— Edition 1.247 52 verified trackers
ES EN
Politics · Technology · Digital regulation  ·  where data speaks before headlines
Snapshot data
AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7 AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7
/ trackers / digital-regulatory-risk-index
Country risk · Digital governance

Digital regulatory risk index by country

Comparative index of the real state of digital regulation country by country, designed as regulatory-intelligence infrastructure. It measures not only whether a country has AI or data-protection laws, but the distance between three layers that rarely coincide: the law passed, the authority designated to enforce it and the real enforcement (sanctions actually imposed). That gap —between legislating and applying— is the metric that matters to anyone assessing the risk of operating technology in a jurisdiction. Each record profiles a country with the state of its AI framework, its data-protection regime, its enforcement capacity and a composite regulatory-risk level, with its sources. It connects with Diálogo Ciudadano's per-jurisdiction trackers (AI Act, GDPR, DSA, US and Latin American AI laws).

Snapshot · June 12, 2026
16
countries profiled
→ Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 2026 + platform regime rewritten by the STF); 16 countries covered

Evolution

Data analysis

Statistical readings derived from the attributes of each recorded case. All figures come from the documented events; amounts are computed only over cases with a sum expressed in the indicated currency, without converting between currencies.

AI framework status

Where each country stands: comprehensive law in force, bill, strategy/voluntary, or no framework.

Enforcement capacity

Whether the country enforces its rules with final sanctions (high), intermittently (medium) or almost never (low/symbolic).

Regulatory risk level

Composite regulatory risk for whoever operates technology: it reflects predictability, not democratic quality.

Region

Regional distribution of the countries profiled in the index.

Global incidence map

Choropleth by number of forensically or judicially documented cases. Countries with no verifiable public cases remain in the base colour — the absence of events does not equal the absence of surveillance. Hover or click a coloured country to see the cases.

Natural Earth 50m · Diálogo Ciudadano

Reading the data

For a company deploying technology in several countries, the question is not 'how many digital laws each one has', but the distance between the written law, the authority that should enforce it and the sanctions that actually fall. This index measures that gap across 16 jurisdictions in six regions, because that is where the real regulatory risk lives.

AM
Alexandra A. Medina · Technology expert · Ciudad de México
May 26, 2026 · 6 min read

More than seventy countries have already launched over a thousand AI policy initiatives, and almost all have some form of data-protection law. If one stopped at that count, one would conclude that the world is regulated. But that count is misleading, because it lumps together a binding law with fines of 7% of global turnover and a voluntary strategy without a single sanction. This index is built precisely to undo that deception: it separates three layers that rarely coincide.

The first layer is the law: whether there is a comprehensive AI framework in force, a bill in progress, a voluntary strategy or nothing. The second is the authority: whether there is a designated, operational body to enforce it. The third, the decisive one, is enforcement: whether that body imposes final sanctions regularly or the law lives on paper. A country is only regulatorily serious when the three layers align, and surprisingly few manage it.

The key to reading it: 'high regulatory risk' does not mean 'badly governed country'. The EU has the world's highest sanction risk —7% fines, active enforcement— and is, at the same time, the most predictable environment. The hardest risk to manage is not that of the country that sanctions a lot, but that of the one with many unenforced laws: there, unpredictability makes everything opaque.

Three risk profiles, not one scale

The index reveals that countries do not line up on a single 'more to less regulated' scale, but in distinct profiles. There are the high, predictable-enforcement ones —the EU, South Korea—, where the risk is sanctions but the rules are clear. There are the unpredictable ones —the United States with its disputed state patchwork, Mexico with its framework under reform—, where the problem is not strictness but not knowing which rule applies. And there are the state-control ones —China at the front—, where data regulation intertwines with forced localization and digital sovereignty.

For a compliance team, a fund assessing an investment or a vendor selling software to governments, this profile distinction is more actionable than any linear ranking. The risk of operating in a strict, predictable environment is not managed the same way as in a lax but unpredictable one. The index is designed for that decision: cross the three layers by country and, above all, connect with each jurisdiction's specific trackers —the AI Act one, the GDPR-by-country one, the US patchwork one— to descend from the general profile to the concrete case.

