As organizations continue with their rollout of AI, the global regulatory landscape is becoming increasingly complex. AI-specific laws like the EU AI Act are already applicable and new AI-specific laws are proposed, adding to the range of existing laws and regulations relevant to AI.
AI regulation
Canada
United States
South Africa
Australia
Hong Kong
Singapore
China
Italy
Netherlands
United Kingdom
France
Germany
Australia
The Australian Government is implementing an AI Action Plan that aims to create an environment in which AI can be developed and adopted.
The government is not proposing to introduce comprehensive AI legislation.
Canada
Canada was the first country in the world to introduce a national AI strategy which includes various initiatives to support responsible use of AI, including the Advisory Council on Artificial Intelligence and the Safe and Secure Artificial Intelligence Advisory Group.
China
The PRC government has taken various measures to promote and regulate the development of the AI industry. The policy direction of the AI field is to achieve a balance by promoting the development of the AI industry while safeguarding the legitimate rights and interests of all parties involved.
The central government issued several documents to promote the development of the AI industry, and some local governments have issued detailed policies on practical measures. Certain departments of the central government have also issued administrative regulations and rules around the development of the AI industry which regulate the usage and development of AI tools.
France
The current French administration prioritizes 'digital sovereignty' as a national policy, aiming to foster the growth of a domestic AI industry, particularly by supporting start-ups that develop and utilize innovative AI technologies, including with the law.
Initiated in 2018, France's National AI Strategy aims to position the country as a global leader in AI by 2030 with an investment of almost €2.5 billion. The strategy has evolved through multiple phases, with the latest phase launched in February 2025 to strengthen computing infrastructure, attract and train AI talent, accelerate AI applications and build trustworthy AI.
Germany
Due to a lack of a competent authority, the AI Act has so far remained less important in Germany.
Under the GDPR, the conference of German data protection authorities (Datenschutzkonferenz – DSK) has provided extensive guidance on choosing and using AI.
Hong Kong
The government has adopted an internal AI guideline, the “Ethical Artificial Intelligence Framework,” to assist government bureaus/departments in planning, designing and implementing AI and big data analytics in their IT projects and services.
The government is not proposing to introduce comprehensive AI legislation.
Italy
The second strand is at the Parliament level and consists of the intensive fact-finding work carried out during this legislative term by various bodies of the Chamber of Deputies.
In parallel, the Italian Data Protection Authority (IDPA) has been at the forefront of AI oversight, having already issued several decisions and fines aimed at ensuring compliance with data protection standards in the development and deployment of AI systems.
Netherlands
Regulators are applying existing regulations to AI applications, focusing on transparency, explainability and risk management.
The Dutch Data Protection Authority (AP) is working on guidelines for the use of AI in line with the GDPR (AVG), focusing mainly on preventing discrimination and ensuring data protection.
Singapore
Singapore has opted for a soft law, industry-led approach to AI governance, preferring advisory guidelines, toolkits, and frameworks over binding, AI-specific legislation. Regulatory agencies have proactively published comprehensive and, in many cases, prescriptive guidance – including for key industries and business sectors (as elaborated on below).
As a general approach, Singapore regulators continue to emphasize a risk-based, pragmatic approach, balancing innovation with robust governance measures.
South Africa
The South African government, spearheaded by the Department of Communications and Digital Technologies, published the National Artificial Intelligence Policy Framework (October 2024), aiming to position South Africa as a leader in AI innovation while promoting responsible and inclusive use of AI. The policy emphasizes ethical AI systems, talent development and leveraging AI to address developmental challenges.
South Africa endorsed the Africa Declaration on Artificial Intelligence (2025), which emphasizes ethical and inclusive AI principles, including references to data sovereignty, ethics and diverse cultural contexts across Africa.
United Kingdom
The government is taking forward a number of recommendations from an AI Opportunities Action Plan that looks to enable and embrace AI.
The government is not proposing to introduce comprehensive AI legislation.
United States
On January 23, 2025, President Trump issued an Executive Order (Removing Barriers to American Leadership) that rolled back all policies, directives, regulations, orders and other actions taken pursuant to Biden’s Executive Order from October 2023 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence).
The policy stated in Trump’s Executive Order is for the United States to sustain and enhance America’s global AI dominance in order to promote human flourishing, economic competitiveness and national security.
The data protection regulator, the Office of the Australian Information Commissioner (OAIC), has provided guidance on the applicability of privacy laws to AI.
In 2023, Canada launched the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems which now has 46 signatories.
The Cyberspace Administration of China (CAC) is the most active official department, having issued several regulations and measures on cybersecurity, personal data protection and AI-generated content. Other departments such as the China National Intellectual Property Administration (CNIPA) and the Ministry of Science and Technology (MOST) have also published guidelines and policies on IP establishment and on promoting the development of the industry.
Current litigation is mainly focused on copyright infringement caused by AI-generated content. Some cases also relate to the AI training process. The number of patents related to AI is now increasing, which gives a good basis for enforcement cases in the future.
The government has published standards (soft law) covering various areas.
One of the future areas of focus for AI legislation may be AI ethics.
In February 2025, the French Government announced the creation of the National Institute for the Evaluation and Safety of Artificial Intelligence (INESIA) dedicated to the evaluation and safety of AI and aimed at guaranteeing national security in the AI domain.
The data protection regulator, the Office of the Privacy Commissioner for Personal Data (PCPD), has published “Guidance on the Ethical Development and Use of Artificial Intelligence.”
The Italian Strategy for Artificial Intelligence 2024-2026 was published on July 22, 2024, identifying three strategic macro-objectives, namely, (i) supporting the implementation and adoption of AI applications to support management practices, production models, and innovation projects; (ii) promoting functional and applied scientific research activities; (iii) enhancing human capital through training and the development of talent with the necessary skills.
In recent years, the Italian government has developed a structured and forward-looking approach to the regulation of AI, based on the guidelines of the European Commission's White Paper on AI.
This approach is based on two main strands. The first involves the government's commitment, which began in 2020 with the development of a National AI Strategy under the Ministry of Enterprise and Made in Italy. This strategy is part of the broader European Coordinated Plan on AI and is designed to be implemented through joint efforts between EU member states and institutions.
The Dutch government supports initiatives such as the Innovation Centre for Artificial Intelligence (ICAI) to promote cooperation between academic institutions and industry in developing reliable AI applications.
The Dutch DPA uses fines to enforce the GDPR.
Regional cooperation is also part of Singapore’s strategy, as seen in its key role in developing and endorsing the ASEAN Guide on AI Governance and Ethics, promoting consistent and ethical AI deployment across Southeast Asia.
The Film and Publication Board (FPB) conducted research on regulating generative AI for misinformation/disinformation but has not published final regulations.
South Africa’s G20 Presidency placed national emphasis on digital inclusion, ethical AI and digital public infrastructure, reflecting its broader commitment to global digital equity as well as strong governmental support for AI-driven economic development and the need for inclusive digital infrastructure.
The data protection regulator, the Information Commissioner’s Office (ICO), has provided extensive guidance on developing and using AI.
There has been some ICO enforcement but at present, fines have been used sparingly.
Within 180 days of Trump’s Executive Order (mid-July 2025), a task force is to develop and submit to Trump an action plan to achieve this policy.
In the US, laws can be enacted at the federal, state and local level, adding to the potential complexity of governing AI. The US does not have comprehensive AI legislation, nor data privacy legislation at the federal level. Generally, new laws are being enacted at the state level.
Global | Publication | July 2025
Australia
The Privacy Act and Australian Privacy Principles are applicable:
Key principles include fairness, transparency and accuracy.
Collection of personal information must be necessary, and consent is required for the collection of sensitive personal information.
