AI Regulations Around the World: A 2026 Country-by-Country Guide

Artificial intelligence has rapidly grown from a research field into a technology shaping economies, industries, and everyday life. As AI capabilities continue to expand, governments and international organizations are introducing new laws, regulations, and policy frameworks to address issues such as safety, transparency, privacy, accountability, and innovation.
While regulatory approaches differ across jurisdictions, the overall trend reflects a growing effort to balance technological progress with risk management. This article provides an overview of the current AI regulatory landscape, highlighting key legislative developments and governance initiatives across major regions and countries.
These approaches span a wide spectrum. Some jurisdictions, such as the European Union and South Korea, have adopted comprehensive, binding AI laws, while China enforces strict but sector-specific rules, most notably for generative AI. Others, including the United Kingdom, Canada, Singapore, Japan, and Australia, rely mainly on principles, voluntary frameworks, and existing laws. The United States sits in between, combining a deregulatory federal stance with a fast-growing patchwork of state laws. Despite these differences, common themes recur across regions: risk-based classification, transparency and labelling, non-discrimination, and human oversight. In this article, you will see how AI is regulated across the United States, the European Union, the United Kingdom, Canada, the Asia-Pacific, Latin America, and the Middle East.
AI Regulations in the United States
The United States has no single, comprehensive federal AI law. Instead, AI is governed by a patchwork of presidential executive orders, voluntary federal frameworks, targeted federal statutes, and a fast-growing body of state and local legislation. The federal direction under the current administration is deregulatory and pro-innovation, and Washington is now actively pushing for one national standard, while individual states continue to legislate, creating a fragmented landscape that businesses must navigate jurisdiction by jurisdiction.
Federal level
Executive Order 14179: Removing Barriers to American Leadership in Artificial Intelligence
Status & timeline. Signed by President Trump on January 23, 2025, Executive Order 14179 took effect immediately and mandated a national AI Action Plan within 180 days, which was delivered in July 2025.
Scope & applicability. Directed at federal agencies and the overall posture of US AI policy. It is an executive directive rather than a statute, so it does not impose obligations directly on private companies, but it shapes how every federal agency approaches AI.
Key requirements. The order revokes the prior administration's Executive Order 14110 (Safe, Secure, and Trustworthy AI, October 30, 2023), directs agencies to identify and remove policies seen as barriers to AI innovation, and sets the goal of developing AI systems "free from ideological bias or engineered social agendas."
Governance / enforcement body. The White House and the Office of Science and Technology Policy, implemented across federal agencies.
Penalties. None; as a presidential directive it carries no civil penalties.
Business impact. Signals a lighter-touch federal posture, so companies can expect fewer new federal AI mandates and a pro-innovation environment, while state-level obligations continue to apply.
America's AI Action Plan
Status & timeline. The White House released America's AI Action Plan on July 23, 2025, as the roadmap mandated by Executive Order 14179.
Scope & applicability. A federal policy roadmap that guides agency action across government. It is not binding on private companies but sets the priorities that drive federal AI rule-making, funding, and infrastructure decisions.
Key requirements. The plan is built on three pillars:
- Accelerate AI innovation, including dismantling regulatory barriers to private-sector development.
- Build American AI infrastructure, with streamlined permitting for data centers and semiconductor facilities.
- Lead in international AI diplomacy and security, including exporting American AI to allies and partners.
Governance / enforcement body. The White House, executed through federal agencies.
Penalties. None; it is a non-binding policy roadmap.
Business impact. Points to faster permitting and federal support for AI infrastructure and exports, which is especially relevant to AI-dependent companies and those building data-center and compute capacity.
Executive Order 14365: Ensuring a National Policy Framework for Artificial Intelligence
Status & timeline. Executive Order 14365 was signed on December 11, 2025.
Scope & applicability. Aimed at state-level AI laws, with the stated goal of replacing a patchwork of state rules with a single national standard.
Key requirements. The order directs the Attorney General to create an AI Litigation Task Force to challenge state AI laws deemed inconsistent with federal policy, instructs the Department of Commerce to identify conflicting state laws, and calls for legislative recommendations on federal preemption, with limited exceptions such as child safety and state procurement.
Governance / enforcement body. The Department of Justice (through the litigation task force), the Department of Commerce, and the FTC.
Penalties. None directly; the order works through federal litigation challenging state laws rather than fines.
Business impact. Introduces real uncertainty about the future of state AI laws, so multi-state operators should track preemption challenges that could significantly reshape their compliance obligations.
A National Policy Framework for Artificial Intelligence: Legislative Recommendations
Status & timeline. The White House published its National Policy Framework for Artificial Intelligence: Legislative Recommendations on March 20, 2026, as the follow-up to Executive Order 14365.
Scope & applicability. A set of recommendations to Congress, not binding law. It outlines what the administration wants federal AI legislation to contain.
Key requirements. The document recommends that Congress:
- Protect children, building on the TAKE IT DOWN Act, including age-assurance requirements for AI platforms likely to be accessed by minors.
- Establish a federal framework against unauthorized AI-generated digital replicas of a person's voice or likeness, with exceptions for parody, satire, and news.
- Create regulatory sandboxes for AI and avoid creating any new federal AI rulemaking body, relying instead on existing sector regulators.
- Streamline federal permitting for AI infrastructure while protecting residential electricity ratepayers.
Governance / enforcement body. Directed at Congress; the administration coordinates through the Special Advisor for AI and existing agencies.
Penalties. None; these are legislative recommendations.
Business impact. Signals the likely shape of future federal AI law, particularly around child safety, digital-replica/likeness rights, and a sector-by-sector rather than centralized regulatory model.
Executive Order 14409: Promoting Advanced Artificial Intelligence Innovation and Security
Status & timeline. President Trump signed Executive Order 14409 on June 2, 2026.
Scope & applicability. Federal agencies, national security systems, and, on a voluntary basis, frontier AI developers.
Key requirements. The order directs agencies to strengthen the cyber defense of federal systems, has the Treasury establish an AI cybersecurity clearinghouse, creates a classified process to benchmark the cyber capabilities of advanced AI models, and sets up a voluntary framework for AI developers to give the government early access to frontier models. It expressly states it does not create any mandatory licensing, preclearance, or permitting requirement for new AI models.
Governance / enforcement body. The White House, CISA, the Treasury, and national security agencies.
Penalties. None; it is a directive focused on federal cybersecurity and voluntary cooperation.
Business impact. Frontier AI developers may be invited into voluntary early-access and benchmarking arrangements, and the order reaffirms there is no federal licensing regime for AI models.
NIST AI Risk Management Framework (AI RMF 1.0)
Status & timeline. NIST published the AI Risk Management Framework (AI RMF 1.0) on January 26, 2023.
Scope & applicability. Voluntary guidance intended for any organization, in any sector, that designs, develops, deploys, or uses AI systems.
Key requirements. The framework is built around four core functions:
- Govern: establish a culture and structure for managing AI risk.
- Map: identify the context and risks of a given AI system.
- Measure: assess, analyze, and track those risks.
- Manage: prioritize and act on the risks over the system's lifecycle.
Governance / enforcement body. NIST as issuer; there is no enforcement authority attached to it.
Penalties. None; it is voluntary and not legally binding.
Business impact. Although voluntary, the AI RMF has become a de facto benchmark for AI governance programs and is increasingly referenced in contracts, audits, procurement requirements, and emerging regulations.
TAKE IT DOWN Act
Status & timeline. The TAKE IT DOWN Act was enacted as Public Law 119-12 on May 19, 2025.
