What is AI regulation in El Salvador?
AI regulation: countries and regions
Unlike most of Central America, El Salvador has a dedicated AI statute. The Ley de Fomento a Inteligencia Artificial y Tecnologias (Legislative Decree 234), approved in February 2025, is an explicitly pro-innovation law that created the Agencia Nacional de Inteligencia Artificial (ANIA) under the Presidency. It sits alongside the 2024 Personal Data Protection Law. The framework favours light-touch promotion, voluntary registration and sector-specific duties rather than the EU style of broad prohibitions.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
El Salvador is one of the few countries in the world, and the first in Central America, to enact a standalone law specifically about artificial intelligence rather than relying only on a strategy or on general data and consumer rules. The Legislative Assembly approved the Ley de Fomento a Inteligencia Artificial y Tecnologias on 26 February 2025. It was published in the Diario Oficial on 3 March 2025 and took effect on 11 March 2025. The law's stated purpose is to promote development, research and application of AI to drive technological advancement and economic growth, while managing associated risks and providing safeguards for developers.
The law created a single regulator, the Agencia Nacional de Inteligencia Artificial (ANIA), attached to the Presidency of the Republic. ANIA runs a National Registry for AI Development, Innovation and Application, designs a risk assessment framework, and acts as a one-stop contact point for procedures. In August 2025 ANIA issued detailed implementing provisions (Resolution 0001/2025) that set out registration triggers, sector duties and compliance routes. These provisions took effect on 2 September 2025.
Separately, El Salvador passed its first comprehensive Personal Data Protection Law (Decree 144) in November 2024, supervised by the State Cybersecurity Agency (ACE). Together with the older Access to Public Information Law and the broader digital agenda, these instruments form the legal backdrop against which AI is governed. The orientation throughout is deliberately permissive: El Salvador markets itself as an "AI-first" jurisdiction that contrasts its model with stricter regimes elsewhere.
Why it matters
For organisations deploying or governing AI, El Salvador now presents a concrete compliance surface rather than a regulatory vacuum. The practical stakes are threefold. First, there are real registration duties: operators of AI systems that make "consequential decisions" in defined sectors (health, finance and insurance, public biometrics, government services, employment, and education or licensing) must register with ANIA before deployment, and conduct algorithmic impact assessments. Second, anything touching personal data must also satisfy the 2024 Data Protection Law, which carries tiered fines and a 72-hour breach notification duty enforced by ACE. Third, the regime is explicitly designed to attract investment, so it offers liability safeguards, a regulatory sandbox and recognition of international standards (such as ISO/IEC 42001) as a presumption of conformity. Companies that map their use cases against these triggers early can gain certainty, while those that assume "no rules apply" risk non-compliance with a framework that is already in force.
How it works
The governing statute
The core instrument is the Ley de Fomento a Inteligencia Artificial y Tecnologias, enacted as Legislative Decree 234 of 26 February 2025 and published in the Diario Oficial No. 43, Tomo 446, on 3 March 2025, taking effect on 11 March 2025. Article 1 states the law's object: to contribute to technological advancement and economic growth by promoting the development, research and application of AI, through an integral regulatory framework that manages associated risks and generates relevant safeguards. Article 5 lists guiding principles: equity, transparency, responsibility, informed consent, data minimisation, inclusion and non-discrimination. The law applies to any natural or legal person, national or foreign, that develops, researches, implements, processes or uses AI, machine learning, generative models and similar technologies in connection with El Salvador. This is binding law (hard law), not a strategy or policy paper. Article 27 gave ANIA a 90-day period from the effective date to issue technical security criteria and registration rules.
The regulator: ANIA
Article 7 created the Agencia Nacional de Inteligencia Artificial (ANIA) as the rector authority for promotion of AI development, research and application, related to the Executive through the Presidency of the Republic. A reform in July 2025 (Decree 363) strengthened ANIA's status, defining it as a decentralised public-law institution with its own legal personality, assets and administrative, budgetary, functional and technical autonomy, headed by an Executive Director. President Nayib Bukele named Mario Jose Flamenco Rivas, who had led the National Bitcoin Office's CUBO+ programme that trained more than 300 Salvadorans, as ANIA's first director on 23 June 2025. ANIA's implementing provisions organise it into divisions for Technical Standards, Registry and Support, Innovation and Education, and International Cooperation, supported by a Technical Advisory Committee drawn from academia, industry and the public sector.
