What is AI regulation in Costa Rica?
Global AI regulation
Costa Rica does not yet have a single, enacted AI law. As of 5 June 2026, its AI governance model is built from the National Artificial Intelligence Strategy 2024-2027, existing laws such as personal data protection rules, sector-specific guidance, and two competing AI bills, Expediente 23.771 and Expediente 23.919. In other words, Costa Rica has an emerging national approach to AI governance, but not a settled, fully enacted AI regulatory regime.
What this means
In Costa Rica, "AI regulation" currently means a mix of public policy, existing horizontal law and proposed legislation. The clearest official framework is the National Artificial Intelligence Strategy, known as ENIA, which was launched in October 2024 and sets a 2024-2027 roadmap for ethical, safe and responsible AI use.
That is different from having a dedicated AI statute. Costa Rica already has binding rules that matter for AI, especially on personal data, and some public institutions have started issuing their own internal AI rules. At the same time, Congress has been considering two broad AI bills that would regulate the field in quite different ways.
So the practical position is this: organisations cannot assume there are no rules, but they also cannot treat Costa Rica as if it already had a final AI Act. It is better understood as a jurisdiction in transition, with a strategy in force, baseline legal duties already active, and legislation still contested.
Why it matters
This matters because organisations deploying AI in Costa Rica need to make decisions before Congress settles the bigger legislative debate. Founders, buyers, public bodies, advisers and vendors may already be handling personal data, automating parts of services, testing generative AI in staff workflows, or selling AI-enabled products into regulated sectors. In all of those cases, governance work cannot wait for a future headline law.
Costa Rica is also using AI policy as part of a broader digital-state and economic-development agenda. ENIA links AI to public service modernisation, talent, infrastructure, 5G, research, international cooperation and an eventual regulatory sandbox. That makes the country relevant not only for local compliance, but also for market entry, public procurement, public-private projects, and regional policy comparison.
The strategic risk is misreading the jurisdiction. If you assume Costa Rica already has a settled AI statute, you may overstate current legal duties. If you assume it has no meaningful AI governance at all, you may miss existing data protection duties, sector rules and future-proofing steps that both pending bills would make more important.
How it works
Current legal position
Costa Rica does not appear to have a dedicated AI statute in force as of 5 June 2026. The official legal picture is instead made up of three layers. First, there is ENIA 2024-2027, which is government policy rather than an act of parliament. Second, there are existing binding rules, above all the personal data regime under Law No. 8968 and the authority of PRODHAB. Third, there are pending legislative proposals that would create a more explicit AI framework if passed.
That distinction is important. A strategy can guide ministries, budgets, public projects and later regulation, but it does not do the same legal work as an enacted statute. For now, Costa Rica's AI model is best described as policy-led and institutionally active, with legislation still unsettled.
ENIA is the policy backbone
The National Artificial Intelligence Strategy 2024-2027 is the clearest official statement of Costa Rica's direction of travel. MICITT presents it as the country's roadmap for responsible AI adoption and development. It is framed around ethical, inclusive and sustainable use, with strong emphasis on human dignity, transparency, equity, human supervision, risk management and cybersecurity.
The published action plan gives this strategy real operational content. It is organised into seven axes: ethical, safe and responsible AI; territorial articulation and economic development; research, development and innovation; smart government; talent and training; digital infrastructure and enabling technologies; and international leadership. This is why ENIA matters even though it is not itself a statute. It says which institutions are meant to act, what kinds of projects are expected, and which deadlines and metrics the government is using to track progress.
The action plan also shows that Costa Rica is trying to build an AI governance model, not just issue principles. It includes work on an AI regulatory sandbox, a proposed ethical and normative framework for AI-assisted clinical diagnosis in health, institutional AI policies, training for public officials, local-government AI deployments, a national centre of excellence, and links to 5G and digital infrastructure.
Existing binding law already shapes AI use
The most important currently binding baseline is Costa Rica's personal data regime. Law No. 8968 applies to automated and manual processing of personal data in both public and private databases. It protects informational self-determination, requires notice about data collection and purpose, generally requires express consent unless a legal exception applies, and gives people rights of access, rectification and deletion. It also restricts data transfers and empowers PRODHAB to inspect, order corrective measures and impose sanctions.
For AI governance, that means a simple but important point: if your AI system uses personal data, Costa Rican law already applies. Organisations do not need to wait for a future AI act before dealing with lawful basis, notices, data quality, storage discipline, access rights, and internal accountability.
Sector institutions can also move ahead on their own. A good example is the judiciary. In February 2026, the Corte Suprema de Justicia issued ethical rules and guidelines for judicial staff using generative AI tools such as ChatGPT, Gemini and NotebookLM. That does not create a general national AI law, but it does show how Costa Rica is already producing sector-level AI governance in practice.
