What is AI regulation in Burundi?
AI regulation: countries and regions
Burundi does not yet have a dedicated AI law, AI regulator or published AI strategy. Since 10 March 2026, its main AI-relevant hard law is the personal data protection law, which covers personal data processing, automated decision-making, impact assessments, data transfers and breach notification. That law creates a personal data protection agency, but its missions and organisation are left to a later decree, so an operational data protection authority was not identified in the official materials reviewed.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Burundi is not yet running a standalone AI Act model. The hard law that matters most is Loi No 1/03 du 10 mars 2026 on personal data protection. If an AI system uses personal data, biometric data or health data, or helps make important decisions about people, that law is now the main legal reference point.
The law is broader than privacy notices. It regulates automated decision-making, gives people rights to information, access, correction, erasure, portability and objection, and requires stronger controls for higher-risk processing. It also creates a Personal Data Protection Agency in law, but leaves its detailed missions and organisation to a later decree, so operational status is still unclear from the official materials reviewed.
Beyond that, Burundi's AI picture is still mostly policy and institution building. Public-service digitalisation is being steered through national ICT and digitalisation bodies, and an official AI landscape workshop in 2025 was framed as groundwork for a future roadmap. The wider regional direction comes from the African Union's Continental AI Strategy and EAC work on data governance.
Why it matters
For organisations deploying AI in Burundi, the first compliance question is usually not whether a tool is labelled "AI". It is whether the tool handles personal data, sensitive data or biometrics, whether it sends data abroad, and whether it meaningfully affects people through scoring, selection, access, pricing or triage. If it does, the 2026 law can require a lawful basis, upfront notices, tighter security, possible impact assessment, human review for serious automated decisions and fast breach reporting.
This matters because Burundi still lacks a fuller AI-specific rulebook. There is no Burundi equivalent of a broad AI Act that classifies AI systems by risk across the whole economy. Teams therefore need to build governance internally, identify high-risk uses, decide when a human must stay in the loop, and prepare for a regulator that the law creates but official implementation materials have not yet fully clarified.
How it works
No dedicated AI framework yet
Burundi does not currently have a dedicated AI statute, a dedicated AI regulator or an officially published national AI strategy. The clearest official AI policy signal is a late-2025 government workshop to assess the country's AI landscape and feed a future strategic roadmap. So the present framework is thin: hard law on data protection, plus digital-policy and regional instruments.
Data protection now does most of the hard-law work
Loi No 1/03 applies to automated and non-automated processing by public and private actors. It also reaches some processing by actors outside Burundi when processing means are located in Burundi. It recognises familiar legal bases such as consent, contract, legal obligation, vital interests, public interest or official authority, and legitimate interests. It restricts sensitive and biometric data, controls transfers to foreign states or international organisations, and includes criminal penalties and fines for serious violations. It also requires notification of data breaches to the legal "organ" within 48 hours where rights and freedoms are at risk, and to affected people within 96 hours where the risk is high.
Consequential automation triggers the clearest AI rules
Burundi's most explicit AI-relevant rules sit around automated decisions. People must be told when their data are processed with AI for automated decision-making. If an automated decision produces legal effects or similarly important effects, the person must be told that automation is being used and the underlying logic must be explained in clear and simple terms. Such decisions are allowed only where a law or regulation provides for them, where the person has consented, or where the automation is strictly necessary to conclude or perform a contract. The person can then ask for the decision to be reformulated, and a new reasoned decision must be taken by a human. The law also says the reasons for the human decision cannot rest only on opaque automated processing.
Major controllers face extra governance duties
Burundi's law places extra obligations on "major" controllers. Broadly, this category covers public authorities and bodies, larger employers and some operators that regularly handle especially sensitive or life-critical data. Major controllers must register, keep a processing register and appoint a data protection delegate. They must also carry out a data protection impact assessment whenever planned processing is likely to create a high risk for rights and freedoms, with sensitive-data processing treated as a trigger. The assessment goes first to the delegate and then to the data-protection organ with a request for authorisation.
Digital strategy and regional context
Outside the data law, Burundi's digital governance sits in wider state planning rather than AI-specific legislation. The national development plan treats ICT infrastructure, universal access, broadband and digital innovation as development priorities. SETIC and the National Steering Committee for the Digitalisation of Public Services are part of the machinery for implementing public-service digitalisation, including the Plan directeur de digitalisation des services publics 2023-2033. Regionally, the AU's Continental AI Strategy encourages member states to develop national approaches to ethical and responsible AI, while the EAC is working on harmonised data-governance and protection frameworks. Those regional texts matter as direction of travel, but they are not the same thing as a Burundi AI Act.
