Israel is one of the world's most concentrated technology and AI ecosystems by output per capita. It hosts hundreds of AI companies, a mature deep tech investment market, and a government that has actively promoted AI development through the Innovation Authority and the National AI Programme. What Israel does not have in 2026 is a comprehensive AI statute. AI governance operates instead through the Privacy Protection Law, sector-specific financial and health regulation, and a principles-based national programme aligned with OECD AI Principles. For operators deploying AI in Israel or exporting AI to EU markets from Israel, the regulatory picture is distinct from any other jurisdiction covered in this series. This guide explains the architecture, the obligations, and what EU regulatory exposure looks like for Israeli AI companies.

Key takeaways

  • Israel has no comprehensive AI law equivalent to Regulation (EU) 2024/1689. The primary binding instrument governing AI-related data processing in Israel is the Privacy Protection Law 5741-1981 and the Privacy Protection Regulations (Data Security) 5777-2017, enforced by the Privacy Protection Authority (Reshut HaGanat HaPratiyut).
  • The EU AI Act applies to Israeli AI companies whose systems affect persons in the EU or are placed on the EU market, regardless of where the company is located. This extraterritorial obligation is the most significant compliance risk for Israeli AI exporters in 2026.
  • Israel received an EU adequacy decision for personal data transfers in 2011, recognised under GDPR Article 45. This facilitates EU-Israel data flows but does not affect the EU AI Act's application to Israeli companies placing AI systems in EU markets.
  • The Bank of Israel, the Capital Market, Insurance and Savings Authority (CMISA), and the Ministry of Health have each published AI governance guidance specific to their sectors. Operators in financial services or health technology face binding expectations from sector regulators in addition to general privacy law.
  • Israel is a member of the OECD and has committed to the OECD AI Principles (2019, updated 2024). Israel's National AI Programme, co-led by the Israel Innovation Authority and the Ministry of Innovation, Science, and Technology, uses the OECD Principles as its primary reference standard for responsible AI development.

The regulatory architecture: no horizontal AI law, but layered governance

Israel's regulatory architecture for AI in 2026 differs from every jurisdiction covered in this series. Unlike the EU, which operates a comprehensive horizontal regulation, unlike the UK, which operates a sector-based model with named regulator responsibilities, and unlike the US, which operates a fragmented federal plus state system, Israel operates a combination of general privacy law, sector regulatory guidance, and a government-led voluntary responsible AI programme. There is no dedicated AI supervisory authority, no mandatory AI registration or notification system, and no AI-specific penalty framework.

This does not mean the governance landscape is empty. Three distinct layers apply in practice. The first is general privacy law, which is binding and enforced. The second is sector regulatory guidance from financial and health regulators, which is binding on regulated entities. The third is the national responsible AI programme, which is voluntary but is increasingly referenced in public procurement and enterprise governance frameworks.

For operators assessing Israel's compliance burden in isolation, the picture is less demanding than the EU or Korea. For Israeli AI companies with EU market exposure, the dominant compliance obligation is not domestic at all: it is the EU AI Act's extraterritorial application, which applies regardless of where the AI company is incorporated.

The Privacy Protection Law and its application to AI

Israel's Privacy Protection Law 5741-1981 is the foundational instrument governing the collection, use, storage, and transfer of personal information in Israel. The law predates the internet, but has been updated through regulations and official interpretations to address digital information processing. The Privacy Protection Regulations (Data Security) 5777-2017 establish security requirements for databases of personal information classified by sensitivity level.

The law applies to any database of personal information held in Israel and to databases held abroad where those databases primarily contain information about Israeli residents. An AI system that processes personal information about Israeli individuals, whether operated by an Israeli company or by a foreign operator targeting Israeli users, falls within the law's scope.

For AI operators, the most significant obligations under the Privacy Protection Law are the database registration requirement, the data subject access and correction rights, the prohibition on using personal information for purposes other than the purpose for which it was collected, and the security obligations in the 2017 Regulations. The Privacy Protection Authority has published guidance confirming that automated decision-making systems, including AI tools that make or substantially influence decisions about individuals, must satisfy the same purpose limitation, data minimisation, and security obligations that apply to any personal information database.

Israel's data protection framework received an EU adequacy decision under Directive 95/46/EC in 2011, which was carried forward under GDPR Article 45. This adequacy decision facilitates the transfer of personal data from EU member states to Israel without requiring additional safeguards such as standard contractual clauses. The adequacy decision is periodically reviewed by the European Commission: Israel's adequacy status has been maintained through the 2026 review cycle. However, the adequacy decision addresses data protection law, not AI governance. It does not affect the EU AI Act's application to Israeli AI providers whose systems affect EU persons.

