What is AI regulation in Bhutan?
AI regulation: countries and regions
Bhutan does not have a dedicated AI Act or a single cross-sector AI regulator in the official materials reviewed. Instead, AI governance currently rests on GovTech's National AI Strategy 2025, interim generative AI guidance for the civil service, the Information, Communications and Media Act 2018, sector privacy and cybersecurity rules, and wider digital identity and digital transformation frameworks shaped by Gross National Happiness.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Bhutan has moved into AI policy, but not yet into a stand-alone AI statute. The clearest official AI document is GovTech's National AI Strategy 2025. It frames AI around Gross National Happiness, public service, ethics, transparency, accountability and citizen benefit. For government users, there is also an interim generative AI guideline for the civil service.
The binding rules that matter today come mainly from older ICT, privacy, data protection, cybersecurity and digital identity law. The Information, Communications and Media Act 2018 contains relevant privacy and data protection provisions, and BICMA can issue codes of practice under it. Bhutan's 2024 cybersecurity and privacy code already applies to some ICT and telecom operators.
In South Asian terms, Bhutan is still building core governance capacity. Its own data-governance baseline work places it in the middle of the SAARC pack on AI readiness and points to gaps in data governance, privacy and cybersecurity. So the current picture is best understood as strategy plus existing law, rather than a finished AI rulebook.
Why it matters
Organisations should not treat Bhutan as a no-rules market simply because there is no AI Act. If your AI uses personal data, supports citizen services, sits inside telecom or other critical digital infrastructure, or connects to Bhutan's digital identity stack, existing privacy, cybersecurity and identity duties may still apply. The practical challenge is that the regime is spread across strategy, guidance and older legislation, so governance failures can come from missing the right layer of rules rather than from one obvious AI prohibition.
How it works
No dedicated AI Act, but an official strategy
I found no stand-alone AI law or single AI regulator for Bhutan in the official materials reviewed. The main national AI document is GovTech's National AI Strategy 2025. It is policy, not a dedicated statute. It sets the vision, focus areas and guiding principles for national AI use, and it explicitly ties AI to GNH-centred design, a citizen-centric approach, and ethical and inclusive development.
Just as important, the strategy shows what is still missing. Its governance and regulations section calls for a national data governance framework, national ethical guidelines for responsible AI, review of existing legislation for AI adoption, and a national AI governing body and framework. That is strong evidence that Bhutan is still in a framework-building phase.
Existing hard law comes mainly through ICT and data rules
Bhutan's main binding legal base layer is the Information, Communications and Media Act 2018. It establishes the Bhutan InfoComm and Media Authority, or BICMA, and gives it power to issue directions, guidelines and codes of practice. The Act also contains relevant privacy and data protection rules.
For AI projects, the most useful point is that the ICM Act already regulates the collection, processing, disclosure, security and deletion of personal information in important ways. It requires express written permission for electronic collection, collation or processing of personal information unless another law permits it, restricts disclosure to third parties unless legally required or expressly authorised, and requires obsolete personal data to be deleted or destroyed. Earlier privacy provisions in the same Act also require privacy policies, purpose limits and protection of personal information by ICT and media providers and vendors.
BICMA can add sector-specific duties without a new AI statute
Bhutan does not need a fresh AI Act before more binding controls start to appear. Because BICMA can issue codes under the ICM Act, sector obligations can arrive through that route. A good example is the Code of Practice for Information Security, Cybersecurity and Privacy Protection for ICT and Telecommunication Service Providers, which came into force on 10 October 2024.
That code applies to telecom and other ICT service providers with critical information infrastructure. It requires information security management, protection of personal and sensitive data, privacy controls and related compliance steps. So if an AI feature is built into a telecom, hosting, platform or other critical digital service, the relevant question is not only "Is there an AI law?" but also "Which existing ICT and security rules already attach to this service?"
Government use is shaped by digital policy and interim guidance
For the public sector, Bhutan's broader digital architecture matters a great deal. GovTech's 2024 Digital Strategy, "Intelligent Bhutan", presents digital transformation as a whole-of-government project supported by infrastructure, skilled personnel and a conducive regulatory regime. It also says GovTech plays a key role in developing legal frameworks for emerging technologies including AI, and it treats National Digital Identity as a foundation of the national digital strategy.
Government use is also shaped by the Royal Civil Service Commission and GovTech's generative AI guideline. That document describes itself as an interim civil-service rule and says Bhutan does not yet have specific AI policy and regulations. In practice, it tells officials to verify AI-generated material, avoid feeding personal or confidential information into public tools, de-identify personal data where use cannot be avoided, and keep human oversight for consequential decisions such as recruitment, HR planning, financial planning or student evaluation.
Digital identity and data governance add separate control layers
Bhutan's National Digital Identity Act 2023 creates its own governing structure for identity-linked services. It provides for a Governing Body, an Administrative Body, a Governance Framework, trust-service roles and incident rules. If an AI-enabled service uses Bhutan's digital identity stack, wallet infrastructure or verifiable credentials, those identity-layer obligations matter alongside any AI policy.
