What is AI regulation in Bangladesh?

How it works

The current position as of June 2026

Bangladesh does not yet have a dedicated, enacted AI statute. The ICT Division published draft versions of National AI Policy Bangladesh 2026-2030 in early 2026 through the official AI policy site. The official consultation page now says feedback has closed, the committee is reviewing submissions and readers should await official adoption. As of 6 June 2026, no final adopted AI policy is posted there.

At the same time, the ICT Division's own laws page lists three enacted 2026 laws that already matter for AI practice: the National Data Management Act 2026, the Cyber Security Act 2026 and the Personal Data Protection Act 2026. So Bangladesh already regulates many AI use cases, but it does so mainly through horizontal digital laws rather than a single AI act.

What the draft AI policy would do

Draft V2.0 is explicit that Bangladesh wants a risk-based regime. It proposes four categories: prohibited, high-risk, limited-risk and low-risk AI. Prohibited or unacceptable uses include social scoring, indiscriminate biometric mass surveillance in public spaces without lawful authorisation, manipulative systems that exploit vulnerabilities, predictive profiling and other uses the draft says undermine human rights or democratic trust. High-risk uses include law enforcement, biometric identification, creditworthiness, welfare allocation, employment and access to essential public services.

For high-stakes decisions, the draft would give people the right to know when AI materially shapes a decision, to challenge it, and to obtain meaningful human review. It also proposes an explanation duty focused on the main factors behind the decision and what changes might have led to a different result. For high-risk AI harms, the draft points toward a strict-liability approach for deployers and asks the Ministry of Law to develop fuller AI liability legislation by 2028. Because the policy is still a draft, these are direction-setting proposals, not yet direct statutory duties.

Data governance is the legal core today

Bangladesh's enforceable AI baseline now sits mainly in its data laws. The Personal Data Protection Act 2026 takes an ownership-based view of personal data and builds the country's privacy regime around that premise. The published text defines personal data, biometric data, profiling, sensitive personal data, data subjects and personal data breaches.

That matters for AI because many models rely on training data, inference data, behavioural signals or biometric inputs. The gazetted text also points to security planning, audits and Chief Data Officers for important data-fiduciaries. Alongside it, the National Data Management Act 2026 creates the wider national data architecture, including the central authority and interoperability framework that will shape how data can be shared, governed and fined. For AI teams, this makes data mapping, lawful processing, security, breach handling and governance staffing immediate priorities.

Cyber misuse, platform harms and election integrity are already in scope

Bangladesh's Cyber Security Act 2026 is not a general AI code, but it matters whenever AI is part of hacking, unlawful access, fraud, harmful synthetic content, attacks on critical information infrastructure or similar digital offences. In practical terms, some AI harms can already be prosecuted or restrained under cyber law without waiting for a final AI policy.

The legal picture also extends into democracy and information integrity. Bangladesh's 2026 amendment to election law reaches campaign material generated with AI tools when it is used to damage a candidate's reputation or to influence the election result. That is important because it shows Bangladesh is already using sector-specific law to regulate certain AI abuses.

How the public-sector model is developing

Bangladesh's draft policy gives the public sector a central role. It says public-service AI should be coordinated by the ICT Division, use shared APIs and sit inside a national governance framework built around transparency, fairness, data protection and mandatory human oversight. It also proposes a testing and evaluation unit at Bangladesh Computer Council to audit public-sector AI for accuracy, security and bias.

Operationally, the draft leans toward digital sovereignty. Sensitive government datasets would be kept under stronger domestic control, insecure foreign AI services would be restricted in government settings, and the first flagship programme would be a government-led Bangla language model. Bangladesh Computer Council is named as lead implementing agency for that model under an ICT Division project cell. For suppliers to government, this points to stricter expectations around hosting, documentation, testing and interoperability.

Who enforces the rules and what could change next

Today, enforcement is split by subject matter. The ICT Division leads policy. The data laws create the authority structure for data governance and administrative fines. Cyber offences sit under the cyber security law. Courts and sector-specific authorities still matter where AI affects finance, employment, elections, public administration or consumer-facing services. There is therefore no single AI regulator that covers the whole field today.

The draft AI policy would add more AI-specific machinery, including an Independent Oversight Committee, annual reporting, public audit summaries, regulatory sandboxes and a review cycle through 2030. It also says a comprehensive AI law could later replace the policy. The main uncertainty is sequencing: the February 2026 AI draft predates the April 2026 data and cyber acts, so the final policy will need to fit the newer statutory stack.