What is AI regulation in Iceland?
AI regulation: countries and regions
Iceland has no dedicated, standalone AI law. As a European Economic Area (EEA) state, it regulates AI today mainly through data protection law (Act No. 90/2018, implementing the GDPR and enforced by Personuvernd) plus a non-binding national AI Action Plan. The EU AI Act (Regulation (EU) 2024/1689) has not yet been incorporated into the EEA Agreement; it remains under scrutiny by the EEA EFTA states, so it does not yet apply as Icelandic law.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no Icelandic "AI Act". Iceland governs artificial intelligence through existing horizontal laws and a policy strategy. The most important binding rules come from data protection law: Act No. 90/2018 on Data Protection and the Processing of Personal Data, which implements the EU GDPR via the EEA Agreement and is supervised by Personuvernd, the Icelandic Data Protection Authority. Sector laws and the constitutional right to privacy also apply.
Iceland is not an EU member, but it is part of the EEA. EU single-market law becomes Icelandic law only after the EEA Joint Committee adopts a decision incorporating it into the EEA Agreement. The EU AI Act has been marked EEA-relevant and is being processed for incorporation, but no Joint Committee decision has yet been adopted.
Alongside this, the government has published Iceland's AI Action Plan 2025 to 2027, released in English on 10 October 2025 by the Ministry of Culture, Innovation and Higher Education. It is a policy document rather than a statute. It sets out funded measures to encourage responsible adoption, build skills and protect the Icelandic language, and it signals that Iceland will apply the EU AI Act once incorporated.
Why it matters
For organisations building or buying AI in Iceland, the practical message is that the binding rules today are data protection rules, not AI-specific rules. If your system processes personal data, GDPR obligations apply in full: lawful basis, transparency, data minimisation, data protection impact assessments for high-risk processing, and safeguards around automated decision-making. The EU AI Act is coming via the EEA, so forward-looking organisations should prepare now, but they should not assume the Act is already enforceable in Iceland. The government frames its strategy in similar terms: Minister of Culture, Innovation and Higher Education Logi Einarsson described the AI Action Plan as a crucial step, saying "Iceland needs to act quickly and take advantage of our unique position as a small but technologically advanced nation".
How it works
Data protection as the binding core
Act No. 90/2018 entered into force on 15 July 2018 and implements the GDPR. Personuvernd is the independent supervisory authority. It can investigate, order processing to stop and impose administrative fines. Where an AI system uses personal data, the controller must have a lawful basis, provide transparency, and run a data protection impact assessment for high-risk processing. Rules on automated individual decision-making give people the right to human intervention.
The EEA route for the EU AI Act
The EU AI Act (Regulation (EU) 2024/1689) entered into force in the EU on 1 August 2024. For Iceland it is not automatically law. EU acts marked EEA-relevant must be incorporated into the EEA Agreement by a decision of the EEA Joint Committee before they bind the EEA EFTA states (Iceland, Liechtenstein and Norway). According to EFTA's EEA-Lex factsheet, the AI Act is currently under scrutiny for incorporation and is slotted into Annex XI of the EEA Agreement (Electronic Communication, Audiovisual Services and Information Society). No Joint Committee decision incorporating it has been adopted yet. As one tracker puts it, "The AI Act has been proposed with possible EEA relevance and is currently under scrutiny by the EEA EFTA for incorporation into the EEA Agreement. Norway, Liechtenstein and Iceland are participating in AI Board meetings as observers."
National policy: the AI Action Plan
The government has published Iceland's AI Action Plan 2025 to 2027 through the Ministry of Culture, Innovation and Higher Education. It outlines 20 fully funded actions across five key areas: "AI for the Good of All", "Competitive Business", "Education in Step with the Times", "New Approaches to Public Service" and "The Healthcare System of the Future", with a strong emphasis on Icelandic language technology. It will be reviewed every six months, with a full review due by mid-2027. It is not binding law and creates no penalties, but it states that Iceland will align with and implement the EU AI Act once it is incorporated into the EEA Agreement.