Scope & applicability. Individuals who publish non-consensual intimate images, including AI-generated deepfakes, and online platforms that host user-generated content.
Key requirements. The Act:
- Criminalizes knowingly publishing non-consensual intimate images of an identifiable person, including AI-generated "digital forgeries."
- Requires covered platforms to remove a flagged image within 48 hours of a valid request and make reasonable efforts to remove identical copies.
Governance / enforcement body. The Federal Trade Commission enforces the notice-and-takedown obligation as an unfair or deceptive practice; criminal provisions are prosecuted federally.
Penalties. Criminal penalties of up to two years' imprisonment for offenses involving adults and up to three years for those involving minors, plus FTC enforcement against non-compliant platforms.
Business impact. Any platform hosting user-generated images or video needs a compliant notice-and-takedown process that can act within 48 hours.
Federal Trade Commission (FTC) AI enforcement
Status & timeline. Enforcement is ongoing; the FTC announced its Operation AI Comply sweep on September 25, 2024.
Scope & applicability. Companies that make deceptive AI claims or use AI in unfair or deceptive ways that harm consumers, nationwide.
Key requirements. Using AI to trick, mislead, or defraud people is illegal, and there is "no AI exemption from the laws on the books." The FTC has acted against an "AI lawyer" service that overstated its capabilities and a tool used to generate fake consumer reviews, among others.
Governance / enforcement body. The Federal Trade Commission, under Section 5 of the FTC Act (unfair or deceptive acts or practices).
Penalties. Enforcement actions, monetary settlements, and conduct bans; for example, one company settled for $193,000 and agreed to restrictions on its claims.
Business impact. AI marketing claims must be substantiated, and "AI washing" or selling AI tools designed for deception is a direct enforcement risk.
State level
Colorado Artificial Intelligence Act (SB 24-205 / SB 26-189)
Status & timeline. SB 24-205 was signed on May 17, 2024, becoming the first comprehensive US state AI law. Before it took effect, it was repealed and reenacted by SB 26-189 (signed May 14, 2026), which moved the effective date to January 1, 2027 and narrowed the law's scope.
Scope & applicability. Developers and deployers of automated decision-making technology (ADMT) used in consequential decisions, such as employment, lending, and housing.
Key requirements. SB 26-189 moves away from the original law's duty of reasonable care against algorithmic discrimination to a transparency and disclosure regime for ADMT:
- Give consumers clear and conspicuous notice when ADMT is used in a consequential decision.
- After an adverse decision, provide a plain-language explanation of the ADMT's role, with rights to correction and human review.
- Supply technical documentation from developers to deployers.
- Retain records needed to demonstrate compliance for at least three years.
Governance / enforcement body. The Colorado Attorney General, with exclusive enforcement authority.
Penalties. Civil enforcement by the Attorney General, with violations handled under Colorado consumer protection law.
Business impact. Companies using ADMT on Colorado consumers have until January 1, 2027 to put disclosure, documentation, and record-keeping processes in place.
California: Transparency in Frontier Artificial Intelligence Act (SB 53)
Status & timeline. Governor Gavin Newsom signed SB 53 on September 29, 2025; it takes effect in January 2026 and is the first US state law specifically targeting frontier AI models.
Scope & applicability. Developers of frontier models trained using more than 10^26 computing operations, with the strictest duties falling on large frontier developers that have annual gross revenue over $500 million.
Key requirements.
- Publish a safety and governance framework describing how national and international standards are incorporated.
- Publish transparency reports about frontier models.
- Report critical safety incidents through a dedicated mechanism.
- Provide whistleblower protections for employees who disclose significant safety risks.
Governance / enforcement body. The California Attorney General.
Penalties. Civil penalties of up to $1,000,000 per violation, depending on severity.
Business impact. The largest AI labs operating in California must formalize and publicly publish their safety governance and incident-reporting processes, setting a transparency standard likely to influence the wider industry.
California: Generative AI Training Data Transparency Act (AB 2013)
Status & timeline. AB 2013's obligations must be met on or before January 1, 2026 for generative AI systems made available to Californians; it covers systems released on or after January 1, 2022.
Scope & applicability. Developers of generative AI systems made publicly available to Californians.
Key requirements. Developers must post on their website a high-level summary of the datasets used to train the system, including:
- The sources and owners of the datasets.
- Whether the data includes copyrighted, trademarked, or patented material, or personal information.
- Whether datasets were purchased or licensed, and any data cleaning or modification.
- The time periods of data collection and whether synthetic data was used.
Governance / enforcement body. Enforced under California law, with the documentation made public for transparency.
Penalties. Non-compliance exposes developers to enforcement under applicable California consumer and civil statutes.
Business impact. Any company releasing generative AI to Californians must document and disclose its training-data provenance, a significant transparency and copyright-exposure exercise.
California AI Transparency Act (SB 942)
Status & timeline. SB 942 was enacted with an original operative date of January 1, 2026, but AB 853 (signed October 13, 2025) moved it to August 2, 2026, with phased obligations from January 1, 2027.
Scope & applicability. "Covered providers" of generative AI systems with over 1,000,000 monthly users or visitors that are publicly accessible in California.
Key requirements.
- Provide a free, publicly accessible AI detection tool that lets users check whether content was created by the provider's system.
- Offer users a manifest disclosure that clearly labels content as AI-generated.
- Embed a latent disclosure in AI-generated image, audio, or video content, conveying the provider, system version, and creation date.
Governance / enforcement body. The California Attorney General, along with city and county counsel.
Penalties. Civil penalties of $5,000 per violation, with each day treated as a separate violation.
Business impact. Large consumer-facing generative AI providers must build watermarking, content-provenance, and AI-detection infrastructure before the August 2026 date.
Utah Artificial Intelligence Policy Act (SB 149)
Status & timeline. The Utah Artificial Intelligence Policy Act (SB 149) took effect on May 1, 2024, one of the first AI-specific state statutes.
Scope & applicability. Businesses that use generative AI in consumer interactions, with stricter duties for regulated occupations such as healthcare.
Key requirements.
- Disclose that a consumer is interacting with generative AI rather than a human, if the consumer asks.
- For regulated occupations, disclose the use of generative AI prominently and upfront, before oral or written communication.
- Establish the Office of Artificial Intelligence Policy and an AI regulatory sandbox (the Artificial Intelligence Learning Laboratory Program).
Governance / enforcement body. The Utah Division of Consumer Protection, alongside the Office of Artificial Intelligence Policy.
Penalties. Administrative fines of up to $2,500 per violation.
Business impact. Consumer-facing businesses using chatbots or generative AI in Utah need clear AI-disclosure practices, and the requirements are strictest for licensed professionals.
Texas Responsible Artificial Intelligence Governance Act (HB 149)
Status & timeline. HB 149 was signed on June 22, 2025 and is effective January 1, 2026.
Scope & applicability. Developers and deployers of AI systems in Texas across sectors, with specific additional limits placed on governmental entities.
Key requirements. The Act prohibits developing or deploying AI systems that:
- Are intended to incite a person to physical self-harm.
- Unlawfully discriminate against a protected class.
- Produce child sexual abuse material.
It also bars governmental entities from using AI for social scoring or for capturing biometric data without consent, and it creates the Texas Artificial Intelligence Council and a regulatory sandbox administered by the Department of Information Resources.
Governance / enforcement body. The Texas Attorney General has exclusive enforcement authority, supported by the Texas Artificial Intelligence Council and the Department of Information Resources.
Penalties. Civil penalties apply where a violation is not cured within the allowed period.
