Our thinking

AI Watch: Global regulatory tracker

What's inside

Keeping track of AI regulatory developments around the world.

The global dash to regulate AI

Artificial intelligence (AI) has made enormous strides in recent years and has increasingly moved into the public consciousness.

Subscribe

We encourage you to subscribe to receive AI-related updates.

Subscribe here

Explore Trendscape

Our take on the interconnected global trends that are shaping the business climate for our clients.

Read more

Increases in computational power, coupled with advances in machine learning, have fueled the rapid rise of AI. This has brought enormous opportunities, as new AI applications have given rise to new ways of doing business. It has also brought potential risks, from unintended impacts on individuals (e.g., AI errors harming an individual's credit score or public reputation) to the risk of misuse of AI by malicious third parties (e.g., by manipulating AI systems to produce inaccurate or misleading output, or by using AI to create deepfakes).

Governments and regulatory bodies around the world have had to act quickly to try to ensure that their regulatory frameworks do not become obsolete. In addition, international organizations such as the G7, the UN, the Council of Europe and the OECD have responded to this technological shift by issuing their own AI frameworks. But they are all scrambling to stay abreast of technological developments, and already there are signs that emerging efforts to regulate AI will struggle to keep pace. In an effort to introduce some degree of international consensus, the UK government organized the first global AI Safety Summit in November 2023, with the aim of encouraging the safe and responsible development of AI around the world. The EU is also implementing the first comprehensive horizontal legal framework for the regulation of AI systems across EU Member States (the EU AI Act is addressed in more detail here: AI watch: Global regulatory tracker - European Union, and you can read our EU AI Act Handbook here).

Most jurisdictions have sought to strike a balance between encouraging AI innovation and investment, while at the same time attempting to create rules to protect against possible harms. However, jurisdictions around the world have taken substantially different approaches to achieving these goals, which has in turn increased the risk that businesses face from a fragmented and inconsistent AI regulatory environment. Nevertheless, certain trends are becoming clearer at this stage:

