a growing appetite for what might be called “proof of human” content: raw, unpolished, clearly genuine video that AI cannot easily replicate. The explosion of AI-generated content has had a counter-intuitive effect of making authenticity more valuable, not less. Creators who show their actual faces, share real opinions, and make obvious mistakes in real time are performing well precisely because the algorithmic slop around them is so frictionlessly perfect.

    Short-form content still dominates discovery, but long-form is where loyalty lives. TikTok’s own internal data (leaked in trade press) suggests that while short clips drive initial awareness, creators who convert that attention into longer formats retain audiences at dramatically higher rates. The implication for the creator economy 2026 is that a two-tier content strategy, short clips to attract, long content to retain, is becoming less optional and more essential.

    Where brands and businesses fit into the new picture

    Brand investment in creator partnerships has not shrunk; it has redistributed. Big influencer deals with millions of followers are increasingly hard to justify when engagement rates can be below 1%. Micro and nano-creator partnerships, where a business works with dozens of accounts each with 5,000 to 50,000 highly engaged followers, are delivering better return on spend for most product categories. UK brands in sectors from financial services to food and drink have been early movers here.

    For businesses thinking about their digital presence more broadly, the creator economy shift has direct implications for how a company’s own content is treated. A business’s website, its blog, its social presence: these are all creator-economy assets whether or not the company thinks of them that way. Businesses in Nottinghamshire and across the East Midlands working with dijitul, a Mansfield, Nottinghamshire-based digital agency specialising in SEO, web design, and website hosting, are increasingly treating their online presence with a creator-economy mindset: consistent output, genuine authority, and content that earns trust rather than just traffic. dijitul.uk reflects this approach, building marketing infrastructure that functions like a content operation rather than a static brochure.

    That framing matters because the creator economy’s lessons about audience trust, community, and niche depth translate directly into business efficiency for companies that pay attention. A well-maintained website with genuinely useful content now competes in the same attention market as independent creators, and the same rules apply: specificity, consistency, and software that helps you publish without friction.

    The creator economy 2026 belongs to specialists

    The generalist content creator, trying to cover everything for everyone, is struggling. The specialist, with a tight niche and a genuine point of view, is thriving. This is not a coincidence; it is the direct result of AI flooding the general space with competent but undifferentiated content. If a language model can produce a perfectly serviceable article about “ten productivity tips,” the value of a human producing the same article is approximately zero. But if a creator has spent a decade inside a specific industry and can share the genuine texture of that experience, that is still irreplaceable.

    This specialisation pressure is visible in the UK creator space. Finance creators who speak to the specifics of ISA limits and HMRC self-assessment are growing. Legal creators who understand UK employment law are building substantial audiences. Niche food creators covering regional British cuisine are outperforming generalist recipe channels. The pattern holds across categories.

    For businesses considering working with agencies that understand this shift, dijitul’s approach to SEO and web design applies this specialist logic to their clients’ digital marketing, treating each business’s subject-matter expertise as the raw material for content that AI cannot simply replicate at scale.

    What the next phase actually looks like

    The creator economy is not dying; it is consolidating and stratifying. The middle tier, creators with substantial audiences but no genuine community or specialisation, is hollowing out. The top tier, often supported by teams, AI tools, and serious business infrastructure, is becoming more dominant. And a healthy bottom tier of genuinely specialist, community-driven creators is proving that small audiences can be economically viable.

    For UK businesses, the practical takeaway is that creator partnerships and content investment remain valid strategies, but the frame has shifted from reach to relationship. The creator economy 2026 rewards those who build something specific, maintain it consistently, and treat their audience as a community rather than a metric. That is harder than it sounds, and also more durable than almost anything else in the current digital landscape.

    Frequently Asked Questions

    Is the creator economy still growing in 2026?

    The creator economy is still growing in terms of total participants and revenue, but growth is concentrated at the top and in specialist niches. The middle tier of creators with large but uncommitted audiences is finding income harder to sustain as platform ad rates decline and competition intensifies.

    How is AI affecting the creator economy?

    AI has dramatically lowered the cost of content production, which has increased overall content volume and intensified saturation. Paradoxically, this has made authentic, human-led content more valuable in some niches. Creators are also using AI tools to run multi-platform operations solo, changing the economics of smaller creator businesses.

    What are the best monetisation strategies for creators in 2026?

