Key takeaways
- The United States has no comprehensive federal artificial intelligence statute in 2026. A December 2025 executive order asserts federal preemption over state laws that compel AI models to alter truthful outputs, and Colorado’s flagship SB 24-205 was stayed by a federal magistrate in April 2026.
- The EU AI Act becomes the global reference point on 2 August 2026, when high-risk obligations and Commission fines take effect.
- Three roles, not three flags, decide what you must do: provider, deployer, and general-purpose AI provider. The same role carries similar duties whether you ship into the EU, Korea, or Brazil.
- ISO/IEC 42001 and the NIST AI Risk Management Framework form the operational denominator that satisfies most jurisdictions in one motion.
- AI Sigil maps this entire compliance map to operational controls, evidence, and an AI inventory so that the move from regulation text to audit-ready proof becomes a workflow, not a research project.
The legal map of AI in 2026
The global picture today is binary. On one side, comprehensive risk-based regimes structure AI obligations around how a system is used: the EU AI Act, Korea’s AI Basic Act effective 22 January 2026, and Brazil’s PL 2338/2023 draft. On the other side, a sectoral and state-level patchwork relies on existing consumer protection, civil rights, and financial regulation to cover AI risks: the United States, the United Kingdom, and Canada at the federal level.
The practical effect is that companies shipping AI into more than one market need a single internal compliance model that can plug into either type of regime. Geography no longer drives the substance of what you have to do. The role you play in the AI value chain does.
This is also why the December 2025 White House executive order on national AI policy matters. It signals that the United States will resist a fragmented state-by-state regime and will lean on sectoral federal agencies, principally the FTC, EEOC, CFPB, and HHS. The order directs the executive branch to identify state laws that compel models to alter truthful outputs and to challenge them as obstacles to federal interests.
The EU AI Act: the global benchmark
The EU AI Act entered into force on 1 August 2024 and applies through staggered effective dates. Its structure rests on four risk tiers and a parallel regime for general-purpose AI models.
Risk tiers
Prohibited practices, listed in Article 5, ban manipulative or exploitative AI, social scoring by public authorities, untargeted scraping of facial images for recognition databases, emotion inference in workplaces and schools, and most real-time remote biometric identification in public spaces. These bans have applied since 2 February 2025.
High-risk AI systems are listed in Annex III and cover, among others, biometric identification, critical infrastructure, education and vocational training scoring, employment selection and management, access to essential services, law enforcement, migration, and the administration of justice and democratic processes. High-risk obligations apply from 2 August 2026.
Limited-risk systems trigger transparency duties under Article 50: a user must know that they are interacting with an AI system, and synthetic content must carry machine-readable marks. The grace period for synthetic content labelling ends on 2 December 2026.
General-purpose AI models, whether or not they are placed on the EU market, face documentation and copyright transparency duties from 2 August 2025. Models classified as presenting systemic risk face additional evaluation, red-teaming, and serious incident reporting duties.
Provider and deployer obligations in practice
A provider of a high-risk AI system in the EU must operate a risk management process, maintain technical documentation aligned with Annex IV, ensure data quality and governance, design for transparency and human oversight, run a conformity assessment, register the system in the EU database where required, and operate post-market monitoring. A deployer must ensure human oversight in operation, follow the provider’s instructions for use, run a fundamental rights impact assessment where required by Article 27, and log automated operations.
The Council and Parliament agreed on a simplification package on 7 May 2026, focused on reducing duplication with sectoral product safety law and clarifying GPAI documentation. The risk-based structure, the August 2026 dates, and the role categories remain unchanged.
Penalties
Maximum administrative fines reach EUR 35 million or 7 percent of global annual turnover, whichever is higher, for prohibited practices. Other violations carry up to EUR 15 million or 3 percent of turnover. Misleading information to authorities carries up to EUR 7.5 million or 1 percent. The Commission’s enforcement powers over GPAI providers take effect on 2 August 2026.
The United States: federal preemption meets sectoral enforcement
No comprehensive federal AI statute exists in 2026. The Congressional Research Service describes the federal landscape as a layered set of executive orders, agency rulemaking, and sectoral statutes.
