Current AI laws and regulations globally, and where policy is likely to go next.
AI regulation is developing faster than almost any other technology policy area, but significant gaps remain. As of early 2025, the most comprehensive binding regulation is in the European Union. Other major jurisdictions have issued guidance, executive actions, and sector-specific rules but lack comprehensive AI-specific legislation.
This article covers what is currently in force or formally adopted, what is in progress, and what major AI companies are doing voluntarily.
The EU AI Act is the world's most comprehensive AI regulation, formally adopted by the European Parliament in March 2024 and entering into force in August 2024. It applies to AI systems placed on the market or put into service in the EU, and its extraterritorial reach means it affects many non-EU companies.
The Act categorizes AI systems into four risk levels:
Unacceptable risk — outright prohibited. This includes AI systems that manipulate people through subliminal techniques or exploit vulnerable groups, real-time biometric surveillance in public spaces by law enforcement (with narrow exceptions), social scoring by governments, and certain predictive policing uses. These prohibitions apply from February 2025.
High-risk — permitted but subject to significant requirements. High-risk categories include AI in critical infrastructure, education and vocational training, employment decisions, essential private and public services, law enforcement, border control, administration of justice, and AI embedded in safety-critical products (medical devices, vehicles). High-risk AI must meet requirements for risk management, data governance, transparency, human oversight, accuracy, and robustness. Providers must register systems in an EU database.
Limited risk — transparency obligations. Chatbots must inform users they are interacting with AI. Deepfakes must be labeled. General-purpose AI model providers have documentation and transparency requirements.
Minimal risk — no specific obligations. Most AI applications fall here.
The Act has specific provisions for general-purpose AI models — large language models and similar systems. Providers of GPAI models must provide technical documentation, comply with copyright law, and publish summaries of training data. Providers of GPAI models with "systemic risk" (roughly, the largest frontier models) face additional requirements including adversarial testing, reporting of serious incidents, and cybersecurity obligations.
Prohibitions on unacceptable-risk AI: February 2025. GPAI model obligations: August 2025. High-risk AI systems rules: August 2026. Full application: August 2027. Enforcement rests with EU member state national authorities and the newly established European AI Office.
Non-compliance can result in fines up to €35 million or 7% of global annual turnover, whichever is higher, for the most serious violations.
The US has not passed comprehensive federal AI legislation as of early 2025. Regulation is more fragmented:
Executive Order on AI (October 2023): President Biden issued an executive order establishing requirements for AI developers to report safety testing results to the government when models exceed certain capability thresholds, directing agencies to assess AI risks in their sectors, and establishing standards through NIST. The order's implementation has been ongoing through agency rulemaking.
NIST AI Risk Management Framework: Published in January 2023, this voluntary framework provides guidance for organizations developing and deploying AI systems. It covers identifying, assessing, and managing AI risks. It is not legally binding but is widely referenced.
Sector-specific regulation: The FDA has established pathways for AI-based medical devices and has issued guidance on AI/ML-based software. The FTC has indicated that AI systems making deceptive claims or causing consumer harm fall within its existing consumer protection authority. The EEOC has issued guidance on AI in employment decisions and Title VII compliance.
State-level action: In the absence of federal law, states have moved. California has passed several AI-related bills covering deepfakes, automated decision systems in employment, and AI disclosure requirements. Colorado, Texas, and Illinois have laws addressing specific AI applications. The result is a patchwork that industry groups argue creates compliance complexity.
Congressional activity: Multiple AI bills have been introduced in both chambers, covering areas including foundation model transparency, high-risk AI auditing, and generative AI disclosures. None had passed into law as of early 2025, though legislative activity was increasing.
China has been active in AI-specific regulation, taking a different approach that emphasizes content control and security alongside safety.
Generative AI Regulations (effective August 2023): These rules require providers of generative AI services to the Chinese public to conduct security assessments before launch, ensure training data and outputs comply with Chinese law (including content restrictions), protect user personal information, and label AI-generated content. Providers must be able to trace generated content and cooperate with government requests.
Algorithmic Recommendation Rules (effective March 2022): Require transparency about recommendation algorithms, prohibit certain manipulative practices, and allow users to opt out of personalized recommendations.
Deep Synthesis Regulations (effective January 2023): Cover deepfakes and synthetic media, requiring labeling and prohibiting certain uses.
China's approach prioritizes content that is "aligned with socialist core values" and national security requirements alongside more universally applicable safety concerns.
The UK has taken a principles-based, sector-specific approach, explicitly rejecting a new comprehensive AI law in the short term. The government's position, outlined in a 2023 white paper and maintained through 2024, is that existing regulators should apply existing laws to AI in their sectors, with the government providing cross-sector principles (safety, transparency, fairness, accountability, contestability).
The ICO (data protection), FCA (financial services), CQC (healthcare), and Ofcom (communications) are each expected to develop sector-specific AI guidance. The AI Safety Institute, established in 2023, conducts safety evaluations of frontier models.
This approach creates more flexibility but also more uncertainty about requirements.
In July 2023, major AI companies including Anthropic, OpenAI, Google, Meta, Amazon, Inflection, and Microsoft made voluntary commitments to the White House covering internal and external red-teaming, investment in cybersecurity and insider threat safeguards, transparency reporting, and research on societal risks.
Industry bodies including the Partnership on AI and the Frontier Model Forum have established shared norms and research efforts.
Model cards — structured documentation of model capabilities, limitations, and intended use cases — have become a common voluntary transparency practice, used by major labs when releasing new models.
Acceptable use policies specify what applications are prohibited by each provider. These are contractual conditions, not law, but they create a de facto governance layer.
Several regulatory trends are broadly expected across jurisdictions:
Mandatory safety evaluations before deployment for high-capability models — the EU AI Act establishes this framework; other jurisdictions are likely to follow.
Incident reporting requirements — mandatory notification to authorities when AI systems cause serious harm, analogous to existing requirements in aviation, pharmaceuticals, and financial services.
Liability frameworks — clearer legal rules about who is liable when AI systems cause harm: developers, deployers, or both.
Labeling requirements — expanded requirements to disclose AI-generated content, particularly in media and advertising.
Open questions remain significant: how to define high-risk AI across different legal systems, how to enforce rules extraterritorially, how to keep pace with capability improvements, and how to balance innovation-friendly frameworks against risk mitigation. These are unresolved policy challenges that will occupy regulators for years.