From June 10, 2025, a new statutory tort of serious invasions of privacy allows individuals to bring claims if their privacy is intruded upon or their personal information is misused.
From December 10, 2026, privacy policies must inform individuals when decisions are made using automated processes (many of which will likely include AI).
Currently, small businesses with an annual turnover of less than AU$3 million are exempt from the Privacy Act requirements (except for the statutory tort); however, amendments are expected in 2026 which may remove this exemption.
The OAIC has also provided guidance on the applicability of privacy obligations to commercially available AI.
Canada
PIPEDA and similar provincial privacy legislation are currently applicable to the use of AI systems:
Key principles include accountability, identifying purposes, consent, openness and safeguards.
There is no outright prohibition on the use of AI systems for automated decision-making in Canada, but data privacy laws focus on minimizing risk.
The Office of the Privacy Commissioner of Canada has published a document entitled Principles for responsible, trustworthy and privacy-protective generative AI technologies that identifies considerations for applying the key privacy principles to emerging AI systems.
Enforcement of compliance with privacy regulations and penalties occurs pursuant to PIPEDA under the jurisdiction of the Office of the Privacy Commissioner of Canada (OPC). The CPPA will introduce significantly stronger enforcement powers and increased fines for privacy violations involving automated decision-making and AI systems, including:
Administrative money penalties (AMPs) up to $10 million or 3 percent of global revenue for violating consent, transparency or data security requirements; and
Criminal penalties of up to $25 million or 5 percent of global revenue for obstruction of an inquiry by the federal privacy commissioner, destruction of data or other serious non-compliance.
China
The three fundamental laws governing cyber security and data protection (in other words, the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law) generally apply in the AI space.
Key principles include transparency, fairness and the prohibition of unreasonable differential treatment. Personal information protection impact assessment is also required for implementing automated decision making.
The CAC (being the major governing authority in the data protection space), together with various other governmental agencies, forms a joint force to regulate the AI space and has issued various lower-level regulations that specifically regulate algorithms, deepfakes and generative AI, with an emphasis on personal information protection.
Various local governments have issued measures to promote and embrace AI technologies.
The National Technical Committee 260 on Cybersecurity of Standardization Administration of China (known as TC260) has issued and will issue various national standards (soft law) to provide guidelines on the development and use of AI technologies. It is anticipated that over 50 national standards and sectoral standards will be issued in the near future in this area.
France
The GDPR applies to any AI use involving personal data.
Key principles include fairness, transparency, accuracy and accountability.
There is a default prohibition on solely automated decisions with significant effects.
In May 2023, the CNIL released its AI action plan addressing the rapid development of generative AI and large language models.
As part of its efforts to encourage and lead the development of soft law in AI, since 2022 the CNIL has also published various guidance, including:
a self-assessment guide including a series of checklists with explanations to assist providers or users of AI systems in complying with data protection obligations;
recommendations for AI system development (10 factsheets), clarifying the intersection of AI with GDPR, and supplemented by two additional factsheets focusing on informing individuals and facilitating their rights;
recommendations on the use of public data and open data distributors to ensure the lawful reuse of personal data databases;
FAQs on the EU AI Act and its relationship with the GDPR; and
FAQs regarding the deployment of GenAI systems, emphasizing key points to ensure compliance with the GDPR and the EU AI Act.
Germany
The GDPR applies to any AI use involving personal data.
Key principles include fairness, transparency, accuracy and accountability.
There is a default prohibition on solely automated decisions with significant effects.
Several state data protection authorities and the DSK have published guidance on the selection and usage of AI from a privacy perspective.
The guidance by the Conference of Data Protection Authorities contains detailed guidance on setting up and using AI from a privacy perspective and the requirements which operators should consider when choosing an AI system to use.
Hong Kong
The key principles of the Personal Data (Privacy) Ordinance (PDPO) include fairness in the collection of personal data, informed consent to the use of data for direct marketing, openness and transparency, as well as accuracy and security of data.
The PCPD published the Guidance on the Ethical Development and Use of Artificial Intelligence in 2021, recommending the three Data Stewardship Values (respectful, beneficial and fair) and adopting the seven Ethical Principles for AI:
accountability,
human oversight,
transparency and interpretability,
data privacy,
fairness,
beneficial AI, and
reliability, robustness and security.
The “Guidance on the Ethical Development and Use of Artificial Intelligence” published by PCPD in 2024 provides a set of recommendations on the best practices for any organisations procuring, implementing and using any type of AI systems that involve the use of personal data.
Human oversight is not compulsory but is recommended to mitigate the risks of AI systems.
The PCPD also issued guidance notes on collection and use of fingerprint and biometric data.
In the enforcement space, the PCPD investigated an employer for unnecessary and excessive collection of fingerprint data and issued a warning letter (Case No.: 2008C04).
Italy
The GDPR applies to any AI use involving personal data.
Key principles include fairness, transparency, accuracy and accountability.
There is a default prohibition on solely automated decisions with significant effects.
The IDPA has been active on AI enforcement:
On December 20, 2024, the IDPA imposed a fine of €15 million against OpenAI in relation to its ChatGPT service. The IDPA alleged that OpenAI had breached various obligations under the GDPR, including its transparency and information obligations and the requirement to identify an appropriate lawful basis. The IDPA also alleged it had failed to implement age verification to protect children. OpenAI is appealing the fine and was granted an interim suspension of the IDPA’s fining decision by the Court of Rome while the appeal is ongoing.
On May 19, 2025, the IDPA imposed a €5 million fine on the US-based company Luka Inc., which manages the chatbot Replika. Alleged breaches included failing to identify an appropriate lawful basis, breaches of transparency and information obligations, and failure to implement age verification mechanisms. The IDPA also launched a further investigation to assess whether personal data are being properly processed by the generative AI system behind the service.
On January 30, 2025, the IDPA ordered Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence, the Chinese companies that provide the DeepSeek chatbot service, to stop processing Italian users’ data, as a matter of urgency and with immediate effect.
Netherlands
The GDPR applies to any AI use involving personal data.
Key principles include fairness, transparency, accuracy and accountability.
There is a default prohibition on solely automated decisions with significant effects.
The Dutch DPA is producing and updating online content aimed at organizations to help them comply with the GDPR, such as guidance on DPIAs, privacy in annual reports and guidelines for supervisory boards (RvC & RvT) of organizations.
Singapore
Singapore’s Personal Data Protection Act 2012 (PDPA) is principles-based and technology-neutral. Organizations are generally required to notify individuals of the purposes of data collection and obtain consent, except in limited circumstances. While the PDPA does not ban automated decision-making, organizations should inform individuals and ensure transparency, especially in AI-related contexts.
The Personal Data Protection Commission (PDPC) has introduced multiple frameworks and guidelines to strengthen AI governance, including the Artificial Intelligence Governance Framework in collaboration with the IMDA and an Implementation and Self-Assessment Guide for Organisations to assess their AI governance processes. In March 2024, the PDPC released the Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems, which provide practical guidance on how core obligations under the PDPA (for example, consent, purpose limitation, and notification) apply when organisations use AI to make personalized recommendations or decisions.
The PDPC has taken enforcement action and issued fines in cases of data breaches or other instances where data protection obligations are contravened. The PDPA also provides for potential civil claims to be brought by impacted individuals against organizations for damages suffered as a result of breaches of the PDPA.
In relation to cybersecurity, Singapore’s Cyber Security Agency (CSA) released the Guidelines on Securing AI Systems and a complementary companion guide in October 2024 to support the secure design and use of AI technologies. These documents adopt a lifecycle approach, outlining practical security considerations across five stages: planning and design, development, deployment, operations and maintenance, and end-of-life.