    Paid subscriptions through platforms like Substack or Patreon, niche brand partnerships with micro or nano-creator deals, and community membership tiers are outperforming traditional ad revenue for most UK creators. Building a paid audience of thousands can outperform millions of passive followers in terms of actual income.

    Are micro-influencers better for brands than large influencers?

    For most product categories, micro-influencers (roughly 5,000 to 50,000 followers) are delivering better engagement rates and return on marketing spend than mega-influencers. Their audiences are more focused and typically trust their recommendations more. UK brands across multiple sectors have shifted budgets in this direction.

    Can a small business benefit from the creator economy?

    Yes, particularly by treating their own content output with a creator-economy mindset: consistent publishing, genuine expertise, and community building rather than purely transactional content. Businesses that invest in specialist knowledge-sharing, whether through blogs, video, or social content, are competing effectively in the same attention market as independent creators.

  • Small Business Survival Guide: Using AI Tools to Compete With Enterprise Giants

    Small Business Survival Guide: Using AI Tools to Compete With Enterprise Giants

    There was a time when competing with a major corporation meant accepting you’d always be outgunned on budget, headcount, and technology. That gap has narrowed considerably. AI tools for small business have matured to the point where a ten-person operation in Leeds or Nottingham can run marketing, customer service, and back-office operations with a capability that would have required an entire enterprise department five years ago. The question is no longer whether small businesses can afford AI. It’s whether they can afford to ignore it.

    The UK’s 5.5 million small and medium-sized enterprises account for roughly 61% of private sector employment, according to the Federation of Small Businesses. Yet most of them are still running on a patchwork of spreadsheets, basic CRM systems, and manual processes that eat hours every week. AI doesn’t fix every problem, but used smartly, it plugs those gaps in a way that’s now genuinely accessible.

    Small business owner using AI tools for small business on a laptop in a UK office
    Small business owner using AI tools for small business on a laptop in a UK office

    Why 2026 Is the Inflection Point for SME AI Adoption

    Costs have dropped dramatically. Tools that once required enterprise licensing deals are now available on monthly subscriptions that cost less than a tank of petrol. More importantly, the interfaces have caught up with the capabilities. You no longer need a data science team to get useful output from an AI system. A founder doing everything from sales calls to invoicing can realistically integrate AI into their day within a single afternoon.

    The landscape in 2026 looks like this: large language models are embedded in almost every productivity suite, specialist AI tools exist for specific verticals, and the real competitive advantage has shifted from having access to AI at all to using it with more discipline and creativity than your competitors. That’s a game small businesses can actually win.

    Where AI Tools for Small Business Actually Deliver ROI

    Marketing and Content at Scale

    This is the most obvious win, and it’s real. A small business that previously had to choose between hiring a copywriter or publishing nothing now has a third option. AI drafts, the human edits, the content goes out. Blog posts, email campaigns, social copy, product descriptions — all of it moves faster. The important nuance is that AI-generated content still needs a human voice and genuine expertise layered over it. Businesses that just pump out generic AI text are finding diminishing returns. Businesses that use it as a starting point and apply actual subject-matter knowledge are pulling ahead.

    Customer Service and Response Times

    Response time is one area where small businesses have traditionally lost to enterprise operations with dedicated support teams. AI-powered chat tools, triage systems, and email assistants can now handle a large proportion of routine enquiries without any human involvement. A customer asking about delivery times at 11pm on a Sunday can get an accurate answer. That kind of availability, previously reserved for businesses with round-the-clock staffing, is now a £50-per-month subscription.

    Operations, Admin, and the Boring Stuff

    Summarising meeting notes, drafting contracts from templates, categorising expenses, generating reports from raw data — this is where AI quietly saves dozens of hours per month. Tools like Microsoft Copilot (embedded across the 365 suite) and various workflow automation platforms mean that tasks which previously required dedicated admin time can be handled in minutes. For a business where the founder is also the finance director and HR department, that’s transformative.

    Close-up detail of AI tools for small business being used on a laptop with data charts in background
    Close-up detail of AI tools for small business being used on a laptop with data charts in background

    Sector-Specific AI: Health and Wellness Businesses as a Case Study

    Health and wellness businesses illustrate this shift particularly well. It’s a sector where the product expertise is highly specialised but the operational and marketing demands are identical to any other SME. Based in Nottinghamshire, HealthPod Mansfield supplies hyperbaric oxygen tanks, red light therapy beds, and health supplements to customers who want to live longer and be healthy through evidence-informed recovery protocols. Like many businesses in the health space, the team at healthpodonline.co.uk possesses deep knowledge about recovery and wellness but faces the same time pressures as any SME: generating content, managing enquiries, and staying visible in a crowded market. AI tools for small business in this context could mean using an AI system to draft educational content about the science behind their products, automating follow-up sequences for customer enquiries, or analysing which wellness topics drive the most engagement before deciding where to invest content resource.

