Laws/Regulations directly regulating AI (the “AI Regulations”)

Status of the AI Regulations 

Both principal instruments are at different stages of implementation. The AI Law is in force, and its subordinate regulatory framework is being progressively built out, while the Digital Code has been enacted but does not yet apply:

• The AI Law: In force. Enacted on 17 November 2025; entered into force on 18 January 2026. On 14 January 2026, the Prime Minister of Kazakhstan issued its Order¹ approving an implementation plan that identifies a number of subordinate legal acts to be adopted or amended. A number of these acts, such as Order of the Deputy Prime Minister - Minister of Artificial Intelligence and Digital Development of the Republic of Kazakhstan "On Approval of the Criteria for Classifying Informatization Facilities as Artificial Intelligence Systems" dated 1 April 2026, Order of the Deputy Prime Minister - Minister of Artificial Intelligence and Digital Development of the Republic of Kazakhstan "On Approval of the Rules for Development, Use and Distribution of Machine-Readable Forms" dated 15 April 2026 (not in force) have been adopted, but some legal acts are still in the process of being developed and adopted, and the overall regulatory framework is expected to consolidate progressively through 2026.
• The Digital Code: Not yet in force. Enacted on 9 January 2026; enters into force on 11 July 2026.

Other laws affecting AI

There are various laws that do not directly seek to regulate AI but may affect the development or use of AI in Kazakhstan. A non-exhaustive list of key examples includes:

• Civil Code of the Republic of Kazakhstan (General Part) No. 268-XIII dated 27 December 1994
• Civil Code of the Republic of Kazakhstan (Special Part) No. 409-I dated 1 July 1999
• Code of Administrative Offenses of the Republic of Kazakhstan
• Code of the Republic of Kazakhstan No. 375-V "Entrepreneurial Code of the Republic of Kazakhstan" dated 29 October 2015
• Law of the Republic of Kazakhstan No. 94-V "On Personal Data and Their Protection" dated 21 May 2013
• Law of the Republic of Kazakhstan No. 418-V "On Informatization" dated 24 November 2015

Definition of “AI”

Artificial intelligence is defined as "the functional ability to imitate cognitive functions characteristic of humans, providing results comparable to or exceeding the results of human intellectual activity".²

Territorial scope

Both the AI Law and the Digital Code apply within the territory of the Republic of Kazakhstan. Under the Digital Code, foreign and stateless persons conducting activities in the digital environment on the territory of Kazakhstan are subject to the same rights and obligations as Kazakhstan's citizens and legal entities, unless otherwise provided by the Constitution, the Digital Code, the laws of Kazakhstan, or ratified international treaties.

Sectoral scope

The AI Law and the Digital Code are not sector specific. The Government of Kazakhstan approves a list of priority economic sectors for AI implementation. This pre-approved list determines which sectors receive access to the computing resources of the National AI Platform and benefit from state support measures.

Compliance roles 

Under the AI Law, three primary compliance roles are established:

1. Owners and holders: must manage AI system risks; take measures to ensure security and reliability, including protection from unauthorized access and failures; maintain documentation proportionate to impact on safety, rights, and public order; provide user support; and give users access to the user agreement before use commences. They must ensure continuous oversight across all stages of the AI system lifecycle.
2. Users: a user is a person using an AI system to perform a specific function and/or task. Users have the right to: review the user agreement; have personal data protected; protect intellectual property rights in AI-generated outputs; receive explanations about AI decisions affecting their rights; request information on data underlying decisions; and decline AI interaction where not legally mandatory. Users must use AI systems only within granted access rights and comply with established safety rules.
3. Operator of the National AI Platform: a designated legal entity responsible for the development and functioning of the National AI Platform, including creating, developing, and operating the Platform; providing AI services; collecting, processing, and storing data libraries; and developing platform software products and AI models.