While non-binding, the guidelines are intended to help organizations integrate security “by design and by default” into AI systems, and the Companion Guide provides concrete measures and best practices drawn from industry and research. The CSA views these as living documents, to be updated as the AI threat landscape evolves.
South Africa
Data protection in South Africa is primarily governed by the Protection of Personal Information Act, 2013 (POPIA):
Key principles include lawfulness, minimality, transparency, and accountability in processing personal information, which is broadly defined and includes both natural and juristic persons (in other words, incorporated entities such as companies).
POPIA limits solely automated decision-making with legal consequences or substantial effects (Section 71). Certain automated decisions may require additional safeguards or justification, though further guidance is still evolving.
The Information Regulator oversees POPIA enforcement. Organisations developing or utilizing AI must comply with POPIA’s requirements on obtaining consent or other lawful justifications, protecting data and upholding data subject rights such as access and objection.
Enforcement has primarily been through compliance notices and recommendations rather than fines; however, no action by the Information Regulator for AI usage has been publicized to date.
United Kingdom
The UK GDPR remains very close to the EU GDPR:
Key principles include fairness, transparency and accuracy.
A lawful basis is needed for any processing of personal data, and a specific condition must be met to process special category data.
There is currently a default prohibition on solely automated decisions with significant effects.
The ICO has looked to provide a range of resources to help organizations innovate responsibly, including an innovation advice service.
The ICO has published guidance on AI and data protection, an AI and data protection risk toolkit, guidance on explaining decisions made with AI, and guidance on biometric data.
Enforcement has generally been limited to reprimands or enforcement notices – a fine has been issued to Clearview AI, which was successfully appealed (though a further appeal from the ICO is ongoing).
United States
By the end of 2025, there will be 16 states that have comprehensive privacy laws in effect. Many of these laws continue the US tradition of “opt-out” privacy, including a specific opt-out right with respect to the use of AI for certain rights (criminal justice, education, employment, financial services, health insurance, housing and access to basic necessities such as food and water). Certain states, most notably California, continue to pursue legislation that impacts AI use cases in the name of data privacy.
In addition to the state data privacy laws, the Health Insurance Portability and Accountability Act 1996 (HIPAA) also has an impact on the use of protected health information in certain AI use cases.
Australia
No standalone AI law is in place yet; currently a patchwork of existing laws, industry-specific regulations and non-binding guidance and standards define the AI legal landscape.
The Department of Industry, Science and Resources published a Voluntary AI Safety Standard which recommends 10 guardrails for organizations to follow when developing and deploying AI.
The Department has also proposed mandatory guardrails which heavily overlap with the Voluntary AI Safety Standard.
Existing laws apply to AI, in particular:
Privacy Act 1988 (Cth)
Competition and Consumer Act 2010 (Cth)
Intellectual property legislation such as the Copyright Act 1968 (Cth)
Directors’ duties under the Corporations Act 2001 (Cth)
Canada
There is currently no specific regulatory framework for AI in Canada.
The Artificial Intelligence and Data Act (AIDA) was tabled by the federal government in June 2022, and sought to enact a comprehensive regulatory scheme for the development, deployment and operation of AI systems in Canada. The controversial proposed legislation died with the prorogation of Parliament in January 2025, bringing renewed uncertainty to the future of AI regulation in Canada.
In March 2025, the federal government launched Canada’s first AI Strategy for the federal public sector which aims to advance accountability, training and transparency in the adoption of responsible AI systems utilized by the federal government.
Existing laws are applicable to AI, including:
Personal Information Protection and Electronic Documents Act (PIPEDA);
Consumer Privacy Protection Act (CPPA); and
provincial privacy laws, including Quebec’s Law 25.
China
The CAC has issued rules on its own or jointly with other relevant authorities, covering:
The governance of generative AI services.
The administration of deepfake technologies.
The administration of algorithms of AI models.
The administration of AI-generated content labeling.
Other departments also issue rules and guidelines in their specific areas:
CNIPA issued guidelines on AI-related patent applications.
MOST issued policies and guidelines on supporting the development of the AI industry.
Both the state council and MOST released opinions and specifications of AI ethics.
Some ministries issued guidelines on applying AI technologies in their fields:
The Ministry of Industry and Information Technology and the Ministry of Transportation issued guidelines and rules on on-road autopilot testing and autopilot services.
The legislation department will continue to push forward legislation in the AI space in 2025.
France
The EU AI Act has applied from February 2, 2025.
As of now, France does not have jurisdiction-specific laws exclusively governing AI.
However, AI applications are subject to existing regulations such as data protection laws (see below) and a patchwork of sector-specific regulations.
For instance, Law No. 2019-486 of May 22, 2019 (“Pacte Law”) sets out the conditions for autonomous vehicles to travel on the roads and clarifies the criminal liability regime applicable in the event of an accident involving such a vehicle.
Law No. 2023-451 of June 9, 2023, requires that influencers clearly indicate the label “virtual images” on any photos or videos that have been digitally generated using AI to ensure transparency for their audience.
Law No. 2024-449 of May 21, 2024, introduces a new criminal offense under Article 226-8-1 of the French Criminal Code, punishing the non-consensual dissemination of sexually explicit content generated by AI (deepfakes). The law also mandates educational measures in secondary schools to raise awareness about AI-generated content.
Germany
The EU AI Act has applied from February 2, 2025.
The German Government released a draft bill for a law implementing the European AI Regulation, the AI Market Surveillance Act (KI-Marktüberwachungsgesetz), in January 2025, which addresses the competent authorities under the EU AI Act:
Existing market surveillance and notifying authorities will also oversee compliance with the EU AI Act (for example, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht)).
In areas where no supervisory authority exists, the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railways (Bundesnetzagentur) serves as the market surveillance authority and notifying authority.
Hong Kong
No comprehensive AI law is proposed.
The government has proposed to amend the Copyright Ordinance to introduce a text and data mining (TDM) exception.
Various authorities including the PCPD, Hong Kong Monetary Authority (HKMA), Securities and Futures Commission (SFC), Financial Services and the Treasury Bureau (FSTB), Department of Health and the Judiciary issued industry-specific guidelines on AI.
Italy
The EU AI Act has applied from February 2, 2025.
The Italian Parliament is working on a draft law on AI. The proposal sets out principles governing the research, testing, development, adoption and application of AI systems and models.
The aim of the bill is to promote proper, transparent and responsible use of AI in an anthropocentric context, with a view to seizing the opportunities it offers. It will ensure oversight of the economic and social risks and the impact of AI on fundamental rights.
The provisions included in the draft law shall be interpreted and applied in accordance with the EU AI Act.
Netherlands
The EU AI Act has applied from February 2, 2025.
There are no AI-specific laws in the Netherlands. The regulation of AI is done within existing legal frameworks, such as the GDPR (AVG), the Financial Supervision Act (Wft) and the Healthcare Quality, Complaints and Disputes Act (Wkkgz).
Singapore
Singapore does not currently have AI-specific legislation in place. The government has adopted a soft law strategy of focusing on governance first and legislating later if needed.
The Infocomm Media Development Authority (IMDA) has been particularly active, spearheading initiatives in collaboration with the AI Verify Foundation such as the Model AI Governance Framework for Generative AI (May 2024) and Global AI Assurance Pilot (February 2025). These efforts promote voluntary testing, transparency and good practice through frameworks aligned with global standards.
South Africa
South Africa does not currently have a standalone, overarching AI law.
Governance relies on a combination of sectoral regulations (healthcare, financial services), the Protection of Personal Information Act (POPIA), Electronic Communications and Transactions Act (ECTA), and common law principles.