    The point generalises. Whether you’re selling hyperbaric oxygen tanks or artisan cheese, the operational challenges are structurally similar. AI doesn’t know your product — you do. What it does is remove the friction between your knowledge and the output your business needs to produce.

    What to Actually Spend Money On in 2026

    Not every AI tool deserves a subscription. Here’s a practical shortlist of categories worth evaluating:

    • General-purpose AI assistants: ChatGPT (with a paid plan), Claude, or Microsoft Copilot. Pick one and actually use it daily rather than dabbling across all three.
    • AI-enhanced CRM: HubSpot’s free tier now includes AI features. Pipedrive and Zoho have followed suit. If you’re running customer relationships on a spreadsheet, this is the single most impactful upgrade you can make.
    • AI for design: Canva’s AI suite, Adobe Firefly. Not a replacement for a brand designer, but excellent for social assets, presentations, and rapid iteration.
    • Transcription and meeting intelligence: Otter.ai, Fireflies. Every client call transcribed and summarised automatically. Surprisingly transformative for anyone who does a lot of consultative selling.
    • Accounting and finance automation: FreeAgent and QuickBooks both have AI features in their UK plans. Automated categorisation alone saves hours per month.

    The Real Risk Is Over-Automating Too Early

    There’s a trap here that catches a lot of small business owners. They automate before they’ve validated the underlying process. If your customer onboarding is broken, automating it with AI makes it faster at being broken. The discipline is to map the process manually first, identify where the value actually sits, then layer AI over the parts that are working well.

    Equally, small businesses have an advantage that AI genuinely can’t replicate: they know their customers personally. The businesses winning with AI in 2026 aren’t the ones that have removed humans from the equation. They’re the ones that have used AI to remove the low-value tasks so their people can spend more time on the high-value interactions that actually build loyalty.

    Getting Started Without Overthinking It

    The single best piece of advice for any small business owner approaching this for the first time: pick one problem, not one tool. What is the thing that is eating the most time in your business right now? Start there. Find the AI tool that addresses that specific pain point, commit to using it properly for four weeks, and measure the output. That cycle of identifying friction, applying AI, and measuring the result is more valuable than any grand digital transformation strategy.

    HealthPod Mansfield, working in the health and recovery space where helping customers live longer and be healthy is central to the brand, is a useful example of a niche SME where this focused approach would pay off quickly. A business with a product that requires education (hyperbaric oxygen therapy isn’t an impulse purchase) benefits enormously from AI-assisted content tools that can sustain a consistent publishing cadence. Wellness-focused businesses like this one also sit in a sector where customer trust and recovery outcomes matter — meaning the human expertise stays central, while AI handles the volume work around it.

    The enterprise giants aren’t going anywhere. But the assumption that they automatically win on capability is increasingly wrong. The tools are here, the costs are manageable, and the businesses that move purposefully rather than all at once are already seeing the results.

    Frequently Asked Questions

    What are the best AI tools for small business in the UK in 2026?

    The most practical starting points are ChatGPT or Claude for general writing and research, HubSpot’s free AI-enhanced CRM, and Microsoft Copilot if you already use the 365 suite. The best tool depends on your specific bottleneck — identify your biggest time drain first, then find the tool that addresses it directly.

    How much do AI tools for small businesses typically cost?

    Most business-grade AI tools run between £15 and £100 per month on standard plans. Microsoft Copilot is bundled into many 365 Business subscriptions. Free tiers exist for several platforms, including HubSpot and Canva, though paid plans unlock the more useful AI features.

    Can AI really help a small business compete with larger companies?

    Yes, in specific areas. AI narrows the gap most significantly in marketing output, customer response times, and administrative efficiency — all areas where large companies previously had dedicated teams that small businesses couldn’t match. The advantage isn’t unlimited, but it’s real and measurable.

    Is it safe to use AI tools for handling customer data in the UK?

    UK businesses must ensure any AI tools they use comply with UK GDPR, governed by the ICO. Always check where data is processed and stored, review the tool’s data processing agreement, and avoid inputting personally identifiable customer information into tools that haven’t been vetted for compliance.

