What is AI regulation in Belarus?
AI regulation: countries and regions
Belarus has no dedicated, in-force artificial intelligence law as of mid-2026. AI is governed indirectly through the 2021 Law on Personal Data Protection (Law No. 99-Z), the Hi-Tech Park and digital economy decrees, cybersecurity and information-security rules, and emerging technical standards. A national AI bill, concept and strategy are being drafted, with the National Academy of Sciences earmarked as the proposed sectoral regulator, but none had been enacted at the time of writing.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Belarus does not yet have a single statute that defines artificial intelligence, classifies AI systems by risk, or imposes specific duties on developers and deployers. Anyone asking "what is the AI law in Belarus?" should start from the honest answer: there is not one in force. What exists instead is a patchwork of general rules that apply to AI because AI processes personal data, runs on regulated information systems, and is built by companies that often sit inside a special tax and legal zone.
The most relevant binding rules come from data protection. Since 15 November 2021, the Law on Personal Data Protection has regulated how organisations collect and use personal data, which is the raw material for most AI. Separately, the Hi-Tech Park regime and the 2017 Decree on the digital economy created a favourable environment for IT and AI businesses, but that regime is about investment, tax and permitted activities, not AI safety.
Belarus is moving towards dedicated AI rules. The government has commissioned a draft AI bill, a development concept and a strategy, and is building a stack of technical standards. These are works in progress, not law, so leaders should treat any "AI framework" claim about Belarus with care and check the current status before relying on it.
Why it matters
For organisations that build, buy or deploy AI touching Belarus, the absence of a dedicated AI law does not mean an absence of obligations. If your system processes the personal data of people in Belarus, the data protection regime applies, with consent-heavy rules, a strict breach-notification clock, governance duties and tight controls on moving data abroad. The supervisory authority has real corrective and enforcement powers.
The stakes are also reputational and geopolitical. Belarus is under extensive Western sanctions, and state use of AI-enabled surveillance is well documented: Belarusian authorities deploy the Kipod facial-recognition platform built by Hi-Tech Park resident LLC Synesis, which the Council of the EU sanctioned on 17 December 2020 for providing "a surveillance platform, which can search through and analyse video footage and employ facial-recognition software, making the company responsible for the repression of civil society and democratic opposition by the state apparatus in Belarus". Belsat reports roughly 60,000 cameras nationwide. Buyers and investors weighing Belarusian AI vendors or development centres should factor in export-control, sanctions, human-rights and data-localisation exposure that has little to do with any future AI statute. Because dedicated AI rules are being drafted, organisations with a long-term presence should track the pipeline now so they are not caught out when duties land.
How it works
No dedicated AI statute yet
As of mid-2026 there is no enacted Belarusian law specific to artificial intelligence. AI is regulated by general instruments: data protection law, information and cybersecurity law, the Hi-Tech Park and digital economy decrees, intellectual property rules and sector regulation. This is the durable starting point and the single most important fact for readers.
The data protection backbone
The Law of 7 May 2021 No. 99-Z "On Personal Data Protection" entered into force on 15 November 2021 and is the first comprehensive Belarusian data protection statute. It uses its own vocabulary: an "operator" is broadly equivalent to a controller, and an "authorised person" to a processor. Processing generally requires the data subject's consent, which must be free, unambiguous and informed, unless one of the listed exceptions applies (for example, administration of justice, national security, or performance of duties set by law). "Special personal data" includes biometric and genetic data, which is directly relevant to AI such as facial recognition and voice systems.
The law imposes governance duties: operators that are Belarusian legal entities or public bodies must appoint a person or unit responsible for internal control over processing, publish a processing policy, train staff, apply access controls, and use technical and cryptographic protection. Breaches of the protection system must be notified to the supervisory authority promptly, within three working days. The statute does not require a formal data protection impact assessment and does not, of itself, mandate a maintained processing record, which marks a difference from the EU model.