Sector regulatory guidance: financial services and health technology

Two sectors in Israel have received specific AI governance attention from their regulators. Financial services firms and health technology companies face expectations beyond the general privacy framework.

The Bank of Israel, which supervises commercial banks and credit card companies, has published supervisory guidance on the use of algorithmic decision-making in credit. The guidance requires banks using AI in credit scoring or decision-making to ensure explainability of decisions to customers, to document model validation procedures, and to implement governance frameworks proportionate to the systemic risk of the model. Banks are expected to assess algorithmic bias and to maintain human oversight of consequential decisions. These expectations parallel the model risk management frameworks operated by US and EU financial regulators and create a substantive compliance burden for Israeli banks deploying AI in credit workflows.

The Capital Market, Insurance and Savings Authority regulates insurance companies, pension funds, and investment managers. CMISA has published guidance on AI use in underwriting, customer segmentation, and investment management. The guidance emphasises transparency to customers about AI-assisted decisions, documentation of model limitations, and senior management oversight of AI governance. Insurance companies using AI in underwriting are expected to assess whether algorithmic outputs could produce discriminatory pricing and to document the steps taken to address that risk.

The Ministry of Health and the Israel Medical Association have addressed AI in clinical decision support and diagnostic tools. Health technology operating in Israel that incorporates AI diagnostic or therapeutic recommendations faces registration requirements under the Medical Devices Law and is subject to Ministry of Health guidance on clinical validation standards for AI-assisted medical tools. The guidance emphasises that AI in health must not replace clinical judgment without explicit regulatory approval and must be validated for the specific clinical population and context in which it is deployed.

The National AI Programme and OECD alignment

Israel's National AI Programme, first published in 2021 and updated through the National Economic Council and the Ministry of Innovation, Science, and Technology, sets out the government's strategic approach to AI. The programme is co-led by the Israel Innovation Authority, which administers grants and investment incentives for AI research and development, and the National Economic Council, which coordinates cross-ministry AI policy.

The programme commits Israel to responsible AI development aligned with the OECD AI Principles, which Israel endorsed as an OECD member in 2019. The 2024 revision of the OECD AI Principles added provisions on trustworthy AI development, AI systems safety, and AI incident reporting that reflect the maturation of the international policy debate. Israel's programme references these updated principles as the normative framework for responsible AI without translating them into mandatory requirements.

For private sector operators, the National AI Programme creates no binding compliance obligations. Its relevance is primarily in three contexts: government procurement of AI systems, where programme alignment may be a qualification criterion; eligibility for Israel Innovation Authority grants, where responsible AI commitments may be assessed; and commercial due diligence, where enterprise customers or investors increasingly ask about voluntary AI governance programme alignment. The programme functions similarly to Australia's Voluntary AI Safety Standard: it represents the government's position on best practice without legal enforcement mechanisms behind it.

The EU AI Act and Israeli operators: extraterritorial exposure

The single most significant AI regulatory obligation for Israeli AI companies in 2026 is not domestic. It is the EU AI Act's extraterritorial application to Israeli providers whose AI systems are placed on the EU market or affect persons in the EU.

Article 2(1) of Regulation (EU) 2024/1689 applies the regulation to providers placing AI systems on the market in the EU regardless of whether those providers are established in the EU. An Israeli AI company that sells an AI product to a European customer, that provides an AI service accessed by EU users, or that operates AI infrastructure that European enterprises use in their workflows is within scope as a provider under the EU AI Act. The obligations that apply to providers include technical documentation requirements under Article 11, transparency and instructions for use requirements under Article 13, post-market monitoring under Article 72, and serious incident reporting to market surveillance authorities under Article 73.

For high-risk AI systems as defined in Article 6 and Annex III of the EU AI Act, the obligations are significantly more demanding. High-risk AI used in employment, credit, insurance, medical devices, critical infrastructure, or biometric identification must undergo conformity assessment before being placed on the EU market, must comply with the risk management, data governance, accuracy, and human oversight requirements in Articles 9 through 15, and must carry CE marking issued by a notified body or through a self-declaration conformity assessment. Israeli AI companies providing high-risk AI to EU customers without an EU representative appointed under Article 25(1) may also be required to appoint such a representative.

