AI regulation is no longer a future concern. Multiple major regulatory frameworks are in force or actively taking effect in 2026, and businesses operating across borders must manage compliance in several jurisdictions simultaneously.
The global AI regulatory landscape
AI regulation has moved from a handful of sector-specific rules to a broader set of AI-specific frameworks in a short time. The EU AI Act set a precedent for comprehensive AI regulation. Other jurisdictions are developing their own approaches, and the variation between them creates compliance complexity for international operations.
The common thread across most frameworks is a focus on high-stakes AI use: AI that influences decisions about individuals in sensitive domains like employment, credit, healthcare, and law enforcement. If your AI use touches these domains, you are likely within scope of multiple regulatory frameworks.
EU AI Act
The EU AI Act is the most comprehensive AI regulation currently in force. It applies to any organization deploying AI that affects EU residents, regardless of where the organization is based.
The Act’s high-risk category covers AI in employment, credit, education, critical infrastructure, and several other domains. High-risk systems require risk management documentation, technical documentation, automatic logging, human oversight, and conformity assessment before deployment.
Prohibited AI categories, including most real-time public biometric surveillance and social scoring, have been in effect since February 2026. High-risk system requirements fully apply in 2026.
For a full breakdown, see EU AI Act explained.
US AI regulation
The United States does not have a single federal AI law equivalent to the EU AI Act. Instead, US AI regulation operates through a combination of executive actions, sector-specific regulations, and an expanding set of state laws.
Federal level. The Biden Executive Order on AI (October 2023) required federal agencies to develop AI governance standards and sector-specific guidance. The subsequent Trump administration took a different approach, emphasizing AI innovation over regulation, but sector regulators have continued developing AI-specific rules.
Key sector regulators. The CFPB has issued guidance on AI in consumer finance. The EEOC has clarified that existing employment discrimination law applies to AI hiring tools. The FTC has taken enforcement action on AI-related deception. The FDA has frameworks for AI in medical devices.
State laws. Colorado’s AI Act, Illinois’ AI Video Interview Act, New York City’s Local Law 144 on automated employment decisions, and similar state and local laws create jurisdiction-specific requirements. For companies operating nationally, the patchwork of state laws requires a state-by-state compliance review.
UK AI governance approach
The UK has chosen a sector-based approach to AI governance rather than a single AI law. Existing regulators (the FCA, ICO, CMA, and others) have issued AI guidance for their respective domains.
The ICO has published detailed guidance on AI and data protection under UK GDPR. The FCA has issued guidance on AI in financial services, including model risk management and consumer duty implications.
The UK government has signaled interest in a more principles-based approach than the EU, which creates some divergence from EU AI Act requirements. Companies operating in both the UK and EU must track the requirements of both regimes.
China AI regulations
China has been active in AI-specific regulation, with a different emphasis than Western frameworks. Chinese AI regulations focus on algorithmic recommendations, deep synthesis (deepfakes), and generative AI.
Algorithmic Recommendation Provisions (2022). Require labeling of algorithmically recommended content, prohibit algorithmic practices that exploit users, and require providers to offer algorithm-free options.
Deep Synthesis Provisions (2023). Require labeling of AI-generated content, consent for biometric deep synthesis, and registration of providers.
Generative AI Provisions (2023). Apply to providers of generative AI products to Chinese users. Require content safety assessments and training data documentation, and prohibit generating content in prohibited categories.
For businesses with Chinese operations or users, these regulations require specific compliance programs beyond what the EU AI Act requires.
Key cross-border considerations
Operating AI programs across multiple jurisdictions requires managing several cross-cutting issues.
Data localization. Some jurisdictions require that personal data processed by AI systems remain within national borders. China has strong data localization requirements. Russia, India, and others have similar provisions. Data localization requirements can conflict with centralized AI infrastructure.
Conflicting requirements. The EU AI Act and other jurisdictions’ requirements do not always align. An AI system that meets EU transparency requirements may not meet China’s content labeling requirements, and vice versa.
Third-party liability. Different jurisdictions allocate liability differently between AI providers and deployers. Understanding where liability sits in each jurisdiction is important for vendor contract design.
Regulatory coordination. International regulatory bodies are beginning to coordinate on AI. The G7 Hiroshima AI process and OECD AI Policy Observatory produce frameworks that are increasingly referenced in national regulations. Following these bodies helps anticipate where regulations are heading.
Building a global compliance approach
For businesses operating across multiple jurisdictions, a jurisdiction-by-jurisdiction compliance program quickly becomes unmanageable. A global compliance architecture is more sustainable.
Start with the strictest requirements. Designing to EU AI Act standards for high-risk AI produces a compliance baseline that meets or exceeds most other jurisdictions’ requirements. It is easier to apply additional jurisdiction-specific requirements to a strong base than to retrofit.
Build jurisdiction-awareness into your AI inventory. When documenting AI systems, record which jurisdictions they operate in and which regulations apply. This enables you to efficiently identify which systems require additional compliance work for each jurisdiction.
Assign jurisdictional compliance owners. For each major jurisdiction where you operate, assign a compliance owner who tracks regulatory developments and maintains the jurisdiction-specific compliance program.
Monitor regulatory change. AI regulation is still developing rapidly. Quarterly reviews of regulatory developments in each key jurisdiction are a minimum for organizations with significant AI use across borders.
For a broader AI governance program that accommodates these regulatory requirements, see AI governance and ethics guide.
Frequently asked questions
Which AI regulation is hardest to comply with?
The EU AI Act is currently the most detailed and demanding AI regulation for businesses. Its high-risk system requirements, including conformity assessments, technical documentation, and human oversight mandates, require more structured compliance programs than any other major jurisdiction. Meeting EU AI Act requirements typically produces a baseline that satisfies less detailed requirements in other jurisdictions.
Do US companies need to comply with the EU AI Act?
Yes, if they deploy AI systems that affect EU residents. The Act applies extraterritorially based on where the AI’s effects are felt, not where the company is incorporated. A US company offering services to EU customers using AI is within scope.
How do we manage compliance when regulations are still developing?
Build your compliance program on principles rather than only specific rules. The core requirements (document your AI systems, assess their risks, implement oversight, monitor their performance) appear in every major AI regulatory framework. A governance program built on these fundamentals is more resilient to regulatory change than one built only to check specific current requirements.
Is your international AI program compliant across jurisdictions?
Multi-jurisdictional AI compliance is a real operational challenge. Most organizations do not yet have the inventory, classification, and jurisdiction-specific tracking they need.
Path one: audit your AI regulatory exposure. An AI audit maps your AI systems to applicable regulations across your operating jurisdictions and identifies compliance gaps.
Path two: work with Phos AI Labs. If you want expert help building a global AI compliance program, Phos AI Labs is a CCA-F certified Claude implementation partner. Thirty minutes, no deck.