Twenty-seven jurisdictions, four major frameworks, one compliance question. This map catalogues the AI regulatory posture of every jurisdiction covered in this publication, grouped by region, with the operator's operative question for each market and links to the full country guide.

Key takeaways

  • The European Union is the only jurisdiction with a comprehensive, binding, horizontal AI statute in force in mid-2026. Regulation (EU) 2024/1689 applies extraterritorially to any provider or deployer whose AI output reaches a person in the Union, regardless of where the company is established.
  • China has the most operationally dense non-EU AI law stack: three separate enforceable instruments (Generative AI Measures 2023, Algorithmic Recommendations Provisions 2022, Deepfakes Provisions 2022) each with distinct filing and content-labelling obligations, enforced by the Cyberspace Administration of China.
  • The United States has no federal AI statute as of mid-2026. Compliance exposure runs through sector regulators (SEC, FTC, FDA, OCC), state law (Colorado SB 24-205 is the most operator-consequential statute), and common-law negligence claims in which NIST AI RMF adherence is emerging as a reasonableness benchmark.
  • South Korea, Brazil, Canada, and Saudi Arabia have enacted or substantially progressed binding AI legislation; none is fully in force as of mid-2026. Japan and Singapore operate mature voluntary frameworks with sectoral mandatory overlays.
  • The EU's extraterritorial reach under Article 2(1)(c) of Regulation (EU) 2024/1689 functions as a de facto global minimum for any operator with EU market exposure. Operators should structure global compliance programmes with the EU Act as the spine and layer domestic obligations on top.
  • Risk transfer through AI liability insurance (Munich Re aiSure, Armilla, Lloyd's bespoke, Counterpart, HSB) is available but coverage scope tracks documented compliance posture; an undocumented deployment is an uninsurable deployment.

In this guide: the jurisdiction cluster

This pillar links to every country-level and framework-level operator guide on this site. The cluster is organised by region. Each link points to the full guide for operators who need depth beyond the one-line posture summary below.

Europe and the EU

Americas

Asia-Pacific

Middle East, Africa, and Israel

Cross-Jurisdictional Frameworks and Standards

Jurisdiction index: one-line posture per country

The table below gives each jurisdiction's current posture, the operative legal instrument, and the primary compliance question for operators. It is a navigational index, not a compliance opinion. Follow the country guide link for the full analysis.

Europe

Jurisdiction Posture (June 2026) Operative instrument Primary operator question
European Union Binding horizontal statute, extraterritorial Regulation (EU) 2024/1689 Does my AI output reach any person in the Union? If yes, Article 2 applies regardless of where you are established.
Germany EU Act applies; DPA enforcement (BfDI, LfDI) active; sector rules for financial services and healthcare Regulation (EU) 2024/1689; BDSG; BaFin guidance Is the AI system used in an employment, credit, or biometric context subject to BaFin or sector rules layered on top of the EU Act?
France EU Act applies; CNIL is designated national supervisory authority; active enforcement track record in AI and data Regulation (EU) 2024/1689; CNIL guidelines 2023 Has the CNIL designated this AI use as within its enforcement priority for 2026 (automated decisions, profiling, facial recognition)?
Netherlands EU Act applies; Autoriteit Persoonsgegevens (AP) issued first AI fine in 2024; active on algorithmic decision-making Regulation (EU) 2024/1689; AP guidance on ADM 2023 Does the system make or substantially influence individual decisions? AP's ADM framework creates disclosure obligations beyond the EU Act's baseline.
Spain EU Act applies; AESIA (Spanish AI Supervisory Authority) established 2024; national sandbox operational Regulation (EU) 2024/1689; AESIA mandate under Royal Decree 729/2023 Is the system in scope for the AESIA national sandbox, and does the intended deployment require prior registration with AESIA as the national competent authority?
Italy EU Act applies; Garante active on AI and data; sectoral rules in financial services (Banca d'Italia) Regulation (EU) 2024/1689; Garante enforcement decisions 2023-2024 Has the system been reviewed against Garante guidance on automated profiling, and is the intended use within the financial services perimeter of Banca d'Italia supervision?
Switzerland Non-EU; voluntary AI governance framework; revised Federal Act on Data Protection (revFADP) in force; monitoring EU Act for alignment revFADP (in force September 2023); AI principles from FDPIC Does EU Act exposure arise through output used in the Union? Switzerland's revFADP creates DPIA-equivalent requirements for profiling; no AI-specific statute yet.
United Kingdom Sectoral, pro-innovation approach; no horizontal AI statute; ICO, FCA, and AISI each operate within their sector; Bletchley Declaration signatory AI Opportunities Action Plan (January 2025); ICO guidance; FCA PS23/22; AISI evaluations Which UK sector regulator has jurisdiction over the deployment context, and does EU AI Act exposure arise through output used in the Union by UK-based deployments serving EU clients?
Council of Europe Framework Convention on AI (CETS 225) open for signature May 2024; signatories include EU member states, US, UK, Canada, Japan, Israel CETS 225 (Framework Convention on AI and Human Rights, Democracy and the Rule of Law) Has your home jurisdiction ratified CETS 225, and does it create obligations that supplement or pre-empt existing domestic AI rules?

