Most AI governance analysis focuses on the EU AI Act, national legislation, or sector-specific regulatory guidance. CETS 225 sits above all of these as the first instrument to create legally binding international standards for AI at the treaty level. It does not replace the EU AI Act or national laws. It creates a baseline that signatory states must achieve and maintain, and it requires states that have ratified it to ensure both their public sector and private sector AI activities meet the Convention's human rights, democracy, and rule of law standards. For operators active across multiple signatory states, understanding CETS 225 is necessary to understand the minimum floor that national implementing measures must reach.

Key takeaways

  • CETS 225 is the first legally binding multilateral treaty on AI. It covers AI systems used in the public and private sectors in the jurisdictions of all signatory states, not only EU member states.
  • The Convention imposes obligations on Parties (states) to adopt measures implementing its principles. Operators face those obligations through national implementing legislation, not through the Convention text directly.
  • Core operator-facing obligations derived from CETS 225 include risk and impact assessment before deployment, transparency to affected persons, meaningful appeal mechanisms, and non-discrimination safeguards. These apply to a broader scope of AI activity than the EU AI Act high-risk category.
  • CETS 225 is consistent with the EU AI Act for in-scope systems but may require additional compliance steps in non-EU signatory states that implement stricter requirements than the EU minimum.
  • The US, UK, Canada, Israel, and Australia signed as non-member observer states, signalling an intent to align with the Convention's principles in their domestic regulatory development. Operators in those jurisdictions should monitor domestic implementation as ratification processes progress.

The origins and structure of CETS 225

The Council of Europe began formal work on a binding AI convention in 2019 through the Ad Hoc Committee on Artificial Intelligence (CAHAI), which was subsequently replaced by the Committee on Artificial Intelligence (CAI). The drafting process involved 46 Council of Europe member states alongside non-member observer states from North America, the Middle East, and the Pacific. The resulting text was adopted by the Committee of Ministers on 17 May 2024 and opened for signature in Vilnius, Lithuania, on 5 September 2024.

The Convention is structured in eight chapters. Chapter I establishes the object, scope, and definitions. Chapter II sets out the core obligations Parties must implement regarding the entire lifecycle of AI systems. Chapter III addresses specific fundamental rights safeguards. Chapter IV covers procedural safeguards for persons affected by AI decisions. Chapter V establishes oversight mechanisms. Chapter VI requires Parties to establish remedies. Chapter VII contains governance provisions including the Conference of the Parties. Chapter VIII contains the standard treaty provisions on signature, ratification, reservations, and amendments.

The Convention's scope is defined at Article 3. It applies to activities within the lifecycle of AI systems that affect human rights, democracy, and the rule of law. A key structural choice is that the Convention applies its obligations to Parties at the state level, requiring those Parties to implement equivalent measures in their jurisdictions through domestic law. This is in contrast to the EU AI Act's direct applicability as Union law.

Core obligations: what Parties must implement

Chapter II of the Convention requires Parties to adopt measures addressing six core areas. The measures must be implemented through domestic legal instruments, which may include new legislation, regulatory guidance, sectoral frameworks, or administrative measures. No specific implementation form is required.

The first core area is assessing the potential impacts of AI on human rights, democracy, and the rule of law throughout the system's lifecycle. This is an impact assessment obligation that applies before deployment and on an ongoing basis. The Convention does not prescribe a specific impact assessment methodology, leaving Parties to determine the appropriate form for their legal tradition and administrative capacity.

The second core area is measures to prevent, detect, and address adverse impacts on fundamental rights, including the right to privacy, freedom of expression, freedom of assembly, the right to a fair trial, and the right to non-discrimination. This is broader in scope than the GDPR's data protection framework and addresses AI effects that do not involve personal data processing.

The third core area is measures ensuring that AI use respects the integrity of democratic institutions, processes, and deliberation. The election influence subcategory in this area is of direct relevance to operators providing AI tools used in political advertising, voter contact, or public information contexts.

The fourth core area is ensuring that AI does not undermine the rule of law, access to justice, or the accountability of public bodies. This targets AI used in judicial and administrative settings and reinforces the obligations already present in the EU AI Act's Annex III Category 8 for justice administration systems.

