What is AI regulation in Andorra?
AI regulation: countries and regions
Andorra has no dedicated, binding artificial intelligence law and no AI-specific regulator. AI is governed indirectly through the Andorran data protection law (Llei 29/2021, as amended by Llei 12/2024), enforced by the Agencia Andorrana de Proteccio de Dades (APDA), plus a voluntary national AI ethics code adopted in 2024. As a Council of Europe member, Andorra signed the 2024 Framework Convention on AI, and as an EU-adequate non-member it tracks European standards.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
If you are looking for an Andorran equivalent of the EU AI Act, there is not one. The Principality of Andorra, a small European microstate between France and Spain, has not enacted a statute that classifies AI systems by risk, imposes conformity assessments or creates an AI market surveillance authority. What exists instead is a combination of data protection law, soft policy and international commitments.
The practical backbone is data protection. The Llei 29/2021 qualificada de proteccio de dades personals (often abbreviated LQPD), in force since May 2022 and amended by Llei 12/2024, is closely modelled on the EU General Data Protection Regulation. It is enforced by an independent supervisory authority, the APDA. Because most consequential AI involves processing personal data, this law already reaches profiling, automated decision-making and large-scale data analysis.
On top of that, the Govern d'Andorra adopted a voluntary Andorran Code of Ethics for Artificial Intelligence in 2024, sits within the Council of Europe treaty framework, and is negotiating closer ties with the European Union. So the honest answer is that Andorra governs AI through adjacent law and policy, not through a bespoke AI statute, and treats an ethics code as a first step toward possible future regulation.
Why it matters
For founders, operators and governance leads, the absence of a dedicated AI statute does not mean the absence of rules. If your AI processes personal data of people in Andorra, or uses processing means located in Andorran territory, the LQPD applies, complete with duties around lawful basis, transparency, data protection impact assessments, breach notification and meaningful limits on solely automated decisions. The APDA can investigate and sanction.
Two further pressures matter. First, Andorra holds an EU adequacy decision, so personal data flows freely from the European Economic Area; preserving that status keeps Andorran law converging with EU standards, which over time will include AI-adjacent rules. Second, the EU AI Act (Regulation (EU) 2024/1689, in force since 1 August 2024) can reach Andorran organisations extraterritorially when the output of their AI system is used inside the Union. So an Andorra-based provider selling into the EU may face the AI Act even though Andorra itself has not legislated. Planning to the higher European bar is the safer commercial posture.
How it works
No dedicated AI statute, but real adjacent law
There is no Andorran AI act, no statutory risk tiers and no AI conformity regime. The governing instruments are the data protection law and a voluntary ethics code. This is the single most important fact for any reader: build your compliance on data protection law and European standards, not on an Andorran AI statute that does not exist.
The data protection law (LQPD) and the APDA
The Llei 29/2021, qualificada de proteccio de dades personals replaced the earlier Llei 15/2003 and entered into force in May 2022. It was amended by Llei 12/2024, del 15 de juliol, qualificada de modificacio de la Llei 29/2021, which reorganised the supervisory authority. The law is built on GDPR-style concepts: controllers and processors, lawful basis, data minimisation, protection by design and by default, the data protection officer, records of processing, a 72 hour breach notification duty, codes of conduct and rules on international transfers. It expressly addresses data protection impact assessments where processing, especially using new technologies, is likely to result in a high risk to rights and freedoms, and it regulates solely automated individual decisions. These hooks are how Andorran law touches AI today.
The APDA is the independent supervisory authority. It predates the current law and operates as a public body with its own legal personality, independent of the administration, with powers of inspection, investigation, resolution and sanction. It has publicly flagged AI-related processing, for example automated chat systems used by political parties, as falling within its remit.
The voluntary AI ethics code
In 2024 the Govern d'Andorra approved the Andorran Code of Ethics for Artificial Intelligence. It is a guidance document, not binding law, although the government has indicated adherence is required for certain public-sector processes and voluntary for everyone else. It promotes trustworthy and human-centred AI, a Human Rights by Design approach, transparency, oversight, non-discrimination and data protection, and it sits within Andorra's Digital Transformation Programme. It explicitly aligns itself with UNESCO, the United Nations, the OECD, the Council of Europe and the EU AI Act, and it describes itself as a basis for Andorra's possible future AI regulation.
Digital institutions: strategy, not enforcement
Andorra has built digital governance bodies, but none is a binding AI regulator. The Agencia d'Intelligencia de la Dada (Data Intelligence Agency), created by Decret 327/2024, del 21 d'agost del 2024, de govern de dades i de creacio de l'Agencia d'Intel.ligencia de la Dada (published in the Butlleti Oficial del Principat d'Andorra on 28 August 2024), deploys the national data and AI governance strategy and is tasked with promoting ethical AI. But it was created by executive decree rather than by qualified law and has no statutory power to license, conduct AI market surveillance or sanction AI systems; it must work in alignment with, and jointly with, the APDA, which remains the only data authority with enforcement powers. Related bodies include the national cybersecurity agency (Agencia Nacional de Ciberseguretat del Principat d'Andorra, ANC-AD, created by Decret 346/2021) and the public company Andorra Digital, SA, constituted by Llei 19/2025, del 13 de novembre, de creacio de la societat publica Andorra Digital, SA.
Council of Europe commitments
Andorra is a Council of Europe member, and this is where its most concrete AI-specific commitment sits. When the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225) opened for signature in Vilnius on 5 September 2024, it was signed that day by Andorra, Georgia, Iceland, Norway, the Republic of Moldova, San Marino, the United Kingdom, Israel, the United States of America and the European Union. The convention is technology-neutral and risk-based, covering the AI lifecycle. Signature is not the same as binding domestic effect: the convention enters into force only after at least five signatories, including at least three Council of Europe member states, have ratified it, and a signatory must still implement it domestically. Andorra has also ratified the modernised data protection Convention 108+, depositing its instrument on 18 October 2022.