Business impact. Companies and agencies deploying AI in Texas should review their use cases against the prohibited categories and can use the state sandbox to test novel deployments with limited legal exposure.
New York City: Local Law 144 (Automated Employment Decision Tools)
Status & timeline. Local Law 144 of 2021 is implemented through rules adopted by the NYC Department of Consumer and Worker Protection (DCWP).
Scope & applicability. Employers and employment agencies using an automated employment decision tool (AEDT) to screen candidates or employees for hiring or promotion in New York City.
Key requirements.
- Have the AEDT undergo a bias audit by an independent auditor within the prior year, calculating selection rates and impact ratios across sex and race/ethnicity categories.
- Publish a summary of the bias-audit results.
- Provide notice to candidates or employees that an AEDT will be used.
Governance / enforcement body. The NYC Department of Consumer and Worker Protection (DCWP).
Penalties. Civil penalties per violation, with each day of non-compliant use treated as a separate violation.
Business impact. Employers using AI hiring tools in NYC must commission annual independent bias audits and publish the results before deploying the tool.
Illinois: Artificial Intelligence Video Interview Act (820 ILCS 42)
Status & timeline. The Artificial Intelligence Video Interview Act (820 ILCS 42) has been in force since January 1, 2020, with demographic-reporting provisions added in 2022.
Scope & applicability. Employers that ask applicants for Illinois-based positions to record video interviews and use AI to analyze them.
Key requirements. Before the interview, the employer must:
- Notify the applicant that AI may be used to analyze the video interview.
- Explain how the AI works and what general characteristics it evaluates.
- Obtain the applicant's consent, and may not evaluate applicants who do not consent.
In addition, employers may share videos only with those whose expertise is needed to evaluate the applicant, and must delete the video within 30 days of an applicant's request.
Governance / enforcement body. Employers relying solely on AI to decide who advances must also report applicant race/ethnicity data to the Illinois Department of Commerce and Economic Opportunity.
Penalties. Enforced under the Act's consent, sharing, deletion, and data-reporting provisions.
Business impact. Employers using AI to screen video interviews of Illinois candidates must build notice, consent, sharing-limit, and deletion processes.
Illinois: HB 3773 (amendment to the Illinois Human Rights Act)
Status & timeline. Enacted as Public Act 103-0804, it took effect on January 1, 2026 as part of the Illinois Human Rights Act. In May 2026 the Illinois Department of Human Rights proposed detailed notice regulations, but it withdrew them on June 2, 2026, so for now the statute requires only that employers give notice, without a prescribed form or frequency.
Scope & applicability. Employers using AI in covered employment decisions, including recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, and the terms, privileges, or conditions of employment.
Key requirements.
- It is a civil rights violation to use AI that has the effect of subjecting employees to discrimination based on a protected class.
- It is a civil rights violation to use ZIP code as a proxy for a protected class.
- Employers must give employees notice when AI is used for covered employment decisions.
Governance / enforcement body. The Illinois Department of Human Rights, which was given authority to issue notice regulations, and the Human Rights Commission.
Penalties. Handled as civil rights violations under the Illinois Human Rights Act, through charges filed with the Department of Human Rights.
Business impact. Illinois employers using AI in hiring must give workers notice and test their tools for discriminatory impact, including proxies such as ZIP code; the precise notice format remains open after the proposed rules were withdrawn.
Other notable state laws
Several states regulate narrower AI uses. Tennessee's ELVIS Act (Ensuring Likeness, Voice, and Image Security Act of 2024), effective July 1, 2024, replaced the state's Personal Rights Protection Act of 1984 to strengthen protection of a person's voice, image, and likeness. California's AB 3030, effective January 1, 2025, requires health facilities that use generative AI in patient clinical communications to disclose that the message was AI-generated and explain how to reach a human provider.
AI Regulations in the European Union
The European Union has the world's first comprehensive, horizontal AI law, the AI Act. It sits within a wider framework of data-protection, product-liability, and human-rights instruments, and is increasingly complemented by national AI laws in individual member states. Together these rules take a risk-based, human-centric approach that reaches well beyond Europe's borders, since they apply to any provider whose AI affects people in the EU.
EU Artificial Intelligence Act (Regulation (EU) 2024/1689)
Status & timeline. The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in phases:
- 2 February 2025: prohibited AI practices and AI literacy obligations.
- 2 August 2025: rules for general-purpose AI (GPAI) models and governance.
- 2 August 2026: general full application.
- 2 December 2027: high-risk systems in certain areas (biometrics, critical infrastructure, education, employment, migration, border control).
- 2 August 2028: high-risk systems embedded in regulated products such as lifts and toys.
The high-risk dates were postponed by the Digital Omnibus simplification package, politically agreed on 7 May 2026.
Scope & applicability. The Act takes a risk-based approach with four tiers:
- Unacceptable risk: banned outright.
- High risk: allowed but subject to strict obligations.
- Transparency (limited) risk: subject to disclosure duties.
- Minimal or no risk: no specific obligations (for example spam filters or AI in video games).
It applies to providers placing AI systems on the EU market, whether established in the EU or in a third country, and to deployers established in the EU. It can also reach providers and deployers outside the EU where the system's output is used in the Union. It does not apply to AI used solely for military, defence, or national security purposes, or developed solely for scientific research and development.
Key requirements. Prohibited (unacceptable-risk) practices include:
- Harmful AI-based manipulation or exploitation of vulnerabilities.
- Social scoring by public or private actors.
- Individual criminal-offence risk assessment based on profiling.
- Untargeted scraping of facial images to build recognition databases.
- Emotion recognition in workplaces and education.
- Biometric categorisation to infer protected characteristics.
- Real-time remote biometric identification in public spaces for law enforcement, save narrowly defined exceptions.
High-risk systems must meet obligations including risk assessment and mitigation, high-quality datasets, technical documentation, activity logging, human oversight, clear information to deployers, and a high level of robustness, accuracy, and cybersecurity.
Governance / enforcement body. Oversight is shared between the European AI Office (within the Commission, responsible for general-purpose AI models), the European Artificial Intelligence Board (coordinating Member States), and national competent and market-surveillance authorities in each Member State.
Penalties. Administrative fines are tiered under Article 99:
- Up to €35 million or 7% of total worldwide annual turnover for breaching the prohibited-practice rules (Article 5).
- Up to €15 million or 3% for breaching other operator obligations, including transparency duties.
- Up to €7.5 million or 1% for supplying incorrect, incomplete, or misleading information to authorities.
The higher of the amount or percentage applies; for SMEs and startups, the lower of the two applies.
Business impact. Any company that develops or uses AI affecting people in the EU can fall within scope, even from abroad. Providers of high-risk systems face the heaviest compliance burden (documentation, testing, human oversight), while the phased timeline gives organizations until 2026 to 2028 to comply depending on the system type.
General-Purpose AI (GPAI) Code of Practice
Status & timeline. The General-Purpose AI Code of Practice was prepared by independent experts, received by the Commission on 10 July 2025, and approved on 1 August 2025; it supports the AI Act's GPAI obligations, which apply from 2 August 2025.
Scope & applicability. A voluntary tool aimed at providers of general-purpose AI models, including those that carry systemic risks.
Key requirements. It gives practical guidance to help providers comply with their AI Act obligations on:
- Transparency about the model.
- Copyright (respecting EU copyright law in training).
- For models with systemic risk, assessing and mitigating those risks (safety and security).
Governance / enforcement body. The European AI Office, supported by the AI Board, oversees general-purpose AI models.
Penalties. None directly; the Code is voluntary. Signing it helps providers demonstrate compliance with AI Act GPAI rules, whose breach can trigger AI Act fines.