Americas

Jurisdiction Posture (June 2026) Operative instrument Primary operator question
United States No federal AI statute; sector agency guidance; state law patchwork; Executive Order 14110 (October 2023) partially rescinded FTC Act s.5; SEC staff guidance 2023; FDA AI/ML action plan; Colorado SB 24-205; NIST AI RMF Which federal sector regulator has jurisdiction (FTC for deceptive AI claims, SEC for material AI risk disclosure, FDA for clinical AI, OCC for bank AI use), and does SB 24-205 apply through Colorado consumer exposure?
Colorado US-leading deployer obligations statute in force 2026; covers consequential decisions in employment, credit, education, insurance, housing Colorado SB 24-205 (Artificial Intelligence Act) Is the AI system used to make a consequential decision affecting a Colorado consumer? If yes, risk management documentation, impact assessment, and disclosure obligations apply to the deployer.
Canada AIDA (Artificial Intelligence and Data Act) proposed under Bill C-27; not yet in force; PIPEDA enforcement continues AIDA (proposed, not yet in force); PIPEDA; Quebec Law 25 Does Quebec Law 25 apply to the deployment (in force September 2023, covers automated decision-making with individual impact)? Is the system in a high-impact category that will require registration under AIDA when enacted?
Brazil PL 2338/2023 passed Brazilian Senate 2024; awaiting presidential signature as of mid-2026; LGPD enforcement active PL 2338/2023 (AI Bill, pending); LGPD Does the deployment constitute a high-risk AI use under the pending AI Bill (automated individual decisions with significant legal or equivalent effects)? LGPD creates data rights obligations that apply now.
Mexico No AI-specific statute; LFPDPPP and INAI oversight; constitutional reform on personal data 2023; informal working group on AI Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP); INAI guidance Does the AI system process personal data of Mexican residents? INAI's automated-processing guidance applies. No AI statute creates direct obligations, but data rights claims are the primary liability pathway.

Asia-Pacific

Jurisdiction Posture (June 2026) Operative instrument Primary operator question
China Three binding instruments active; the most operationally dense non-EU AI law stack in any jurisdiction CAC Generative AI Interim Measures (August 2023); Algorithmic Recommendations Provisions (March 2022); Deepfakes Provisions (January 2023) Does the system generate content for Chinese users (generative AI measures apply), operate a recommendation algorithm (algorithmic provisions apply), or produce synthetic media (deepfake provisions apply)? All three may apply simultaneously.
Japan AI Promotion Act 2024 enacted; pro-innovation posture; principles-based with sectoral mandatory overlays; governance guidelines from METI AI Promotion Act 2024; METI AI Governance Guidelines v2.0; APPI Is the AI system used in a sector with mandatory safety rules (financial services, medical devices, autonomous vehicles)? The AI Promotion Act creates a due-care framework; sector rules may be binding.
South Korea AI Basic Act enacted 2024; phased commencement; high-impact AI system obligations in force progressively from 2025 AI Basic Act (enacted December 2024); Personal Information Protection Act Is the system designated as high-impact AI under the Basic Act (systems affecting safety, fundamental rights, or public order)? Operators of high-impact AI must register, document, and allow human oversight.
Singapore Voluntary Model AI Governance Framework; no horizontal AI statute; MAS guidance for financial services; IMDA AI verify programme Model AI Governance Framework v2.0 (2020, updated 2024); MAS Fairness, Ethics, Accountability, Transparency guidelines; PDPA Is the deployment in the financial services sector (MAS FEAT guidelines are the operative standard)? For other sectors, the Model Framework is the practical benchmark for any procurement or vendor audit requirement.
Australia Voluntary AI Safety Standard (ten guardrails) published 2024; government adopting mandatory framework for high-risk AI in government use; Privacy Act reform pending Voluntary AI Safety Standard (DISR, 2024); Privacy Act 1988 (review underway) Is the system procured by or used in Australian government contexts (mandatory for agencies)? For private sector, the ten guardrails are voluntary but feature in procurement requirements and are emerging as a negligence benchmark.
India No horizontal AI statute; Ministry of Electronics and Information Technology (MeitY) advisory guidance 2024; Digital Personal Data Protection Act 2023 in force MeitY Advisory on AI (March 2024); Digital Personal Data Protection Act 2023 Does the AI system process personal data of Indian residents? DPDPA obligations apply. MeitY advisory (non-binding) directs platforms to label AI-generated content and obtain consent for training on Indian user data; enforcement mechanism is still developing.
Indonesia No horizontal AI statute; Government Regulation 71/2019 on electronic systems applies; National AI Strategy 2020-2045; data localisation obligations active Government Regulation 71/2019; Personal Data Protection Law 2022 (PDP Law) Does the AI system process personal data of Indonesian residents and require domestic data localisation under the PDP Law? Electronic system operators in strategic sectors face prior registration requirements with KOMINFO.