Registration: voluntary and mandatory
ANIA's Resolution 0001/2025 (the implementing provisions, in force from 2 September 2025) splits registration into two tracks. Voluntary registration lets entities obtain the legal safeguards referenced in the law, such as exemption from liability for third-party misuse where reasonable security and ethical efforts are demonstrated. Mandatory registration applies only to operators whose system makes a "consequential decision" (where AI is the controlling factor materially affecting a person's legal status, rights or access to essential goods and services) in six listed uses: health diagnosis and treatment; credit, lending, pricing or insurance eligibility; real-time biometric identification in public spaces; exercise of public powers or access to government services and benefits; hiring, dismissal, promotion or compensation without meaningful human oversight; and admissions, large-scale grading, academic progression or professional licensing. General-purpose model providers, infrastructure and developer tools, pure research and training phases, and ordinary consumer productivity software are expressly excluded from mandatory registration.
Risk assessment and compliance routes
Operators subject to mandatory registration must carry out an algorithmic impact assessment that identifies risks to affected individuals, evaluates likelihood and severity, documents mitigation, sets monitoring procedures and includes bias and fairness testing appropriate to the sector. Compliance can be demonstrated through self-certification against ANIA-recognised standards (reviewed annually), third-party certification by an approved body, or participation in ANIA's supervised innovation sandbox. The implementing provisions grant a presumption of conformity to entities certified under recognised international standards, naming ISO/IEC 42001 (AI management systems), ISO/IEC 23894 (AI risk management), the NIST AI Risk Management Framework and several IEEE 7000-series standards. The sandbox offers a twelve-month grace period without sanctions plus expedited certification.
Automated decisions and human review
Where AI is used commercially or to grant access to rights or services, users must be told whether a decision was made entirely by AI or merely influenced by it, and mechanisms must allow a person to appeal the decision before a competent human authority who may confirm, modify or revoke it. This is a narrower, sector-triggered version of the human-in-the-loop protections familiar from data protection law elsewhere.
Data protection and cybersecurity backbone
The Personal Data Protection Law (Decree 144), published in the Diario Oficial No. 219, Tomo 445, on 15 November 2024 and in force from 23 November 2024, is El Salvador's first comprehensive data protection statute, following President Bukele's veto of an earlier 2021 bill. It establishes ARCO-POL rights (access, rectification, cancellation, opposition, portability, oblivion and limitation), requires informed consent and a Data Protection Officer, mandates breach notification within 72 hours, and is enforced by the State Cybersecurity Agency (ACE) created by the companion Cybersecurity and Information Security Law (Decree 143). Its sanctioning regime is tiered: minor infractions carry fines of 1 to 10 minimum monthly salaries (commerce sector), serious infractions 11 to 25, and very serious infractions 26 to 40. Any AI use of personal data must comply with this law and ACE security rules. Notably, the data law itself does not require data protection impact assessments, so that obligation arrives through the AI framework instead.
The digital agenda and innovation context
The AI law builds on an existing digital push. The National Digital Agenda 2020-2030, developed by the Presidency's Secretariat of Innovation, organises digital transformation around digital identity, innovation, education and competitiveness, and digital governance and state modernisation. El Salvador also has a Ley de Fomento a la Innovacion y Manufactura Tecnologica offering fiscal incentives. The AI agenda is closely tied to the country's high-profile technology branding, including its Bitcoin initiatives and the National Artificial Intelligence Laboratory, which in November 2025 made El Salvador the first Latin American country to receive NVIDIA's B300 (Blackwell Ultra) AI chips, deployed at a geothermal plant. Flamenco has cited NVIDIA, Google AI and ARK as ANIA partners.
Examples
A bank deploying an AI model to approve or deny consumer loans in El Salvador is making a consequential decision under Article 11 of ANIA's implementing provisions. The operator must register with ANIA before deployment, complete an algorithmic impact assessment covering bias and fairness, choose a compliance route (self-certification, third-party certification or sandbox), and ensure any personal data processing meets the 2024 Data Protection Law. Affected customers must be told an AI was involved and be able to appeal to a human reviewer.
A foreign software company offering a general-purpose AI model or cloud API to Salvadoran customers is expressly excluded from mandatory registration on that basis alone. If that same company later itself deploys the system for one of the six listed consequential uses, it must register before deployment. Foreign entities may register without forming a local subsidiary by naming a Designated Representative before ANIA.
A start-up testing a novel generative AI tool can enter ANIA's innovation sandbox by submitting a letter of intent, a basic risk-mitigation plan and a commitment to share lessons learned. In return it receives a twelve-month grace period without sanctions, ongoing regulatory feedback and an expedited certification route, before transitioning to a standard compliance path.
Common misunderstandings
"El Salvador has no AI law, only a strategy." Incorrect. It has a binding statute (Decree 234) in force since March 2025, with detailed implementing provisions in force since September 2025.
"The law is like the EU AI Act." Misleading. The Salvadoran law is promotional and light-touch, built on voluntary registration, liability safeguards and a sandbox, and it explicitly contrasts itself with stricter regimes. It does not impose the EU's broad list of prohibited practices or its horizontal high-risk obligations.