  1. "AI" means different things in different jurisdictions: One of the foundational challenges that any international business faces when designing an AI regulatory compliance strategy is figuring out what constitutes "AI." Unfortunately, the definition of AI varies from one jurisdiction to the next. For example, the EU AI Act adopts a definition of "AI systems" that is based on (but is not identical to) the OECD's definition, and which leaves room for substantial doubt due to its uncertain wording. Canada has proposed a similar, though more concise, definition. Various US states have proposed their own definitions, which differ from one another. And many jurisdictions (e.g., the UK, Israel, China, and Japan) do not currently provide a comprehensive definition of AI. Because several of the proposed AI regulations have extraterritorial effect (meaning more than one AI regulation may apply simultaneously), international businesses may be forced to adopt a "highest common denominator" approach to identifying AI based on the strictest applicable standard.
  2. Emerging AI regulations come in different forms: The various emerging AI regulations have no consistent legal form – some are statutes, some are executive orders, some are expansions of existing regulatory frameworks, and so on. The EU AI Act is a "Regulation" (which means that most of it will apply directly in all EU Member States, without the need for national implementation in most cases). The UK has taken a different approach, declining to legislate at this early stage in the development of AI, and instead choosing to task existing UK regulators with the responsibility of interpreting and applying five AI principles in their respective spheres. In the US, there is a mix of White House Executive Orders, federal and state initiatives, and actions by existing regulatory agencies, such as the Federal Trade Commission. As a result, the types of compliance obligations that international businesses face are likely to be materially different from one jurisdiction to the next. Many other jurisdictions have yet to decide whether they will issue sector-specific or generally applicable rules and have yet to decide between creating new regulators or expanding the roles of existing regulators, making it challenging for businesses to anticipate what form their AI regulatory relationships will take in the long term.
  3. Emerging AI regulations have different conceptual approaches: The next difficulty is the lack of a consistent conceptual approach among emerging AI regulations around the world – some are legally binding while others are not, some are sector-specific while others apply across all sectors, some will be enforced by regulators while others are merely guidelines or recommendations, and so on. As noted above, the UK approach is to use existing regulators to implement five AI principles, but with no new explicit legal obligations. This has the advantage of meaning that businesses will deal with AI regulators with whom they are already familiar but has the disadvantage that different UK regulators may interpret these principles differently in their respective spheres. The EU AI Act is cross-sectoral and creates new regulatory and enforcement powers for existing bodies, including the European Commission, and also creates entirely new bodies such as the AI Board and the AI Office, while leaving EU Member States to appoint their own AI regulators tasked with enforcing the EU AI Act. In the US, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau, and Department of Justice issued a joint statement clarifying that their existing authority covers AI, while various state regulators are also likely to have competence to regulate AI. International organizations including the OECD, the UN, and the G7 have issued AI principles, but these impose no legal obligations on businesses. In principle, these initiatives encourage consistency across members of each organization, but in practice this does not seem to have worked.
  4. Flexibility is a double-edged sword: In an effort to create AI regulations that can adapt to technological advances that have not yet been anticipated, many jurisdictions have sought to include substantial flexibility in those regulations, either by using deliberately high-level wording and policies, or by allowing for future interpretation and application by courts and regulators. This has the obvious advantage of prolonging the lifespan of such regulations by allowing them to be adapted to future technologies. However, it also creates the disadvantage of uncertainty because it leaves businesses uncertain of how their compliance obligations will be interpreted in the future. This is likely to mean that it is harder for businesses to know whether their planned implementations of AI will be lawful in the medium-to-long term and may make it harder to attract long-term AI investment in those jurisdictions.
  5. The overlap between AI regulation and other areas of law is complex: A substantial number of laws that are not directly focused on AI nevertheless apply to AI by association within their respective spheres, meaning that any use of AI will often trigger compliance issues and legal challenges even where there is not (yet) any enforceable AI-specific law. These areas of overlap include: IP (e.g., IP infringement issues with respect to AI model training data, and questions about copyright and patentability of AI-assisted inventions); antitrust; data protection (which adds restrictions to processing of personal data, and in some cases imposes special compliance obligations for processing carried out by automated means, including by AI); M&A (where AI innovation is driving dealmaking in many markets); financial regulation (where financial regulatory requirements may limit the ways in which AI can lawfully be deployed); litigation; digital infrastructure; securities; global trade; foreign direct investment; mining & metals; and so on. This overlap will mean that many businesses need to understand not just AI regulations in general, but also any rules that affect the use of AI in the context of the relevant sector or business activity.

Businesses in almost all sectors need to keep a close eye on these developments to ensure that they are aware of the AI regulations and forthcoming trends, in order to identify new opportunities and new potential business risks. But even at this early stage, the inconsistent approaches each jurisdiction has taken to the core questions of how to regulate AI is clear. As a result, it appears that international businesses may face substantially different AI regulatory compliance challenges in different parts of the world. To that end, this AI Tracker is designed to provide businesses with an understanding of the state of play of AI regulations in the core markets in which they operate. It provides analysis of the approach that each jurisdiction has taken to AI regulation and provides helpful commentary on the likely direction of travel.

Because global AI regulations remain in a constant state of flux, this AI Tracker will develop over time, adding updates and new jurisdictions when appropriate. Stay tuned, as we continue to provide insights to help businesses navigate these ever-evolving issues.

Articles

African Union

The African Union's Continental AI Strategy sets the stage for a unified approach to AI governance across the continent.

Read 10 min. article
Africa Union

Australia

Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.

Read 11 min. article
Australia

Brazil

The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.

Read 8 min. article
Sao Paulo

Canada

AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.

Read 15 min. article
Canada

China

The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.

Read 9 min. article
China

Colombia

Despite congressional activity on AI in Colombia, regulation remains unclear and uncertain.

Read 10 min. article
Colombia

Council of Europe

The Council of Europe is developing a new Convention on AI to safeguard human rights, democracy, and the rule of law in the digital space covering governance, accountability and risk assessment.

Read 7 min. article
European Union

Czech Republic

The successful implementation of the EU AI Act into national law is the primary focus for the Czech Republic, with its National AI Strategy being the main policy document.