Under the Digital Code, additional obligations apply to AI systems as digital objects: owners and/or holders of digital objects (including AI systems) must observe the rights, freedoms, and lawful interests of third parties; ensure reliability, integrity, protection, and cybersecurity of the digital system; and comply with personal data protection requirements. Users of digital objects have the right to receive accurate information about the characteristics and risks of the digital object. State bodies and organizations must ensure the transparency, openness, and justification of decisions taken using digital technologies, including AI systems.

Core issues that the AI Regulations seek to address

The AI Law aims to ensure AI development and stimulate its implementation across sectors to improve quality of life and economic efficiency. Core issues addressed include:

• Establishing the legal and institutional framework for AI regulation
• Ensuring transparency and safety in the use of AI systems and their outputs
• Creating favorable conditions for attracting investment in AI development
• Providing state support for AI research and innovation

The AI Law also addresses prohibited AI applications, including systems that manipulate behavior, exploit physical or moral vulnerabilities, conduct unauthorized social scoring, unlawfully process personal data, classify individuals based on biometric data for discriminatory purposes, determine emotions without consent, or create and distribute outputs prohibited under Kazakhstan law.

The Digital Code addresses AI-related concerns as part of broader digital regulation. Key AI-adjacent issues addressed include:

• Non-discrimination in algorithmic and automated decisions
• Human oversight of fully automated algorithmic decisions
• Digital ethics, including prevention of manipulation and abuse of digital technologies
• Safety of persons, society, and the state in the application of digital technologies including AI
• Biometric data protection in AI-powered authentication systems
• Human-in-the-loop requirements for smart contract dispute resolution
• Quality and lawfulness audits of AI system data libraries

Risk categorization

Under the AI Law, a two-dimensional risk framework applies: 

1. Risk level by impact on safety. AI systems are classified into three tiers:
   • Minimal risk: failure would have minimal impact on users
   • Medium risk: failure could reduce user effectiveness and cause moral harm or material damage
   • High-risk: failure could lead to a social or man-made emergency situation and/or significant adverse consequences for defense, security, international relations, the economy, specific economic sectors, users, infrastructure, or individuals' livelihoods. Classification is performed by the owner and/or holder in accordance with informatization object classification rules.³ Sector-specific state bodies compile and publish lists of trusted high-risk AI systems. Owners and holders seeking inclusion must conduct an AI system audit.⁴
2. Autonomy level based on decision-making independence. AI systems are also classified by autonomy:
   • Low autonomy: automated data processing and recommendations, with all final decisions made by a human
   • Medium autonomy: autonomous processing and decision-making, where human correction or cancellation remains possible
   • High autonomy: autonomous processing and decision-making where human correction or cancellation is fully excluded or technically impossible. Special rules for creating and operating high-autonomy AI systems are to be established by separate Kazakhstani laws.⁵

Under the Digital Code, AI systems qualifying as critically important digital objects are subject to a parallel risk regime. A critically important digital object is one whose disruption or cessation leads to: unlawful collection and processing of restricted-access personal data; a social and/or technogenic emergency; or significant negative consequences for defense, security, international relations, the economy, specific sectors, or population livelihoods.⁶ High-risk AI systems under the AI Law will frequently meet this definition, making them subject to mandatory cybersecurity compliance and audit obligations under the Digital Code.

Key compliance requirements 

There are a number of compliance requirements under the AI Law, including:

• Transparency: users must be provided with complete information about the operational characteristics and limitations of an AI system.⁷ Persons subject to AI-based decisions have the right to be informed about the automated processing procedure and its consequences, and about available means of redress.⁸ Users must be informed that goods, works, and services are produced or provided using AI systems.⁹ Synthetic AI outputs may only be distributed if labeled in machine-readable form and accompanied by a visual or other warning perceptible to users.¹⁰ Responsibility for informing users about synthetic outputs rests with owners or holders.¹¹
• Risk management: risk management is a continuous process comprising identification and analysis of known and foreseeable risks; risk assessment under intended and foreseeable misuse conditions; adoption of targeted risk mitigation measures; and regular risk updates at least once per year.¹² Where risks of prohibited circumstances are identified, owners and holders must take immediate steps to prevent and minimize harm, including suspension or cessation of the system's operation.¹³
• Audits: audits of AI systems are conducted in accordance with rules for auditing information systems.¹⁴ Additional audit requirements include assessment of (i) the quality and lawfulness of data libraries used for AI model training; and (ii) the presence of prohibited functional capabilities.¹⁵
• Documentation: owners and holders must maintain documentation on the AI system commensurate with its degree of impact on safety, rights, freedoms, and public order.
• Data protection: AI systems must be operated in compliance with data protection and confidentiality requirements; unlawful collection, storage, and dissemination of personal data is prohibited; only high-quality, representative datasets obtained in compliance with Kazakhstani law may be used.¹⁶ Automated decision-making in respect of personal data is governed by Kazakhstan personal data legislation.¹⁷
• Liability: compensation for harm caused by AI systems is governed by the Civil Code.¹⁸ Liability insurance is governed by insurance legislation.¹⁹ All entities bear liability in accordance with their respective roles throughout the AI system lifecycle.²⁰
• Copyright: AI-generated works enjoy copyright protection only where a human creative contribution is present.²¹ Use of copyrighted works to train AI models is only permitted in the absence of a machine-readable prohibition by the rights-holder.²²
• Machine-readable forms: machine-readable forms must be applied to ensure transparency and accountability, enabling automated recording and recognition of information.²³

Under the Digital Code, additional requirements apply to AI systems as digital objects:

• Non-discrimination in algorithmic decisions: decisions made using algorithmic systems, including AI systems, must not result in discrimination on any grounds established by Kazakhstan law.²⁴
• Rights in respect of fully automated algorithmic decisions: a fully automated decision is one taken without human participation in assessing the circumstances or approving the result. The subject of such a decision has the right to: (i) be informed of the fact that an algorithmic system was applied; (ii) receive an explanation of the key factors and criteria that influenced the decision, without disclosure of source code or legally protected secrets; and (iii) demand review of the decision with participation of an authorized specialist where the decision has legal consequences or is capable of affecting the person's rights and lawful interests.²⁵
• Smart contracts – human-in-the-loop: smart contracts, including AI-powered smart contracts, must provide for a dispute resolution procedure in which the final decision is taken by a human.²⁶
• Cybersecurity of AI systems as digital systems: owners and/or holders of digital systems (including AI systems) must ensure protection against violation of confidentiality, integrity, and availability²⁷. Mandatory cybersecurity testing applies to designated digital objects.²⁸
• Quality audit of AI systems: the quality audit of AI systems must include assessment of the quality and lawfulness of data libraries used for training AI models, as well as the presence of prohibited functional capabilities, in accordance with the AI Law.²⁹
• Digital ethics: creation, development, and application of digital technologies, including AI, must comply with the principles of respect for human rights and dignity, non-discrimination, fairness, good faith, transparency, and accountability.³⁰

Regulators

Under the AI Law, the key regulators are:

The authorized body in the AI sphere:³¹ the Ministry of Artificial Intelligence and Digital Development of the Republic of Kazakhstan, which is the central executive body responsible for leadership and inter-sectoral coordination in the field of AI. Its powers include strategic, regulatory, implementation, and supervisory functions; forming state AI policy; developing and approving AI-sector normative legal acts; approving the list of required AI system documentation; and approving criteria for classifying informatization objects as AI systems.³²

The Government of the Republic of Kazakhstan:³³ Develops key AI policy directions, designates the National AI Platform operator, and approves the list of priority economic sectors for AI implementation.³⁴

Sector-specific state bodies:³⁵ Participate in implementing AI policy within their fields of competence,³⁶ and compile and publish sector-specific lists of trusted high-risk AI systems.³⁷

The National AI Platform Operator:³⁸ A designated legal entity responsible for ensuring the development and functioning of the National AI Platform.