At the same time, Bhutan's data-governance architecture is still being built. GovTech's national data-governance baseline study says legal and policy gaps remain, compares Bhutan with SAARC peers, and recommends comprehensive data protection legislation together with a dedicated regulator or an expanded oversight role. That is why Bhutan currently looks more like a mixed hard-law and soft-law environment than a consolidated AI regulatory regime.
Examples
Example 1: A civil servant uses a public generative AI tool to draft a briefing note or summarise internal material. Bhutan's interim civil-service guideline says the user should make clear that generative AI assisted with the content, verify facts independently, avoid entering government data, personal information or confidential material into public tools, de-identify personal data if use is unavoidable, and keep a human decision-maker in the loop for consequential matters.
Example 2: A telecom or ICT operator wants to add AI for network monitoring, fraud checks or customer support. Even without an AI Act, that service can still sit inside the ICM Act and BICMA's 2024 cybersecurity and privacy code. In practice, the operator still needs privacy notices, lawful handling of personal information, security controls, and governance for critical infrastructure and third-party access.
Example 3: A digital public service wants to combine AI with Bhutan NDI credentials or wallet-based verification. That project is not governed by AI papers alone. The National Digital Identity Act 2023 adds its own governance framework, trust-service rules and incident duties, so the service must be designed around both identity-law requirements and the broader AI and data-governance picture.
Common misunderstandings
Misconception: Bhutan has no AI law, so AI use is unregulated. Correction: Existing privacy, data protection, cybersecurity, ICT and digital identity rules can still apply.
Misconception: The National AI Strategy 2025 is itself the binding AI law. Correction: It is an official strategy and roadmap, not a stand-alone Act with one economy-wide enforcement system.
Misconception: Bhutan already has a single AI watchdog. Correction: No single AI regulator is clearly designated in the official materials reviewed.
Misconception: Only the public sector needs to care about Bhutan's AI governance. Correction: Private operators may still fall under the ICM Act, BICMA codes, contract terms, sector rules and NDI requirements.
Misconception: A light-touch innovation agenda means privacy and security duties disappear. Correction: Existing legal and technical controls still need to be mapped before launch.
Risks and boundaries
The clearest boundary is that Bhutan does not yet appear to have a single, comprehensive AI statute or a cross-economy AI risk regime. Official materials still point forward to future ethical guidelines, legislative review, a national AI governing body, and broader data-governance architecture. So anyone looking for one neat AI code will not find it.
Coverage is also uneven. The civil-service generative AI guideline is narrow and applies to government officials, not to every private-sector AI deployment. The ICM Act and BICMA code matter most where ICT, media, telecom, online privacy, personal data or critical information infrastructure are involved. The NDI Act matters where digital credentials, wallets or trust services are involved. Other AI use cases may be governed only indirectly, through general law, contracts, procurement terms, sector controls and internal policy.
One more nuance matters for founders. Bhutan's digital strategy says some emerging-technology businesses may be approached on an "allow first and regulate later" basis. That should be read as policy posture, not as immunity. Existing privacy, security, identity and sector duties still need to be checked before launch.
What to do next
Start with a Bhutan-specific use-case map. Identify whether your system touches personal data, citizen services, ICT or telecom regulation, critical infrastructure, or Bhutan's digital identity stack. Then map the right legal layer: AI strategy, civil-service guidance, ICM Act, BICMA code, NDI law, and any sector controls that sit on top.
In practice, leaders should set a written AI use policy, classify data before prompting any model, block sensitive or identity-linked data from public AI tools unless there is a lawful route and adequate control, require human review for consequential decisions, and check vendor terms, access rights and incident handling. Because Bhutan's regime is still being built, a voluntary AI impact assessment is sensible even where no local rule yet compels one.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Bhutan have an AI law?
No dedicated AI Act or cross-sector AI regulation was identified in the official materials reviewed. Bhutan currently relies on strategy, guidance and existing ICT, privacy, cybersecurity and identity law.
Does Bhutan have an AI strategy?
Yes. GovTech has published the National AI Strategy 2025, which links AI to Gross National Happiness, public service, culture, environment and digital governance.
Is the National AI Strategy legally binding?
It is best read as an official policy roadmap, not as a stand-alone Act with one economy-wide enforcement system.
Who is the main AI authority in Bhutan?
No single AI watchdog is clearly designated. GovTech leads much of the digital and emerging-technology policy work, BICMA regulates parts of the ICT and media stack, and the RCSC with GovTech has issued government-use guidance.
Are there data protection rules relevant to AI?
Yes. The ICM Act 2018 contains privacy and data protection provisions, and BICMA has issued a cybersecurity and privacy code for certain ICT and telecom providers. That is not the same thing as a single comprehensive privacy statute, but it does create real duties.
Does Bhutan use a risk-based AI model?
Not yet as a national statute. The civil-service generative AI guideline uses risk categories and cautions officials against unacceptable-risk uses, but that is narrower than an economy-wide risk-based AI law.
What if my AI product uses Bhutan's digital identity stack?
Then the National Digital Identity Act 2023 also matters. It creates its own governance framework, service-provider roles and incident rules, so identity-linked AI projects need a separate legal check.