Middle East, Africa, and Israel

Jurisdiction Posture (June 2026) Operative instrument Primary operator question
United Arab Emirates Actively building AI leadership posture; no horizontal AI statute; sector-level rules in financial services (CBUAE), healthcare, and financial free zones (DIFC, ADGM) DIFC AI Principles 2024; ADGM AI Guidance; CBUAE AI governance requirements Is the deployment in DIFC or ADGM (where AI principles create governance obligations)? Is it in financial services regulated by CBUAE? Free-zone AI governance is more developed than mainland UAE rules.
Saudi Arabia National AI Strategy operational; draft AI regulation in development under SDAIA; Personal Data Protection Law (PDPL) in force August 2023 PDPL (in force August 2023); SDAIA draft AI framework (expected 2025-2026); National AI Strategy 2030 Does the system process personal data of Saudi residents? PDPL creates consent, transparency, and cross-border transfer obligations. Draft AI framework (when enacted) will require impact assessments for automated decisions affecting individuals.
South Africa No AI statute; POPIA (Protection of Personal Information Act) in force 2021; POPIA section 71 restricts purely automated consequential decisions; draft National AI Policy Framework 2023 POPIA section 71; draft National AI Policy Framework (Department of Communications and Digital Technologies, 2023) Does the system make purely automated consequential decisions about South African data subjects? POPIA section 71 requires a human review process or opt-out right. The draft AI Policy Framework signals future mandatory obligations.
Israel No horizontal AI statute; Privacy Protection Authority guidance on automated decisions; active in AI safety research; signatory to Council of Europe AI Convention (CETS 225) Privacy Protection Law 1981 (amended); Privacy Protection Authority position papers on AI (2024); CETS 225 (signed) Does the system process personal data of Israeli residents and make automated decisions with individual impact? PPA position papers create expectations (disclosure, human review access) that may be enforced through existing privacy law before a dedicated AI statute is enacted.

EU extraterritorial reach: the operative rule for global operators

The single most consequential provision for any operator with global exposure is Article 2(1)(c) of Regulation (EU) 2024/1689. It reads: the regulation applies to providers and operators established in third countries where the output of an AI system is used in the Union.

Output, in the regulation's meaning, is what the AI system produces: a score, a ranking, a recommendation, a generated document, a classification, a pricing decision, a content moderation result. The trigger is not EU establishment, EU contracts, EU data processing, or EU employees. The trigger is whether a person in the Union receives and acts on the output.

This makes the EU AI Act function as a de facto global minimum floor for any operator that cannot guarantee its AI outputs never reach an EU person. In practice, operators in the following situations are within scope regardless of their home jurisdiction:

  • SaaS platforms with any EU subscriber, whether direct or through a reseller.
  • API providers whose downstream customers include EU-incorporated entities.
  • US or UK analytics firms whose model outputs are used by EU clients in consequential decisions (credit, hiring, insurance, content moderation).
  • Multinational enterprises whose US or UK AI systems are shared with EU subsidiaries for HR, finance, or customer operations.
  • AI model providers whose foundation models are accessed by EU developers via API, even if the provider has no EU contract directly.

