What is AI regulation in Brunei?
AI regulation: countries and regions
Brunei does not have a dedicated AI law as of June 2026. AI is governed mainly through soft-law guidance, especially AITI's Guide on AI Governance and Ethics for Brunei Darussalam, together with broader data protection rules. The main hard-law development is the Personal Data Protection Order, 2025, in force from 1 January 2026 for organisations. National policy has also shifted from the Digital Economy Masterplan 2025 toward Digital Brunei 2030, which includes a Data and AI pillar.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Brunei's current AI position is practical rather than statute-led. Official sources point to guidance, digital strategy and data protection law, not to an AI Act or a dedicated AI-only regulator. The centre of gravity is AITI, which has published AI governance guidance and also administers Brunei's new personal data protection regime.
That means most organisations should think in layers. First, use AITI's AI guide as the baseline for responsible design, deployment and human oversight. Second, if the AI system uses personal data, apply the Personal Data Protection Order, 2025. Third, place the project in the wider national digital direction, which started with the Digital Economy Masterplan 2025 and is now being carried forward through Digital Brunei 2030.
One important boundary is that Brunei's data protection law is not a full public and private sector code. Its core obligations apply to organisations, while public agencies are excluded from those main parts. So a private company using AI on customer or employee data faces clearer binding duties than a public agency using AI inside government.
Why it matters
If you buy, build or deploy AI in Brunei, the legal question is not only "is there an AI law?" but also "what duties attach through data, governance and digital policy?" A company that uses personal data in AI now has concrete obligations around internal accountability, transparency, security, retention, overseas transfers and notifiable breaches.
The practical effect is that Brunei can look light-touch at first glance, but the workload is real once personal data is involved. Boards, founders, procurement teams and governance leads should treat Brunei as a jurisdiction where soft-law AI guidance and hard-law data duties sit side by side. That matters even more for cross-border groups, because Brunei-facing AI deployments may need local data handling controls even when the model provider or cloud stack sits elsewhere.
How it works
No dedicated AI statute
As of June 2026, the official Brunei materials reviewed for this article do not show a dedicated AI Act, AI licensing regime or AI-only regulator. The legal picture is therefore mixed: a soft-law AI guide, a new personal data protection order, and broader national digital policy. If you are used to the EU AI Act model, Brunei is not that. Its architecture is lighter and more principle-led.
AITI's guide is the main AI governance text
AITI set up an AI Governance and Ethics Working Group in 2024, consulted publicly on a draft guide in July 2024, released the final Guide on Artificial Intelligence Governance and Ethics for Brunei Darussalam in April 2025, and now lists a Second Edition on its site. The guide is principles-based and gives organisations a baseline way to govern AI.
Official AITI materials describe themes such as transparency and explainability, data protection and data governance, security and safety, robustness and reliability, fairness and equity, human centricity, and accountability and integrity. The consultation draft also shows how AITI thinks operationally: map controls across the AI system lifecycle, use risk-based human involvement, and build governance through people, process and technology. In practical terms, this is soft law. It is guidance, not a statute, but it is the clearest official statement of Brunei's expected AI practice.
Personal data law now creates binding duties
The Personal Data Protection Order, 2025 is the main hard-law development. It took effect on 1 January 2026, and AITI administers it. The Order imposes its core obligations on organisations, not on public agencies. That point is easy to miss, but it matters: Brunei's strongest binding AI-adjacent rules currently sit mainly on the private side.
For organisations, the duties are concrete. They must designate one or more responsible individuals, publish contact details, implement internal policies and complaint handling, protect personal data with reasonable security arrangements, stop retaining it when no longer needed, and ensure comparable protection when personal data is transferred outside Brunei. If there is a data breach that is notifiable, the organisation must notify AITI as soon as practicable and no later than 3 days after its assessment that the breach is notifiable. AITI can issue directions and financial penalties, with the statutory cap set at up to 10 percent of Brunei turnover for larger organisations, or BND 1,000,000 in other cases.
The digital strategy gives policy direction
Brunei's Digital Economy Masterplan 2025 set the original smart nation roadmap. Official MTIC speeches describe it as the main reference document for "Smart Nation through Digital Transformation", with four strategic thrusts: industry and business digitisation, government digitisation, a thriving digital industry, and manpower and talent development. Those same materials flagged data governance and cybersecurity frameworks as key enablers.
By June 2026, MTIC stated that Digital Brunei 2030 had been published as the next national digital plan. It is presented as building on the earlier masterplan and bringing Digital Government, Digital Society, Digital Business, and Data and Artificial Intelligence into one national direction. For AI governance, that means the current public policy signal is not a stand-alone AI law. It is AI inside a wider state-led digital transformation programme.