The supervisory authority
The National Personal Data Protection Center was established to follow up the law by Presidential Decree No. 422 of 28 October 2021. It supervises operators and authorised persons, handles complaints, can demand that violations be eliminated or that processing be terminated, determines the list of foreign states with an adequate level of protection, issues permits for cross-border transfers, and gives guidance. The Operational and Analytical Center under the President is a separate body that sets technical and cryptographic protection requirements, maintains the register of personal data operators, regulates the ICT sphere and cybersecurity, and can restrict telecommunications networks on national-security grounds.
Cross-border data transfers
Belarus operates a gatekeeper model. Transfers flow freely only to countries that ensure an adequate level of protection, understood to include parties to the Council of Europe Convention 108 and members of the Eurasian Economic Union. Transfers to non-adequate destinations are prohibited unless a narrow gateway applies (such as the data subject's informed consent to the risks, contractual necessity, vital interests, or a treaty) or a permit is obtained from the supervisory authority. Belarus does not rely on EU-style standard contractual clauses or binding corporate rules.
The Hi-Tech Park and digital economy regime
The Hi-Tech Park (HTP) was created in 2005. Decree No. 8 of 21 December 2017 "On the Development of the Digital Economy" took effect on 28 March 2018, extended the HTP special legal regime to 1 January 2049, and widened the list of permitted resident activities to include artificial intelligence, machine learning, autonomous vehicle systems and blockchain. It also recognised smart contracts and tokens. Decree No. 102 of 12 April 2023 restructured the HTP administration. This regime is an investment, tax and activity framework: it offers residents tax relief and an extraterritorial principle (benefits apply regardless of where in Belarus the company sits), but it is not an AI safety or risk-management law.
Standards, strategy and the AI bill in the pipeline
Belarus is building AI governance from three directions. First, technical standards: Gosstandart First Deputy Chairman Aleksandr Burak told BELTA on 27 May 2026 that Belarus "will introduce 20-25 new standards in artificial intelligence by the end of the year", noting Belarus participates in CIS interstate technical committee 566 "Artificial Intelligence" and national technical committee BY 41 "Digital Development and Communications". Second, policy: AI features in the National Strategy for Sustainable Development through 2040 and in the Digital Belarus state programme for 2026 to 2030. Third, legislation: a dedicated working group of 42 cross-ministerial specialists has been formed to draft the legislation, per Sergei Kruglikov, Director General of the United Institute of Informatics Problems of the National Academy of Sciences of Belarus (NASB), on BELTA's The Nation Speaks (14 August 2025). The work is based on the CIS Model Law on Artificial Intelligence Technologies; as President Lukashenko put it at the 5th Eurasian Economic Forum in Astana on 28 May 2026, "It was in Belarus that a model law on artificial intelligence technologies had been developed. In 2025 it was approved by the CIS Interparliamentary Assembly." Ministries including the Economy Ministry, the State Committee for Science and Technology and the Education Ministry "endorsed designating the National Academy of Sciences as the sectoral regulator for AI", per Kruglikov, who added: "We have prepared the complete documentation package and submitted it to the National Center of Legal Information to ensure the AI technology bill is included in the 2026 legislative agenda"; the mandate came from two presidential advisory bodies, the Strategic Projects Council and the Legal and Judicial Policy Council. A development concept and strategy are also planned. None of these had been enacted as a binding AI law at the time of writing.
Examples
A software company developing a computer-vision product as a Hi-Tech Park resident benefits from the Decree No. 8 regime (tax relief, broad permitted activities including AI), but it still must comply with the Law on Personal Data Protection when its system processes images of identifiable people, because biometric data is "special personal data" requiring stronger safeguards.
A foreign business running an HR or CRM platform that processes data on staff or customers in Belarus must localise its consent wording to the detailed disclosures the law requires, appoint a responsible person or unit, and plan a transfer route: ship data only to adequate jurisdictions, fit a statutory exception, or apply to the National Personal Data Protection Center for a permit. A data-breach playbook must meet the three-working-day notification deadline.
A government or public-safety deployment of AI such as facial recognition operates against documented state surveillance practice and existing data protection and information-security rules rather than a bespoke AI statute. There is no in-force Belarusian AI law imposing risk classification, transparency or independent oversight specific to such systems.
Common misunderstandings
"Belarus has an AI law." It does not, as of mid-2026. AI is covered by general data protection, information-security and digital economy rules, with a dedicated bill still in drafting.