The Asian pattern: from state control to Singapore's balance

Expanding the index to Asia-Pacific reveals it is the most heterogeneous region of all. At one end, China combines regulatory tightening with forced data localization. At the other, Singapore exhibits the finest balance between innovation and regulation, with voluntary but sophisticated AI governance. Between them, India operationalized its data law in 2025 with a single authority —the Data Protection Board— but chose to govern AI with principles, not a comprehensive law; Japan and Australia remain in voluntary frameworks; and Indonesia and Vietnam are only now consolidating their data regimes.

That Asian diversity confirms the index's thesis: there is no single 'level' of regulation, but profiles. Two countries with the same 'no comprehensive AI law' —India and the United States— can have opposite risks depending on their data authority and enforcement. That is why the index does not rank on a scale, but profiles layer by layer, and lets each user weight the layers according to what matters to them.

Methodology note

Each country is profiled across three layers (AI framework, data protection, enforcement) from comparative sources (GDPR Local, Forcepoint, OneTrust, AskAjay) and Diálogo Ciudadano's per-jurisdiction trackers. The composite regulatory-risk level reflects predictability for whoever operates technology, NOT the country's democratic quality. The classification is a revisable comparative reading, not a single official figure; each layer is attributed to its source. No unpublished data is imputed. Initial coverage prioritizes the major technology jurisdictions and will expand quarterly.

This index is regulatory-intelligence infrastructure, not legal advice nor a sovereign rating. It is designed to feed risk analysis, due diligence and regulatory monitoring, connecting with the specific trackers by rule and jurisdiction.

Documented events (16)

May 26, 2026 VN confirmed

Vietnam: new comprehensive data-protection law since January 2026

Vietnam passed several laws in 2025, including a comprehensive personal-data-protection law in force since 1 January 2026, formalizing rights, controller obligations and transfer restrictions, alongside data-classification and security rules. Enforcement still to consolidate.

May 26, 2026 US confirmed

United States: no federal law, a disputed state patchwork

The US has no federal AI or privacy law: it operates with a state patchwork (California, Texas, Colorado…) and per-state privacy laws. Federal preemption and litigation add unpredictability. The risk is not high sanctions, but not knowing which rule applies or whether it will remain in force.

May 26, 2026 GB confirmed

United Kingdom: sector-by-sector approach and a fine-sceptical regulator

The UK regulates AI by delegating to sector regulators and applies the UK GDPR, amended by the Data Use and Access Act (DUAA, 2025). Its authority (ICO) is deliberately fine-sceptical. The European Commission extended its adequacy decision in December 2025. Medium risk, pragmatic approach.

May 26, 2026 SG confirmed

Singapore: the innovation-regulation balance as a model

Singapore stands out for balancing innovation and regulation, ranking among the top in the Oxford Government AI Readiness Index. Its AI governance is voluntary but sophisticated (Model AI Governance Framework), and its data law (PDPA) has an active authority. A low-friction regulatory profile with high institutional maturity.

May 26, 2026 SA confirmed

Saudi Arabia: 'Year of AI' and accelerating data enforcement

Saudi Arabia declared 2026 the 'Year of AI' and combines binding data legislation (PDPL) with AI soft-law instruments managed by the SDAIA authority, which issued 48 PDPL enforcement decisions in 2025. Transfer regime modeled on the GDPR. Growing regulatory maturity.

May 26, 2026 PE confirmed

Peru: one of the region's first AI laws, with limited enforcement

Peru passed and regulated Law 31814 promoting AI use for economic and social development, placing it among Latin America's first with a specific AI rule. Its data regime has an authority. But enforcement capacity is limited: the law is more promotional than punitive.

May 26, 2026 MX confirmed

Mexico: data framework under reform and no AI law

Mexico lacks a specific AI law and its data-protection framework is under reform after restructuring its authority. Enforcement capacity is limited. High technological exposure with institutional capacity in transition: medium-high risk from unpredictability.

May 26, 2026 KR confirmed

South Korea: the world's second country with a comprehensive AI law in force

South Korea became, with its AI Framework Act in force since January 2026, the world's second territory after the EU with comprehensive AI legislation, copying the European risk categories. Combined with its data regime, it is a high-enforcement, predictable environment.

May 26, 2026 JP confirmed

Japan: a voluntary, non-binding approach to AI

Japan bets on self-regulation: its AI Promotion Act (in force since June 2025) sets a non-binding framework focused on coordination, transparency and R&D, with no strong sanctions. Its data regime is aligned with international standards. Medium risk: few hard obligations.