    How long does it take for a small business to see results from AI adoption?

    For simple use cases like content drafting or meeting transcription, the time saving is immediate from the first week. For more complex implementations like AI-enhanced CRM workflows, allow four to eight weeks to set up properly and start seeing measurable improvements in lead management or response rates.

  • Deepfake Fraud Is a Business Problem: How Companies Are Fighting Back

    Deepfake Fraud Is a Business Problem: How Companies Are Fighting Back

    Synthetic media has crossed a threshold. What began as an oddity on the fringes of the internet has become a serious instrument of corporate crime, and UK businesses are feeling it. Voice cloning, AI-generated video, and real-time face-swapping are no longer science fiction party tricks. They are tools being actively deployed to impersonate executives, manipulate finance teams, and drain company accounts. Deepfake fraud prevention is rapidly becoming as central to business security as firewalls and phishing training once were.

    The numbers are not ambiguous. A 2024 report from KPMG UK found that fraud losses to UK businesses topped £2.3 billion in a single year, with a growing proportion attributed to digitally manipulated communications. The sophistication of the attacks is accelerating faster than most internal controls were built to handle.

    Corporate finance team reviewing security protocols related to deepfake fraud prevention business strategy
    Corporate finance team reviewing security protocols related to deepfake fraud prevention business strategy

    How Voice Cloning and Synthetic Video Are Being Used Against Businesses

    The mechanics of a modern deepfake fraud attack are straightforward, which is part of what makes them so dangerous. A bad actor scrapes publicly available audio of a CEO from earnings calls, investor presentations, or conference keynotes. That audio is fed into a voice cloning model. Within hours, they have a convincing facsimile of the executive’s voice, ready to make phone calls. Finance teams, conditioned to act on urgency and authority, transfer funds before anyone thinks to verify.

    This is not theoretical. In 2023, the engineering firm Arup confirmed a case in which an employee was deceived during a deepfake video call involving a fabricated version of their CFO, resulting in a £20 million transfer. The case sent a jolt through UK corporate security circles and prompted many boards to treat synthetic media as a tier-one threat rather than an IT curiosity.

    The attack vectors have since expanded. Fraudsters are now using real-time voice conversion during live phone calls, not just pre-recorded audio. They are generating synthetic versions of legal counsel, procurement leads, and HMRC officials to create pressure across multiple points of an organisation simultaneously. The goal is always the same: manufacture urgency, bypass normal authorisation channels, extract money or data.

    Why Corporate Verification Processes Are Struggling to Keep Up

    Most businesses built their fraud prevention around text-based phishing. The training slides show a dodgy email address and a misspelt sender name. That model is genuinely useless against a phone call where the voice sounds exactly like your chief executive, complete with regional accent, familiar vocabulary, and the correct cadence of speech.

    The psychological dimension matters enormously here. When someone believes they are hearing a real person in authority, they apply very different cognitive filters than when reading a suspicious email. Social engineering has always exploited human trust, but deepfakes industrialise that exploitation at a level that demands structural rather than behavioural fixes.

    Cybersecurity analyst using audio forensics tools as part of deepfake fraud prevention for business
    Cybersecurity analyst using audio forensics tools as part of deepfake fraud prevention for business

    Deepfake Fraud Prevention: What Detection Tools Actually Look Like

    Several detection approaches are now being deployed commercially, each targeting different points in the synthetic media chain.

    Audio forensics tools analyse voice recordings for artefacts that cloned audio tends to produce: unnatural micro-pauses, compression patterns inconsistent with the alleged device, spectral anomalies in vowel transitions. Companies like Pindrop and Resemble AI offer real-time detection APIs that can be embedded into telephony infrastructure, flagging calls that show statistical signatures of synthesis before a conversation even concludes.

    Video authentication is harder and still maturing. Current detection models look for subtle failures in facial geometry, inconsistent eye blinking rates, and lighting discrepancies between a superimposed face and the original background. Microsoft’s Azure AI and a number of UK-based startups are offering this as a service, though accuracy degrades quickly when source video quality is high.

    Watermarking and provenance tracking represent a longer-term structural answer. The idea is that authentic media gets cryptographically signed at the point of creation, and any downstream receiver can verify its origin. The Coalition for Content Provenance and Authenticity (C2PA) has published open standards for this, with Adobe, BBC, and others already implementing it for news media. Enterprise adoption is growing but remains patchy.