Read 7 min. article
Czech Republic

European Union

The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.

 

Read 15 min. article
European Union

France

France actively participates in international efforts and proposes sector-specific laws.

Read 10 min. article
Paris

G7

The G7's AI regulations mandate Member States' compliance with international human rights law and relevant international frameworks.

Read 11 min. article
G7 flags

Germany

Germany evaluates AI-specific legislation needs and actively engages in international initiatives.

Read 9 min. article
Germany

Hong Kong

Hong Kong lacks comprehensive AI legislative framework but is developing sector-specific guidelines and regulations, and investing in AI.

Read 8 min. article
Photo of Hong Kong

India

National frameworks inform India’s approach to AI regulation, with sector-specific initiatives in finance and health sectors.

Read 5 min. article
India

Israel

Israel promotes responsible AI innovation through policy and sector-specific guidelines to address core issues and ethical principles.

Read 10 min. article
Israel

Italy

Italy engages in political discussions for future laws.

Read 8 min. article
Milan

Japan

Japan adopts a soft law approach to AI governance but lawmakers advance proposal for a hard law approach for certain harms.

Read 9 min. article
Tokyo

Kenya

Kenya's National AI Strategy and Code of Practice expected to set foundation of AI regulation once finalized.

Read 8 min. article
Kenya
Kenya

Nigeria

Nigeria's draft National AI Policy underway and will pave the way for a comprehensive national AI strategy.

Read 7 min. article
Nigeria
Nigeria

Norway

Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.

Read 9 min. article
Norway

OECD

The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.

Read 10 min. article
country flags

Saudi Arabia

Saudi Arabia is yet to enact AI Regulations, relying on guidelines to establish practice standards and general principles.

Read 6 min. article
Riyadh_Hero_1600x600 Saudi Arabia

Singapore

Singapore's AI frameworks guide AI ethical and governance principles, with existing sector-specific regulations addressing AI risks.

Read 7 min. article
Singapore

South Africa

South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan.

Read 6 min. article
Johannesburg

South Korea

South Korea's AI Act to act as a consolidated body of law governing AI once approved by the National Assembly.

Read 6 min. article
Korea

Spain

Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.

Read 12 min. article
Madrid

Switzerland

Switzerland's National AI Strategy sets out guidelines for the use of AI, and aims to finalize an AI regulatory proposal in 2025.

Read 8 min. article
Switzerland

Taiwan

Draft laws and guidelines are under consideration in Taiwan, with sector-specific initiatives already in place.

Read 6 min. article
Taiwan city

Turkey

Turkey has published multiple guidelines on the use of AI in various sectors, with a bill for AI regulation now in the legislative process.

Read 11 min. article
Türkiye

United Arab Emirates

Mainland UAE has published an array of decrees and guidelines regarding regulation of AI, while the ADGM and DIFC free zones each rely on amendments to existing data protection laws to regulate AI.

Read 15 min. article
UAE

United Kingdom

The UK prioritizes a flexible framework over comprehensive regulation and emphasizes sector-specific laws.

Read 16 min. article
London hero image

United Nations

The UN's new draft resolution on AI encourages Member States to implement national regulatory and governance approaches for a global consensus on safe, secure and trustworthy AI systems.

Read 7 min. article
United Nations

United States

The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.

Read 21 min. article
New York city photo

Contacts

Tim Hickman
Tim Hickman
Partner
London
Erin Hanson
Erin Hanson
Partner
New York
Dr. Sylvia Lorenz
Dr. Sylvia Lorenz
Partner
Berlin

Service areas

Colombia

AI Watch: Global regulatory tracker - Colombia

Despite congressional activity on AI in Colombia, regulation remains unclear and uncertain.