The National Artificial Intelligence Policy Framework (2024) proposes guiding principles on issues such as data governance, transparency, ethics and fair competition and is intended as a precursor to more formal legislative or regulatory measures.
United Kingdom
No comprehensive AI law has been proposed.
The government may consult on a law to impose obligations on the most powerful models.
The government has consulted on an exception to copyright law for text and data mining for commercial activities (including training generative AI models).
The government has proposed making the creation of sexually explicit deepfakes of adults a criminal offense (the law already covers creating images of children).
Regulation-making powers to make rules for products with intangible components (like AI) are likely to be introduced.
The Automated Vehicles Act 2024 will create an authorization regime for automated vehicles when brought into force.
United States
Colorado enacted the first broad AI law which is focused on algorithmic discrimination and imposes obligations on the AI developer and deployers for high-risk AI systems. The Colorado Attorney General will have exclusive authority to enforce it. Enacted in May 2024, it will be effective in February 2026, but there are indications that the law may be amended before going into effect.
California has enacted a handful of laws related to AI, including a law that requires the developers of generative AI solutions to disclose the data used by the developer to train the solution. This law will take effect on January 1, 2026.
The new federal law known as the TAKE IT DOWN Act makes it illegal to “knowingly publish” or threaten to publish intimate images without a person’s consent, including AI-created deepfakes. Websites and social media companies must remove such material within 48 hours of notice from a victim, and they must also take steps to delete duplicate content. Several states, including California and Tennessee, have adopted laws prohibiting deepfakes, digital replicas and use of likeness, as well as transparency requirements. In addition, several states have laws that require disclosures to consumers when interacting with AI systems or receiving other communications that are AI generated.
At the federal level, numerous existing laws can be applied to AI use cases, especially those relating to discrimination or consequential decisions affecting consumers, including laws enforced by agencies such as the CFPB, DOJ, FTC and EEOC. Each AI use case, especially those impacting consumers, needs to be reviewed against this backdrop. To date, enforcement has been limited.
There is a variety of legislation to protect people from discrimination and harassment:
Racial Discrimination Act 1975 (Cth)
Sex Discrimination Act 1984 (Cth)
Australian Human Rights Commission Act 1986 (Cth)
Disability Discrimination Act 1992 (Cth)
Age Discrimination Act 2004 (Cth)
State- and Territory-specific legislation, which generally overlaps with the federal legislation
The Australian Human Rights Commission (AHRC) has statutory responsibilities under legislation to enforce the prohibition on discrimination and harassment, and promote equal opportunity.
The AHRC has made submissions to committees on Adopting AI and on the Mandatory Guardrails for AI in High-Risk Settings, with recommendations to ensure the safe implementation of AI.
Various laws exist to protect people from bias, discrimination and harassment, including:
Canadian Human Rights Act, RSC, 1985, c H-6 (CHRA);
provincial human rights legislation, such as the Ontario Human Rights Code, R.S.O. 1990, c. H.19 (OHRC);
Consumer Privacy Protection Act, Bill C-27 (CPPA);
Canada Labour Code, RSC, 1985, c L-2 (CLC); and
provincial employment standards legislation.
Bill 149, the Working for Workers Four Act, 2024, amended the regulations to Ontario’s Employment Standards Act, 2000 (ESA) to include a definition of “artificial intelligence” as part of a newly introduced scheme requiring AI-related disclosure by employers.
Beginning in 2026, Bill 149 will require employers in Ontario to disclose in job postings if they are using AI in the hiring process to screen, assess or select applicants.
Similarly, Quebec’s Law 25 explicitly enforces automated decision transparency for organizations, including employers, that utilize AI systems. Employers in Quebec must notify and explain AI-based decisions to applicants and employees.
The Ontario Human Rights Commission and the Law Commission of Ontario launched a Human Rights Impact Assessment for AI Technologies (HRIA), which helps assess and mitigate human rights impacts of AI systems by organizations, including employers.
Currently, there is no specific guidance on AI discrimination in an employment context, although certain provisions on equal rights and non-discrimination can be found in the relevant labor laws.
The Provisions on the Management of Algorithmic Recommendations for Internet Information Services issued by the CAC provide that where algorithmic recommendation service providers provide work scheduling services to workers, they shall protect the lawful rights and interests of workers in obtaining labor compensation, rest and vacation. They must also establish and improve algorithms such as for the assigning of orders on the platform, the composition and payment of remuneration, working hours, rewards and punishments.
Under Article L. 1132-1 of the French Labour Code, employees and job applicants in the private sector are protected against discrimination. More generally, discrimination is an offense defined in the French Criminal Code under Articles 225-1 et seq.
The Economic, Social and Environmental Council (CESE) has issued a cross-cutting opinion on AI and its impacts on labor and employment.
In November 2024, the CNIL published a guide regarding the use of AI-augmented cameras in freight vehicles to monitor employees for safety purposes.
The General Act on Equal Treatment (Allgemeines Gleichbehandlungsgesetz – AGG) includes protection against discrimination (direct and indirect), as well as harassment and victimization. The protected characteristics are:
race or ethnic origin,
gender,
religion or belief,
disability,
age, or
sexual orientation.
The Federal Anti-Discrimination Agency published a detailed legal opinion on The General Equal Treatment Act and protection against discrimination by algorithmic decision-making systems.
Also, the DSK guidance on AI contains a brief section on avoiding discrimination when using AI systems.
In certain cases, using AI systems in companies may also trigger co-determination of the works council. Where the employer simply permits the use of AI, this can be prevented by not allowing the employer to access users’ prompts.
The four anti-discrimination laws in Hong Kong are:
Sex Discrimination Ordinance;
Disability Discrimination Ordinance;
Family Status Discrimination Ordinance; and
Race Discrimination Ordinance.
The Equal Opportunities Commission (EOC) has not issued any formal guidance regarding AI, but in an interview the EOC Chairperson acknowledged the potential impact of AI and automated decision-making systems on inequalities and discrimination.
The Italian legal framework on HR, employment and discrimination is composed of a patchwork of legislation:
Article 3 of the constitution establishes the principle of equality of all citizens before the law, stipulating that everyone has equal social dignity without distinction of sex, race, language, religion, political opinion, personal or social conditions.
The Workers' Statute (Law No. 300 of 20 May 1970) establishes rules on the protection of workers' freedom and dignity, freedom of association and trade union activity in the workplace, and rules on employment.
The Code of Equal Opportunities (Legislative Decree No. 198 of 11 April 2006) brings together the existing state legislation on gender equality in the political, social and economic contexts. Law No. 162 of 5 November 2021 amended the Code of Equal Opportunities and introduced gender equality certification and incentive tools for the most compliant companies.
Law No. 4 of 15 January 2021, regarding the ratification and implementation of the International Labor Organization Convention No. 190 on the elimination of violence and harassment in the workplace, adopted in Geneva on June 21, 2019.
The draft law on AI mentioned above includes specific provisions on the use of AI in the field of employment and possible related discrimination. It examines the specific case of the use of AI in the areas of organization and management of employment relationships. In this regard, the provision stipulates that, when using AI, the fundamental rights of individuals must be guaranteed, avoiding forms of discrimination based on sex, age, ethnic origin, religious belief, sexual orientation, political opinions, and personal, social and economic conditions, in accordance with European Union law.
The Dutch General Equal Treatment Act (Algemene wet gelijke behandeling) covers the equal treatment of persons irrespective of religion, belief, political affiliation, race, sex, nationality, heterosexual or homosexual orientation or marital status.
In addition, there are a number of more specific laws, such as the Equal Treatment of Men and Women Act (WGB), the Equal Treatment on the Grounds of Disability or Chronic Illness Act (WGBH/CZ) and the Equal Treatment on the Basis of Age in Employment Act (WGBL).