Business impact. GPAI providers that sign gain a clearer path to show compliance with their AI Act duties; non-signatories must demonstrate compliance by other means.
General Data Protection Regulation (GDPR): automated decision-making (Article 22)
Status & timeline. The General Data Protection Regulation (Regulation (EU) 2016/679) has applied since 25 May 2018; Article 22 governs solely automated decisions.
Scope & applicability. Any organisation processing the personal data of people in the EU, including through AI-driven automated decisions and profiling.
Key requirements. Under Article 22, a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, unless the decision is:
- necessary for entering into or performing a contract,
- authorised by Union or Member State law, or
- based on the data subject's explicit consent.
Where such decisions are allowed, the controller must provide safeguards, including the right to obtain human intervention, to express one's point of view, and to contest the decision.
Governance / enforcement body. National data protection authorities in each Member State, coordinated by the European Data Protection Board.
Penalties. Breaches of the data-subject rights in Articles 12 to 22, which include Article 22, fall under GDPR's highest fine tier: up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)).
Business impact. Organisations that use AI to make significant decisions about people in the EU must offer a human-review route and meet GDPR's transparency and lawful-basis requirements, independently of the AI Act.
Revised Product Liability Directive (Directive (EU) 2024/2853)
Status & timeline. Directive (EU) 2024/2853 on liability for defective products entered into force on 8 December 2024; Member States must transpose it by 9 December 2026, and it applies to products placed on the market or put into service after that date.
Scope & applicability. Modernises the EU's product-liability rules and explicitly treats software and AI systems as products, alongside digital manufacturing files and related integrated services.
Key requirements.
- Maintains no-fault (strict) liability: economic operators are liable for defective products regardless of negligence.
- Introduces disclosure obligations, so defendants must disclose relevant evidence when a claimant shows the claim is plausible.
- Eases the burden of proof, with presumptions of defectiveness where evidence is withheld, mandatory safety rules are breached, or a case is excessively complex.
Governance / enforcement body. Enforced through the national civil courts of the Member States, not a single regulator.
Penalties. Not a fines regime; it creates civil liability to compensate people harmed by defective AI-enabled or software products.
Business impact. Software and AI providers can be held strictly liable for damage caused by defective products, and claimants have an easier path to prove their case, raising litigation and compliance stakes for AI vendors selling into the EU.
Council of Europe Framework Convention on Artificial Intelligence
Status & timeline. The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law is the first-ever international legally binding treaty on AI; it was opened for signature on 5 September 2024.
Scope & applicability. It covers activities within the lifecycle of AI systems by public authorities (and private actors acting on their behalf) and by private actors; Parties may apply the Convention's provisions directly to the private sector or take other measures achieving the same result. It does not apply to national defence or to research and development (unless testing may interfere with human rights, democracy, or the rule of law), and national-security activities are exempt but must respect international law. It is technology-neutral, and is open to non-member states (signatories include the EU, the United Kingdom, the United States, Canada, Japan, Israel, and others).
Key requirements. Parties must ensure AI lifecycle activities respect fundamental principles:
- Human dignity and individual autonomy.
- Equality and non-discrimination.
- Respect for privacy and personal data protection.
- Transparency and oversight.
- Accountability and responsibility.
- Reliability and safe innovation.
They must also provide remedies and procedural safeguards (including notice that a person is interacting with an AI system and the ability to challenge AI-based decisions), carry out iterative risk and impact assessments, and may introduce bans or moratoria ("red lines") on certain AI applications.
Governance / enforcement body. A follow-up mechanism, the Conference of the Parties, made up of representatives of the Parties, monitors implementation.
Penalties. No fines under the treaty itself; Parties implement its obligations through national law, with the Conference of the Parties monitoring compliance.
Business impact. As signatory states implement the Convention, businesses can expect national AI rules grounded in human-rights principles, transparency, and the right to challenge AI-based decisions.
Italy: National AI Law (Law No. 132/2025)
Status & timeline. Law No. 132/2025 was adopted on 23 September 2025, published on 25 September 2025, and entered into force in October 2025, making Italy the first EU member state to adopt a national AI law.
Scope & applicability. Applies nationally alongside the EU AI Act, which it complements rather than duplicates, with sector-specific safeguards.
Key requirements.
- Anthropocentric principles: AI can support decisions, services, and training but cannot replace human responsibility or compress fundamental rights.
- Prohibits automated decisions on employment matters.
- Requires human oversight in the justice system.
- Is interpreted and applied consistently with EU Regulation 2024/1689.
Governance / enforcement body. AgID as the notification authority and the National Cybersecurity Agency (ACN) as market-surveillance authority and single point of contact with EU institutions, with sectoral regulators (Banca d'Italia, CONSOB, IVASS, and the Data Protection Authority) for high-risk systems in their domains.
Penalties. Introduces a new criminal offence (Article 437-bis of the Penal Code) for omitting or altering security measures in high-risk AI systems where this creates concrete danger to life, public safety, or state security, with corporate liability under Legislative Decree 231/2001.
Business impact. Companies running AI in Italy must align with both the EU AI Act and Italy's national rules, including stricter limits on automated employment decisions and exposure to Italian criminal law.
Spain: Draft Organic Law for the Good Use and Governance of AI
Status & timeline. Spain's Council of Ministers approved the draft Organic Law for the good use and governance of artificial intelligence on 26 May 2026; it is now in parliamentary processing and not yet in force.
Scope & applicability. Develops the EU AI Act in national law, classifying AI by risk level and applying across public administration and the private sector.
Key requirements.
- Establishes a national AI governance model and a sanctions regime.
- Sets rules for trustworthy AI and its good use in public administration.
- Guarantees human supervision of AI.
Governance / enforcement body. The Spanish Agency for the Supervision of Artificial Intelligence (AESIA), which also acts as the single point of contact, alongside notifying and market-surveillance authorities. Products already covered by sectoral rules (such as machinery, toys, vehicles, and medical devices) keep their existing authorities, while non-product systems such as employment, biometrics, and education fall mainly to AESIA, the Spanish Data Protection Agency (AEPD), and the General Council of the Judiciary (CGPJ).
Penalties. The draft law sets a sanctions regime with infringements classified as very serious, serious, or minor; fines can reach up to €35 million or 7% of turnover for the most serious cases and up to €500,000 or 0.5% for the least serious, with reductions for early payment or corrective measures and special consideration for SMEs and startups.
Business impact. Once enacted, Spain will have a dedicated AI regulator (AESIA) and a national sanctions regime layered on top of the EU AI Act; companies should track the bill's passage through Parliament.
AI Regulations in the United Kingdom
The United Kingdom has deliberately chosen not to pass a single, comprehensive AI law. Instead it follows a "pro-innovation", principles-based, sector-led approach: existing regulators apply a common set of AI principles within their own remits, supported by new institutions and targeted updates to data, online-safety, and other laws. The government has signalled future legislation for the most powerful AI models, but for now the framework is non-statutory and spread across existing regulators.
UK pro-innovation AI regulation framework
Status & timeline. The UK set out its approach in the white paper A pro-innovation approach to AI regulation, presented to Parliament on 29 March 2023 (Command Paper 815).
Scope & applicability. A non-statutory, cross-sector framework that focuses on the context and use of AI rather than the technology itself, applied through existing regulators rather than a new AI law.
Key requirements. Regulators are expected to apply five cross-sectoral principles:
- Safety, security and robustness.
- Appropriate transparency and explainability.
- Fairness.
- Accountability and governance.
- Contestability and redress.