What bill 23.771 would do
Expediente 23.771, "Ley de Regulacion de la Inteligencia Artificial en Costa Rica", is the more recognisably risk-based of the two broad proposals. The substitute text described in official university consultation materials would make MICITT the rector for AI policy, plans and guidance, and would give it functions of registration, supervision and auditing for AI systems. In areas within its competence, SUTEL would provide technical criteria, and the bill envisages regulation making to define some of the details.
Its architecture is comparatively compact. It includes ethical principles, human supervision, data protection, sector-specific application areas, impact assessment for high-risk systems, and a risk taxonomy. The categories resemble the logic found in other comparative AI bills: unacceptable risk, high risk, limited risk and minimal risk. Under that approach, certain manipulative or rights-threatening practices would be prohibited; high-risk systems would face stricter duties; chatbots and deepfakes would need disclosure; and low-risk systems would face lighter treatment.
The practical appeal of 23.771 is clarity of structure. It gives operators a more familiar compliance map: identify the risk level, document the use case, assess human-rights and discrimination impacts, build human oversight, respect data rules, and use transparency rules for customer-facing or synthetic-content systems. The practical weakness is that important details are still left to later regulation, and sanctions are less fully developed than in some other models.
What bill 23.919 would do
Expediente 23.919, "Ley para la Promocion Responsable de la Inteligencia Artificial en Costa Rica", takes a different path. It is broader, more institutional and more governance-heavy. It also gives MICITT the rector role, but it goes further by creating the Comision Interinstitucional para el Desarrollo de la Inteligencia Artificial, or CIDIA, and a separate ethical, technical and scientific advisory committee.
This proposal does not just state principles. It builds a governance apparatus. Under the substitute text described in official consultation materials, CIDIA would be able to promote AI initiatives, propose regulations, support public-private cooperation, keep a national register for public-interest AI projects, support training, and approve a high-risk certificate for certain projects. The advisory committee would examine proposals and produce the ethical and technical basis needed for CIDIA decisions.
The bill also reaches more deeply into operational governance. It includes transparency and explainability duties for public institutions and recipients of public funds, reporting to CIDIA and annual onward reporting to the Contraloria General, registration of projects declared to be of public interest, cybersecurity obligations, complaint procedures through MICITT, worker-related protections and information duties, and administrative fines, including for operating without the required high-risk certificate or for using AI to misinform or to produce deceptive synthetic media.
For operators, that makes 23.919 look less like a simple AI principles law and more like a procedural governance system. It would likely matter most where AI is publicly funded, declared to be of public interest, used in sensitive settings, or linked to labour, transparency, or public administration.
Institutions and practical enforcement
Today, the most important public institution for national AI policy is MICITT. For binding privacy issues, PRODHAB is central. Sector bodies also matter where they already supervise important workflows, such as the courts. If bill 23.771 became law, MICITT and SUTEL would become more central to risk-based oversight. If bill 23.919 became law, MICITT would remain central but CIDIA and its advisory committee would become key procedural gateways.
This matters in practice because the same AI system can sit in more than one governance lane. A public-sector tool may engage ENIA as policy, Law 8968 as binding privacy law, internal sector rules, procurement rules, and then eventually a new AI statute if one passes. That is another reason Costa Rica should be treated as an emerging model rather than a single-code regime.
Where the model is still unsettled
Costa Rica's current model is not settled for three reasons. First, the two big bills do not point in exactly the same direction. One is more risk-classification and oversight oriented. The other is more institutional and procedural. Second, official bodies have already flagged coordination issues. The Contraloria General warned that bill 23.919 needed better alignment with existing digital-government structures and broader public policy, rather than simply adding new bodies without clear system design. Third, parts of ENIA's action plan are easier to identify as policy commitments than as final binding instruments.
A practical example is health. ENIA's action plan set a target for a normative and ethical framework for AI-assisted clinical diagnosis in health, but that is easier to trace as a policy target than as a clearly enacted final instrument in the official legal database at the time of research. The same is true of the AI regulatory sandbox. The strategy clearly points towards it, and government planning documents show work on its design, but that is not the same thing as a fully operational sandbox with published entry criteria and rules.
Examples
A hospital, clinic or medtech supplier using AI-assisted diagnosis in Costa Rica cannot wait for Congress to finish the broader AI debate. Personal data duties already apply under Law No. 8968, and ENIA's action plan specifically earmarks a normative and ethical framework for clinical diagnosis software using AI. The practical reading is that privacy, human review, security and clinical accountability should be built now, even though the final health-specific AI instrument was not clearly identifiable as an enacted general rule during this research.
A ministry, municipality or state supplier piloting AI for service delivery is already operating inside ENIA implementation. The official action plan includes municipal AI service improvements, AI functionality for the Ministry of Finance, and AI-enabled pre-evaluations in emergency management. If either major bill advances, these kinds of projects are exactly the sort most likely to face formal governance expectations, whether through a risk-based impact model under bill 23.771 or a CIDIA-led approval and reporting path under bill 23.919.