"The Hi-Tech Park decree regulates AI safety." Decree No. 8 is a tax, investment and permitted-activity regime. It lists AI as an allowed activity for residents; it does not impose AI risk-management or transparency duties.
"Belarus is just like the EU because its data law looks similar." The Law on Personal Data Protection borrows GDPR-style concepts but differs: it is consent-centric, uses "operator" and "authorised person", does not require impact assessments, and rejects standard contractual clauses for transfers.
"The 2026 draft AI law with a public consultation is Belarusian." A draft "Law on Fundamentals of State Regulation of the Fields of Application of Artificial Intelligence Technologies" consulted in spring 2026 is a Russian Federation initiative, not Belarus's. Do not conflate the two.
"No AI law means no compliance risk." Untrue. Data protection, cybersecurity, sanctions and export-control exposure all apply now regardless of any future AI statute.
Risks and boundaries
This article describes the governance architecture, not legal advice. The central limit is that Belarus has no enacted, dedicated AI law, so there is no formal risk-tiering, conformity assessment or AI-specific transparency duty in force. Statements that Belarus is "developing a comprehensive regulatory framework for AI" describe work in progress (a bill, a concept, a strategy and standards), not binding rules, and timelines can slip; the Academy of Sciences is the proposed, not confirmed and operating, regulator.
What is confirmed: the data protection law and its supervisory authority, the Hi-Tech Park and digital economy decrees, and the information-security and cybersecurity regime. What is pending: the national AI bill, concept and strategy, and most national AI standards. What could change: the regulator's identity and powers, definitions of AI, and any risk-based duties, all of which depend on instruments not yet adopted. Readers should also note the human-rights and sanctions context, which materially affects real-world AI use and vendor diligence.
What to do next
Treat Belarus today as a data protection and information-security compliance problem, not an AI-specific one. If you process personal data linked to Belarus, map your processing, localise consent to the statutory disclosure list, appoint a responsible person or unit, document technical and cryptographic controls, and build a breach process that meets the three-working-day deadline.
Plan cross-border data routing deliberately: prefer adequate destinations, otherwise fit a statutory exception or budget time for a supervisory permit. Do not assume EU standard contractual clauses will work.
Run sanctions, export-control and human-rights due diligence on any Belarusian AI vendor, development centre or Hi-Tech Park resident before contracting.
Track the AI pipeline: monitor the draft AI bill, the AI development concept and strategy, and Gosstandart's AI standards. Reassess when a bill is published for consultation or adopted, when a regulator is formally empowered, or when risk-based duties take effect.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Belarus have a dedicated AI law?
No. As of mid-2026 there is no enacted AI-specific statute. AI is governed by general data protection, information-security and digital economy rules, with a dedicated bill in drafting.
Which law most affects AI in Belarus today?
The Law of 7 May 2021 No. 99-Z "On Personal Data Protection", in force since 15 November 2021, because AI systems typically process personal data, including biometric "special personal data".
Who is the data protection regulator?
The National Personal Data Protection Center, established by Presidential Decree No. 422 of 28 October 2021. It supervises operators, handles complaints, issues transfer permits and can order violations to stop.
Is there an AI regulator?
Not in force. The National Academy of Sciences has been endorsed as the proposed sectoral regulator for AI, but this depends on legislation that has not yet been enacted.
What does the Hi-Tech Park regime do for AI?
Decree No. 8 of 2017 lets HTP residents conduct AI and machine-learning activities and grants tax and legal benefits to 2049. It is an investment and tax regime, not an AI safety law.
Can I transfer personal data out of Belarus freely?
Only to countries deemed to have adequate protection, including Convention 108 parties and Eurasian Economic Union members. Otherwise you need a statutory exception or a permit from the supervisory authority.
Is the 2026 draft AI law a Belarusian law?
No. The "Law on Fundamentals of State Regulation of the Fields of Application of Artificial Intelligence Technologies" consulted in spring 2026 is a Russian Federation draft, not Belarus's.
When will Belarus have an AI law?
There is no confirmed date. A bill, concept and strategy are being drafted, with documentation submitted toward the 2026 legislative agenda, but adoption timing is uncertain.