"Every AI deployment must register with ANIA." No. Registration is mandatory only for operators making consequential decisions in six defined sectors. Most uses, including general-purpose providers and ordinary productivity software, are not subject to mandatory registration.
"There is no data protection in El Salvador." Outdated. A comprehensive Personal Data Protection Law took effect in November 2024, enforced by the State Cybersecurity Agency, after an earlier bill was vetoed in 2021.
"ANIA is purely a promotional body with no teeth." Partly wrong. ANIA promotes and supports AI, but it also runs mandatory registration, sets the risk assessment framework, recognises standards and supervises sector compliance.
Risks and boundaries
The framework is new and still maturing, so several boundaries should be stated plainly. The headline law is pro-innovation by design: it emphasises promotion, free participation and developer safeguards more than enforcement, and much operational detail sits in ANIA's implementing provisions rather than the statute itself. Secondary technical guidance from ANIA (for example on data minimisation exceptions and recognised standards) is still being issued, so specific obligations may evolve. The regime is not a comprehensive risk-tiering system like the EU AI Act; its mandatory scope is limited to enumerated consequential-decision sectors. The data protection law is enforced by the State Cybersecurity Agency rather than an independent privacy authority, and Human Rights Watch has criticised the cybersecurity and data laws; its Americas director, Juanita Goebertus, warned that "these new laws could be used to delete online publications that are critical of the government under the guise of data protection. This is a recipe for censorship and opacity," noting that offending media outlets could face fines of up to 40 minimum monthly salaries. El Salvador has not adhered to the OECD AI Principles and has not signed the Council of Europe Framework Convention on AI; on the UNESCO Recommendation on the Ethics of AI it is at an early "in preparation" stage of the Readiness Assessment Methodology and has not published a completed country report. Readers should treat institutional arrangements as subject to change, since ANIA's status was already reformed once in July 2025.
What to do next
Start by mapping your AI use cases against ANIA's six mandatory-registration sectors and the "consequential decision" test; if any system is the controlling factor in a decision affecting Salvadoran residents' rights or access to essential services, plan to register before deployment. Run an algorithmic impact assessment for those systems, covering bias, fairness, mitigation and monitoring. Treat the 2024 Personal Data Protection Law as a parallel and independent obligation: appoint a Data Protection Officer, document lawful bases and consent, and build a 72-hour breach notification process for ACE. Where you qualify, consider voluntary registration to secure liability safeguards, and consider the ANIA sandbox for novel systems. Pursue certification against recognised international standards such as ISO/IEC 42001 to obtain the presumption of conformity. Finally, monitor ANIA guidance and watch the benchmarks that would change your posture: new sector triggers, published technical guidelines, fee schedules, and any move from a promotional model toward active enforcement.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does El Salvador have a dedicated AI law?
Yes. The Ley de Fomento a Inteligencia Artificial y Tecnologias (Decree 234) was approved on 26 February 2025, published on 3 March 2025 and took effect on 11 March 2025. It is binding law, not just a strategy.
Who regulates AI in El Salvador?
The Agencia Nacional de Inteligencia Artificial (ANIA), an autonomous public institution related to the Presidency of the Republic, is the rector authority. The State Cybersecurity Agency (ACE) enforces the data protection and cybersecurity laws.
Is registration with ANIA always required?
No. Registration is mandatory only for operators making consequential decisions in six defined sectors. It is voluntary for others, who can register to obtain legal safeguards. General-purpose providers and ordinary productivity software are excluded.
How does El Salvador's approach differ from the EU AI Act?
It is deliberately pro-innovation and lighter touch, relying on voluntary registration, liability safeguards, a sandbox and recognition of international standards, rather than the EU's broad prohibitions and horizontal high-risk obligations.
Does El Salvador have a data protection law?
Yes. The Personal Data Protection Law (Decree 144) took effect on 23 November 2024, establishing ARCO-POL rights, consent requirements, a Data Protection Officer duty and 72-hour breach notification, enforced by the State Cybersecurity Agency.
Are there rights against automated decisions?
Yes, in defined contexts. Where AI is used commercially or to grant access to rights or services, individuals must be told an AI was involved and may appeal to a competent human authority who can confirm, modify or revoke the decision.
Has El Salvador joined international AI instruments?
It has not adhered to the OECD AI Principles and has not signed the Council of Europe Framework Convention on AI. As a UNESCO member state it is covered by the 2021 Recommendation on the Ethics of AI and is at an early stage of the related Readiness Assessment.
When did ANIA's detailed rules take effect?
ANIA's implementing provisions (Resolution 0001/2025), which set registration triggers, sector duties and compliance routes, entered into force on 2 September 2025.