What is AI regulation in Georgia?
Georgia does not yet have a dedicated AI law. Today, AI is governed mainly through the Law on Personal Data Protection, which regulates automated decision-making, profiling, impact assessments, data security, international transfers and complaints. Policy direction comes from Georgia's 2025 to 2030 digital governance strategy, its EU association digital agenda and its signature of the Council of Europe AI Convention, but that is still short of a full domestic AI code.
What this means
Georgia does not yet have an AI Act of its own. The main binding rules today come from its personal data regime. That matters whenever an AI system uses personal data, profiles people, or makes decisions that can seriously affect them.
In those cases, Georgia's law can require notices, a lawful basis, security controls, a data protection impact assessment, and in some sectors a data protection officer. People also have a right not to be subject to certain solely automated decisions, and they must be able to seek human review and challenge the result.
Alongside that hard law, Georgia is moving in a more European direction. Its Digital Governance Agency has an EU-alignment role, the digital governance strategy says an ethical and legal AI framework should be developed, and Georgia has signed the Council of Europe AI Convention. But none of that yet amounts to a single, economy-wide AI rulebook.
Why it matters
For organisations, the practical point is simple: "no AI law" does not mean "no AI duties". If you buy or build AI for lending, insurance, telecoms, healthcare, employee screening, customer service, fraud checks or public services, Georgia's data protection duties can already bite. Vendor onboarding, transfer mapping, audit trails, human escalation routes and complaint handling all matter now, not after a future AI act arrives.
The strategic point is also important. Georgia's official digital policy is EU-facing, and the country has signed the Council of Europe AI Convention. So governance built only for today's minimum rules may age badly. A lighter, documented, risk-based governance model is a safer position for founders, operators, advisers and public bodies.
How it works
No dedicated AI statute yet
Georgia does not currently have a standalone AI act, a horizontal risk-classification scheme like the EU AI Act, or a single AI regulator identified in the official sources reviewed. The clearest official statement of direction is in the digital governance strategy, which says Georgia should prepare an ethical and legal framework for AI. That shows future intent, not a completed framework.
Personal data law does most of the current legal work
The Law on Personal Data Protection is where most binding AI-relevant duties currently sit. The main body of the law took effect on 1 March 2024, with the impact assessment and data protection officer provisions taking effect on 1 June 2024. It applies to automated and partly automated processing in Georgia and, in some cases, to controllers outside Georgia that use technical means available in Georgia.
For AI systems, the critical rule is the restriction on solely automated decisions, including profiling, that have legal or similarly significant effects on a person. Such decisions are allowed only in narrow cases, such as explicit consent, contractual necessity or where a law or authorised subordinate act provides for them. Even then, the person must be able to express a view and contest the decision, and human involvement must be available where the law requires it.
High-risk uses must be assessed and documented
Controllers must build in technical and organisational safeguards, protect data security, notify serious incidents, and carry out a data protection impact assessment in advance where high-risk processing is likely. A DPIA is mandatory for fully automated decisions with legal, financial or other significant consequences, for large-scale processing of special category data, and for systematic large-scale monitoring in public gathering places. If the risk cannot be substantially mitigated, the processing must not go ahead.
The same law also imposes data protection officer duties on important categories such as public institutions, insurers, commercial banks, microfinance organisations, credit bureaus, electronic communications companies, airlines, airports and medical institutions, as well as very large-scale processors and monitors. For organisations buying AI from foreign vendors, international transfer rules also matter.
Enforcement currently sits in the data protection system
As the consolidated law now stands, complaints, inspections, permits, lists of adequate jurisdictions and sanctions are assigned to the State Audit Office. It may inspect controllers and processors on its own initiative or following a complaint, require remediation, suspend or terminate unlawful processing or transfers, and impose administrative fines. In a single matter, the total fine can reach GEL 20,000 for higher-turnover legal persons.
One practical complication is institutional presentation. Some official public pages still use the name "Personal Data Protection Service" on the State Audit Office domain. So the legal text is clearer than the public branding, and organisations should verify the current filing route and contact point before making a complaint or consultation request.
Georgia is moving toward a European model, but not there yet
Georgia's Digital Governance Agency sits under the Ministry of Justice and has a formal role in preparing draft legal acts in digital governance and cyber security and in supporting approximation with EU law under the Association Agreement and related agendas. The official digital governance strategy is explicitly tied to Georgia's European integration path.
At the wider regional level, Georgia is part of the EU's eastern digital cooperation framework through its Association Agreement, which covers electronic communications, digital trust and e-commerce. Georgia also signed the Council of Europe Framework Convention on Artificial Intelligence on 5 September 2024. These are important signals of direction, but they are not the same thing as a domestic Georgian AI code.