Examples
An employer or lender uses an AI model to screen applicants or score risk. If the model's output determines who gets hired, financed or refused in a way that has important effects, the organisation cannot hide behind the model. It must tell people automation is in play, explain the logic in understandable terms and keep a real human path for a fresh decision.
A hospital, insurer or research team wants to use patient files, biometric identifiers or other sensitive data to train or operate an AI tool. That is not ordinary data processing under Burundi law. Sensitive and biometric data sit behind tighter restrictions, and the organisation may need extra safeguards such as encryption, access controls, secure storage, a data protection delegate and an impact assessment.
A business wants to host training data or an AI service on infrastructure outside Burundi. The issue is not only vendor procurement. The transfer must go to a destination with adequate protection or with safeguards approved by the data-protection organ. If a breach then creates risk, the controller must notify quickly and, where the risk is high, also tell the affected people.
Common misunderstandings
Misconception: Burundi already has an AI Act. Correction: No. The main hard law now is the 2026 personal data protection law.
Misconception: ARCT is Burundi's AI regulator. Correction: No dedicated AI regulator was identified. ARCT is a telecommunications regulator, while the 2026 data law creates a separate personal-data agency in principle.
Misconception: The 2026 data law only matters for tech companies. Correction: No. It applies much more broadly to public bodies and private organisations that process personal data.
Misconception: Automated decisions are banned. Correction: No. They are allowed only in defined cases, with transparency and a right to seek a fresh human decision.
Misconception: If data leave Burundi through a cloud provider, Burundi law stops mattering. Correction: No. Cross-border transfer rules still apply.
Risks and boundaries
This remains a thin framework. Burundi's current hard law is a general personal data statute, not a full AI law with detailed model-risk classes, safety standards, product rules or sector-specific AI approval paths.
There is also an institutional gap to watch. The 2026 law creates a Personal Data Protection Agency, but the law itself says a later decree will set its missions, composition, organisation and functioning. I did not identify that implementing decree, nor an officially published national AI strategy, in the official materials reviewed. That means enforcement practice, forms, approvals and guidance may still change.
Regional documents from the AU and EAC help show direction, but they do not replace Burundi domestic law. Organisations still need to read the Burundi statute first and track later decrees or sector rules.
What to do next
Start with a practical inventory of every AI use that touches people in Burundi. Separate ordinary data uses from sensitive, biometric or health-related uses, and flag any system that can shape hiring, lending, access, pricing, public-service eligibility or other serious decisions. Decide the lawful basis for each workflow, rewrite notices so they mention automation where required, and design a genuine human review route for consequential decisions. Then test whether you qualify as a major controller, prepare a data protection impact assessment for higher-risk processing, check cross-border vendor arrangements, and build a 48 hour breach-escalation process. Finally, monitor for the decree that operationalises the data-protection agency and for any published national AI roadmap.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Burundi have an AI Act?
No. Burundi has no dedicated AI Act, AI regulator or officially published national AI strategy in the official materials reviewed.
What is the main law that affects AI in Burundi?
Loi No 1/03 du 10 mars 2026 on personal data protection is the main hard-law instrument affecting AI that uses personal data.
Does Burundi have a data protection authority?
The 2026 law creates an agency for personal data protection, but its detailed setup is left to a later decree, so an operational authority was not clearly identified in the official materials reviewed.
Does the law mention AI directly?
Yes. It requires notice where personal data are processed with AI for automated decision-making and sets safeguards for automated decisions with legal or similarly important effects.
Are automated decisions banned?
No. They are allowed only in limited cases, with transparency and a right to seek a fresh human decision.
When is an impact assessment needed?
For major controllers, an impact assessment is required when planned processing is likely to create a high risk for rights and freedoms, and sensitive-data uses are treated as a trigger.
Can personal data be transferred outside Burundi?
Yes, but only where protection is adequate or another approved safeguard is in place.
Is Burundi's AI policy linked to African regional frameworks?
Yes. The AU Continental AI Strategy and EAC work on data governance form part of the regional context, but they are not themselves a Burundi AI Act.