Institutions and supervision
No single AI regulator exists. Personuvernd is the most active body where AI touches personal data. The Ministry of Culture, Innovation and Higher Education leads AI strategy. Other regulators cover their domains, such as the Electronic Communications Office for networks. When the AI Act is incorporated, Iceland will need to designate national competent and market surveillance authorities, as Norway has signalled it will do; Iceland has not yet formally designated such an authority.
Examples
A health-tech company deploying a diagnostic model in Iceland: because it processes health data, it must comply with Act No. 90/2018, run a data protection impact assessment, and document its lawful basis. The EU AI Act's high-risk rules do not yet bind it in Iceland, but the company should map against those rules in anticipation.
A public body using AI to triage citizen queries: Iceland's digital public services already use AI to draft responses and prioritise cases. Such use must respect data protection rules, human oversight and transparency. Government guidance for Stafraent Island (Digital Iceland) prohibits putting sensitive personal data, real identification numbers (kennitala) or development secrets into open or external AI tools.
An insurer making automated decisions on policy applications: in its 2024 annual report, Personuvernd noted that the largest Icelandic insurers, which make automated decisions on applications and quote requests for life and health insurance, broadly meet the requirements of data protection law, confirming that GDPR safeguards such as transparency and human review apply to such AI-driven decisions.
Common misunderstandings
"Iceland has its own AI Act." It does not. There is no standalone Icelandic AI statute. Regulation rests on data protection law and a policy strategy.
"The EU AI Act already applies in Iceland because Iceland follows EU rules." Not yet. The Act must first be incorporated into the EEA Agreement by the EEA Joint Committee, and that has not happened.
"AI is unregulated in Iceland." Wrong. If a system uses personal data, the GDPR as implemented in Act No. 90/2018 applies fully and is enforced by Personuvernd.
"Iceland has appointed an AI regulator." Not for the AI Act. Personuvernd regulates data protection, but no dedicated AI Act competent authority has been designated yet.
"The AI Action Plan is law." It is policy, not legislation, and carries no penalties of its own.
Risks and boundaries
This article describes the framework as of mid-2026 and is not legal advice. The key uncertainty is timing: the EU AI Act is under scrutiny for EEA incorporation but not yet adopted into the EEA Agreement, so its duties, including those on high-risk systems and general-purpose AI models, are not yet enforceable in Iceland. Once incorporated, adaptations and national implementing measures may apply, and Iceland will designate competent authorities. Until then, organisations face binding obligations chiefly under data protection law. The EU's own timeline (including amendments under the simplification package agreed in 2026) may also shift the dates Iceland eventually applies.
What to do next
Treat data protection compliance as the binding baseline now: confirm lawful basis, run data protection impact assessments for high-risk processing, and build human oversight into automated decisions. Track EEA incorporation of the AI Act through EFTA sources rather than assuming EU dates apply directly. Start mapping your AI systems against the EU AI Act's risk categories now so you are ready when incorporation lands. Watch for Iceland's designation of national AI authorities. Follow Personuvernd guidance and the national AI Action Plan for direction.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Iceland have a dedicated AI law?
No. Iceland has no standalone AI statute. AI is governed mainly through data protection law and a non-binding national AI Action Plan.
Does the EU AI Act apply in Iceland?
Not yet. The Act is under scrutiny for incorporation into the EEA Agreement and has not yet been adopted by the EEA Joint Committee, so it does not yet bind Iceland.
Who regulates AI in Iceland today?
There is no single AI regulator. Personuvernd, the Icelandic Data Protection Authority, is the most active body where AI involves personal data.
What law applies if my AI system uses personal data?
Act No. 90/2018 on Data Protection and the Processing of Personal Data, which implements the GDPR, applies and is enforced by Personuvernd.
When will the EU AI Act apply in Iceland?
There is no confirmed date. It applies once the EEA Joint Committee adopts a decision incorporating it into the EEA Agreement, which had not happened as of mid-2026.
What is the Icelandic AI Action Plan?
A government policy document for 2025 to 2027 setting 20 funded measures for responsible AI adoption, skills and Icelandic language technology. It is not binding law.
Has Iceland designated an AI Act competent authority?
Not yet. Iceland will need to designate national competent and market surveillance authorities once the Act is incorporated.