The practical implication for Israeli AI companies with EU revenue is that EU AI Act compliance is not optional. A company whose AI system classifies as high-risk under Annex III and is placed on the EU market without satisfying EU AI Act requirements can face penalties of up to EUR 15 million or 3 per cent of worldwide annual turnover for non-compliance with deployer obligations, or up to EUR 30 million or 6 per cent for provider violations. Israeli export-focused AI companies should treat the EU AI Act as a product compliance requirement analogous to the CE marking requirements that already apply to medical devices and safety-critical products they export to Europe. For a full analysis of what the EU regulatory framework requires, see the EU AI Act operator obligations guide at agentliability.eu.

The National Cyber Directorate and AI security

Israel's National Cyber Directorate, established in 2015 as the national authority for cybersecurity, has addressed AI security in several dimensions. The Directorate has published guidance on the security risks of AI systems including data poisoning, model extraction, adversarial inputs, and the security implications of AI integrated into critical infrastructure. The guidance is addressed primarily to operators of critical national infrastructure and to government bodies using AI in high-stakes contexts.

For private sector operators, the Cyber Directorate's AI guidance is not binding in the sense that a regulation is binding. However, operators in sectors designated as critical infrastructure under Israeli law, which includes financial services, telecommunications, energy, water, and healthcare, face Cyber Directorate expectations that operate through their sector regulator relationships. An AI system deployed in Israeli critical infrastructure that has not been assessed against the Directorate's AI security standards may face examination by the sector regulator as part of general cybersecurity oversight.

Operator obligations: a summary

For an operator deploying AI in Israel, the practical compliance picture organises around three questions. First, does the AI system process personal information about Israeli residents? If yes, Privacy Protection Law obligations apply: database registration where applicable, purpose limitation, data minimisation, subject access rights, and data security under the 2017 Regulations. Second, does the operator fall within a regulated sector? If yes, Bank of Israel, CMISA, Ministry of Health, or other sector regulator guidance applies, with specific documentation, explainability, and oversight expectations proportionate to the sector risk. Third, does the AI system affect EU persons or reach the EU market? If yes, EU AI Act obligations apply regardless of Israeli domestic requirements, and for high-risk AI systems, those obligations include conformity assessment, CE marking, and technical documentation that meets EU AI Act standards.

For operators deploying AI from Israel without EU market exposure, the domestic compliance burden in 2026 is comparatively limited. This is a window that is likely to narrow as Israel's government responds to EU and OECD pressure to formalise AI governance. The National Economic Council has indicated that a more structured AI governance framework is under consideration for 2027, potentially drawing on the OECD AI Principles and aligning with the Council of Europe Framework Convention on Artificial Intelligence (Council of Europe Treaty Series No. 225), which Israel has observer status to consider ratifying.

Penalties and enforcement

Enforcement of Israel's AI-relevant obligations operates through existing enforcement mechanisms rather than AI-specific penalty regimes. Privacy Protection Law violations are enforced by the Privacy Protection Authority, which can impose administrative penalties and refer cases for criminal prosecution in serious instances. The maximum criminal penalty under the Privacy Protection Law is five years imprisonment for severe violations and two years for standard violations, with civil remedies available to affected data subjects.

Sector regulatory enforcement is conducted by the relevant regulator: the Bank of Israel, CMISA, and the Ministry of Health can impose licence restrictions, conduct examinations, and refer violations for administrative or criminal proceedings under their respective enabling legislation. There are no AI-specific financial penalties separate from the general regulatory toolkit these bodies operate.

For EU AI Act violations by Israeli companies, enforcement is conducted by EU member state market surveillance authorities or by the EU AI Office for GPAI and systemic-risk matters. Israeli companies without a physical EU presence but caught by the Act's extraterritorial scope face the same penalty framework as EU-established companies, and enforcement can in practice be pursued through customs and market access controls on EU-bound products and services.

How Israel's approach compares to the EU AI Act

Israel's AI governance approach in 2026 is principles-based and sector-grounded rather than horizontal and prescriptive. The contrast with the EU AI Act's structure is significant. Where the EU AI Act classifies AI systems by risk level and assigns mandatory obligations to each class, Israel applies existing law to AI use cases without classification. Where the EU AI Act requires conformity assessment and CE marking for high-risk AI, Israel has no equivalent product-approval mechanism for AI. Where the EU AI Act creates a public database of registered high-risk AI systems, Israel has no such registry.