The Dutch Ministry of the Interior and Kingdom Relations has provided guidance on ‘non-discrimination by design’, setting out the leading questions and principles that apply when developing and deploying an AI system. More recently, the government published an eLearning on non-discrimination in algorithms and data for government organizations.
The Dutch childcare benefits scandal (toeslagenaffaire) involved the Tax Administration using a self-learning algorithm to detect fraud in childcare benefit applications. This algorithm disproportionately flagged families with dual nationalities or foreign-sounding names as high-risk, leading to false accusations of fraud and severe financial hardship for thousands of families. The scandal highlighted the dangers of unregulated algorithmic profiling and resulted in the resignation of the Dutch government in 2021. The Dutch DPA imposed a fine of €2.75 million on the Dutch Tax Administration.
Singapore’s approach to workplace discrimination has recently moved from a guidance-based model to a formal legal framework with the introduction of the Workplace Fairness Act 2025, which gives legal force to certain anti-discrimination protections and fair employment practices. Previously, safeguards were outlined in the non-binding Tripartite Guidelines on Fair Employment Practices.
There is growing attention on the use of AI in hiring. The government has encouraged responsible AI use, including in HR contexts, highlighting the importance of transparency, explainability and accountability when AI tools are used in employment decisions. However, there is no sector-specific regulation yet that directly governs the use of AI in hiring or employment.
The Constitution of South Africa prohibits unfair discrimination. Discrimination protection is robustly addressed by the Employment Equity Act, and Promotion of Equality and Prevention of Unfair Discrimination Act, collectively protecting against discrimination on grounds including race, gender, disability, sexual orientation, religion, culture and language.
No specific regulatory guidance on AI in the employment and discrimination context has yet been issued, but the use of AI in recruitment, staff management, or automated performance assessments must ensure compliance with existing discrimination laws and regulations.
Article 14 of the European Convention on Human Rights (ECHR) provides protection from discrimination, while the Human Rights Act 1998 allows ECHR rights to be enforced in the UK courts.
The Equality Act 2010 includes protection against discrimination (direct and indirect), as well as harassment and victimization – the following characteristics are protected:
age;
disability;
gender reassignment;
marriage and civil partnership;
pregnancy and maternity;
race;
religion or belief;
sex; and
sexual orientation.
The Equality and Human Rights Commission has provided guidance on AI and equality for public sector bodies.
Litigation has been brought alleging that facial recognition checks required to access a work app were racially discriminatory, while in a separate case, the Court of Appeal found police use of automated facial recognition breached human rights and equality laws.
There is no specific federal law regulating AI in the workplace. However, the existing employment laws remain applicable. In addition, several states have passed laws applicable to the use of AI in employment practices.
At the local level, New York City Local Law 144 places limits on the use of automated employment decision tools and requires posting of annual audits. There has been no enforcement action.
There have been a few enforcement actions, including one instance where the employer’s AI tool allegedly discriminated based on age and gender. Interestingly, the AI tool provider is also included in this suit and potentially faces liability – in addition to the employer.
Medical devices (including software) are subject to the Therapeutic Goods Act 1989 (Cth) and the Therapeutic Goods (Medical Devices) Regulations 2002, which impose a range of safety and conformity obligations.
The Therapeutic Goods Administration (TGA) has provided updated guidance on software and AI as a medical device.
Generally, software (including AI) that is supplied in Australia for health or medical purposes comes under this legislation and must be registered with the TGA and included in the Australian Register of Therapeutic Goods.
Where a developer adapts, builds on or incorporates AI into their product or service offering to a user or patient in Australia, the developer is deemed to be the manufacturer and must comply with obligations under the legislation.
AI medical devices often process sensitive personal health information and therefore their use must comply with relevant privacy laws, including:
PIPEDA; and,
Provincial health privacy laws, such as Ontario’s Personal Health Information Protection Act (PHIPA).
Health Canada regulates the approval of medical devices for use in Canada pursuant to the Food and Drugs Act and accompanying Medical Devices Regulations.
This scheme outlines requirements for pre-market approval, quality management, clinical evaluation and post-market surveillance requirements.
Key principles applied in approving AI-based medical devices include transparency and explainability.
Central and local governments have issued policies and measures to embrace and promote integration of AI technologies within the pharmaceutical/healthcare sector.
The National Health Commission (together with other governmental agencies) has issued guidelines for applying AI technology to different use cases in the healthcare sector.
Medical devices (including software) are subject to the Medical Devices Supervision and Management Regulations, which impose a range of safety and conformity obligations.
The National Medical Products Administration (NMPA) has issued a few guidelines relating to AI including those, for example, on categorization of AI-based medical software products, and registration review of AI-based medical devices. NMPA has also issued sectoral standards to regulate the application of AI-related technology in the healthcare space.
The EU Medical Devices Regulation and AI Act affect players who intend to implement AI in medical devices or healthcare. In addition, the new EU Product Liability Directive makes it easier for consumers to bring claims for defective products and AI medical devices.
The Bioethics law of 2021 first brought the concept of AI into the French Public Health Code. Also, both the AI Act and the Medical Device Regulation (2017/745) are applicable to medical devices using AI in France.
In November 2022, the French National Advisory Ethics Council for Health and Life Sciences (CCNE) and the French National Pilot Committee for Digital Ethics (CNPEN) issued joint guidance on AI systems applied to medical diagnosis, which can be essential to the patient’s care.
In 2023, the CNIL launched a sandbox with healthcare companies. Some projects used AI, and the CNIL provided informal guidance on data protection during AI training and deployment.
On February 11, 2025, during the AI Summit, the French Minister for Health and Access to Care announced the launch of work on a national roadmap for AI in healthcare, highlighting AI’s strategic importance in this area.
The EU Medical Devices Regulation and AI Act affect players who intend to implement AI in medical devices or healthcare. In addition, the new EU Product Liability Directive makes it easier for consumers to bring claims for defective products and AI medical devices.
Medical devices (including software) are subject to the Medical Devices Regulation (Regulation (EU) 2017/745), which imposes a range of safety and conformity obligations.
The German Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte – BfArM) is currently exploring ways of using AI in the healthcare space. For example, Health Data Lab of the BfArM is currently working on a project to use AI to generate synthetic health data to be used for medical research.
There is no specific law in Hong Kong regulating medical devices, but depending on the nature of the product it may be regulated by other laws such as the Pharmacy and Poisons Ordinance, the Radiation Ordinance, the Telecommunications Ordinance and the Electrical Products (Safety) Regulation.
A voluntary Medical Device Administrative Control System (MDACS) is available for registration of medical devices.
The Department of Health issued a technical note on the requirements for listing of AI medical devices on the MDACS.
The EU Medical Devices Regulation and AI Act affect players who intend to implement AI in medical devices or healthcare. In addition, the new EU Product Liability Directive makes it easier for consumers to bring claims for defective products and AI medical devices.
The healthcare sector could also be affected by the draft law on AI mentioned above. In fact, the bill includes several provisions aimed at regulating the use of AI in the healthcare sector.
In particular, it provides that AI systems in healthcare shall serve as support in prevention, diagnosis, treatment, and therapeutic choice processes, without prejudice to the decision, which must always be left to healthcare professionals.
It also establishes that AI systems in healthcare and the related data used must be reliable, periodically verified, and updated, with a view to minimizing the risk of errors and improving patient safety.
The draft bill also includes prohibitions on conditioning access to healthcare services on discriminatory criteria using AI tools.