Insight
|
10 min read

Laws/Regulations directly regulating AI (AI Regulations)

Currently, there are no specific laws, statutory rules, or regulations in Colombia that directly regulate AI. However, the Colombian government has issued and approved different legal instruments. For example:

CONPES 4144 establishes Colombia's National Artificial Intelligence (AI) Policy.1 The policy aims to position Colombia as a competitive country in AI through six strategic objectives:

  1. Ethics and Governance – Strengthen governance mechanisms and apply ethical principles to ensure responsible and trustworthy AI development and use
  2. Data and Infrastructure – Enhance technological infrastructure and access to high-quality data to support AI advancements
  3. Research, Development, and Innovation – Promote AI research and development to drive productivity and scientific progress in the country
  4. Capabilities and Digital Talent – Develop skills and specialized human capital in AI, fostering social adoption of the technology
  5. Risk Mitigation – Identify, prevent, and mitigate risks associated with AI use, including ethical concerns, biases, and cybersecurity threats
  6. AI Adoption and Use – Encourage the adoption of AI in public institutions, businesses, and local territories, with a focus on digital transformation and sustainability

External Directive 002 of 2024 by the Colombian Data Protection Authority (the Superintendence of Industry and Commerce) (SIC).2 This provides guidance on the processing of personal data for use with AI, in accordance with the Colombian General Data Protection Framework. The SIC provides instructions on ten points:

  1. The processing must meet criteria of suitability, necessity, reasonableness and proportionality, in order to safeguard the principles established in the CDPR
  2. Scenarios in which there is no certainty about potential damage should be avoided, and preventive measures should be implemented
  3. In line with the accountability principle, risks associated with personal data must be identified, measured, controlled and monitored
  4. If, prior to the design and development of the AI system, a high risk of harm to data subjects is identified, a privacy impact study must be implemented
  5. Personal data must be truthful, complete, accurate, updated, verifiable and understandable
  6. Differential privacy, a set of mathematical techniques that allow data analytics without revealing information about the individuals providing the data, is proposed as a way of complying with privacy by design and by default
  7. Data subjects should be able to obtain information about the processing of their data
  8. Security measures should be implemented to protect the confidentiality, integrity, and availability of personal data
  9. Personal information that is "publicly accessible" is not, per se, information "of a public nature", so such information should not be taken and processed without the prior, express and informed consent of the data subject
  10. The rights of data subjects must be ensured

Status of the AI Regulations

More than 20 bills that are intended to regulate AI have been proposed to Congress.3 However, at the time of writing, none have been approved.

Most recently, on May 7, 2025, a comprehensive bill backed by the Ministries of Science and of Information and Communication Technologies (ICT), was proposed to Congress (the "Proposed Bill").4

The Proposed Bill seeks to:

  • Introduce classification of AI systems by risk level (i.e., prohibited, high, limited, and minimal)5
  • Provide clear rules to protect privacy, non-discrimination, and human dignity
  • Establish a governance system led by the Ministry of Science as the National Authority on AI
  • Create the National Advisory Council on Artificial Intelligence
  • Promote research and the training of human talent
  • Provide measures for job transition
  • Incentivize projects with social, territorial, and scientific impact

The Proposed Bill still needs to be scrutinized, debated and voted on—by both the Senate and the House of Representatives—before being approved by the President. Therefore, it is currently unclear if the Proposed Bill will be approved, and if so, what the final text will look like. No date has been provided for possible discussion in Congress, and despite the government's backing, it is not expected to be a legislative priority.

Other laws affecting AI

There are various laws and regulations that do not directly seek to regulate AI but may be applied to its development, deployment or use in Colombia. Key examples include:

  • The Colombian General Data Protection Framework enclosed in Law 1581 of 2012 and Decree 1074 of 20156,7
  • The Colombian Consumer Protection Statute, Law 1480 of 20118
  • The Andean Community of Nations Decisions 351 of 1993 (Copyright) and 486 of 2000 (Trademarks, Patents, Industrial Designs and Trade Secrets)9,10
  • The Colombian Copyright Law, Law 23 of 198211

Definition of AI

Currently there is no legal definition of AI. However, the Government has used the definition provided in the National Digital Transformation Policy, CONPES 3975 (2019).12

This definition describes AI as: "a field of computer science dedicated to solving cognitive problems commonly associated with human intelligence or intelligent beings, understood as those who can adapt to changing situations. Its basis is the development of computer systems, data availability and algorithms."