Governance / enforcement body. Existing sector regulators apply the principles within their remits; there is no central AI regulator.
Penalties. None under the framework itself; enforcement happens through each regulator's existing powers.
Business impact. Companies must work out how the five principles apply through each relevant regulator, rather than following a single AI rulebook, so obligations depend on the sector and the existing laws that apply.
Sector regulators. Rather than a new AI authority, the UK relies on existing regulators to oversee AI in their domains: the Information Commissioner's Office (ICO) for personal data and automated decisions, Ofcom for online services and telecoms, the Financial Conduct Authority (FCA) for financial services, the Competition and Markets Authority (CMA) for competition and markets, and the Medicines and Healthcare products Regulatory Agency (MHRA) for medical devices, among others. Each applies the five principles using its own statutory powers.
AI Security Institute (formerly AI Safety Institute)
Status & timeline. The UK established the AI Safety Institute on 2 November 2023 and renamed it the AI Security Institute on 14 February 2025.
Scope & applicability. A government body, not a regulator, focused on the most serious security risks of advanced AI.
Key requirements. It tests and evaluates advanced AI models and studies risks such as AI-enabled chemical and biological weapons, cyber-attacks, and crimes like fraud and child sexual abuse; it explicitly does not focus on bias or freedom of speech.
Governance / enforcement body. Part of the UK government (Department for Science, Innovation and Technology); it has no regulatory or enforcement powers.
Penalties. None; it is a research and evaluation body.
Business impact. Frontier AI developers may engage with the Institute on model testing, but it imposes no direct legal obligations.
Data (Use and Access) Act 2025
Status & timeline. The Data (Use and Access) Act 2025 (2025 c. 18) received Royal Assent on 19 June 2025; its data-protection changes, including new rules on automated decision-making, commence from 2026.
Scope & applicability. Organisations subject to UK data protection law that make solely automated decisions about individuals.
Key requirements. It restructures the UK GDPR's automated decision-making rules, replacing the single Article 22 with a new framework, while keeping safeguards for significant decisions based solely on automated processing, including the rights to be informed, to obtain human intervention, to make representations, and to contest the decision.
Governance / enforcement body. The Information Commissioner's Office (ICO).
Penalties. Enforced under UK data protection law (UK GDPR and the Data Protection Act 2018), through the ICO's existing fining powers.
Business impact. Organisations using AI for significant automated decisions about people in the UK must provide human-review and contestability safeguards under the updated regime.
Online Safety Act 2023
Status & timeline. The Online Safety Act 2023 (2023 c. 50) received Royal Assent on 26 October 2023.
Scope & applicability. User-to-user services (such as social media and messaging) and search services accessible in the UK; it captures illegal content and content harmful to children, including illegal content that is AI-generated.
Key requirements. Regulated services must assess the risk of illegal content and risks to children, put in place proportionate safety measures, operate complaint and reporting systems, and maintain clear terms of service.
Governance / enforcement body. Ofcom.
Penalties. Ofcom can impose fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is higher.
Business impact. Platforms and services that let users share content must manage illegal and harmful material, including AI-generated abuse such as deepfake intimate images and child sexual abuse material.
Crime and Policing Act 2026: illegal AI-generated content (Online Safety Act amendment)
Status & timeline. The Crime and Policing Act 2026 (2026 c. 20) received Royal Assent on 29 April 2026 and inserts a new section 216A into the Online Safety Act 2023. The Secretary of State must report to Parliament by 31 December 2026 on progress toward making regulations under it.
Scope & applicability. Targets "AI services", defined as internet services capable of generating AI-generated content (which captures AI chatbots and content generators), whether provided from inside or outside the UK.
Key requirements. It gives the Secretary of State power to make regulations amending the Online Safety Act to minimise or mitigate the risks of harm from:
- illegal AI-generated content; and
- the use of AI services to commit or facilitate priority offences.
Such regulations could impose Online Safety Act-style duties on AI-service providers (covering illegal content, search content, fraudulent advertising, and the reporting of child sexual exploitation and abuse content), bring AI services within the Act's "regulated service" definitions, and extend the regime to AI services provided from outside the UK.
Governance / enforcement body. Ofcom, under functions and powers that the regulations may confer; the Secretary of State makes the regulations.
Penalties. The enabling power allows regulations to give Ofcom monetary-penalty powers over AI services, mirroring the Online Safety Act enforcement regime; no standalone fine applies until those regulations are made.
Business impact. Providers of AI chatbots and content-generation services should expect to be brought within the Online Safety Act regime for illegal AI-generated content, with Ofcom oversight, once the Secretary of State makes regulations.
Artificial Intelligence (Regulation) Bill [HL]
Status & timeline. The Artificial Intelligence (Regulation) Bill [HL] is a Private Member's Bill introduced in the House of Lords (HL Bill 76, "as introduced"). It has not become law, and represents a proposed statutory model for UK AI regulation rather than a binding one.
Scope & applicability. Would apply to any business that develops, deploys, or uses AI in the UK, across sectors.
Key requirements. The Bill would:
- Create an "AI Authority" to ensure regulators take account of AI, align their approaches, run a gap analysis, and monitor economy-wide AI risks.
- Put regulatory principles on a statutory footing (safety, security and robustness; transparency and explainability; fairness; accountability and governance; contestability and redress).
- Require regulatory sandboxes to help AI innovators test products.
- Require any business that develops, deploys, or uses AI to designate an "AI responsible officer".
- Require those training AI to record and disclose third-party data and intellectual property used, comply with IP and copyright obligations, label AI products clearly, and allow independent accredited audits.
Governance / enforcement body. Would create a new central "AI Authority", working with existing regulators.
Penalties. None; it is a bill, not enacted law.
Business impact. If enacted, it would shift the UK from its non-statutory framework toward a central AI Authority, mandatory AI responsible officers, and labelling and audit duties; for now it mainly signals the possible direction of future UK legislation.
AI Regulations in Canada
Canada has no comprehensive AI law in force. Its main legislative attempt, the Artificial Intelligence and Data Act, did not pass before Parliament's session ended, so AI is currently governed by a voluntary code, federal and provincial privacy laws, and rules for the government's own use of AI.
Artificial Intelligence and Data Act (AIDA), part of Bill C-27
Status & timeline. AIDA was introduced as part of Bill C-27, the Digital Charter Implementation Act, 2022. It was still at committee stage when the first session of the 44th Parliament ended with prorogation on 6 January 2025, so it did not become law and, as of 2026, has not been reintroduced.
Scope & applicability. Would have applied to businesses that design, develop, or deploy "high-impact" AI systems in Canada.
Key requirements. As drafted, it would have required businesses to identify and address risks of harm and bias across the AI lifecycle, assess uses and limitations during development, put in place risk-mitigation measures, and continuously monitor high-impact systems.
Governance / enforcement body. Would have been administered by the federal government through Innovation, Science and Economic Development Canada.
Penalties. The bill proposed administrative monetary penalties and offences, but none are in force because it did not pass.
Business impact. There is currently no binding federal AI statute in Canada, so businesses should watch for a possible successor bill while relying on existing privacy and sectoral rules.
Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems
Status & timeline. Launched by Innovation, Science and Economic Development Canada in September 2023.
Scope & applicability. Voluntary, for organizations developing or managing advanced generative AI systems with general-purpose capabilities; signatories include companies such as Cohere, TELUS, and IBM Canada, and research bodies such as Mila and the Vector Institute.
Key requirements. Signatories commit to six principles:
- Accountability.
- Safety.
- Fairness and equity.
- Transparency.
- Human oversight and monitoring.