ASEAN is the regional frame of reference
Brunei's AI guide is explicitly aligned with the ASEAN Guide on AI Governance and Ethics. That regional guide is voluntary and does not replace national law, but it matters because it encourages interoperable practice across ASEAN. For organisations operating around Southeast Asia, Brunei's approach therefore looks closer to a regional governance model than to a stand-alone command-and-control AI statute.
That regional context also explains why risk review, human oversight, internal governance structures and privacy controls show up so clearly in Brunei's own materials. Brunei is not legislating AI in isolation; it is borrowing from and aligning with an ASEAN governance vocabulary.
Examples
A healthcare technology provider offering predictive cost or triage tools in Brunei should treat AITI's AI guide as the governance baseline. The official consultation draft uses a healthcare prediction example to illustrate transparency and explainability, meaning users should be told an AI system is being used and should be able to understand, in plain terms, how the system reaches a recommendation.
A private employer or service business that uses AI on staff or customer data moves out of pure guidance and into binding law. Under the Personal Data Protection Order, 2025, it must designate a responsible individual, publish a contact point, protect the data, and handle access, correction, retention and breach issues in a documented way. If the AI is used to support decisions that affect an individual, data accuracy and governance become especially important.
A Brunei company using an overseas model provider or cloud vendor for AI can still transfer data abroad, but not freely. If personal data leaves Brunei, the organisation must meet the Order's cross-border transfer rule and ensure a comparable level of protection. If the vendor or processor suffers an incident, the Brunei-side organisation still has assessment and notification duties for any notifiable breach.
Common misunderstandings
"Brunei has no AI Act, so AI is unregulated." Not quite. There is no dedicated AI statute, but AI use can still be shaped by AITI guidance and by hard-law rules on personal data.
"AITI's AI guide is a binding law." No. It is guidance and a governance baseline, not a statute.
"The Personal Data Protection Order works like a full public and private sector code." No. Its core obligations do not apply to public agencies.
"ASEAN AI guidance is automatically law in Brunei." No. ASEAN guidance is voluntary and is meant to support alignment, not replace Brunei law.
"If our AI vendor is outside Brunei, local rules stop mattering." No. Cross-border transfers and local deployment can still trigger Brunei duties.
Risks and boundaries
Brunei's AI framework is still relatively light. The clearest official position is a principles-based guide plus general law, not a comprehensive AI statute. That means some issues common in other jurisdictions, such as high-risk AI categories, registration, conformity assessment, model-specific duties or AI-specific civil liability rules, are not clearly set out in the official Brunei materials reviewed here.
There is also an important public sector boundary. Because the Personal Data Protection Order excludes public agencies from its main operative parts, you cannot assume that private sector data rules map neatly onto government AI use. For public-sector projects, the legal picture is therefore less complete from the currently available sources.
The strategic architecture is evolving too. The Digital Economy Masterplan 2025 was the original roadmap; Digital Brunei 2030 is now presented as the next national plan with a Data and AI pillar. That is a clear policy direction, but it is still not the same thing as a dedicated AI statute.
What to do next
Treat AITI's AI guide as your baseline internal standard for Brunei, even where the law is thin.
Map every AI use case against one simple question early: does it use personal data, and does any of that data leave Brunei?
Nominate a clear accountable owner for data protection and AI governance. Do not leave AI procurement, legal review, security and operations in separate silos.
Use risk and impact assessment before deployment, especially for systems that affect hiring, health, finance, education or public-facing decisions.
Build minimal controls now: user notice where AI is being used, human review for sensitive decisions, vendor due diligence, retention rules, breach escalation and cross-border transfer checks.
If you work with government or regulated sectors, ask for project-specific governance requirements in writing. Brunei's public and private sector rules are not symmetrical.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Brunei have an AI law?
No dedicated AI law is in force as of June 2026. Brunei relies mainly on AITI guidance, data protection law and national digital policy.
Is AITI the AI regulator?
Official sources show AITI publishes the national AI guide and administers the Personal Data Protection Order, 2025. But the sources reviewed do not identify a separate AI-only regulator or AI licensing authority.
Does Brunei's data protection law apply to government agencies?
Not in the same way it applies to organisations. The Order says its core obligations do not apply to public agencies.
What is the biggest hard-law risk for AI deployers in Brunei?
Personal data handling. If your AI system uses personal data, you need to deal with accountability, security, retention, cross-border transfer and breach notification duties.
Are ASEAN AI guides binding in Brunei?
No. They are voluntary regional guidance. They matter because Brunei's own AI guide is aligned with them and because they shape expectations across Southeast Asia.
Is there a national AI strategy in Brunei?
The current public picture is best read through Digital Brunei 2030, which brings Data and AI into the national digital plan that follows the Digital Economy Masterplan 2025.
Do I need an AI impact assessment in Brunei?
Brunei's current framework does not impose a named AI impact assessment duty across the board. Even so, a structured risk and impact review is sensible and fits the direction of AITI and ASEAN guidance.