The full analysis of extraterritorial reach, including the five routes under Article 2(1), the authorised representative requirement under Article 22, and penalty exposure under Article 99, is in the dedicated guide: EU AI Act extraterritorial reach: US and UK companies.

The Digital Omnibus: what changed and what did not

On 7 May 2026, the European Council and European Parliament reached trilogue agreement on the Digital Omnibus, a package that includes proposed amendments to the high-risk obligations timetable in Regulation (EU) 2024/1689. The key proposed change is moving the 2 August 2026 activation date for high-risk AI system obligations to 2 December 2027.

Three things operators must understand about the Omnibus status as of mid-2026:

  1. The 2 August 2026 date remains legally binding until the Omnibus is formally adopted and published in the Official Journal. Trilogue agreement is a political agreement; it does not have legal effect until the full legislative procedure is complete. Companies that pause high-risk compliance work on the basis of the proposed change before the Official Journal publication are taking a legal risk.
  2. The prohibitions in Article 5, the transparency obligations in Article 50, and the GPAI model obligations in Articles 53 and 55 are not affected by the Omnibus. These are in force on their original dates and are not proposed to be amended. The Omnibus changes only the high-risk Annex III activation date.
  3. The extraterritorial scope in Article 2 is unchanged. The Omnibus does not alter who the regulation applies to. It addresses only when certain obligations become mandatory. Article 2's scope provisions apply now, regardless of when the Omnibus is adopted.

Cross-border deployments: the conflict-of-laws problem

When an AI system operates across multiple jurisdictions simultaneously, no automatic rule resolves which country's law applies to a liability claim or a compliance obligation. The conflict-of-laws analysis depends on the claim type, the parties, and the relevant choice-of-law rules of the forum.

For tort claims (negligence, product liability), the general rule is lex loci delicti: the law of the place where the harm occurred. For an AI-generated credit decision that harms a French consumer, French law (and through it, EU law) applies to the harm, regardless of where the AI system was operated. The cases that have shaped this analysis in AI-adjacent contexts include Moffatt v. Air Canada (British Columbia Civil Resolution Tribunal, 2024), in which Air Canada was held liable for an AI chatbot's incorrect statement, and Mata v. Avianca (S.D.N.Y., 2023), in which AI-generated case citations were found to be fabricated, resulting in sanctions. Neither case resolved a multi-jurisdictional conflict of laws, but both established that AI outputs generate legal responsibility for the deployer without requiring a new theory of liability.

For regulatory compliance obligations, the applicable law is determined by each regime's own scope rule. The EU AI Act applies its own Article 2 scope rule; it does not yield to a private choice-of-law agreement. An operator that writes a US-law governing clause into its AI service agreement does not thereby remove itself from EU AI Act scope if its output reaches EU persons. China's CAC instruments apply to systems that provide information services to users in China, again through their own scope rule, not through contract choice. The full treatment of these multi-layer scope conflicts is in the guide on cross-border AI agent liability and conflict of laws.

Operators running global AI deployments should maintain a jurisdiction matrix that maps each deployment context to the applicable regulatory scope rules, the operative liability frameworks, and the insurance coverage that applies in each. A deployment that is covered under US common law but outside the EU AI Act's scope in one configuration may be inside EU scope in another configuration that routes the same output to EU clients. The configuration determines the exposure, not the operator's intent or establishment.

Liability allocation across the AI supply chain

Global AI regulation does not converge on a single model for allocating liability between foundation model providers, fine-tuning operators, and deployers. The EU AI Act separates duties by role: providers bear the conformity assessment and technical documentation burden; deployers bear the use-within-intended-purpose and human oversight burden. The revised Product Liability Directive (Directive 2024/2853) extends product liability to AI systems as products and to standalone software, removing the earlier requirement for physical damage.