The practical effect is that an operator moving AI into the Israeli market from an EU AI Act compliance baseline will have documentation, governance, and oversight infrastructure that substantially exceeds what Israeli domestic law requires. The documentation challenges run the other direction: an Israeli AI company attempting to enter the EU market must build EU AI Act compliance infrastructure from a baseline where no equivalent domestic requirements have created the habit of technical documentation and conformity assessment. For Israeli AI companies expanding into Europe, EU AI Act compliance is therefore the primary regulatory investment, and building it proactively rather than reactively is the commercially rational approach. For a comparison with the UK's sector-based model, see the UK AI regulation guide. For the NIST AI RMF as a voluntary governance baseline that Israeli companies can use to structure their international compliance, see the NIST AI RMF analysis.

Frequently asked questions

Does Israel have a comprehensive AI law equivalent to the EU AI Act?

No. As of June 2026, Israel has no comprehensive AI statute. AI governance operates through the Privacy Protection Law 5741-1981, sector regulatory guidance from financial and health regulators, and a national AI programme aligned with OECD AI Principles. The approach is most comparable to the UK's sector-based model.

Does the EU AI Act apply to Israeli AI companies?

Yes, where the conditions for extraterritorial application are met. Article 2 of Regulation (EU) 2024/1689 applies to providers placing AI systems on the EU market and to providers whose AI systems affect persons in the EU regardless of where the provider is established. Israeli AI companies exporting to European markets are subject to EU AI Act obligations as providers.

How does Israel's Privacy Protection Law apply to AI systems?

The Privacy Protection Law 5741-1981 applies to any database of personal information held in Israel and to databases held abroad primarily containing information about Israeli residents. Automated decision-making that relies on personal information databases engages purpose limitation, data minimisation, subject access, and security obligations. The Privacy Protection Authority has confirmed that AI systems processing personal information must comply with these obligations.

What is the Israel Innovation Authority's role in AI governance?

INAI promotes responsible AI development and co-leads the National AI Programme. Its role is advisory and promotional rather than regulatory. INAI does not issue binding compliance requirements, conduct enforcement, or operate a registration regime for AI systems. Its responsible AI framework is relevant to public procurement and government-backed funding eligibility.

How does Israel's AI regulatory approach compare to the EU AI Act?

Israel's approach is principles-based and sector-specific without a horizontal AI statute, no AI risk classification system, no mandatory conformity assessment, and no AI-specific penalty framework. An operator meeting EU AI Act requirements will substantially exceed Israeli domestic obligations. The dominant compliance risk for Israeli AI exporters is the EU AI Act's extraterritorial application to their EU-market activities.

References

  1. Privacy Protection Law 5741-1981 (Israel). Primary data protection statute. Enforced by the Privacy Protection Authority (Reshut HaGanat HaPratiyut).
  2. Privacy Protection Regulations (Data Security) 5777-2017. Establishes security obligations for databases classified by information sensitivity. Three security levels: basic, medium, high.
  3. European Commission adequacy decision for Israel under Directive 95/46/EC (2011), carried forward under GDPR Article 45. Maintained through periodic review including 2024-2026 cycle.
  4. Regulation (EU) 2024/1689 of the European Parliament and of the Council (EU AI Act), Articles 2, 11, 13, 25, and Annex III. Extraterritorial application provisions binding on Israeli providers placing AI on the EU market.
  5. Bank of Israel Supervisor of Banks Directive 355 and related guidance on model risk management in credit decisioning. Covers validation, documentation, explainability, and governance requirements for banks using AI in credit workflows.
  6. Capital Market, Insurance and Savings Authority. Circular on algorithmic underwriting and customer segmentation in insurance. Sets transparency and documentation expectations for AI use in insurance pricing and underwriting.
  7. Israel National AI Programme. Published by the National Economic Council in coordination with the Israel Innovation Authority and the Ministry of Innovation, Science, and Technology. Aligned with OECD AI Principles (2019, 2024 revision).
  8. OECD AI Principles, adopted May 2019, updated 2024. Israel as OECD member has committed to implementation of the Principles including accountability, transparency, safety, and human oversight. OECD AI Policy Observatory tracks national implementation.
  9. Israel National Cyber Directorate. Guidance on AI security risks: data poisoning, model extraction, adversarial inputs, and AI in critical infrastructure security. Addresses operators in sectors designated critical under national cyber protection legislation.
  10. Council of Europe Framework Convention on Artificial Intelligence (CETS No. 225), opened for signature September 2024. Israel has observer status at the Council of Europe. Ratification of the Convention would create binding AI governance obligations including human rights safeguards and transparency requirements.