- Validity and robustness.
Governance / enforcement body. Administered by Innovation, Science and Economic Development Canada; it does not change existing legal obligations.
Penalties. None; the Code is voluntary.
Business impact. It gives Canadian generative AI developers a common set of expectations ahead of any formal AI law, and signing signals responsible-AI practices.
Directive on Automated Decision-Making
Status & timeline. Canada's Directive on Automated Decision-Making took effect on 1 April 2019, with compliance required by 1 April 2020; updated requirements (last modified 24 June 2025) must be met by existing systems by 24 June 2026.
Scope & applicability. Applies to federal government institutions subject to the Policy on Service and Digital that use an automated decision system to make or assist an administrative decision about a client; it excludes systems used solely for research or in test environments. Systems are graded across four impact levels, from Level I (low risk) to Level IV (very high risk).
Key requirements.
- Complete, approve, and publish an Algorithmic Impact Assessment before a system goes into production.
- Give notice before decisions and a meaningful explanation afterwards, scaled to the impact level.
- Test the data and model for accuracy, bias, and human-rights impacts, and monitor outcomes.
- Ensure human involvement, with the final decision made by a human for higher-impact systems.
- Provide recourse so clients can challenge an administrative decision.
Governance / enforcement body. The Treasury Board of Canada Secretariat issues and oversees the Directive and maintains the Algorithmic Impact Assessment tool.
Penalties. No fines; it is an internal government policy, enforced through Treasury Board compliance mechanisms and deputy-head accountability.
Business impact. It governs the public sector rather than private companies, but it sets Canada's benchmark for responsible automated decision-making and shapes expectations for vendors that sell AI to the federal government.
Quebec: Law 25 (automated decision-making)
Status & timeline. Quebec's Law 25 (2021) modernised the Act respecting the protection of personal information in the private sector, phasing in new privacy obligations, including rules on decisions based exclusively on automated processing (section 12.1).
Scope & applicability. Any enterprise carrying on business in Quebec that uses personal information to render a decision based exclusively on automated processing.
Key requirements. Under section 12.1, the enterprise must:
- Inform the individual that the decision is based exclusively on automated processing, no later than when it informs them of the decision.
- On request, tell the individual the personal information used, the reasons and the principal factors and parameters that led to the decision, and their right to have that information corrected.
- Give the individual the opportunity to submit observations to a member of staff who is able to review the decision.
Governance / enforcement body. The Commission d'accès à l'information du Québec.
Penalties. Law 25 introduced significant administrative monetary penalties and penal fines for breaches of the Act.
Business impact. Businesses that make fully automated decisions about people in Quebec must build notice, explanation, correction, and human-review processes, similar in spirit to GDPR Article 22.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Status & timeline. PIPEDA is Canada's federal private-sector privacy law and applies to AI systems that process personal information in the course of commercial activities.
Scope & applicability. Organizations that collect, use, or disclose personal information in the course of commercial activities across Canada, except where a substantially similar provincial law (such as Quebec's) applies.
Key requirements. Organizations must comply with the fair information principles in Schedule 1, including:
- Accountability and identifying the purposes for which personal information is collected.
- Obtaining valid, meaningful consent (consent is valid only if a person can reasonably be expected to understand the nature, purpose, and consequences of the collection, use, or disclosure).
- Collecting, using, or disclosing personal information only for purposes a reasonable person would consider appropriate.
- Safeguarding personal information and giving individuals access to their own information.
Governance / enforcement body. The Office of the Privacy Commissioner of Canada.
Penalties. Enforced through Commissioner investigations and Federal Court proceedings, with offences for certain breaches such as failing to report a security breach.
Business impact. Any business using AI on Canadians' personal data must ensure a valid basis (usually consent), purpose limitation, transparency, and access rights, even in the absence of an AI-specific federal law.
AI Regulations in the Asia-Pacific
The Asia-Pacific region has no single regulatory model. Several major economies, including Singapore and Japan, favour light-touch, pro-innovation approaches built on voluntary frameworks and guidance, while China has enacted some of the world's most detailed and binding AI rules. Australia sits in between, relying on a voluntary standard while consulting on mandatory rules for high-risk AI.
Singapore
Model AI Governance Framework for Generative AI
Status & timeline. Singapore's Model AI Governance Framework for Generative AI was published in May 2024 by the Infocomm Media Development Authority (IMDA) and the AI Verify Foundation, building on the original Model AI Governance Framework (first issued in 2019 and updated in 2020).
Scope & applicability. A voluntary framework addressed to the whole AI ecosystem, including model developers, application deployers, and cloud providers; it is not legally binding.
Key requirements. It proposes nine dimensions to foster a trusted AI ecosystem:
- Accountability.
- Data.
- Trusted development and deployment.
- Incident reporting.
- Testing and assurance.
- Security.
- Content provenance.
- Safety and alignment research and development.
- AI for public good.
Governance / enforcement body. IMDA and the AI Verify Foundation steward the framework; there is no enforcement body.
Penalties. None; it is voluntary guidance.
Business impact. It gives companies operating in Singapore a practical, internationally aligned blueprint for responsible generative AI, and is widely used as a reference across Asia. Singapore has no comprehensive AI statute; personal data used in AI is separately governed by the Personal Data Protection Act 2012.
AI Verify (testing framework and toolkit)
Status & timeline. AI Verify was launched by IMDA and the PDPC on 25 May 2022 as a testing framework and software toolkit, open-sourced in June 2023, and updated on 29 May 2025 to cover generative AI as well as traditional AI.
Scope & applicability. Voluntary; for AI application owners and developers, internal compliance teams, and external auditors that want to test and document responsible AI practices.
Key requirements. It lets a company assess an AI system against 11 internationally recognised AI governance principles:
- Transparency.
- Explainability.
- Repeatability and reproducibility.
- Safety.
- Security.
- Robustness.
- Fairness.
- Data governance.
- Accountability.
- Human agency and oversight.
- Inclusive growth, societal and environmental well-being.
Each principle has desired outcomes that are validated through documented processes and evidence.
Governance / enforcement body. IMDA and the AI Verify Foundation; it is voluntary self-assessment, not enforced.
Penalties. None; it is a voluntary testing tool.
Business impact. It gives companies a structured way to demonstrate responsible AI and build stakeholder trust, mapped to international frameworks including the NIST AI Risk Management Framework, the OECD principles, ISO/IEC 42001, and the Hiroshima Process Code of Conduct.
Japan
AI Promotion Act (Act on Promotion of Research, Development and Utilization of AI-Related Technologies)
Status & timeline. Japan's AI Promotion Act was enacted on 28 May 2025, making it Japan's first AI-specific law.
Scope & applicability. A "fundamental law" that sets the national policy direction for AI research, development, and use; it defines broad directions rather than detailed obligations on specific businesses.
Key requirements. It sets national objectives to promote safe and beneficial AI and innovation, provides for a Basic AI Plan to guide government action, and creates centralized policy oversight, relying on principles, coordination, and voluntary alignment rather than mandates.
Governance / enforcement body. The central government, through Cabinet-led AI policy structures.
Penalties. None; the Act does not establish detailed compliance obligations or penalties, though authorities may issue advice or request information.
Business impact. Japan signals a strongly pro-innovation stance, so businesses face guidance and expectations (such as the AI Guidelines for Business) rather than binding AI-specific rules.
AI Guidelines for Business (METI/MIC)
Status & timeline. The AI Guidelines for Business were finalised on 19 April 2024 by the Ministry of Economy, Trade and Industry (METI) and the Ministry of Internal Affairs and Communications (MIC), consolidating Japan's earlier AI policy instruments, with a revised version issued in 2025.