Outside the EU, the allocation differs by jurisdiction:

  • In the United States, common law negligence allocates liability to the party that owed and breached a duty of reasonable care. Courts are currently developing what standard of care applies to AI deployments, and NIST AI RMF adherence is emerging as a benchmark for what a reasonable deployer does. See the guide on NIST AI RMF and the reasonable care standard.
  • In China, the CAC Generative AI Measures hold providers of generative AI services liable for harm caused by generated content, with a safe harbour only where the provider establishes that the content was produced entirely in response to user-provided prompts that the provider had no basis to predict would be harmful. This is a narrower safe harbour than US or EU deployer defences.
  • In the United Kingdom, the existing tort law framework applies. The ICO regulates automated decision-making under UK GDPR. There is no AI-specific liability statute. Courts will apply existing product liability and negligence law to AI harm cases, with the AI Safety Institute's evaluation findings potentially used as evidence of known risk.

The foundational analysis of supply-chain liability, including the question of who pays when a foundation model causes harm through a downstream deployer, is in the guide on AI agent liability: foundation model vs deployer.

Risk transfer and insurance architecture

AI liability insurance is no longer a theoretical product. As of mid-2026, operators have access to a range of products, though coverage terms remain heterogeneous and underwriting practice varies materially by deployment context and documented compliance posture.

The primary products available include:

  • Munich Re aiSure. Covers AI system performance risk for commercial deployers, including output errors that cause financial harm to downstream users. Underwriting requires documented conformity assessment or equivalent risk management evidence.
  • Armilla. Provides AI model performance insurance, primarily covering enterprise deployers of third-party AI systems. Policy structure tracks the deployer's contractual exposure to the model provider.
  • Lloyd's of London market syndicates. Bespoke AI liability policies for large enterprise deployers, including coverage for regulatory investigation costs, fines where insurable under the applicable law, and third-party harm claims. Policy structure and pricing vary by syndicate.
  • Counterpart. Technology directors and officers coverage with explicit AI liability extensions, covering executives whose decisions resulted in AI-related harm.
  • HSB (Hartford Steam Boiler). US-distributed technology errors and omissions coverage extended to AI-related claims in the manufacturing, energy, and critical infrastructure sectors; European availability is unconfirmed.

Coverage scope across all products shares one consistent characteristic: undocumented deployments are generally uninsurable or excluded. Insurers require evidence of risk assessment, intended use documentation, and in regulated jurisdictions, evidence of conformity with applicable law. The AIUC (Coalition for Artificial Intelligence Underwriting Criteria) is developing standardised underwriting criteria that are expected to become a baseline reference for AI liability underwriting globally.

For the dedicated insurance architecture analysis, see the agentinsured.eu coverage platform.

Risk index and tracking

The Agent Liability Risk Index at agentliability.co/risk-index/ provides a structured view of regulatory risk intensity by jurisdiction and deployment category. The index is updated quarterly to reflect legislative developments, enforcement actions, and changes in interpretive guidance from national supervisory authorities. It is the primary quantitative tool for operators building jurisdiction risk matrices.

The global regulation status tracker at global AI regulation status tracker 2026 gives a current legislative timeline for each jurisdiction, including bills pending, instruments in force, and enforcement activity. It is updated with each substantive legislative development and should be read alongside this pillar for current status.

Building a global AI compliance programme in 2026

Operators with multi-jurisdictional AI deployments face a structural compliance challenge: no two regimes use identical classification criteria, identical duty sets, or identical enforcement timelines. The following architecture is the practical minimum for a compliance programme that covers the major jurisdictions addressed in this guide.

  1. Use the EU AI Act as the spine. The Act's prohibited-practice prohibitions, high-risk classification framework, and technical documentation requirements represent the most demanding set of pre-deployment obligations in any current statute. A deployment that satisfies EU Act requirements will satisfy or substantially satisfy the requirements of most other jurisdictions. Exceptions: China's content-labelling and filing requirements have no EU equivalent and must be addressed separately; Colorado SB 24-205 has impact assessment and disclosure obligations that are distinct from EU deployer duties and require separate documentation.
  2. Map each deployment to each jurisdiction's scope rule independently. Do not rely on EU Act compliance to establish scope exclusion from other regimes. China's CAC instruments have their own scope rule based on whether the service is provided to users in China. Korea's Basic Act has its own high-impact classification. Each regime applies its scope rule independently.
  3. Maintain deployment-level documentation. A system-level technical file is necessary but not sufficient. Compliance documentation must be scoped to each deployment context: who uses the system, for what purpose, with what human oversight, in what jurisdiction, with what intended and foreseeable outputs. Deployment-level documentation is what enables conformity assessment, supports insurance underwriting, and provides the evidentiary basis for a due-diligence defence in litigation.
  4. Designate a contact point for each major regulatory jurisdiction. The EU Act requires an authorised representative (Article 22) for non-EU providers. Other jurisdictions have analogous requirements (China's ICP filing requirement, South Korea's registration for high-impact AI). Beyond legal requirements, a named contact for each regulator reduces response time when an authority initiates inquiry.
  5. Align insurance coverage to the jurisdiction matrix. Verify that insurance policies cover the jurisdictions in which the AI system is deployed and that the coverage applies to the types of harm that each jurisdiction's liability framework contemplates. EU policy may not cover US common-law negligence claims, and vice versa. Review exclusions for regulatory fines (insurable in some jurisdictions, not in others) and for claims arising from non-compliant AI deployments.