Territorial scope

Colombia's proposed AI regulation framework presently features a wide territorial reach. According to the latest draft presented to Congress, the rules would cover the development, deployment, and use of AI systems within Colombian borders, applying equally to both domestic and international organizations.

Sectoral scope

The Proposed Bill does not currently take a sector-specific approach.13 The regulation would govern the development, deployment, and use of AI systems across all sectors, without limiting its application to any particular industry.

Compliance roles

The Proposed Bill establishes a clear framework of compliance roles, closely aligned with international best practices and tailored to the local context.

The main compliance role identified in the Proposed Bill is "Responsible for AI":14

  • This is the central compliance role defined in the Proposed Bill
  • It encompasses all natural and legal persons, whether public or private, who create, develop, implement, commercialize, import, represent, distribute, or use AI systems developed, implemented, and/or used within Colombian territory, or who, while located abroad, are subject to Colombian law due to the impact of their AI systems in Colombia
  • This broad definition ensures that all actors in the AI value chain—developers, providers, distributors, and users—are subject to the law's requirements

Core issues that the AI Regulations seek to address

The AI Bill states that its core principles are to promote competitive productivity, ensure transparency, and to foster productivity through advancing fundamental AI research and personnel development. While advancing these goals, the government aims to investigate and guide organizations away from the improper use of AI, which are uses that may lead to the violation of rights or harm prosperity.

Additionally, the Hiroshima Principles identify several significant risks, including: disinformation, copyright, cybersecurity, risks to health and safety, and societal risks (e.g., the ways in which advanced AI systems can give rise to harmful bias and discrimination).

The government has noted the following risks as ones that Japan should prioritize: safety, privacy and fairness, national security and crime, property protection, and intellectual property.

Further, regarding copyright, in-depth discussions are being held in Japan about how existing laws (i.e., the Copyright Act of Japan) should address issues concerning rights and harms that may arise from generative AI. Additionally, the Council of the Agency for Cultural Affairs has announced its position regarding copyright where AI is trained on the works of humans and AI-generated content.

Risk categorization

The Proposed Bill includes the following proposal for risk categorization:15

  • Prohibited AI Systems – These are banned outright due to posing unacceptable risks to fundamental rights, security, or human dignity. Examples include AI systems without human control, those designed to manipulate behavior, or those intended for discrimination or repression.
  • High-Risk AI Systems – These systems can significantly impact fundamental rights, safety, or well-being. They are subject to strict requirements, including data quality, transparency, human oversight, and impact assessments. Examples include systems used in privacy-sensitive areas, automated decision-making in critical sectors, or those affecting minors.
  • Limited-Risk AI Systems – These AI systems do not pose significant threats but may have indirect or notable effects on personal or economic decisions. They must be transparent, inform users that they are interacting with AI, and allow for deactivation or rejection. Examples include virtual assistants, recommendation systems, and unlabeled deepfakes.
  • Low-Risk AI Systems – These AI systems present minimal risk, and are mainly subject to general ethical, transparency, and good practice guidelines. Examples include administrative tools, educational aids (not otherwise categorized), public sector support tools, and simple automation or entertainment applications.

Key compliance requirements

The Proposed Bill sets out a comprehensive suite of compliance requirements, many of which are risk-based and tailored to the role and activity of the actor in the AI value chain. Key requirements include:

Risk Classification and Management:16

  • AI systems are classified into four risk categories: prohibited, high risk, limited risk, and low risk
  • Prohibited systems (e.g., those that cannot be controlled by humans, or that are designed to manipulate behavior or discriminate) are banned outright
  • High-risk systems (e.g., those affecting fundamental rights, health, safety, or used in sensitive sectors like justice or security) are subject to strict requirements, including:
    • Rigorous data quality standards
    • Transparency and explainability obligations
    • Human oversight and the ability to intervene or deactivate the system
    • Mandatory impact assessments on fundamental rights and data protection
    • Registration and documentation requirements

