‍The Automated Vehicles Act is law. Pilots are on UK roads. The question is no longer whether autonomous transport is coming. It is whether the governance, liability, safety, and public trust frameworks are ready.

For years, autonomous and connected transport occupied a comfortable space in policy discussions as something that was coming rather than something that needed governing now. That period is over. The Automated Vehicles Act received Royal Assent in May 2024. Commercial pilots of self-driving taxi and bus services on UK roads without a safety driver were brought forward to spring 2026. The full regulatory framework is scheduled for implementation from the second half of 2027.

The UK has moved faster on AV legislation than most comparable nations. What it has not yet fully resolved are the decisions that sit beneath that legislative framework: the detailed questions of safety standards, liability allocation, public trust, cyber risk, accessibility, and what happens when something goes wrong. These are not abstract policy questions. They are decisions that will determine whether autonomous transport actually benefits the public, or simply arrives before the system is ready for it.

What the Automated Vehicles Act Actually Does and Does Not Do

The AV Act 2024 is principally a framework law. It establishes the legal basis for autonomous vehicles to operate on UK roads and sets out the principle that when a vehicle is in self-driving mode, liability shifts from the human occupant to the Authorised Self-Driving Entity (ASDE). That entity, likely the manufacturer or software developer, becomes responsible for the vehicle's actions and for compensating victims of any accident that occurs in autonomous mode.

This is a significant and deliberate policy choice. It is designed to give manufacturers clarity and encourage deployment. It builds on the Automated and Electric Vehicles Act 2018, which established that insurers would be primarily responsible for compensating accident victims, with the right to recover costs from responsible parties downstream.

What the Act does not do is resolve the detail. Safety standards, the precise definition of what constitutes the self-driving test, data retention obligations, incident investigation processes, remote operation rules, and in-use monitoring requirements are all being developed through secondary legislation. The DfT's Call for Evidence published in December 2025, comprising 125 questions across virtually every aspect of AV deployment, gave an indication of how much remains to be determined. A further consultation is expected in the second half of 2026, with final regulations in place from 2027.

The Act creates a legal structure. The secondary legislation creates the operating reality. For any organisation deploying, insuring, or relying on autonomous transport, the detail in those regulations will matter at least as much as the primary Act itself.

The Safety Question Is Not Resolved by Optimism

The government's central safety argument for autonomous vehicles is statistically compelling: human error contributes to 88% of all road collisions. If autonomous systems are meaningfully safer than the average human driver, widespread deployment should save lives. The AV Act requires that vehicles meet a safety standard at least equivalent to that of a careful and competent human driver before they can be authorised.

The challenge is that the safety standard against which AVs will be assessed is not yet fully defined. The Statement of Safety Principles, which will specify what a vehicle must demonstrate to pass the self-driving test, is being developed through secondary legislation. And the real-world performance of AV systems in the specific conditions of UK roads, including weather, road quality, signage, and the behaviour of other road users, has not yet been demonstrated at scale.

There is also a category of safety risk that is specific to the connected dimension of these vehicles. Modern AVs are, in effect, networked software platforms on wheels. The EU published a cybersecurity risk assessment for connected and autonomous vehicles in February 2026, identifying 14 top cybersecurity risks and flagging that existing type approval frameworks were not designed to counter the supply chain threats now facing the sector. Pwn2Own Automotive 2025 demonstrated nearly 50 vulnerabilities across connected vehicle systems, ranging from infotainment units to charging infrastructure. Remote exploitation of vehicle systems is not a theoretical risk. It is a documented capability.

Liability: The Framework Exists, the Complexity Does Not

The liability framework established by the AV Act is clearer than what preceded it, but it introduces new complexity rather than eliminating the old kind.

Under the framework, when a vehicle is in authorised self-driving mode, the ASDE bears liability for accidents. When a human has taken back control, conventional driver liability applies. The insurer pays compensation to victims immediately, with the right to recover from the ASDE where the autonomous system was at fault. This is designed to be fast and clear for victims.

The complications arise in three areas. First, the boundary between autonomous and human control in semi-autonomous or level 3 vehicles, where the system can drive but a human must be available to take over, creates a contested liability zone that courts have not yet tested. Second, where multiple software systems and hardware suppliers contribute to an autonomous function, establishing which party's failure caused an incident involves forensic investigation that may be both technically complex and commercially contested. Third, data retention and disclosure obligations, which determine what evidence is available after an incident, are still being developed. As of early 2026, it had not yet been determined what data businesses would be required to collect and share.