The judiciary has already moved ahead with its own guardrails. In February 2026, the Corte Suprema de Justicia issued rules for the use of generative AI by judicial staff. That is a concrete example of Costa Rica's current model in action: the country does not yet have one settled AI act, but institutions are already setting AI governance rules where they see operational need.
Common misunderstandings
A common mistake is to say that Costa Rica already has "the AI law". It does not. What it has is an AI strategy, existing baseline law, sector guidance and pending legislative proposals.
Another mistake is to treat ENIA as if it were the same thing as an act of parliament. It is important and operationally useful, but it is still a policy and implementation framework, not a single statute creating a complete AI compliance code.
It is also wrong to assume that the two broad AI bills are basically duplicates. They overlap, but their design logic is different. Bill 23.771 is closer to a risk-based oversight model. Bill 23.919 is broader and more institutional, with new bodies, registration, public-interest project governance and specific administrative sanctions.
Some organisations assume that only AI builders need to watch Costa Rica. That is too narrow. Buyers, deployers, public agencies, employers and cross-border vendors can all be affected, especially where systems process personal data or shape important services.
A final misunderstanding is that no enacted AI act means no current compliance work. In reality, privacy law already applies, sector bodies can issue their own AI rules, and the legislative direction of travel is clear enough that governance documentation done now is unlikely to be wasted.
Risks and boundaries
The main boundary is legal status. As of 5 June 2026, Costa Rica's broad AI framework is still emerging. ENIA is in force as policy. The two headline AI bills remain proposals. Because draft texts can change, organisations should avoid treating any pending obligation as if it were already binding law.
There is also a coordination risk. Official commentary on bill 23.919 has warned about possible overlap with existing digital-government structures and the need to align AI legislation with broader state modernisation plans. That is a reminder that Costa Rica is still working out not only what AI rules it wants, but also which institutions should own them.
Another boundary is implementation visibility. ENIA's action plan is detailed and ambitious, but not every planned instrument is easy to verify as a final norm in force. The safest reading is that the strategy sets direction and public commitments, while the harder legal edge still depends on existing laws, sector directives and any future legislation or regulation.
This article explains the public framework at a point in time. It is not legal advice, and it does not replace sector-specific review for health, finance, justice, labour, education or public procurement use cases.
What to do next
Treat Costa Rica as an emerging AI-governance jurisdiction, not a blank slate and not a finished code. Start by mapping which of your systems use personal data, automate decisions, generate synthetic content, support public services or operate in sensitive sectors. Apply Law No. 8968 now, especially on notices, consent where required, data quality, data subject rights and vendor data flows.
Then prepare for likely future duties that appear in both bills, even though the bills are not yet law: human oversight, explainability, risk screening, cybersecurity, governance records and clear responsibility lines. If you work with the public sector, or on projects that could be framed as high impact or of public interest, keep reusable documentation ready, including purpose statements, risk reviews, testing records, human-review procedures, data maps, incident escalation paths and synthetic-content labelling practices.
Finally, monitor MICITT, ENIA implementation updates and sector-specific rules. In Costa Rica, the practical compliance signal is coming from policy rollout and institutional guidance as much as from Congress.
FAQs
Does Costa Rica have an AI law in force?
Not a single dedicated national AI statute, based on the official sources reviewed as of 5 June 2026. The live framework is ENIA, existing laws such as Law No. 8968, sector guidance, and pending AI bills.
Is ENIA legally binding?
ENIA is a national strategy and action plan. It is highly relevant for public policy, implementation and future rulemaking, but it is not the same as an enacted parliamentary AI act.
Which Costa Rican AI bill is closer to a risk-based model?
Bill 23.771. It uses risk categories, impact assessment, human supervision and transparency duties for higher-risk or synthetic-content uses.
Which bill would create new AI governance bodies?
Bill 23.919. It would create CIDIA and an ethical, technical and scientific advisory committee, alongside registration, reporting and high-risk certification mechanisms.
Who are the main institutions to watch?
MICITT is the central policy actor. PRODHAB matters for personal data. Sector bodies also matter, and the judiciary has already issued its own generative AI rules. If bill 23.771 passed, SUTEL would gain a clearer technical role in certain areas.
Do foreign AI vendors need to adapt now, even before a new AI law is passed?
Yes. If they process personal data, support public services, or deploy tools in sensitive settings, they should already localise privacy, transparency, security, record-keeping and human-review practices.
Is there already an AI regulatory sandbox in Costa Rica?
ENIA's action plan clearly calls for one, and official planning documents show work on its design. But a clearly operational national AI sandbox with final public rules was not confirmed in force during this research.
Can organisations wait until Congress finishes the debate?
That would be risky. Existing law already matters, sector rules are appearing, and the direction of travel in both legislative proposals rewards organisations that have already built governance discipline.