What is AI regulation in Afghanistan?
AI regulation: countries and regions
Afghanistan has no dedicated artificial intelligence law, no national AI strategy and no AI regulator. It also has no general data protection law and no data protection authority. The de facto Taliban administration governs communications through the Ministry of Communications and Information Technology (MCIT) and the Afghanistan Telecom Regulatory Authority (ATRA) under the 2005 Telecommunications Services Regulation Law. In practice, technology is shaped by sharia-based decrees, censorship and internet shutdowns rather than any structured AI framework.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no specific AI rulebook in Afghanistan. Unlike the European Union, the United Kingdom or many of Afghanistan's neighbours, the country has not passed an AI statute, published an AI strategy, or named any body to oversee AI systems. There is also no general data protection law and no privacy regulator, which means the personal data that feeds AI systems is not governed by a dedicated framework.
What does exist is a telecommunications regime built before the AI era. The 2005 Telecommunications Services Regulation Law created ATRA, the telecom regulator, which sits within MCIT. That law covers licensing, spectrum, competition and some user confidentiality duties, but it says nothing about AI. A cybercrime chapter added to the 2017 Penal Code criminalised certain online conduct, and a 2014 National Cybersecurity Strategy and a draft ICT Law also pre-date the current administration.
The bigger complication is the August 2021 Taliban takeover. The de facto authorities suspended the 2004 Constitution and announced that Republic-era laws would be reviewed for compliance with their interpretation of sharia. The institutions and statutes still nominally exist and ATRA and MCIT still operate, but their legal status, enforcement and continuity are uncertain. Governance of technology now runs largely through leadership decrees and morality rules rather than codified, predictable regulation.
Why it matters
For founders, operators, advisers and buyers, the absence of an AI framework is not a green light; it is a risk. There is no statutory basis you can rely on for lawful data processing, no regulator to grant approvals or resolve disputes predictably, and no impact-assessment regime to demonstrate compliance. At the same time, the de facto authorities exercise broad, discretionary control over connectivity and content, including the power to order internet shutdowns and to demand access to communications. That combination, sweeping state power plus minimal legal protection for individuals, is precisely the environment in which AI-driven data collection, profiling or surveillance can cause serious harm with little recourse. Organisations weighing any deployment, donor programme or data transfer touching Afghanistan need to plan around legal uncertainty, sanctions exposure, human rights risk and the real possibility that services can be cut off without notice.
How it works
No dedicated AI law or regulator
Afghanistan has no AI statute, no AI bill in any visible legislative pipeline, no national AI strategy and no authority charged with supervising AI. International trackers reflect this: the UNIDIR AI Policy Portal entry for Afghanistan, last reviewed in August 2025, carries no national strategy, governance body or military-AI content, and Afghanistan does not appear among the countries engaging UNESCO's Readiness Assessment Methodology. AI therefore falls, by default, under general law and whatever decrees the de facto authorities issue.
The telecommunications framework
The closest thing to relevant regulation is the telecoms regime. The Telecommunications Services Regulation Law, published in the Official Gazette in 2005, created ATRA as the sector regulator operating within MCIT, with powers over licensing, spectrum, type approval of equipment, competition and tariffs. The law contains limited data clauses: Article 53 obliges operators and service providers to keep user information confidential and not to disclose it without consent or legal basis, while other provisions allow surveillance of traffic under a court order and require operators to give authorities access in national security or criminal matters. These are telecoms duties, not a general data protection regime, and they were drafted for the pre-AI internet.
Data protection: a gap, not a framework
Afghanistan has no comprehensive personal data protection law and no data protection authority. The 2004 Constitution protected confidentiality of correspondence and communications in Article 37, and sector rules in telecoms and banking touch on confidentiality, but there is no horizontal data protection statute comparable to UK GDPR. Human Rights Watch, in its 30 March 2022 report, stated plainly that "Afghanistan currently has no data protection law" and documented how that gap left sensitive biometric systems, built with donor support, exposed when the Taliban took control of them in 2021.
Cybercrime and content controls
A cybercrime chapter was incorporated into the Penal Code that took effect in 2018, criminalising acts such as unauthorised access, network disruption and certain online content. A National Cybersecurity Strategy was adopted in 2014. Under the de facto authorities, content and connectivity are increasingly governed by leadership decrees, including the Law on the Propagation of Virtue and Prevention of Vice, a 35-article code signed by supreme leader Hibatullah Akhundzada on 21 August 2024, which the Associated Press described as the first formal declaration of vice and virtue laws in Afghanistan since the takeover, and which regulates personal conduct and media. Connectivity is also governed by direct orders to restrict or shut down internet access.
Who the institutions are
MCIT is the communications ministry; ATRA is the telecom regulator within it; Afghan Telecom (Salaam) operates the state fibre backbone; and the Afghanistan National Data Center provides government hosting. All now operate under the de facto administration. None has a published AI mandate, and the broader legal order in which they sit is contested following the suspension of the 2004 Constitution.
Examples
Deploying an AI service that processes Afghan users' data
A company offering an AI-driven app to Afghan users will find no local data protection law to comply with and no regulator to register with, but also no legal protection if data is demanded by authorities or exposed. The telecoms law's confidentiality duties bind licensed operators, not foreign software providers, and surveillance powers and shutdown orders mean continuity and confidentiality cannot be assumed. Sensible practice is to apply external standards (for example a recognised data protection baseline and an AI impact assessment) as self-imposed controls.