Under the Digital Code, the key regulators are:

The authorized body in the digitalization sphere:³⁹ the Ministry of Artificial Intelligence and Digital Development of the Republic of Kazakhstan, which is the central executive body responsible for leadership and inter-sectoral coordination in the field of digitalization, exercising strategic, regulatory, implementation, and supervisory functions over the digital environment, including digital systems (which encompass AI systems).

The Architectural Coordination Center:⁴⁰ A legal entity designated by the Government, responsible for ensuring the integrity, compatibility, and effectiveness of the digital architecture of state bodies. The Center expressly participates in implementing state policy in the sphere of digitalization and artificial intelligence;⁴¹ participates in developing standardization documents in the sphere of artificial intelligence;⁴² and provides consulting, methodological, and practical assistance to state bodies in the area of artificial intelligence.⁴³

Enforcement powers and penalties 

Specific administrative sanctions are set out in Article 641-1 of the Code of Administrative Offenses of the Republic of Kazakhstan. The following two categories of conduct are subject to administrative liability:

1. Failure by owners or holders of AI systems to inform users about synthetic AI outputs that may mislead them
2. Failure by owners or holders to manage risks of high-risk AI systems resulting in harm to health or wellbeing, creation or distribution of prohibited or false information, discrimination, or human rights violations, where the conduct does not constitute a criminal offense.

Penalties:

_{1 Order of the Prime Minister of the Republic of Kazakhstan No. 2-r dated 14 January 2026 "On Measures for Implementation of the Laws of the Republic of Kazakhstan dated 17 November 2025 'On Artificial Intelligence' and 'On Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan on Artificial Intelligence and Digitalisation'"
2 Article 1(3) of the AI Law.
3 Art. 17(1) of the AI Law.
4 Art. 19(1) of the AI Law.
5 Art. 17(2) of the AI Law.
6 Art. 33(1) of the Digital Code.
7 Art. 7(1) of the AI Law.
8 Art. 7(2) of the AI Law.
9 Art. 21(1) of the AI Law.
10 Art. 21(2) of the AI Law.
11 Art. 21(3) of the AI Law.
12 Art. 18(1) of the AI Law.
13 Art. 18(2) of the AI Law.
14 Art. 20(1) of the AI Law.
15 Art. 20(2) of the AI Law.
16 Art. 10 of the AI Law.
17 Art. 21(4) of the AI Law.
18 Art. 24(1) of the AI Law.
19 Art. 24(2) of the AI Law.
20 Art. 8(2) of the AI Law.
21 Art. 23(1) of the AI Law.
22 Art. 23(5) of the AI Law.
23 Art. 22(1) of the AI Law.
24 Art. 43(2) of the Digital Code.
25 Art. 43(3)-(4) of the Digital Code.
26 Art. 67(3) of the Digital Code.
27 Art. 97(1)-(2) of the Digital Code.
28 Art. 99(1) of the Digital Code.
29 Art. 100(4) of the Digital Code.
30 Art. 13(1) of the Digital Code.
31 Arts. 1(10), 13 of the AI Law.
32 Art. 13(1) of the AI Law.
33 Art. 12 of the AI Law.
34 Art. 12 of the AI Law.
35 Arts. 13(2), 19(1) of the AI Law.
36 Arts. 13(2) of the AI Law.
37 Art. 19(1) of the AI Law.
38 Art. 14 of the AI Law.
39 Art. 14 of the Digital Code.
40 Art. 72 of the Digital Code.
41 Art. 72(2)(1) of the Digital Code.
42 Art. 72(2)(14) of the Digital Code.
43 Art. 72(2)(10) of the Digital Code.
44 Art. 24(1) of the AI Law.}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2026 White & Case LLP}