The EU Medical Devices Regulation and AI Act affect players who intend to implement AI in medical devices or healthcare. In addition, the new EU Product Liability Directive makes it easier for consumers to bring claims for defective products and AI medical devices.
The Dutch Health and Youth Inspectorate (IGJ) calls on healthcare providers to introduce generative AI in their own organizations carefully and with attention to any risk. It states that healthcare providers must realize that the usage of AI applications must comply with the MDR and the AI Act.
The IGJ published a Digital Care Assessment Framework which consists of standards and associated assessment criteria based on different laws and regulations.
The Ministry of Health (MOH) and Health Sciences Authority (HSA) have developed and published the Artificial Intelligence in Healthcare Guidelines.
AI in medical devices is regulated by the HSA. AI-powered tools that meet the definition of a medical device under the Health Products Act 2007 are subject to regulatory oversight, including registration and quality assurance requirements.
The HSA has published the Regulatory Guidelines for Software Medical Devices – A Lifecycle Approach, including how AI/ML-based tools are classified and assessed. Singapore is also exploring the regulatory sandbox approach to facilitate innovation while managing risks.
South Africa’s health sector is broadly overseen by the National Department of Health.
Where AI-powered software or devices meet the definition of a “medical device,” they may fall under the Medicines and Related Substances Act and need licensing or registration (enforced through the South African Health Products Regulatory Authority).
It is not yet fully clear how SAHPRA classifies and evaluates “software as a medical device” or advanced AI solutions.
The Health Professions Council of South Africa (HPCSA) sets standards of professional conduct for healthcare practitioners. The HPCSA’s draft Ethical Guidelines on the Use of Artificial Intelligence (2024) outline proposed expectations for safety, accountability, and patient-centricity. The draft Guidelines:
provide that AI must be patient-centered and integrated responsibly into clinical workflows, minimizing risks of over-reliance on automated tools;
stress the importance of patient confidentiality, safe deployment, oversight by qualified professionals and compliance with privacy legislation, and, once final, may require informed patient consent for AI-driven diagnostic or treatment support systems; and
urge caution regarding biases in training data.
Medical devices (including software) are subject to the Medical Devices Regulations 2002, which impose a range of safety and conformity obligations.
The Medicines & Healthcare products Regulatory Agency (MHRA) has provided updated guidance on software and AI as a medical device.
The MHRA launched an ‘AI Airlock’ to provide a specific regulatory sandbox for AI as a Medical Device.
The Food and Drug Administration (FDA) has proposed a framework for AI/ML-enabled medical devices, and provides a list of AI/ML-enabled medical devices that are authorized for marketing in the US.
See also comments related to protected health information above.
Financial services are governed by a range of legislation, including:
Corporations Act 2001 (Cth)
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
Competition and Consumer Act 2010 (Cth)
Prudential and Reporting Standards and guidance for authorized deposit-taking institutions
There are also several regulators for the sector, including the Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA), Reserve Bank of Australia and the Australian Competition and Consumer Commission (ACCC).
ASIC has published a review into the adoption of AI by financial service providers and raised concerns that the rate of adoption is outpacing risk and governance arrangements. It encourages financial service providers to take a proactive approach to ensure their use of AI does not breach existing obligations, consumer protection laws and directors’ duties.
Financial services in Canada are governed by various laws, including:
Bank Act;
Financial Consumer Agency of Canada Act;
Competition Act; and
Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
In 2024, the Office of the Superintendent of Financial Institutions (OSFI) and the Financial Consumer Agency of Canada (FCAC) released a joint report on best practices for adopting AI systems in the financial services industry.
The Canadian Securities Administrators (CSA) have also issued a notice on the application of existing securities laws to AI systems by capital market participants which highlights the importance of transparency, accountability and risk mitigation to foster a fair and efficient market environment.
The current regulatory landscape of China’s financial services sector emphasizes aspects of risk control, transparency and reasonableness of AI models or algorithms, as well as data privacy/security protections.
The Administrative Measures for Data Security of Banking and Insurance Institutions released by the National Financial Regulatory Administration (NFRA, being one of the financial services regulators in China) on December 27, 2024 (became effective on the same date) require that:
If a banking/insurance institution carries out automated decision-making analysis or model or algorithm development, it shall ensure the transparency of data handling and the fairness and reasonableness of the results;
Before a model or algorithm is put into use, a banking/insurance institution shall perform a data security review, and examine the reasonableness, legitimacy and interpretability of the use of data and models, as well as the impact of the use of data on the legitimate rights and interests of the relevant subjects, ethical and moral risks and the effectiveness of prevention and control measures; and
When using AI technology to carry out business, a banking/insurance institution shall explain and disclose the impact of data on the decision-making results and establish risk mitigation measures for AI applications.
The People’s Bank of China (PBOC) has also issued several industry standards for the financial services sector relating to the use of AI algorithm applications. It recommends that financial institutions in China conduct a compliance audit of their financial applications based on AI algorithms and disclose relevant audit results/reports online, such as through their official website.
The regulatory environment in China for the financial services sector has been supportive in terms of deployment of AI services and development of AI applications, whilst authorities continue to strike a balance between technology innovation and the increasing regulatory complexity alongside the development of AI technology.
Under the French administrative Order (Arrêté) of 3 November 2014 on the internal control of entities in the banking, payment services and investment services sectors, AI systems used in internal controls in the financial sector must be supervised by qualified personnel.
Article L.533-10-3 of the French Monetary and Financial Code, which transposes Directive 2014/65 (MiFID II), establishes a regulatory framework for algorithmic and high-frequency trading. In May 2024, the Financial Market Authority (AMF) underlined governance duties and algorithm accountability in high-frequency contexts.
The French banking authority (ACPR) and the AMF regularly publish guidance on the use of AI in the financial sector in the form of good practices, research and news items, such as on the explainability of AI (for example, with AI-based credit risk predictive models or robo-advisors). The AMF also warned investors in April 2025 against relying solely on AI tools for investment decisions, emphasizing that these tools do not guarantee returns and may be exploited in scams.
Several enforcement measures have been taken against entities found to have breached French rules in relation to algorithmic trading. For example, the AMF fined a British high-frequency trading firm €400,000 for allowing technical failures to persist, leading to order book pollution on several CAC 40 stocks (AMF, Commission des sanctions, 8 July 2016).
The German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) has been actively publishing guidance on AI for the last couple of years.
Its Principles for the Use of Algorithms in Decision-Making Processes from 2021 laid down four principles for using AI in the finance and insurance sector:
clear responsibility of management;
adequate risk and outsourcing management;
avoidance of bias; and
prevention of legally prohibited discrimination.
Since then, the BaFin has published several pieces of guidance on the matter with the main focus being risk management of using AI systems and ensuring fair and non-discriminatory usage.
A number of guidelines are published by HKMA, SFC and FSTB:
Generative Artificial Intelligence in the Financial Services Space (HKMA, 2024)
Use of Artificial Intelligence for Monitoring of Suspicious Activities (HKMA, 2024)
Consumer Protection in respect of Use of Generative Artificial Intelligence (HKMA, 2024)
High-level Principles on Artificial Intelligence (HKMA, 2019)
Circular to licensed corporations - Use of generative AI language models (SFC, 2024)
Policy Statement on Responsible Application of Artificial Intelligence in the Financial Market (FSTB, 2024)
HKMA and the Hong Kong Cyberport initiated a Generative AI Sandbox program in which participants (including 10 banks and four technology companies) are developing and testing AI systems for enhancing risk management, anti-fraud measures and customer experience.
The Bank of Italy is active within the space of AI and regularly publishes guidance and papers on the topic, to provide information and analysis on various aspects at the intersection between AI and financial services regulation. For instance, in May 2025 it published a paper on the exploration of large language models (LLM) alignment in finance.