Biometric and identity data already in country
Human Rights Watch reported in 2022 that donor-built digital identity and payroll systems, including the Afghan Automatic Biometric Identification System and the Afghan Personnel and Pay System, fell under Taliban control after August 2021, with no data protection law in place to constrain use. Those systems held, in HRW's words, "iris scans, fingerprints, photographs, occupation, home addresses, and names of relatives", and one former commander recounted the Taliban scanning his irises with a handheld biometric device during a 12-day detention. As senior HRW researcher Belkis Wille put it, "Governments and organizations that helped amass vast quantities of personal data on large numbers of Afghans may be inadvertently assisting the Taliban repression." This illustrates the practical stakes of the legal vacuum for any data-intensive or AI-enabled system: governance failures, not the technology alone, drive the harm.
Connectivity risk during shutdowns
From 16 September 2025, beginning in Balkh, the de facto authorities banned fibre-optic internet in as many as 15 provinces citing morality concerns, escalating to a roughly 48-hour nationwide blackout from 29 September to 1 October that the monitoring group NetBlocks described as a "total internet blackout" in a nation of 43 million, with connectivity dropping to around one percent of normal. As CNN reported, "Banking services froze, businesses ground to a halt, flights to and from major airports were canceled, money markets failed" before access was restored. Any cloud-hosted or AI service depending on Afghan connectivity must treat abrupt, unexplained shutdowns as a live operational risk.
Common misunderstandings
"Afghanistan must have some AI rules by now." It does not. There is no AI law, strategy or regulator, and no AI bill visibly in progress.
"No AI law means anything goes." The opposite is closer to the truth: broad state powers over connectivity and communications coexist with very weak legal protection for individuals and businesses, so risk is high rather than low.
"At least the data protection law protects users." There is no general data protection law and no data protection authority. Only narrow sector clauses and constitutional language exist, and the constitutional position is itself uncertain.
"The pre-2021 laws clearly still apply." The de facto authorities suspended the 2004 Constitution and said Republic-era laws would be reviewed for sharia compliance. Many instruments nominally survive, but their status, enforcement and continuity are unclear.
"ATRA is an AI or data regulator." ATRA is the telecom regulator. It licenses operators and manages spectrum; it has no AI mandate and is not a data protection authority.
Risks and boundaries
This article describes the governance situation, not a settled legal code, and it is not legal advice. Several points are uncertain and could change. The legal status of pre-2021 statutes is contested: the 2004 Constitution was suspended and Republic-era laws are subject to sharia-compliance review, so even where a law remains on paper its enforceability is unclear. There is no AI-specific regime to describe, so the analysis rests on telecoms, cybercrime and constitutional fragments plus de facto decrees. Information from inside the country is limited, official publication is irregular, and decrees can be issued or applied unpredictably. Sanctions and non-recognition of the de facto administration add further legal and practical constraints for foreign organisations. Readers should verify current status before acting and should not assume that the existence of an institution such as ATRA implies functioning, predictable regulation of AI or data.
What to do next
Treat Afghanistan as a no-framework, high-risk environment and govern by your own standards rather than relying on local law. Apply a recognised data protection baseline and a documented AI impact assessment to any system touching Afghan data, on the assumption that no local regime will protect data subjects or your organisation. Map human rights risk explicitly, especially for biometric, location, identity or profiling data that could expose vulnerable people if accessed by authorities. Build for disruption: assume internet and telecom shutdowns can happen without notice, and design continuity, data minimisation and offline fallbacks accordingly. Check sanctions and counterparty exposure before engaging MCIT, ATRA or state-owned operators. Finally, monitor primary sources (MCIT, ATRA, UN bodies) for any move toward a formal data or AI framework, and revisit your position if one emerges.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Afghanistan have an AI law?
No. There is no dedicated AI statute, no national AI strategy and no AI regulator.
Is there a data protection law in Afghanistan?
No. There is no comprehensive personal data protection law and no data protection authority; only narrow sector clauses and constitutional language exist.
Who regulates communications and technology?
The Ministry of Communications and Information Technology (MCIT) and, within it, the Afghanistan Telecom Regulatory Authority (ATRA), under the 2005 Telecommunications Services Regulation Law.
Do pre-2021 laws still apply under the Taliban?
It is uncertain. The de facto authorities suspended the 2004 Constitution and said Republic-era laws would be reviewed for sharia compliance, so the status of many instruments is unclear.
Has Afghanistan engaged with international AI governance?
There is no evidence of substantive engagement. Afghanistan is not listed among UNESCO Readiness Assessment Methodology countries, and the UNIDIR AI Policy Portal entry is effectively empty.
Can the government shut down the internet?
Yes. In September 2025 the de facto authorities cut fibre-optic internet and imposed a roughly 48-hour blackout that NetBlocks described as a total internet blackout in a nation of 43 million, with connectivity dropping to about one percent of normal, citing morality concerns.
Is there any rule on personal data in the telecoms law?
Yes, but it is limited. The 2005 law requires operators to keep user information confidential, while also allowing court-ordered surveillance and state access in security or criminal matters.
Should organisations rely on local law for AI compliance?
No. With no AI or data framework, organisations should apply their own external standards, including data protection baselines and AI impact assessments.