For the EU regulatory detail

The agentliability.eu EU Regulatory Desk carries the full Article-by-Article EU AI Act operator guidance, including the Article 26 deployer obligations, the Article 27 fundamental rights impact assessment procedure, and the GPAI model obligations under Articles 53 and 55. For operators whose primary exposure is EU-facing, the EU Regulatory Desk is the companion publication to this global map. See agentliability.eu.

Frequently asked questions

Which country has the strictest AI regulation in 2026?

The European Union has the most comprehensive binding AI regulation in force in mid-2026. Regulation (EU) 2024/1689 prohibits certain AI practices outright, classifies high-risk systems with mandatory conformity assessments, and imposes general-purpose AI model obligations. Penalties reach EUR 35 million or 7 percent of worldwide annual turnover. China follows with multiple enforceable instruments covering generative AI, algorithmic recommendations, and deepfakes, each with distinct filing and content-labelling obligations enforced by the CAC. The United States has no equivalent federal statute, operating through sector-specific agency guidance and state law.

Does the EU AI Act apply to companies outside the EU?

Yes. Article 2(1) of Regulation (EU) 2024/1689 extends to any provider placing an AI system on the EU market, any operator established or operating in the EU, and any third-country provider or deployer whose AI output is used in the Union. This output-in-the-Union trigger catches US, UK, and other non-EU companies that serve EU users or whose AI results affect EU persons, even without an EU establishment. Article 22 requires non-EU providers of high-risk systems to designate an authorised representative in the Union.

What is the compliance status of the EU AI Act high-risk deadline in 2026?

The original 2 August 2026 deadline for high-risk AI system obligations under Regulation (EU) 2024/1689 remains legally binding until formally superseded. The Digital Omnibus (trilogue agreement 7 May 2026) proposes moving the high-risk deadline to 2 December 2027, but has not yet been formally adopted or published in the Official Journal. Prohibited-practice prohibitions (Article 5), transparency obligations (Article 50), and GPAI model obligations (Articles 53 and 55) are unaffected and remain in force on their original dates.

Which countries have enacted binding AI legislation as of mid-2026?

Binding AI-specific legislation is in force or formally enacted in the European Union (Regulation 2024/1689), China (CAC Generative AI Measures 2023, Algorithmic Recommendations Provisions 2022, Deepfakes Provisions 2022), South Korea (AI Basic Act, enacted 2024, phased commencement), Brazil (PL 2338/2023, passed Senate 2024, pending presidential signature), Colorado in the United States (SB 24-205, in force 2026), and the Council of Europe AI Framework Convention (CETS 225, open for signature 2024). Most other jurisdictions operate through voluntary frameworks, sector guidance, or proposed legislation not yet adopted.

How does cross-border AI liability work when a system operates across multiple jurisdictions?

Cross-border AI liability follows no unified international rule. Conflict-of-laws analysis applies lex loci delicti (law of the place of harm), the law of the deployer's establishment, or a contractual choice-of-law clause where parties have agreed. The EU AI Act applies its own scope rule through Article 2 regardless of choice-of-law agreements. The revised Product Liability Directive (Directive 2024/2853) similarly applies to EU consumers regardless of contract. A multi-jurisdictional deployment may face simultaneous obligations under EU law, US sector rules, and local data protection frameworks, with no safe harbour created by compliance with any single regime.

Does ISO 42001 certification satisfy AI regulatory requirements?

No. ISO 42001 is a voluntary process standard. Certification demonstrates a structured AI management system but does not constitute legal compliance with the EU AI Act, satisfy a conformity assessment for high-risk systems, or substitute for obligations under national AI laws. ISO 42001 is not a designated harmonised standard under the EU Act as of mid-2026. Certification may serve as evidence of good-faith risk management in liability proceedings, but it does not create a safe harbour under any current binding AI regulation.