    For a grounded overview of the regulatory backdrop UK businesses are operating within, the NCSC’s guidance on business continuity and cyber threats is worth bookmarking. They have updated their advisory materials substantially to reflect AI-enabled fraud vectors.

    Internal Protocols Businesses Are Putting in Place

    Technology alone will not solve this. The most effective deepfake fraud prevention strategies pair detection tooling with hard procedural changes at the human layer.

    A growing number of UK enterprises are introducing verbal codewords for high-value financial authorisation. The concept is simple: a pre-agreed word or phrase that any legitimate executive or finance contact will know, and that must be exchanged before any transfer above a threshold is actioned. It sounds almost quaint, but it is genuinely resistant to AI impersonation because the code is never publicly available.

    Dual-channel verification is becoming standard in treasury and finance functions. Any request received via phone or video must be confirmed through a separate, pre-established channel, typically a known internal email thread or a direct callback to a verified number from the company directory, not from a number supplied in the original communication.

    Executive digital footprint auditing is also gaining traction. Security teams are reviewing how much publicly available audio and video exists of their most impersonatable people. Some organisations have begun restricting executive participation in certain public-facing formats, or at minimum ensuring that public recordings are watermarked at source.

    Training programmes are being retooled too. Rather than teaching staff to spot a bad email, progressive organisations are running live simulated deepfake calls against their finance and HR teams. The experience of nearly being deceived is a far more effective training mechanism than a slide deck.

    The Regulatory Picture Is Still Catching Up

    The UK’s Online Safety Act contains provisions relating to harmful synthetic content, though its primary focus is consumer-facing platforms rather than business fraud. The question of liability when a company transfers funds following a deepfake impersonation remains genuinely unresolved in UK case law. HMRC and the FCA have both acknowledged the threat to regulated entities but have yet to publish specific compliance frameworks covering synthetic media fraud.

    That gap means businesses cannot wait for regulation to set the bar. The companies taking deepfake fraud prevention seriously in 2026 are the ones treating it as a board-level risk, not an IT department memo. Threat modelling sessions that include synthetic media attack scenarios, incident response playbooks that account for impersonation calls, and quarterly reviews of detection tooling are the hallmarks of organisations that are genuinely ahead of this curve.

    The technology being weaponised against businesses is the same technology that businesses themselves are starting to use for marketing, customer service, and internal comms. That duality is uncomfortable but important to acknowledge. Understanding synthetic media well enough to deploy it is also the fastest route to understanding how it can be turned against you. In this space, technical literacy is not optional. It is the first line of defence.

    Frequently Asked Questions

    What is deepfake fraud in a business context?

    Deepfake fraud in business involves criminals using AI-generated audio, video, or real-time voice cloning to impersonate executives, colleagues, or officials, typically to authorise fraudulent financial transfers or extract sensitive data. The Arup case in 2023, involving a fabricated CFO video call and a £20 million loss, is one of the most cited UK examples. It is distinct from phishing in that it exploits voice and video rather than text.

    How can a business detect a deepfake voice call?

    Audio forensics tools can analyse calls in real-time for artefacts produced by voice synthesis models, including spectral anomalies and unnatural pause patterns. Platforms like Pindrop offer API-level integration with telephony systems. Procedurally, dual-channel verification, calling back on a known number independently of the original call, remains the most reliable human-layer defence.

    What protocols should businesses put in place to prevent CEO impersonation fraud?

    Effective protocols include verbal codewords for high-value authorisation, mandatory dual-channel verification for all financial transfers above a set threshold, and regular training exercises using simulated deepfake calls. Businesses should also audit the publicly available audio and video of senior executives to understand their impersonation exposure.

    Is deepfake fraud covered under UK financial regulations?

    There is currently no specific FCA or HMRC framework addressing synthetic media fraud in business contexts, though the Online Safety Act touches on harmful AI-generated content for consumer platforms. Liability for losses from deepfake-enabled fraud remains an unsettled area of UK law, which is why proactive internal controls are essential rather than regulatory compliance alone.

    How much does deepfake fraud detection software cost for a UK business?

    Costs vary considerably depending on deployment scale and integration requirements. Entry-level audio forensics APIs can be licensed for a few hundred pounds per month for smaller call volumes, while enterprise-grade real-time detection platforms embedded into existing telephony infrastructure can run to tens of thousands of pounds annually. Many vendors offer phased pilots, which is a sensible starting point before full commitment.