Federal action
Executive Order 14110, signed in 2023, was revoked in early 2025. The December 2025 executive order on a national policy framework replaced it. It instructs the Attorney General to evaluate state AI laws that interfere with federal interests, with particular concern for laws that compel models to alter truthful outputs. The order is the immediate cause of the federal magistrate’s stay of Colorado SB 24-205 on 27 April 2026.
Federal enforcement runs through general-purpose authorities. The Federal Trade Commission uses Section 5 of the FTC Act to act on unfair or deceptive AI practices. The Equal Employment Opportunity Commission applies Title VII and the Americans with Disabilities Act to AI-driven employment decisions. The Consumer Financial Protection Bureau supervises AI used in credit and underwriting. Health and Human Services applies HIPAA and Section 1557 to clinical decision support.
State and city laws
State activity peaked in 2024 and 2025 and has since slowed under federal pressure. The most cited measures include:
- Colorado SB 24-205, the first comprehensive US state AI law. It was set to take effect on 1 February 2026, then postponed to 30 June 2026 by SB 25B-004, then stayed by a federal magistrate on 27 April 2026. The Colorado legislature passed a replacement, SB 189, on 7 to 9 May 2026.
- New York City Local Law 144, which requires annual bias audits and candidate notice for automated employment decision tools.
- Illinois Artificial Intelligence Video Interview Act, which requires consent for AI analysis of interviews.
- California SB 53, which mandates developer disclosure of large AI models.
- Tennessee ELVIS Act, which protects voice and likeness against AI cloning.
- Utah Artificial Intelligence Policy Act, which adds disclosure duties for generative AI in regulated professions.
State laws survive in narrower domains: bias audits, deepfake disclosure, and protections for voice and likeness. Comprehensive state regimes face the harder federal headwind.
The rest of the world: comparable but not identical
A short tour confirms how role-based duties travel.
The United Kingdom runs a principles-based regime. There is no AI Act. Existing regulators, the Competition and Markets Authority, the Financial Conduct Authority, the Information Commissioner’s Office, and Ofcom, apply five common principles to AI in their sectors. The ICO has the strongest enforcement teeth, with fines up to GBP 17.5 million or 4 percent of global turnover under the UK GDPR.
China has the densest stack of AI-specific rules. The Algorithm Recommendation Management Rules (2022), the Deep Synthesis Provisions (2023), and the Interim Measures for the Management of Generative AI Services (2023) cover labelling, filing, and content moderation duties. Providers must file algorithms with the Cyberspace Administration of China and apply real-name identity verification.
Japan moved from a soft-law AI Strategy to a statutory AI Promotion Act in 2025. The regime emphasises innovation and voluntary compliance with the Ministry of Economy, Trade and Industry guidelines. Hard duties focus on transparency for generative AI and on government procurement.
Brazil is debating PL 2338/2023, a risk-based bill that mirrors the EU structure with adapted thresholds. The bill is expected to pass in 2026 with a transition period.
Korea enacted the AI Basic Act, which became the first comprehensive AI law in Asia when it took effect on 22 January 2026. It introduces a high-impact AI category broadly aligned with EU high-risk and requires risk management, transparency, and impact assessment.
Canada has paused federal action: the Artificial Intelligence and Data Act bundled in Bill C-27 died with parliamentary prorogation. Quebec’s Law 25 continues to govern automated decisions that significantly affect individuals.
Obligation map: provider vs deployer vs GPAI provider
The deepest practical insight from a multi-jurisdiction read is that obligations cluster by role.
Providers of AI systems carry the heaviest documentation load. Across the EU AI Act, the Korean AI Basic Act, and the spirit of US sectoral enforcement, providers must:
- Operate a risk management process across the system lifecycle.
- Maintain technical documentation that traces design choices, training data governance, evaluation results, and known limits.
- Apply data governance, including provenance, representativity, and bias controls.
- Build for transparency to deployers, with instructions for use, intended purpose, and known constraints.
- Run a conformity or impact assessment before placing the system on the market.
- Operate post-market monitoring and report serious incidents to regulators.
Deployers carry the operational duties:
- Use the system only within the intended purpose set by the provider.
- Maintain human oversight proportionate to risk.