What risk transfer options exist for global AI liability exposure?

The AI liability insurance market is active in 2026. Products include Munich Re aiSure (AI system performance coverage), Armilla (model performance coverage for enterprise deployers), Lloyd's of London bespoke AI liability policies, Counterpart (D&O coverage with AI extensions), and HSB technology E&O coverage. Underwriting across all products requires documented risk assessment and compliance posture. Undocumented deployments are generally excluded from coverage. The AIUC is developing standardised underwriting criteria.

References

  1. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), OJ L, 2024/1689, 12.7.2024.
  2. Regulation (EU) 2024/1689, Article 2 (Scope) and Article 2(1)(c) (Output used in the Union).
  3. Regulation (EU) 2024/1689, Article 5 (Prohibited AI practices).
  4. Regulation (EU) 2024/1689, Article 22 (Authorised representative for non-EU providers).
  5. Regulation (EU) 2024/1689, Article 50 (Transparency obligations for providers and deployers).
  6. Regulation (EU) 2024/1689, Articles 53 and 55 (Obligations for providers of general-purpose AI models).
  7. Regulation (EU) 2024/1689, Article 99 (Penalties).
  8. Regulation (EU) 2024/1689, Annex III (High-risk AI systems referred to in Article 6(2)).
  9. Directive (EU) 2024/2853 of the European Parliament and of the Council on liability for defective products (Product Liability Directive recast), OJ L, 2024/2853, 18.11.2024.
  10. European Commission, Digital Omnibus on AI: Commission proposal to amend Regulation (EU) 2024/1689. Trilogue agreement confirmed 7 May 2026. Not yet adopted or published in the Official Journal.
  11. CAC Generative AI Interim Measures (Interim Measures for the Management of Generative Artificial Intelligence Services), Cyberspace Administration of China, effective 15 August 2023.
  12. CAC Algorithmic Recommendations Provisions (Provisions on the Management of Algorithmic Recommendations), Cyberspace Administration of China, effective 1 March 2022.
  13. CAC Deepfakes Provisions (Provisions on the Management of Deep Synthesis Internet Information Services), Cyberspace Administration of China, effective 10 January 2023.
  14. Colorado SB 24-205 (Artificial Intelligence Act), signed into law 17 May 2024, effective provisions operative from 1 February 2026.
  15. AI Basic Act, Republic of Korea, enacted 26 December 2024 (Act No. 20689).
  16. Brazil PL 2338/2023, approved by the Brazilian Senate, pending presidential signature as of June 2026.
  17. Japan AI Promotion Act (Act on Promotion of Utilization of Artificial Intelligence Technology for the Creation of a Sustainable Society), enacted 2024.
  18. Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS 225), opened for signature 5 September 2024.
  19. NIST AI Risk Management Framework (AI RMF 1.0), National Institute of Standards and Technology, January 2023.
  20. ISO/IEC 42001:2023 Information technology. Artificial intelligence. Management system. Geneva: International Organization for Standardization, 2023.
  21. OECD Recommendation of the Council on Artificial Intelligence (OECD/LEGAL/0449), as updated 2024.
  22. Moffatt v. Air Canada, 2024 BCCRT 149 (British Columbia Civil Resolution Tribunal, February 2024).
  23. Mata v. Avianca, Inc., No. 22-cv-1461 (S.D.N.Y. June 22, 2023).
  24. Munich Re aiSure product specification, available to institutional underwriting clients. Confirm current product name and terms with Munich Re directly.
  25. Coalition for Artificial Intelligence Underwriting Criteria (AIUC), interim principles document. Confirm current publication status and date with the consortium.
  26. Singapore Model AI Governance Framework, Second Edition, Personal Data Protection Commission, 2020 (updated 2024).
  27. Australia Voluntary AI Safety Standard (Department of Industry, Science and Resources, 2024).
  28. Digital Personal Data Protection Act 2023, India (Act No. 22 of 2023), notified 11 August 2023.
  29. South Africa Protection of Personal Information Act 4 of 2013 (POPIA), section 71 (automated decision-making).
  30. Canada Artificial Intelligence and Data Act (AIDA), as proposed under Bill C-27, tabled June 2022, not yet enacted as of June 2026.