What is AI regulation in Iran?
Iran does not yet have a standalone AI law. Instead, its AI policy is set out in a national strategy and ongoing legislation. In 2025-26 Iran's parliament approved a National AI Plan and is establishing a National AI Organization under the President to coordinate AI across government. In the meantime, AI activities are subject to Iran's existing laws (cybersecurity, privacy, media laws etc.) and guidance from that strategy.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Iran's AI regulation is centred on a top-down government framework. In 2024-25, Iran's Supreme Leader and senior councils directed the creation of a "National Artificial Intelligence Document" (a strategy) and a formal plan for AI development. In 2025, the parliament reviewed and approved a National AI Plan, which formally establishes a National AI Organization (NAIO) and a high-level steering council to oversee AI. The NAIO will sit under the President's office and coordinate AI policy across ministries.
No dedicated AI law is in force yet. Rather, Iran relies on this strategy and existing regulations. AI development is guided by state priorities (e.g. health, education, industry) and by embedding local ethical, cultural and religious values into AI use. Islamic principles and national security concerns are explicitly highlighted as part of Iran's approach, in line with the country's focus on technology "sovereignty."
Why it matters
For organizations operating in Iran, this means AI projects will be shaped by state strategy rather than independent markets. The government prioritises state control and national goals, so companies must work with new state bodies (like the NAIO) and align with approved AI uses (healthcare, industry, etc.). Data residency and using Iranian infrastructure may become mandatory as part of "AI sovereignty." Also, existing laws on privacy, national security and media apply: for example, generating false or politically sensitive content via AI could attract penalties under Iran's cyber and propaganda laws. In short, developers must navigate a strict, state-led ecosystem where AI must serve approved national interests.
How it works
National AI Strategy and Institutions
Iran's AI framework is built around a national strategy and new institutions. In 2024-25 leaders approved a National AI Document (a supra-ministerial strategy) and instructed the government to implement it. This strategy calls for a multi-layer governance structure, including a National AI Organization (NAIO) and a high-level AI Steering Council. The NAIO (now being set up) will be an executive body under the President, responsible for coordinating AI development, setting standards, and engaging with international AI forums. Line ministries (Science, ICT, Health, Education etc.) have defined roles to implement AI programs in priority sectors.
Legislative and Regulatory Framework
There is no single "AI Act" yet. Instead, Iran's parliament is drafting a national AI bill. In 2025 it approved the general outline of a National AI Plan which includes reviving the NAIO and establishing a secretariat for an AI Steering Council. Under this plan, Iran will formalise AI rules through sectoral regulations and possibly administrative fines, but new penalties will largely rely on existing laws. The official summary of the AI document notes that enforcement of AI policy will use existing cybersecurity, privacy and other legal frameworks. For example, misuse of AI-generated content may be prosecuted under Iran's cybercrime laws or other statutes dealing with "misinformation" and national security.
Data Protection and Ethics
Iran does not have a comprehensive personal data law. Its Constitution and various sector laws offer some privacy protections, but no unified data-protection regulation exists. There is also no independent data protection authority. In practice, data used in AI projects (especially public-sector data) is managed under national data policies and cyber regulations. The national AI strategy explicitly calls for embedding ethical and religious values into AI policy. Iran cites Islamic and cultural principles as guiding AI development, reflecting an emphasis on national moral values. On the global stage, Iran participates in initiatives like the UNESCO AI Ethics Recommendation to signal commitment to ethical AI principles (though specific domestic rules are still being developed).
Examples
- A public health agency deploying AI. For example, Iran's Ministry of Health might launch an AI-based medical imaging system. This project would align with the national strategy's priority on healthcare. It would use data hosted on approved national platforms and follow standards set by the NAIO or Health Ministry. Even without a specific AI law, the agency would ensure compliance with Iran's medical data rules and cybersecurity laws while proceeding under the guidance of the national AI strategy.
- A technology company seeking to commercialize AI solutions. A startup developing Persian-language AI tools would coordinate with Iran's National AI Organization (once operational) and relevant ministries (such as Communications or Science) for permissions or funding. It would need to host data locally per "AI sovereignty" policy and certify that its AI outputs do not violate content rules. If the product uses personal data, the company must still respect Iran's general privacy requirements and the constitution's privacy guarantees, even though there is no specific GDPR-style law.
- AI-generated media and misinformation. For instance, a news outlet using generative AI to create images or videos would fall under Iran's existing media and cybersecurity laws. Although no AI-specific regulations on watermarking are codified yet, regulators have signalled that fake content is heavily monitored. Iran's broad laws against "spreading falsehood" can be applied to penalize synthetic media that the state deems misleading. Thus, in practice, content creators must self-regulate or adhere to any forthcoming guidelines on AI content to avoid prosecution under the country's cyber and national security statutes.