De Nederlandsche Bank (DNB) and the AFM (the Dutch financial supervisory organizations) published guidance on the impact of AI on the financial sector, and general principles for the use of AI by financial institutions. In addition, the Dutch Financial Supervision Act (Wft) and the EU AI Act are important for the use of AI by financial institutions.
The IGJ published a Digital Care Assessment Framework which consists of standards and associated assessment criteria based on different laws and regulations.
The Monetary Authority of Singapore (MAS) has issued AI-specific guidance for the financial sector, notably the FEAT principles — Fairness, Ethics, Accountability and Transparency — for the use of AI and data analytics in financial services. While not legally binding, these principles help firms assess and manage AI risks, including in areas like credit scoring, fraud detection and customer profiling.
In March 2024, MAS also published an information paper on Cyber Risks Associated with Generative AI, highlighting risks like data leakage, prompt injection attacks, model hallucination and overreliance on Gen AI outputs. The paper provides risk mitigation strategies such as enhanced governance, prompt controls and monitoring mechanisms, and underscores the importance of human oversight.
MAS supports responsible AI use through the Veritas Initiative, which provides toolkits and methodologies to help financial institutions implement FEAT principles in a measurable and verifiable manner. Key deliverables include fairness assessment metrics, ethics and accountability implementation checklists and model governance frameworks. The initiative aims to promote trust in AI by operationalizing responsible AI practices, encouraging consistency across the industry and enabling firms to demonstrate that their AI-driven decisions are fair and transparent. One such example is Project MindForge, which focuses on the risks and opportunities of generative AI in financial services. Its goals are to create a framework for the responsible use of GenAI and to promote innovation that tackles industry challenges and improves risk management.
The financial sector is regulated by various laws as well as by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (a division of the South African Reserve Bank (SARB)).
No standalone AI-specific regulatory instrument exists; however, standard consumer protection duties will apply. Institutions using AI must comply with broad obligations set out in, for example, the Financial Advisory and Intermediary Services (FAIS) Act, Financial Intelligence Centre Act (FICA), and POPIA’s data protection requirements. “Treating Customers Fairly” principles mean AI systems must not result in discriminatory or unfair customer outcomes.
The FSCA has highlighted AI-driven risks (such as model bias, explainability gaps, and data privacy concerns) in its consumer protection work.
The FSCA and PA have confirmed they are working on a joint standard looking at AI use by financial institutions as part of their regulatory roadmap.
The Financial Conduct Authority (FCA) has set out how it will use the current regulatory framework to regulate AI – key regulations include:
overarching requirements such as the Principles for Business and Threshold Conditions;
more specific rules and guidance such as the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook; and
the cross-cutting Consumer Duty.
The Prudential Regulation Authority has highlighted the potential implications of widespread AI adoption in financial services, particularly concerning financial stability.
The FCA has launched an AI Lab, to provide a pathway for the FCA, firms and wider stakeholders to engage in AI-related insights, discussions and case studies.
The Bank of England has also established an AI consortium to provide a platform for engagement on AI in UK financial services.
In the US, the insurance sector is governed by state law. As of March 2025, 24 states have adopted, in some form, the National Association of Insurance Commissioners’ model AI bulletin (Use of Artificial Intelligence Systems by Insurers). Four other states have issued insurance-specific laws or regulations concerning AI use in the insurance industry. Several other states are considering, or have pending, laws that are also relevant to the insurance business, with certain states focused on methods of testing the algorithms and data for unfairly discriminatory outcomes.
As it relates to the broader financial services markets, the existing regulatory agencies (for example, FINRA, SEC, Federal Reserve, OCC, FDIC) have been issuing guidance, and in some cases, there has been limited enforcement based on existing regulations.
On October 16, 2024, the New York Department of Financial Services (DFS) issued guidance raising awareness about combatting cybersecurity risks arising from AI used by DFS licensees, such as insurers and virtual currency businesses.
Our global guide provides you with an overview of the key points on AI regulation across twelve jurisdictions, equipping you with the tools to navigate the regulatory issues applicable to your AI projects.
Türkiye
AI regulation: Overview
Türkiye is actively shaping its AI policy with a focus on ensuring the safe, ethical and fair use of AI technologies, while protecting personal data and privacy rights. The overarching aim is to maximize societal benefits and minimize potential risks. This strategic vision is articulated in the National Artificial Intelligence Strategy (2021-2025).
The Presidency's Digital Transformation Office and the Ministry of Industry and Technology are key governmental bodies that collaborate on AI policy. The "National Artificial Intelligence Strategy Steering Committee" plays a significant role in guiding these efforts. While these bodies define strategy, sector-specific regulators (for example, the Banking Regulation and Supervisory Agency (BRSA) for banking, Capital Markets Board (SPK) for capital markets, Information and Communications Technologies Authority (BTK) for electronic communications, and the Personal Data Protection Authority (PDPA) for data protection) are expected to adapt their oversight to AI's implications within their respective domains.
A significant step has been taken with the submission of an "Artificial Intelligence Law Proposal" to the Turkish Grand National Assembly on June 24, 2024. This proposes a comprehensive regulatory framework for AI systems, covering providers, distributors, users, importers, and affected individuals.
Türkiye
AI laws
As of early October 2025, there is no standalone, comprehensive Artificial Intelligence Law fully enacted in Türkiye. However, the "Artificial Intelligence Law Proposal" is before the Turkish Grand National Assembly, signaling an upcoming dedicated legal framework.
While the proposed AI Law targets a broad range of AI systems, specific legislation for areas like autonomous vehicles is still developing. Regulations concerning vehicle technologies and road traffic general rules would apply, but AI-specific rules for autonomy are nascent. The underlying principles of the proposed AI law would likely extend to such technologies once enacted.
Türkiye is not a member of the European Union. Therefore, the EU AI Act does not directly apply as a binding legal instrument in Türkiye. However, given Türkiye's close economic ties with the EU and its efforts towards regulatory harmonization, the EU AI Act is closely monitored and is expected to influence future Turkish AI legislation and best practices. There is no direct implementation or enforcement mechanism for the EU AI Act in Türkiye.
Türkiye
Data protection law and guidance
Türkiye's primary data protection law is the Law on the Protection of Personal Data No. 6698 (KVKK), which came into force in 2016 and is largely inspired by GDPR principles. Key principles include processing personal data lawfully and fairly, ensuring accuracy, processing for specified explicit and legitimate purposes, adequacy, relevance and retention for the necessary period. Automated decision-making that results in an adverse outcome for the data subject is subject to the data subject's right to object, request human intervention, express their own point of view and challenge the decision (KVKK Article 11). Explicit consent or a lawful basis (for example, for specified legal obligations) is typically required for processing. Cross-border data transfers are highly restricted (KVKK Article 9).
The PDPA and its Board regularly issue guiding decisions, communiqués and guidelines. These often clarify practical application of the KVKK, including principles for data processing, security measures, and specific guidance on emerging technologies or sectors. While direct guidance specifically on AI applications post-KVKK's full implementation is limited, the general principles of data processing, data minimization, transparency and data security are directly applicable to AI systems.
The PDPA continues active enforcement. The Board regularly issues administrative fines for non-compliance with KVKK provisions. Enforcement actions range from failures in data breach notifications, lack of explicit consent, unlawful data transfers, insufficient data security measures and failures to register with the Data Controllers' Registry (VERBIS). Fines can range from tens of thousands to millions of Turkish Liras, depending on the severity of the violation and the size of the entity.