Scope & applicability. Voluntary guidance for all actors in the AI value chain, organised into three tiers: AI developers, AI providers, and business users.
Key requirements. They set out ten common guiding principles, including human-centricity, safety, fairness, privacy protection, security, transparency, accountability, education and literacy, fair competition, and innovation, with tier-specific recommended practices and an "agile governance" approach.
Governance / enforcement body. METI and MIC issue the Guidelines; there is no dedicated AI regulator, and accountability flows through existing laws such as the Act on the Protection of Personal Information.
Penalties. None directly; the Guidelines are voluntary soft law, with enforcement risk arising under adjacent statutes.
Business impact. Companies operating in Japan use the Guidelines as the practical benchmark for AI governance, often referenced in procurement and supervisory dialogue even though they are not legally binding.
Australia
Voluntary AI Safety Standard
Status & timeline. Australia's Voluntary AI Safety Standard was published on 5 September 2024 by the National Artificial Intelligence Centre and last updated on 2 December 2025; on 21 October 2025 the government published a simplified Guidance for AI Adoption (six essential practices) that evolves the standard.
Scope & applicability. Voluntary; it applies to all Australian organisations across the AI supply chain, including developers and deployers, with a focus on legitimate high-risk settings.
Key requirements. The standard consists of ten voluntary guardrails covering transparency and accountability across the AI supply chain, helping organisations manage the risks AI may pose to people and groups. Its language is deliberately aligned with international standards so that compliance also supports international alignment.
Governance / enforcement body. The National Artificial Intelligence Centre, within the Department of Industry, Science and Resources.
Penalties. None; the standard is voluntary.
Business impact. It gives Australian organisations a practical, internationally aligned baseline for responsible AI now, while the government progresses its broader Safe and Responsible AI agenda for high-risk settings. Australia has no comprehensive AI statute, and AI is also governed by existing laws such as the Privacy Act.
China
Interim Measures for the Management of Generative AI Services
Status & timeline. China's Interim Measures for the Management of Generative AI Services were promulgated on 10 July 2023 and took effect on 15 August 2023, making China one of the first jurisdictions with binding rules specifically for generative AI.
Scope & applicability. They apply to the use of generative AI to provide text, image, audio, or video generation services to the public in mainland China; they do not apply to research and development that is not offered as a public service, and they can reach services provided from outside mainland China.
Key requirements.
- Generated content must uphold Core Socialist Values and must not endanger national security or generate prohibited, false, or harmful information.
- Providers must take measures to prevent discrimination, respect intellectual property and others' rights (including image, reputation, privacy, and personal information), and improve content transparency and accuracy.
- Training data must come from lawful sources, respect IP, and obtain consent where personal information is involved.
- Generated content such as images and video must be labelled in line with the Deep Synthesis Provisions.
- Services with "public opinion properties or the capacity for social mobilization" must complete a security assessment and file their algorithms with the authorities.
Governance / enforcement body. The Cyberspace Administration of China (CAC), together with the National Development and Reform Commission, the Ministry of Education, the Ministry of Science and Technology, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration of Radio and Television.
Penalties. Enforced under China's Cybersecurity Law, Data Security Law, and Personal Information Protection Law; authorities can issue warnings, order corrections, and suspend services, with public-security sanctions or criminal liability for serious violations.
Business impact. Any company offering generative AI to the public in China faces detailed content, data, labelling, and filing obligations, the strictest regime among the major economies, and foreign providers can also be brought within scope.
Measures for Labeling of AI-Generated Synthetic Content
Status & timeline. The Measures for Labeling of AI-Generated Synthetic Content were promulgated on 7 March 2025 and took effect on 1 September 2025, alongside a mandatory national standard.
Scope & applicability. They apply to online information service providers covered by the Algorithm Recommendation, Deep Synthesis, and Generative AI rules that produce AI-generated synthetic content, including text, images, audio, video, and virtual scenes.
Key requirements.
- Add explicit labels that users can clearly perceive (text, audio, or visual notices) to AI-generated text, audio, images, video, and virtual scenes.
- Add implicit labels in the file metadata, including the content's attribute information, the provider's name or code, and a content reference number; digital watermarks are encouraged.
- Content-transmission platforms must check metadata for implicit labels and add notices identifying, or flagging as suspected, AI-generated content.
- Users who publish AI-generated content must declare it, and labels must not be maliciously removed, altered, or forged.
Governance / enforcement body. The CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration of Radio and Television.
Penalties. Handled by the internet information, telecommunications, public security, and radio and television authorities under the Cybersecurity Law and related rules.
Business impact. Any provider offering generative AI to users in China must build both visible labelling and metadata or watermark provenance into its products before 1 September 2025, a stricter content-provenance regime than most other countries.
Related provisions. These rules build on two earlier CAC frameworks that the generative AI Measures cross-reference: the Provisions on the Administration of Deep Synthesis Internet Information Services (2023), which require labelling of synthetically generated or altered content, and the Provisions on the Management of Algorithmic Recommendations in Internet Information Services (2022), which govern recommendation algorithms.
South Korea
AI Basic Act (Framework Act on AI Development and Establishment of a Foundation for Trustworthiness)
Status & timeline. South Korea's AI Basic Act was passed by the National Assembly on 26 December 2024, promulgated on 21 January 2025, and enters into force one year later, on 22 January 2026. It is Asia's first comprehensive AI law. A grace period applies in 2026, during which administrative fines are generally deferred except in serious cases.
Scope & applicability. It applies to AI development business operators and AI utilization business operators, with heightened duties for high-impact and generative AI. It has extraterritorial reach: foreign operators whose AI affects Korea must designate a domestic representative; national defence and security activities are exempt.
Key requirements.
- Identify, assess, and mitigate risks for AI systems whose training compute exceeds prescribed thresholds.
- Carry out impact assessments for high-impact AI affecting fundamental rights and public interests.
- For generative AI and high-impact AI, notify users that AI is being used and label AI-generated content where it is hard to distinguish from human-made content.
- Implement risk-management and safety-incident monitoring across the AI lifecycle.
High-impact AI is defined as AI used in areas that may significantly affect human life, safety, or fundamental rights, including energy supply, drinking water, healthcare services, medical devices, nuclear facilities, biometric analysis for criminal investigations or arrests, judgments affecting individual rights such as employment and loan assessments, transport, public-sector decision-making, and student assessment in schools.
Governance / enforcement body. The Ministry of Science and ICT (MSIT), supported by the National AI Committee, with AI-related data processing overseen by the Personal Information Protection Commission (PIPC).
Penalties. Administrative fines of up to KRW 30 million; the Act does not establish civil liability, and it emphasizes post-market oversight over pre-market approval.
Business impact. South Korea pairs a comprehensive, risk-based framework with a lighter, more innovation-friendly enforcement posture than the EU; companies serving Korean users, including from abroad, should appoint a domestic representative and prepare risk-assessment, labelling, and transparency processes.
AI Regulations in Latin America
Latin America's largest economy does not yet have a comprehensive AI law fully in force, but the region is moving quickly. Brazil is advancing a comprehensive, EU-style risk-based bill, Peru has already enacted a promotional AI law, and existing data-protection laws govern automated decisions across the region.
Brazil
Artificial Intelligence Bill (PL 2338/2023)
Status & timeline. PL 2338/2023, a bill that provides for the use of artificial intelligence, was approved by the Federal Senate plenary on 10 December 2024 as a substitute text (Substitutivo) and sent to the Chamber of Deputies on 17 March 2025; it is not yet law.