Common misunderstandings
- **"Iran has a comprehensive AI law already."** In fact, Iran is still working on its first AI law. It currently uses a high-level AI strategy and existing regulations; a formal AI Act is under parliamentary review.
- **"Existing data protection laws in Iran fully cover AI."** There is no single data protection law in Iran. Data privacy issues are handled by a patchwork of rules (e.g. constitution, e-commerce law). This means companies can't rely on something like an EU-style law, although basic privacy protections still apply.
- **"AI development is unrestricted and independent."** On the contrary, Iran's approach is tightly state-managed. AI projects must fit national priorities and are overseen by new institutions (like the National AI Organization). Foreign control of AI technology is limited by policies emphasizing "sovereignty," so companies face local restrictions and requirements.
- **"The UNESCO AI ethics recommendation is optional for Iran."** While UNESCO sets voluntary guidelines, Iran (as a UNESCO member) formally supports ethical AI principles. Iran's strategy explicitly mentions aligning AI with human rights and ethical standards, consistent with UNESCO's global framework.
- **"AI in Iran is only for military uses."** Although Iran has military AI applications, its national strategy also stresses civilian sectors: education, health, industry and public services are named as priority domains. The goal is broad technological development, not solely defence.
Risks and boundaries
Iran's AI regulation is currently framed in national-security and cultural terms. It should not be mistaken for a rights-based, flexible regime; it is highly centralized and prescriptive. The NAIO and other bodies are accountable to the President, not an independent regulator. The laws in place (cyber, content control) are often used to enforce political conformity. Until a clear law exists, compliance means following government guidance and existing statutes, not expecting the neutral, risk-tiered rules seen in some jurisdictions. Also, due to sanctions and "digital sovereignty" policy, foreign technology may be restricted or require local hosting. The status of the AI bill is still evolving, so businesses and policymakers should track developments closely: new provisions could introduce harsher penalties or requirements over time.
What to do next
- **Watch for new legislation and engage early.** The National AI Plan and supporting bill are a major shift. Organisations should monitor the bill's progress and prepare to work with the National AI Organization once it's fully established. Input from industry and academia may be sought in upcoming regulations, so staying informed is vital.
- **Align with government priorities.** Tailor AI projects to Iran's stated objectives (healthcare, education, etc.) to take advantage of public support or funding. Identify how the project advances national goals or ethical standards, as these are likely required in approvals and oversight.
- **Ensure data and content compliance.** Even without a GDPR, err on the side of strong privacy measures (consent, data minimisation) to avoid future legal issues. Implement content checks to prevent "untrue news" outputs, since Iran strongly polices false or politically sensitive information.
- **Adopt international best practices.** Familiarise yourself with the UNESCO Recommendation on AI ethics and other global guidelines. Incorporate those principles (transparency, fairness, human oversight) to demonstrate good faith and prepare for Iran to reference those standards in its own rules.
- **Prepare for technology requirements.** Plan for local compute and data storage needs, given Iran's emphasis on domestic infrastructure. Investigate any necessary registration or certification with Iranian regulators for AI systems.
FAQs
**Does Iran have a specific AI law?**
Not yet. Iran is developing one. It has approved a national AI strategy and a draft AI bill, but no dedicated AI law has come into force. Current AI use is governed by existing laws (cybersecurity, privacy, media) and the new National AI Plan.
**Who is responsible for AI regulation in Iran?**
The President's office and related councils. A National AI Organization (NAIO) is being set up under the President to oversee AI programs, in coordination with the Supreme Council for Cyberspace and various ministries.
**What about data privacy and AI?**
Iran has no comprehensive data privacy law. In practice, personal data used in AI projects falls under general rules (e.g. the constitution's privacy guarantee, consumer protection, and cybersecurity laws). Companies should still apply strong privacy measures even though there is no single AI-specific data law.
**Are there requirements for AI-generated content (like watermarking)?**
No specific rule is in force, but Iran's focus on "synthetic misinformation" suggests strict control. Existing laws against false news or propaganda could be applied to AI content. In the future, Iran may mandate clear labeling or other controls to flag AI-generated media, but details will depend on the final AI regulations.
**How does international AI ethics come into play?**
Iran participates in global AI discussions (e.g. UNESCO's ethics recommendation). Its own guidelines reference ethical and cultural values. While Iran tailors policy to local norms, it generally endorses the idea of human-centred, fair AI. Following UNESCO and OECD principles is a good guide for compliance.