May 26, 2026 IN confirmed

India: data law operational since 2025, but principle-based AI governance

India operationalized its Digital Personal Data Protection Act (DPDP Act 2023) in 2025 with its Rules, creating the Data Protection Board as a single authority, with fines up to ~$30 million. For AI it chose a principle-based techno-legal approach (November 2025 AI Governance Guidelines, non-binding) instead of an EU-style comprehensive law. Enforcement still nascent.

May 26, 2026 ID confirmed

Indonesia: recent data law and still-nascent AI governance

Indonesia has a relatively recent Personal Data Protection (PDP) law, with an authority under construction, but lacks a specific binding AI framework. High technological exposure and a growing digital market with developing regulatory capacity: medium-high risk from unpredictability.

May 26, 2026 EU confirmed

European Union: the most comprehensive framework and the most mature enforcement

The EU combines the AI Act (first comprehensive AI law, in force since August 2024) with the GDPR and active enforcement: over €7.1 billion in data-protection fines and the first DMA sanctions. Sanction risk is high, but predictable: the rules exist and are enforced.

May 26, 2026 CN confirmed

China: the world's most restrictive data-transfer regime

China tightened its Cybersecurity Law in January 2026 with AI requirements and data localization, and is processing an AI Law that would formalize obligations for high-risk systems. Its outbound data-transfer restrictions are the world's strictest, exceeding the GDPR. Critical risk from localization and state control.

May 26, 2026 CA confirmed

Canada: AI-strategy pioneer, but its law (AIDA) is still in progress

Canada was the world's first country with a national AI strategy (2017) and proposed an early law —the AI and Data Act (AIDA)— foreseeing an AI and Data Commissioner, but it remains in progress; meanwhile a voluntary code of conduct for generative AI applies. Its data regime (PIPEDA) is consolidated. Classic gap: early strategy, pending law.

June 12, 2026 BR confirmed

Brazil: consolidated LGPD, but the AI law is still in progress

Brazil has a consolidated data-protection law (LGPD) with its own authority (ANPD), but its AI bill (PL 2338, based on the European risk model) still lacks final approval after passing the Senate in December 2024. The region's classic gap: data yes, AI not yet. 2026 update: the map changed on two layers. On data, Brazil obtained the EU adequacy decision (Jan 26, 2026) — the first major Latin American market with free flow from Europe, crowning the LGPD/ANPD pairing. On enforcement, the STF judicially rewrote the platform-liability regime (Jun 26, 2025, Marco Civil Art. 19 partially unconstitutional: liability without a court order in certain cases, a proactive monitoring duty and 'systemic failure'), pushing the enforcement layer ahead of the legislative one. On AI, PL 2338 advances in the Chamber with entry into force expected in 2026. Brazil's regulatory risk is no longer one of vacuum but of velocity: the judiciary outruns Congress.

May 26, 2026 AU confirmed

Australia: focus on capabilities and infrastructure, no binding AI law

Australia bets on capability development with its National AI Capability Plan (2024), focused on skills and infrastructure rather than binding obligations. Its Privacy Act regulates data with its own authority. It is a pro-innovation profile with soft AI regulation.

Methodology

Type
event-log
Construction
Multi-source verified
Cadence
quarterly

Each record profiles a country across three layers: (1) AI framework status (comprehensive law in force, bill, strategy/voluntary, no framework); (2) data-protection status (GDPR-style law with active authority, law without strong enforcement, no law); (3) enforcement capacity (high = frequent final sanctions, medium, low/symbolic). From this a composite regulatory-risk level is derived that does NOT judge the country's democratic quality, but the regulatory predictability for whoever operates technology: a country may have very strict laws and high enforcement (high but predictable sanction risk) or many unenforced laws (unpredictability risk). Each layer is attributed to its source. The classification is a revisable comparative reading, not a single official figure. No unpublished data is imputed.

Sources consulted

  1. GDPR Local — AI Regulations Around the World 2026 ↗ academic
  2. Forcepoint / OneTrust — Global Data Protection Laws 2026 ↗ academic
  3. Diálogo Ciudadano — rastreos por jurisdicción (AI Act, GDPR, DSA, US/LATAM AI) ↗ official