Scope & applicability. It applies to the development, supply, and use of AI systems in Brazil, graded by risk, with the strictest controls on high-risk systems.
Key requirements. The approved text follows a risk-based approach:
- It defines prohibited applications classified as "excessive risk" (risco excessivo).
- It defines "high-risk" (alto risco) systems, which are subject to stricter controls, including a preliminary assessment, an algorithmic impact assessment, internal governance measures, technical documentation, and human oversight.
- It strengthens protection against discrimination and gives affected people rights including the right to information and understanding, the right to contest decisions, and the right to correction of discriminatory biases.
Governance / enforcement body. A competent authority regulates excessive-risk and high-risk systems, is notified of high-risk systems through their preliminary and algorithmic impact assessments, and maintains a public database of high-risk AI impact assessments.
Penalties. Administrative sanctions include fines of up to R$50 million per infraction, or up to 2% of a private company's Brazilian revenue in its last financial year; for excessive-risk systems, at minimum a fine plus partial or total suspension of activities. Providers and operators of high-risk or excessive-risk systems bear strict (objective) civil liability for damages.
Business impact. Once enacted, Brazil would have one of Latin America's first comprehensive, risk-based AI laws, similar in structure to the EU AI Act; companies should prepare for risk classification, impact assessments, documentation, and rights-handling obligations.
General Data Protection Law (LGPD): automated decisions (Article 20)
Status & timeline. Brazil's General Data Protection Law (LGPD, Law No. 13.709/2018) has applied since 2020 and governs automated decision-making through Article 20.
Scope & applicability. Organizations that process the personal data of people in Brazil, including through automated decisions and profiling.
Key requirements. Under Article 20, a data subject has the right to request a review of decisions taken solely on the basis of automated processing of personal data that affect their interests, including decisions intended to define personal, professional, consumer, or credit profiles. On request, the controller must provide clear and adequate information about the criteria and procedures used for the automated decision, subject to commercial and industrial secrecy; where it withholds this on secrecy grounds, the ANPD may audit the system for discriminatory aspects.
Governance / enforcement body. The National Data Protection Authority (ANPD).
Penalties. LGPD provides for administrative sanctions, including fines based on a percentage of revenue, enforced by the ANPD.
Business impact. Companies using AI to make significant automated decisions about people in Brazil must be able to offer a review of those decisions, independently of the pending AI bill.
Peru
Law No. 31814 (promotion of the use of AI)
Status & timeline. Peru enacted Law No. 31814 in 2023 to promote the use of AI for the country's economic and social development.
Scope & applicability. A national framework promoting the safe, transparent, responsible, and rights-respecting use of AI across the public and private sectors.
Key requirements. It adopts a human-centric, rights-based approach and sets objectives such as fostering AI adoption, developing skills and digital infrastructure, and establishing ethical guidelines.
Governance / enforcement body. The Presidency of the Council of Ministers, through the Secretariat of Government and Digital Transformation (PCM-SGTD), as the national AI authority.
Penalties. The law is primarily promotional and principles-based rather than a penalty regime.
Business impact. Peru gives businesses an early, principles-based national AI framework with a designated regulator, signalling the region's direction even ahead of binding obligations.
AI Regulations in the Middle East
The Middle East has no binding, comprehensive AI law across the region, but its leading economies are investing heavily in AI governance. The United Arab Emirates and Saudi Arabia have each built national AI strategies, dedicated authorities, and ethics frameworks, and the financial free zones, notably the DIFC, have introduced the region's first AI-specific regulation.
Saudi Arabia
AI Ethics Principles (SDAIA)
Status & timeline. Saudi Arabia's AI Ethics Principles were issued by the Saudi Data and Artificial Intelligence Authority (SDAIA) in September 2023, under its mandate to develop data and AI policies, standards, and controls.
Scope & applicability. A national ethics framework for the design, development, deployment, and use of AI systems, applied across the AI system lifecycle and graded by a risk classification.
Key requirements. AI systems are classified into four risk levels:
- Little or no risk: no restrictions, though ethical compliance is recommended.
- Limited risk: must apply the AI ethics principles.
- High risk: must undergo pre- and post-conformity assessments and meet relevant statutory requirements.
- Unacceptable risk: not allowed (for example social profiling, exploitation of children, or distortion of behaviour).
Systems must also uphold seven principles: fairness; privacy and security; humanity; social and environmental benefits; reliability and safety; transparency and explainability; and accountability and responsibility.
Governance / enforcement body. SDAIA, which develops the standards and monitors compliance.
Penalties. The principles are a governance framework rather than a penalty regime; personal data is separately protected by Saudi Arabia's Personal Data Protection Law.
Business impact. Organizations developing or using AI in Saudi Arabia are expected to classify systems by risk and embed the seven principles across the lifecycle, with the strictest duties on high-risk systems.
United Arab Emirates
The UAE Charter for the Development and Use of Artificial Intelligence
Status & timeline. The UAE Charter for the Development and Use of Artificial Intelligence was issued in July 2024 by the Office of the Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications. It aligns with the UAE Strategy for Artificial Intelligence, which aims to position the UAE as a leading nation in AI by 2031.
Scope & applicability. A guiding, non-binding framework to protect the rights of the UAE community in the development and use of AI solutions and technologies.
Key requirements. The Charter sets out twelve general principles:
- Strengthening human-machine ties.
- Safety.
- Fairness.
- Data privacy.
- Transparency.
- Human oversight.
- Governance and accountability.
- Technological excellence.
- Human commitment.
- Peaceful coexistence with AI.
- Promoting AI awareness for an inclusive future.
- Commitment to treaties and applicable laws.
Governance / enforcement body. The Office of the Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications.
Penalties. None; it is a guiding charter rather than a binding law.
Business impact. It signals the ethical expectations the UAE places on AI development and use, giving organizations a national reference point ahead of more specific rules.
Artificial Intelligence and Data Authority
Status & timeline. On 14 June 2026, the UAE Prime Minister, Sheikh Mohammed bin Rashid, approved the creation of a federal Artificial Intelligence and Data Authority, consolidating the country's AI, data, and digital government functions under a single national body.
Scope & applicability. A federal government body overseeing AI, data, and digital government across the UAE. It merges the Office of Artificial Intelligence, Digital Economy and Remote Work Applications, the UAE Data Office, and the digital government portfolio of the Telecommunications and Digital Government Regulatory Authority.
Key requirements. Its mandate includes overseeing the national AI strategy, proposing national AI and data policies, and setting standards and guidelines for data and AI management, digital transformation, and government services across federal bodies.
Governance / enforcement body. Chaired by Omar Sultan Al Olama, the UAE Minister of State for Artificial Intelligence.
Penalties. It is an oversight and policy body that sets standards and guidelines rather than a standalone penalty regime.
Business impact. It centralizes UAE AI and data governance under one authority, so businesses can expect more unified national standards and guidelines for AI and data going forward.
Conclusion
Across the regions in this guide, one pattern stands out: there is no single global approach to AI. Some jurisdictions, such as the European Union, China, and South Korea, have adopted comprehensive, binding rules, and Brazil is close behind, while others, including the United Kingdom, Canada, Singapore, Japan, Australia, and the Gulf states, rely mainly on principles, guidance, and existing laws. The United States sits in between, combining a deregulatory federal stance with a growing patchwork of state laws. Despite this fragmentation, common themes recur: risk-based classification, transparency and labelling, non-discrimination, and human oversight. For now, businesses must navigate a fast-moving landscape jurisdiction by jurisdiction.