Sectoral activity is emerging, especially in finance
Instead of a general AI act, some sectors are moving through supervised experiments. The National Bank of Georgia launched an A.I. Sandbox within its Regulatory Laboratory in 2025 to let companies test advanced technologies, including AI, in a controlled and supervised financial environment. That is a sectoral governance tool, not a whole-of-economy AI statute.
Examples
A bank or fintech that wants to test an AI tool in the Georgian financial sector does not have to work entirely in the dark. The National Bank's A.I. Sandbox gives it a controlled path to test and refine the technology under supervision inside the Regulatory Laboratory, rather than moving straight into ordinary live deployment.
A public institution, hospital, telecoms company or bank that plans to use a model for a solely automated significant decision about a person must look first at the personal data law, not for a separate AI act. If the system has legal, financial or similarly significant effects, it should be checked against the automated decision rule, given a human review route, and assessed through a DPIA where the law requires one.
A Georgian company that sends customer or employee data to an overseas AI provider also cannot treat the issue as mere procurement. It needs to check the international transfer basis, the safeguards in the destination jurisdiction, its contractual protections, its security measures and, where the chosen transfer route depends on contractual safeguards, whether a permit from the State Audit Office is required.
Common misunderstandings
"Georgia already has an AI Act." It does not. The official sources point instead to data protection law, digital policy and international commitments.
"If there is no AI Act, AI is basically unregulated." That is wrong. Georgia already has binding rules for personal-data AI, automated decision-making, security, transfers and enforcement.
"Only the public sector needs to care." No. Private sector controllers and processors can also face DPIA, DPO, transfer, complaint and sanction issues.
"Consent always makes automated decisions lawful." Not by itself in every case. The exceptions are limited, and significant automated decisions still need safeguards and challenge routes.
"Signing an international AI convention means Georgia now has a full domestic AI code." It does not. Signature is a direction-of-travel signal, not a complete national rulebook.
Risks and boundaries
The biggest boundary is scope. Georgia's current hard law is strongest where AI uses personal data. If a system does not process personal data, the official sources reviewed are much thinner, unless separate sector rules apply.
The second boundary is architecture. Georgia does not yet have a domestic AI framework with detailed prohibited-use rules, general-purpose AI rules, or economy-wide high-risk categories comparable to the EU AI Act. The digital governance strategy points toward future development, but it is still strategy.
The third boundary is institutional clarity. The consolidated personal data law now points to the State Audit Office, including for inspections, permits and complaints, yet some official web materials still present the function under the Personal Data Protection Service name. So the legal position is clearer than the public-facing branding.
Finally, parts of the practical regime still depend on implementing acts and supervisory practice. Organisations should treat Georgia as a jurisdiction with real present duties, but still an incomplete AI-specific framework that could tighten as policy turns into more detailed law.
What to do next
Map every AI use case, owner, data source, vendor and transfer route. Separate systems that merely assist staff from systems that can make solely automated, significant decisions about people.
For the second group, require a written DPIA before deployment, with the legal basis, necessity, proportionality, security controls, bias and error checks, human review path and complaint route. Confirm whether your organisation must appoint a DPO under Georgian law, and involve that person early.
Review foreign AI vendor contracts for transfer safeguards, audit rights, incident reporting, retention limits and clear responsibilities. Then monitor Georgian implementing acts, State Audit Office practice and any move from strategy to a dedicated AI framework.
FAQs
Does Georgia have a dedicated AI law?
No. Georgia's main binding AI-relevant duties currently come from personal data law and sector-specific governance.
Is the EU AI Act the law in Georgia?
No. Georgia is moving in an EU-facing digital direction, but its domestic position is still based on local data protection law, digital governance policy and international commitments that still need local implementation.
When does Georgian law care about AI most?
When the system uses personal data, profiles people, makes solely automated significant decisions, monitors behaviour at scale, or sends data abroad.
Do people in Georgia have a right against automated decisions?
Yes. The law gives a person the right not to be subject to certain solely automated decisions, including profiling, that have legal or similarly significant effects, except for limited exceptions.
Do I need a data protection impact assessment for AI?
Often yes for higher-risk personal-data uses. It is mandatory for fully automated decisions with significant consequences, large-scale special category data processing, and systematic large-scale monitoring in public gathering places.
Who supervises compliance now?
The consolidated personal data law points to the State Audit Office. But some official web pages still use the older Personal Data Protection Service branding, so verify the current contact route.
What if my AI vendor is outside Georgia?
Check the international transfer rules, the safeguards in the destination jurisdiction, the contract terms and whether your transfer route needs a permit from the State Audit Office.