Insurance Business Magazine described this in February 2026 as a system where legal groundwork has been laid but real-world deployments are raising new questions about how risk is priced and responsibility assigned. The liability framework is ahead of the evidentiary infrastructure needed to make it work in practice.

Public Trust Is the Constraint That Technology Cannot Fix

The policy and industry case for autonomous vehicles is built on assumed public adoption. That assumption is not yet supported by public attitudes data.

A YouGov survey conducted in October 2025 found that 79% of Britons lack trust in driverless taxis, with 85% preferring a human driver even if cost and convenience were equal. A Startline survey in November 2025 found that 64% of motorists feel uneasy about sharing roads with autonomous vehicles. Only 22% of UK road users in an HPI survey said they would trust and feel comfortable travelling in a driverless vehicle.

The concerns cited are consistent across surveys: safety is the primary worry, followed by technical malfunction, loss of human control, and cybersecurity risk. Only 8% of respondents in the HPI research believe manufacturers have done enough to demonstrate that driverless cars are safe. Younger adults are more open to the technology, but even in the 18-26 age group only a third expressed comfort with autonomous vehicles.

This is not a communications problem that can be solved with better marketing. Public trust in safety-critical technology is built through demonstrated performance over time, transparent incident reporting, and governance that is visibly independent of commercial interests. The governance architecture DfT establishes for in-use monitoring and incident investigation will be foundational to whether public confidence develops alongside deployment, or whether a single high-profile incident sets adoption back by years.

Accessibility and Equity: The Under-Discussed Dividend

One of the genuinely compelling arguments for autonomous transport is its potential to extend mobility to people who currently lack it. Older people who can no longer drive, disabled people for whom conventional public transport is inaccessible, and communities without viable transport links stand to benefit disproportionately from well-designed autonomous services.

The DfT's Call for Evidence explicitly included separate sections on accessibility and disability, and the government has highlighted this use case as a key motivation for the regulatory programme. Transport for All noted in December 2025 that disabled people still face persistent barriers to everyday journeys, and that self-driving technology has real potential to address this if it is designed with accessibility as a requirement rather than an afterthought.

Whether this dividend is realised depends on decisions that are not yet made. Route design for autonomous passenger services, pricing models, vehicle specification for wheelchair users, and the information systems that support accessible journey planning all need to embed accessibility from the outset. If commercial deployment prioritises high-revenue corridors first, the communities with the most to gain will be last to benefit.

The Decisions That Cannot Wait

Several policy choices sit on the critical path to AV deployment and cannot be deferred without affecting the 2027 timeline or the quality of what that timeline produces.

1. Data retention and disclosure standards must be finalised before large-scale incidents occur. Determining after an accident what data was collected and whether it is available is too late. The evidentiary architecture needs to be in place before deployment at scale.

2. The self-driving test criteria must be published with enough lead time for manufacturers to calibrate their systems before commercial service begins. Ambiguity in safety standards creates commercial uncertainty and, more importantly, safety risk.

3. In-use monitoring and incident investigation powers need independent credibility. If the body responsible for overseeing AV safety is perceived as captured by the industry it regulates, public trust will not develop regardless of actual performance.

4. Accessibility requirements need to be embedded in the Automated Passenger Services permitting scheme, not added later. Permits granted without accessibility conditions attached are difficult to revise once operators have built business models around them.

5. Cyber risk governance for connected vehicles needs to align with the EU's evolving framework. The UK is no longer in the EU type approval system, and divergence from the standards being developed under UN Regulation R155 and the EU's CAV cybersecurity toolbox creates compliance complexity for manufacturers deploying in both markets.

What This Means Beyond Government

Autonomous transport is not solely a government policy question. It is an enterprise risk and commercial strategy question for a wide range of organisations.

Insurers are pricing risk for a liability framework that has no actuarial history. Logistics operators are assessing when autonomous freight vehicles become commercially viable and what their liability exposure looks like in the interim. Local authorities need to plan infrastructure, data sharing arrangements, and enforcement frameworks for vehicles that their existing regulatory tools were not designed to handle. Fleet operators face procurement decisions that will determine whether vehicles purchased now are compatible with the autonomous systems that will define the sector within a decade.

Each of these decisions is being made now, in conditions of genuine regulatory uncertainty. The organisations that engage with the secondary legislation process, understand the direction of the safety framework, and build their planning assumptions on what the AV Act actually requires rather than what they hope it means will be better positioned than those that wait for the picture to clarify.

The technology for autonomous transport is maturing rapidly. The governance architecture that determines whether it can be trusted, who bears the consequences when it fails, and who benefits from when it succeeds is still being written. That is where the important decisions are.