The fifth core area is transparency measures ensuring that persons affected by AI decisions receive meaningful information about the AI's role and about their right to seek review. This is a transparency obligation that applies broadly to AI affecting individuals, not only to high-risk AI in the EU AI Act sense.

The sixth core area is establishing or designating independent oversight mechanisms to monitor compliance with the Convention's implementing measures. Parties must ensure that these mechanisms have adequate powers and resources, and are operationally independent from the entities they oversee.

Private sector application: Article 3 and the opt-in mechanism

The Convention's treatment of private sector activities is one of the most significant design choices in CETS 225. Article 3(1) allows Parties to limit the formal application of the Convention's obligations to AI activities of public authorities and private actors acting on their behalf. Article 3(2) requires any Party that makes this choice to ensure that private sector AI activities are subject to equivalent safeguards through other legal instruments.

In practice, this creates two categories of signatory state. States that apply the full Convention to both public and private sectors are full implementation states. States that apply the Convention to the public sector and rely on existing legislation, such as the EU AI Act or GDPR, to satisfy the equivalent safeguard requirement for private sector activities are partial implementation states.

The European Union and its member states are expected to satisfy the private sector equivalent safeguard requirement through the EU AI Act for in-scope AI systems. However, the EU AI Act's high-risk category is narrower than the Convention's scope. AI systems that do not fall within Annex III or Annex I of the EU AI Act are not subject to the full Chapter III Section 2 obligations, but they may still affect the rights protected by CETS 225. For those systems, it is less clear that the EU AI Act alone satisfies the equivalent safeguard requirement.

For operators in non-EU signatory states, the implementation picture is more varied. The United States signed as a non-member observer state but has not ratified CETS 225. The US federal regulatory framework for AI does not yet have a comprehensive statute equivalent to the EU AI Act. Executive Order 14110 (October 2023) and OMB Memorandum M-24-10 address federal government AI use but create no direct private sector obligations. State-level legislation, such as Colorado SB 24-205 (codified at C.R.S. section 6-1-1701 et seq.), addresses some of the CETS 225 themes but does not constitute full implementation of the Convention across US territory.

The relationship between CETS 225 and other international frameworks

CETS 225 sits within a broader landscape of international AI governance initiatives. The OECD AI Principles, adopted in 2019 and revised in 2024, provide a non-binding framework covering trustworthy AI characteristics, transparency, accountability, and human-centred values. The G7 Hiroshima AI Process, concluded in 2023 with an International Code of Conduct for Advanced AI Systems, added governance commitments for advanced AI development. The United Nations has adopted a resolution on AI and the General Assembly has established an advisory body on AI governance. ISO/IEC 42001:2023 provides a voluntary management system standard applicable globally.

CETS 225 is the only instrument in this landscape that is both legally binding as a matter of international treaty law and applies across a geographically diverse group of signatories spanning Europe, North America, the Middle East, and the Pacific. The OECD Principles, G7 Code of Conduct, and UN resolutions are all non-binding. ISO/IEC 42001 is a voluntary standard. CETS 225 creates binding obligations at the state level in a way none of these other instruments does.

The extraterritorial reach of the EU AI Act already means that many operators outside the EU face EU-derived compliance obligations through the Act's market access provisions. CETS 225 adds a second international dimension: operators in non-EU signatory states must also monitor domestic implementation of the Convention in those states as ratification processes advance and implementing legislation is adopted.

Transparency, appeal mechanisms, and the individual rights dimension

Chapter IV of the Convention addresses procedural safeguards for individuals affected by AI decisions. The obligations in this chapter are among the most directly relevant to operators.

Article 14 requires Parties to ensure that individuals are able to obtain explanations about AI decisions that significantly affect them. This is a transparency obligation analogous to GDPR Article 22's explanation requirement for automated decisions, but it is broader in that it applies to AI-assisted decisions, not only to fully automated decisions.

Article 15 requires Parties to ensure that individuals have access to remedies, including the ability to challenge AI-influenced decisions. Where an AI decision has a significant effect on a person's legal or practical situation, that person must be able to obtain review of the decision by a competent authority, whether human or otherwise.