- Run a fundamental rights impact assessment where required, for example under Article 27 of the EU AI Act for public bodies and certain private deployers of high-risk systems.
- Log automated outputs to enable audit and incident response.
- Inform affected individuals when AI is materially involved in a decision about them, where local law requires it.
General-purpose AI providers sit on top of both:
- Document model design, training data overview, and copyright posture.
- Support downstream providers with model cards and capability summaries.
- For models with systemic risk, run model evaluations, red-teaming, cybersecurity assessments, and serious incident reporting.
A company can be more than one role at once. A SaaS vendor that fine-tunes an open model and embeds it in a hiring tool is provider, deployer, and downstream GPAI integrator at the same time. Each duty applies in its own column.
Penalties side by side
Quantifying exposure clarifies prioritisation:
- EU AI Act: up to EUR 35 million or 7 percent of global annual turnover for prohibited practices; up to EUR 15 million or 3 percent for high-risk and GPAI violations; up to EUR 7.5 million or 1 percent for misleading information to authorities.
- United States, federal sectoral: FTC consumer protection penalties scale with the number of violations and may be combined with disgorgement; EEOC remedies include back pay, reinstatement, and compensatory damages; CFPB consent orders frequently exceed USD 10 million in financial services.
- United Kingdom, ICO: up to GBP 17.5 million or 4 percent of global annual turnover.
- China, CAC: orders to cease, public censure, fines proportional to revenue, and personal liability for legal representatives.
- Korea, AI Basic Act: fines up to KRW 30 million for procedural breaches and proportional fines for material breaches, with reputational sanctions through a public register.
Numbers vary, but operational cost dominates the picture: every regime forces the same evidence stack, and the company that can produce that stack on demand wins audits everywhere.
Why ISO/IEC 42001 and NIST AI RMF are the operational denominators
The convergence between regimes is not accidental. Regulators on both sides of the Atlantic referenced the same technical literature when they drafted their rules, and that literature crystallised into two standards.
ISO/IEC 42001:2023 specifies an AI management system, structurally identical to ISO 27001 for information security and ISO 9001 for quality. An organisation that runs an AIMS to ISO/IEC 42001 already has an AI policy, a defined scope, a risk and impact assessment process, a control catalogue with Annex A, a supplier oversight regime, and an internal audit cycle. Independent analysis estimates that this covers approximately 70 percent of EU AI Act high-risk system documentation duties.
The NIST AI Risk Management Framework version 1.0, released in January 2023, organises AI trustworthiness around four functions: Govern, Map, Measure, Manage. The July 2024 Generative AI Profile (NIST AI 600-1) layers 12 generative AI risk categories on top of the core framework, with more than 400 specific mitigation actions. Korean and Singaporean regulators cite the NIST AI RMF in their own guidance. US sectoral regulators look to it as a reasonable practice benchmark.
Two upcoming European harmonised standards complete the picture. CEN-CENELEC prEN 18228 covers AI risk management, and prEN 18282 covers AI cybersecurity. Once published, they will give EU high-risk providers a presumption of conformity with the corresponding EU AI Act articles.
The operational consequence is that an organisation running a serious ISO/IEC 42001 AIMS, mapped to the NIST AI RMF functions, with controls evidenced inside a single AI inventory, has done 80 percent of the work it needs to comply across the EU, the US sectoral regime, Korea, the UK, and the Brazilian and Japanese frameworks under preparation. The remaining 20 percent is jurisdiction-specific documentation, registration, and reporting.
2026 compliance checklist for AI providers and deployers
By 2 August 2026, any AI system placed on the EU market or that affects users in the EU must meet the high-risk regime, if it falls within Annex III, and the GPAI regime, if it qualifies. The following is the minimum motion to ship on time:
- Inventory. Build a single AI inventory that lists every AI system, every model variant, every deployment context, and every dataset. The inventory is the spine of every audit you will face from now on.
- Classify. For each inventory entry, decide the role you play (provider, deployer, GPAI provider, importer, distributor) and the risk tier under the EU AI Act (prohibited, high-risk, limited-risk, minimal-risk, GPAI, GPAI with systemic risk). Repeat the classification under the Korean AI Basic Act and any US state law that applies.