Türkiye
HR, employment and discrimination
The Turkish Labor Law No. 4857 prohibits discrimination based on language, race, gender, political opinion, philosophical belief, religion, sect and similar reasons (Article 5). The Constitution of the Republic of Türkiye also lays down general principles of equality and non-discrimination.
Specific official guidance on AI's application in HR, employment and discrimination from Turkish regulators is currently limited. However, general principles of non-discrimination and fairness under Labor Law and the KVKK (for example, for automated decision-making in recruitment, performance evaluation or termination) would implicitly apply. This area is expected to be more explicitly covered by the proposed AI Law.
Türkiye
Medical device/healthcare
AI in medical devices falls under the purview of existing Medical Device Regulations, Pharmacy and Medical Devices Law No. 5371, and related communiqués issued by the Turkish Medicines and Medical Devices Agency (TİTCK). These regulations focus on safety, efficacy, quality and clinical validation. AI-powered medical devices must meet the technical and clinical requirements applicable to all medical devices, including pre-market approval and post-market surveillance.
The proposed AI Law is expected to introduce broader AI-specific regulations that would also affect this sector.
TİTCK has issued general guidelines for medical device manufacturers, which implicitly apply to AI-driven components by addressing software as a medical device. There are no specific AI-focused regulatory initiatives from TİTCK that have been publicly announced.
Türkiye
Financial services regulation and guidance
Turkish financial regulators, primarily the Banking Regulation and Supervision Agency (BRSA - BDDK) and the Capital Markets Board (CMB - SPK), have not yet issued comprehensive, dedicated guidance specifically on the application of AI within the financial services sector. However, existing regulations on information systems integrity, cybersecurity, data governance, anti-money laundering (AML) and customer protection are directly applicable to AI deployment. For instance:
Banking Law No. 5411 and its secondary regulations (for example, "Regulation on Information Systems of Banks," "Regulation on Support Services Provided to Banks") require robust IT infrastructure, data security, business continuity and risk management, all of which would encompass AI systems used by banks.
Capital Markets Law No. 6362 and its secondary legislation (for example, "Communiqué on Information Systems in Capital Markets," "Communiqué on Crypto Asset Service Providers") demand similar high standards for data integrity, system security and operational resilience.
Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions imposes stringent requirements on payment service providers and eMoney institutions regarding IT systems security and fraud prevention.
Any AI application in financial services would be scrutinized under these existing regulations, ensuring it complies with principles of fairness, transparency, accountability, and consumer protection.
While specific AI initiatives are nascent, regulators are closely monitoring global developments. For instance, the Central Bank of the Republic of Türkiye (CBRT) has shown interest in FinTech innovation, and while it does not directly regulate AI, its broader FinTech strategy will inevitably intersect with AI adoption.
Thailand
AI regulation: Overview
Thailand is advancing its efforts to establish a comprehensive national framework for AI and is entering a pivotal stage in the adoption of AI technology—transitioning from mere experimental use to systematic governance.
Thailand
AI laws
Thailand is moving toward comprehensive AI legislation through the consolidation of two earlier proposals—the 2022 Draft Royal Decree on Business Operations Using AI Systems and the 2023 Draft Act on the Promotion and Support for National AI Innovation. In June 2025, regulators held a public hearing to merge these into a unified framework known as the Draft Principles of the AI Law (Draft Principles).
The resulting Draft Principles of the AI Law attempt to harmonize these two perspectives—introducing rules that safeguard human rights while supporting technological progress. The Draft Principles also protect individual rights by requiring transparency in AI-based decisions, allowing affected persons to receive explanations and challenge outcomes. Moreover, they address AI-generated disinformation and deepfakes, proposing watermarking and tracing mechanisms for synthetic media.
To encourage innovation, the Draft Principles include limited copyright exemptions for text and data mining to aid AI training and propose an AI regulatory sandbox for supervised testing of new applications. The Artificial Intelligence Governance Center, under the Electronic Transaction Development Agency (ETDA), will lead in AI governance research, provide advisory services, oversee the sandbox, monitor AI readiness and promote cooperation domestically and internationally. ETDA is now revising the Draft Principles based on public consultation, with another round of hearings expected to continue into late 2025.
Thailand
Data protection law and guidance
Even though the Personal Data Protection Act B.E. 2562 (2019) (Thai PDPA) adopts most of its general concepts and protections from the GDPR, it does not currently contain any provisions on automated decision-making, nor have any guidelines been issued regarding the use of AI in this sector.
Major commercial banks, telecommunications companies and other large corporations in Thailand have already begun integrating AI into their regular business operations. In this regard, it is inevitable that the use of AI must also take into account personal data protection considerations. It is expected that the Personal Data Protection Committee of Thailand will soon issue guidelines on the use of AI in data protection to align with other sectors that have already introduced similar guidelines.
Additionally, on the cybersecurity side, there has been considerable AI development, with the National Cyber Security Agency (NCSA) recently publishing the “AI Securities Guideline” (NCSA Guideline).
The NCSA Guideline includes key information, recommendations and best practices from international standards and frameworks such as the International Organization for Standardization and the International Electrotechnical Commission, the European Union Agency for Cybersecurity and the Open Worldwide Application Security Project, as well as relevant laws, practices and technical reports of Thailand.
Thailand
HR, employment and discrimination
There are currently no guidelines in Thailand regarding the use of AI in this sector.
Existing laws on employment and non-discrimination apply to the use of AI. In Thailand, the Gender Equality Act B.E. 2558 (2015) prohibits discrimination based on gender. In summary, this Act prohibits any government agency, private organization or individual from formulating or implementing any policy, rule, regulation, announcement, measure, project or practice that results in unfair discrimination on the basis of gender.
Thailand
Medical device/healthcare
On October 9, 2025, the Minister of Public Health of Thailand, in his capacity as the President of the Medical Council of Thailand, announced that the Medical Council places significant importance on the adoption of AI in the medical field. The Ministry of Public Health also plans to work closely with the Medical Council of Thailand to establish guidelines for the safe, transparent and patient-centered use of AI, ensuring that doctors remain the primary decision-makers in treatment, with AI serving solely as a supporting tool.
Thailand
Financial services regulation and guidance
On September 12, 2025, the Bank of Thailand (BOT) issued the AI Risk Management Guidelines (BOT Guideline) for financial institutions and special financial institutions under the Financial Institution Business Act, as well as payment service providers under the Payment Systems Act (collectively referred to as “Regulated Service Providers”) that are under the BOT’s supervision. This guideline applies to the use and management of AI adopted by Regulated Service Providers, both internally and externally.
Under this BOT Guideline, there are two main parts in AI risk management, which are (1) AI System Governance, and (2) Development and Security of AI Systems.
The key information included under AI System Governance is that the board of directors and senior management must ensure that an AI usage policy is in place, appoint personnel responsible for AI risk management and provide training for employees to properly use the AI system. They must also implement an AI usage policy that aligns with the organization’s goals and recognized responsible AI frameworks. In addition, they should establish appropriate AI risk management measures covering the assessment of risks and potential impacts arising from the use of AI on both the organization and its customers.
The key information included under Development and Security of AI Systems is that the Regulated Service Providers should have policies to control data risks, including appropriate use of data for AI model training and data leakage prevention. Additionally, they should have policies to assess model accuracy and reliability, including measures to explain AI outcomes. Finally, they should implement policies to prevent and detect cybersecurity threats that could affect the AI system.
As for the insurance sector, the Office of Insurance Commission of Thailand (OIC) is currently preparing the AI Governance Guideline for insurance companies, having conducted a public hearing in August 2025. This AI guideline will cover AI governance, robustness and AI security, AI transparency and explainability, fairness and consumer protection. The OIC is now revising the draft and expects to issue the final guideline by the end of 2025 or early 2026.