Article 16 addresses the use of AI in proceedings before courts and administrative bodies. Parties must ensure that judicial and administrative processes are not compromised by AI systems that operate without appropriate oversight, and that individuals are informed when AI is used in these contexts.

These procedural safeguards are operational requirements for any organisation deploying AI in contexts where it affects individual rights. Compliance teams should confirm that their AI deployment policies include documentation of which systems affect individuals significantly, how those individuals are informed, and what appeal pathway is available. The Article 26 analysis on agentliability.eu covers the EU AI Act dimension of the same requirements in detail.

What global operators should do now

The practical steps for global operators are grounded in monitoring and documentation rather than immediate statutory compliance. The Convention's obligations apply to Parties at the state level, and private sector obligations flow through national implementing legislation. Until a given state has ratified and implemented CETS 225 in its domestic law, the Convention does not directly create enforceable private sector obligations in that state.

However, four preparatory steps are well-founded. First, identify which of your AI deployments fall in jurisdictions that have ratified CETS 225 and have adopted implementing legislation. For EU member states, this means reviewing whether the combination of the EU AI Act, GDPR, and any national AI legislation satisfies the Convention's requirements in the specific sectors you operate in. For UK and US deployments, monitor domestic implementation as ratification processes advance.

Second, build an AI impact register that maps each significant AI deployment against the categories of fundamental rights the Convention is designed to protect: privacy, non-discrimination, freedom of expression, access to justice, and democratic participation. This exercise will identify deployments that may be in scope for CETS 225-derived obligations even if they fall outside the EU AI Act's Annex III categories.

Third, review your transparency practices for AI decisions affecting individuals. The Article 14 explanation requirement under CETS 225 applies broadly. Any deployment that makes or materially influences a significant decision about an individual should come with a user-facing explanation of the AI's role and an appeal or review pathway.

Fourth, engage with the certification and documentation infrastructure that makes compliance demonstrable. A structured AI governance framework, such as ISO/IEC 42001 or the Agent Certified assessment available at agentcertified.eu, produces documentation that is directly usable as evidence of CETS 225-aligned governance in any jurisdiction where the Convention's implementing measures require such evidence.

Frequently asked questions

What is the Council of Europe Framework Convention on AI?

CETS 225 is the first legally binding multilateral treaty on AI governance. Adopted in May 2024 and opened for signature in September 2024, it requires signatory states to implement measures ensuring that AI systems in their jurisdictions respect human rights, democracy, and the rule of law. Private sector obligations flow through national implementing legislation in each signatory state.

How does CETS 225 interact with the EU AI Act?

EU member states that have signed CETS 225 are expected to satisfy the Convention's private sector equivalent safeguard requirement through the EU AI Act for in-scope systems. However, the EU AI Act covers a narrower scope than the Convention. AI systems that are not high-risk under the EU AI Act may still fall within CETS 225-derived national implementing measures in specific jurisdictions. Operators should review national implementation laws in each state where they operate.

Does CETS 225 apply to US and UK operators?

The US and UK signed CETS 225 as non-member observer states. The Convention creates binding obligations only upon ratification. As of May 2026, neither the US nor the UK has formally ratified CETS 225. However, both signatories indicated an intent to align domestic regulatory development with the Convention's principles. US operators should monitor federal and state legislative developments; UK operators should monitor the UK's AI regulatory White Paper implementation track as it evolves.

References

  1. Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS 225), adopted 17 May 2024, opened for signature 5 September 2024, Vilnius.
  2. Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act), OJ L 1689, 12 July 2024.
  3. OECD Recommendation on Artificial Intelligence (OECD/LEGAL/0449), revised 2024.
  4. Executive Order 14110 on Safe, Secure, and Trustworthy Artificial Intelligence, 30 October 2023.
  5. OMB Memorandum M-24-10, Advancing Governance, Innovation, and Risk Management for Federal AI, March 2024.
  6. Colorado Artificial Intelligence Act, SB 24-205, codified at C.R.S. section 6-1-1701 et seq., effective 1 February 2026.
  7. ISO/IEC 42001:2023, Information Technology: Artificial Intelligence: Management System.