Transparency and Explainability:17

  • All AI systems must be designed and operated to ensure clarity, accessibility, and traceability of automated processes and decisions
  • Users must be informed when they are interacting with an AI system, especially in the case of limited-risk systems (e.g., chatbots, recommendation engines)

Human Oversight and Control:18

  • Systems must allow for human intervention, audit, and supervision, particularly for high-risk applications

Data Protection and Privacy:19

  • Compliance with Colombia's existing data protection laws is mandatory
  • AI systems must not infringe on privacy or process personal data unlawfully

Non-Discrimination and Equity:20

  • AI systems must be developed and used to avoid discrimination and to promote diversity and inclusion
  • Special attention must be given to preventing the amplification of existing social, economic, or digital divides

Accountability and Documentation:21

  • Responsible parties must maintain documentation demonstrating compliance with risk management, transparency, and ethical requirements
  • For high-risk systems, detailed technical documentation and records of impact assessments are required

Workforce Transition and Training:

  • Employers implementing AI systems that may impact employment practices must develop and execute plans for retraining, redeployment, or upskilling affected workers

Regulators

The Proposed Bill names the Ministry of Science as the National Authority on AI.22 However, the SIC will continue to oversee data protection and consumer matters.23

Enforcement powers and penalties

The Proposed Bill outlines the following possible sanctions:24

  • Personal and institutional fines – These could be for a maximum of the equivalent of three thousand (3,000) current legal monthly minimum wages at the time the sanction is imposed. Fines may be imposed successively as long as the non-compliance that gave rise to them persists.
  • Suspension of activities related to the AI system – This suspension could last for up to twenty-four (24) months and may include the inability to access the AI system within Colombian territory. The suspension order will specify the corrective actions that must be taken.
  • Temporary closure of operations related to the AI system – This may include the inability to access the AI system within Colombian territory, even after the suspension period has elapsed, if the corrective actions ordered in the suspension order have not been implemented.
  • Immediate and definitive closure of the operation involving the AI system – This may include the permanent blocking of access to the AI system within Colombian territory.

1 See CONPES 4144 here.
2 See External Directive 002 of 2024 here.
3 See an article from El Espectador here.
4 See the press release here.
5 See the press release here.
6 See the Colombian General Data Protection Framework (Statutory Law 1581 of 2012) here.
7 See the Colombian General Data Protection Framework (Decree 1074 of 2015) here.
8 See the Colombian Consumer Protection Statute, Law 1480 of 2011 here.
9 See the Andean Community of Nations Decision 351 of 1993 (Copyright) here.
10 See the Andean Community of Nations Decision 486 of 2000 here.
11 See the Colombian Copyright Law, Law 23 of 1982 here.
12 See the National Digital Transformation Policy, CONPES 3975 (2019) here.
13 See Article 2 of the Proposed Bill (Note that although the Bill was proposed to Congress on May 7th, it has not been published in the official Congress Gazette, so it is currently lacking a Bill number)
14 See Articles 2 and 4 of the Proposed Bill.
15 See Article 5 of the Proposed Bill.
16 See Article 5 of the Proposed Bill.
17 See Article 3 of the Proposed Bill.
18 See Article 3 of the Proposed Bill.
19 See Article 3 of the Proposed Bill.
20 See Article 3 of the Proposed Bill.
21 See Article 5 of the Proposed Bill.
22 See Article 6 of the Proposed Bill.
23 See Article 31 of the Proposed Bill.
24 See Article 30 of the Proposed Bill.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP

Brigard Urrutia contributors

Sergio Michelsen

Sergio Michelsen
Partner, Brigard Urrutia
+57 60 13 46 20 11
smichelsen@bu.com.co
 

andrés-fernández-rgb.jpg

Andrés Fernández
Director, Brigard Urrutia
+57 60 13 46 20 11
afernandezdecastro@bu.com.co

nicolás-albornoz-rgb.jpg

Nicolás Albornoz
Associate, Brigard Urrutia
+57 60 13 46 20 11
nalbornoz@bu.com.co

 

Service areas

Top