Relationship to the EU and the EU AI Act
Andorra is not an EU member. It has a customs union and a monetary agreement using the euro, and it concluded negotiations on an EU association agreement in December 2023; the European Commission proposed it to the Council in April 2024. The process is unfinished and politically conditional, including an Andorran referendum. The EU AI Act therefore does not apply in Andorra of its own force. However, its extraterritorial scope can catch Andorran providers and deployers when the output of their AI system is used in the Union. Separately, Andorra has held an EU data protection adequacy decision since 2010, reaffirmed in the European Commission's January 2024 review of pre-GDPR adequacy decisions.
Examples
An Andorran bank deploys an AI credit-scoring or fraud-detection tool. There is no AI act to comply with, but the LQPD applies in full: the bank needs a lawful basis, transparency to customers, a data protection impact assessment given the high-risk profiling, and safeguards around solely automated decisions, all overseen by the APDA.
An Andorran software company sells an AI product to customers in France and Spain. Andorra has no AI statute, yet because the output of the AI system is used inside the EU, the EU AI Act can apply extraterritorially, and the company may need an EU authorised representative for high-risk systems. The pragmatic course is to design to EU AI Act requirements from the start.
A government department adopts an AI assistant to draft administrative documents. Here the Andorran Code of Ethics for Artificial Intelligence bites hardest, because adherence is expected for public-sector use, alongside LQPD duties on any personal data processed and the human oversight and transparency principles the code promotes.
Common misunderstandings
"Andorra has its own AI Act." It does not. There is no dedicated, binding AI statute and no AI-specific regulator.
"Andorra is in the EU, so the EU AI Act applies directly." Andorra is not an EU member. The AI Act does not apply of its own force, though it can reach Andorran actors when AI output is used in the EU.
"The ethics code is law." The Andorran Code of Ethics for Artificial Intelligence is guidance. The government treats adherence as required for certain public-sector processes and voluntary otherwise.
"The Data Intelligence Agency regulates AI." It deploys data and AI governance strategy and promotes ethical AI, but it was created by decree and has no statutory enforcement power over AI. The APDA is the authority with sanctioning powers, and its remit is data protection.
"Signing the Council of Europe AI Convention means it is already binding in Andorra." Signature is a commitment, not immediate domestic enforcement. The convention must reach the required ratifications and be implemented domestically.
Risks and boundaries
This article describes the legal architecture, not legal advice. The central boundary is that Andorra has no bespoke AI law, so anyone expecting one will misjudge their obligations. The real duties today flow from data protection law, the voluntary ethics code for public bodies, and European reach via the EU AI Act's extraterritorial scope and the EU adequacy relationship.
Several things are pending or uncertain and could change the picture. The EU association agreement is not concluded and is subject to ratification and an Andorran referendum; its eventual content could pull more EU digital rules into Andorran law. The Council of Europe Framework Convention on AI is signed by Andorra but its domestic implementation and entry into force depend on ratifications. The ethics code itself signals that binding AI regulation may follow. Treat any claim of a finished Andorran AI statute, an AI regulator with enforcement powers, or automatic EU AI Act application as incorrect on the current evidence.
What to do next
Start from data protection, not from a hypothetical AI act. Map where your AI processes personal data, confirm lawful basis and transparency, and run a data protection impact assessment for high-risk uses such as profiling or large-scale monitoring, in line with the LQPD and APDA guidance.
If you sell into or serve the EU, design to the EU AI Act now, because its extraterritorial scope can apply when your AI output is used in the Union. Protecting Andorra's EU adequacy status is also a reason to keep practices European-grade.
For public-sector and public-facing work, align with the Andorran Code of Ethics for Artificial Intelligence: document human oversight, transparency and non-discrimination. Watch three triggers that would change your plan: conclusion and ratification of the EU association agreement, ratification and domestic implementation of the Council of Europe AI Convention, and any move from ethics code to binding Andorran AI law.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Andorra have an AI law?
No. Andorra has no dedicated, binding AI statute and no AI-specific regulator. AI is governed indirectly through data protection law and a voluntary ethics code.
Who regulates AI-related data processing in Andorra?
The Agencia Andorrana de Proteccio de Dades (APDA), the independent data protection authority, which enforces the Llei 29/2021 and can investigate and sanction.
Does the EU AI Act apply in Andorra?
Not directly, because Andorra is not an EU member. But it can apply extraterritorially to Andorran providers and deployers when the output of their AI system is used in the EU.
Has Andorra signed the Council of Europe AI Convention?
Yes. Andorra was one of the first ten states to sign the Framework Convention on Artificial Intelligence when it opened in Vilnius on 5 September 2024. Signature is a commitment, not immediate domestic enforcement.
Is the Andorran AI ethics code mandatory?
It is voluntary in general. The government has indicated adherence is required for certain public-sector processes and voluntary for other actors.
Can I transfer personal data from the EU to Andorra freely?
Yes. Andorra has held an EU adequacy decision since 2010, reaffirmed in the European Commission's January 2024 review, so data can flow from the EEA without additional safeguards.
What is the Data Intelligence Agency?
The Agencia d'Intelligencia de la Dada, created by Decret 327/2024 of 21 August 2024, deploys Andorra's data and AI governance strategy and promotes ethical AI. It is not an AI regulator with enforcement powers.