- Document. For every high-risk and GPAI entry, produce a technical documentation pack aligned with Annex IV. Reuse ISO/IEC 42001 Annex A controls as the spine, and complete the EU-specific sections (intended purpose, accuracy metrics, foreseeable misuse).
- Assess. Run a fundamental rights impact assessment for high-risk systems used in Article 27 contexts. Reuse the assessment for NYC Local Law 144 bias audits, Colorado-style algorithmic discrimination duties, and Korean impact assessments.
- Conform. Complete the conformity assessment route applicable to each high-risk system. For Annex III systems, that is the internal control route in most cases; for biometric identification and certain critical infrastructure systems, a notified body is required.
- Register. Register each high-risk system that requires it in the EU database. Register deployers in the public authority sub-database where applicable.
- Train. Train staff to the AI literacy standard required by Article 4 of the EU AI Act, which has applied since 2 February 2025. Train deployers in the provider’s instructions for use.
- Label. Implement machine-readable marks on synthetic content by 2 December 2026, the end of the Article 50 grace period.
- Monitor. Operate post-market monitoring on every high-risk system in the field. Wire serious incident reporting to a single intake.
- Audit. Set the internal audit cycle so that every AIMS control is sampled at least once per year and that internal audit findings drive management review.
Most of these steps are the same in Seoul, Brasilia, and Brussels. The differences sit in the registration databases, the wording of the impact assessment template, and the language of the user-facing labels.
FAQ
Is there an AI law in the United States in 2026?
There is no comprehensive federal statute. AI is regulated through the FTC, EEOC, CFPB, HHS, and other sectoral agencies, and through a shrinking patchwork of state laws. The December 2025 federal executive order on national AI policy asserts preemption over state laws that compel models to alter truthful outputs and has already triggered a stay of Colorado SB 24-205.
What is the strictest AI law in 2026?
The EU AI Act carries the highest administrative fines, up to 7 percent of global annual turnover for prohibited practices, and applies extraterritorially when AI affects people in the EU. Korea’s AI Basic Act is structurally similar but with lower numerical fines. China’s regime is the most prescriptive on content but limits cross-border reach.
Which AI law applies if I build a model in the United States and sell it in the EU?
Both. The EU AI Act applies extraterritorially under Article 2(1)(c) when output of the system is used in the EU. You become a provider in the EU regardless of where you developed the model. US sectoral law applies in parallel because of your US activity.
When does the EU AI Act start fining companies?
Fines for prohibited practices have been available since 2 August 2025. The Commission’s enforcement powers over GPAI providers take effect on 2 August 2026. High-risk system enforcement also starts on 2 August 2026.
Do small businesses have to comply with the EU AI Act?
Yes, if they place a high-risk system on the EU market or operate one. The Act includes proportionality provisions and exemptions for free and open-source AI components that are not high-risk, but it does not exempt small businesses from high-risk duties. The May 2026 simplification package adds further proportionality measures.
What is the difference between a provider and a deployer of AI?
A provider develops or has developed an AI system and places it on the market under its own name. A deployer operates an AI system in a professional context. The same company can be both, in which case both sets of duties apply.
Does ISO/IEC 42001 certification make me EU AI Act compliant?
No, but it gets you most of the way. ISO/IEC 42001 covers around 70 percent of high-risk documentation requirements. Conformity assessment under the EU AI Act, EU database registration, and the Article 50 transparency obligations remain specific tasks. The future harmonised standards prEN 18228 and prEN 18282 will close more of the gap.
Conclusion
Reading AI laws in 2026 country by country is a losing game. The same duties travel across jurisdictions and cluster around three roles. The companies that win audits this year are the ones that built one AI inventory, one risk and impact assessment process, one set of controls, and one library of evidence, then mapped the EU AI Act, US sectoral enforcement, the Korean AI Basic Act, Chinese rules, and UK principles onto that single spine.
AI Sigil operates exactly on that spine. The platform turns regulation text into AI inventory entries, role classification, controls, evidence, audit trails, and one-click documentation packs that pass conformity assessments. If the next twelve months will be measured by what you can show on an audit day, the time to make AI compliance a workflow, not a research project, is now.