What is AI regulation in Israel?
Global AI regulation
Israel does not yet regulate AI through a single binding AI Act. Instead, it uses a layered model: a 2023 national policy on AI regulation and ethics, existing laws such as privacy and sector rules, regulator-led guidance, and a 2025 public-sector Responsible AI Guide. The model is risk-based, sector-specific and aligned with OECD principles. In practice, the applicable duties depend on the use case, the sector, the data involved and whether the user is a public body.
What this means
In Israel, "AI regulation" mostly means policy plus existing law, not one new omnibus statute. The state has chosen a flexible model that tells regulators to work through current legal frameworks where possible, add sector-specific measures where risk is real, and use tools such as guidance and regulatory sandboxes instead of rushing to a single cross-economy AI law.
That makes Israel different from jurisdictions that rely on one dedicated AI statute. It also means AI governance in Israel is not just an ethics discussion. It can engage privacy law, data security duties, financial supervision, health regulation, administrative law and public procurement rules, depending on the setting.
For most organisations, the practical question is not "Is there an AI Act?" It is "Which Israeli rules already apply to this AI use case, who enforces them, and what governance evidence should we be able to show?"
Why it matters
If you build, buy or deploy AI in Israel, the absence of one headline AI statute does not mean low regulatory exposure. Legal and governance risk still arises through existing binding rules, especially where AI affects people, uses personal data, supports public decisions, or sits inside a regulated sector such as finance or health.
The Israeli model also puts a premium on judgement and documentation. Public bodies are now being told to use a structured responsible-AI process. Private organisations can expect similar expectations to appear through sector guidance, regulator engagement, due diligence, customer demands and government contracting. In other words, Israel is lighter on one-size-fits-all AI legislation, but not light on governance discipline.
How it works
Israel has policy architecture, not a single AI statute
Israel's current framework starts with the 2023 policy document "Israel's Policy on Artificial Intelligence Regulation and Ethics". That document is the state's main national statement on how AI should be governed. It is important, but it is not the same thing as a binding AI act.
That distinction matters. Official audit material from the State Comptroller has said that Israel still lacks specific AI legislation and that the policy principles had not received full government approval. So the current model is best understood as a policy-led framework that guides regulators and public bodies, rather than a complete statutory code.
The model is sector-specific and risk-based
The 2023 policy rejects an immediate move to broad horizontal AI legislation. Instead, it prefers sector-specific regulation, alignment with leading international approaches, and a risk-based method that adjusts legal and governance intervention to the seriousness of the use case.
In practice, that means Israeli authorities are expected to ask where the AI is being used, what risks it creates, which existing laws already apply, and whether flexible tools can address the issue before new legislation is written. This is a more incremental model than the EU AI Act, even though it follows some of the same broad themes, such as risk differentiation, human oversight and the protection of rights.
The policy also explicitly aligns Israel with the OECD AI Principles. That matters for two reasons. First, it gives regulators and organisations a stable reference point. Second, it helps explain why Israeli documents keep returning to ideas such as trustworthiness, accountability, human-centred use, transparency and risk management.
Public-sector responsible AI has its own guide
In June 2025, Israel published its first official Responsible AI Guide for the public sector. The guide was launched by the National Digital Agency together with legal and financial authorities across government, and it was issued as a public consultation draft.
The guide is important because it turns broad principle into process. It is not just a statement that AI should be used responsibly. It sets out a structured way for public bodies to assess, manage and monitor AI use. Official descriptions of the guide say it covers organisational, technological and business considerations, and that it aims to preserve human judgement, professional oversight and a culture of responsible use.
For a ministry, regulator, municipality or government supplier, this is the clearest sign of where Israeli public-sector governance is heading. It points towards named internal responsibility, structured risk review, documented decisions, and continuing oversight after deployment. Even though the guide is directed at the public sector, private firms that sell AI into government should expect these expectations to shape procurement and assurance discussions.
Privacy law already does much of the legal work
Because Israel has no single AI act, a large share of current hard-law pressure comes from existing privacy rules. The Privacy Protection Authority is the main regulator and enforcement body for personal digital information in Israel.
That matters for AI because many AI systems are built, trained or used with personal data. In 2025, the Authority published draft guidance on the application of the Privacy Protection Law to AI systems. The key message is straightforward: an organisation needs a lawful basis for processing personal data at each stage of the AI lifecycle, not just when the live system is already in use.
The Authority also published a guide on privacy-enhancing technologies for AI systems. That guide is operational rather than abstract. Its purpose is to help organisations reduce privacy risk across the AI lifecycle, using technical and organisational measures rather than relying only on policy wording. For organisations using AI in Israel, this combination of draft legal interpretation plus practical privacy tooling is one of the clearest signs that existing law is being adapted to AI step by step.
Institutions are distributed across government
Israel does not have one all-powerful AI regulator. Responsibility is distributed.
The Ministry of Innovation, Science and Technology has been the main policy lead. The Ministry of Justice, especially its legal policy functions, has worked with it on regulation and ethics. The National Digital Agency has taken the lead on public-sector responsible AI guidance. The Privacy Protection Authority handles personal-data issues. Sector regulators and ministries are then expected to apply current law and supervisory tools inside their own domains.
Official materials also describe a coordination or knowledge-centre function intended to support consistency across regulators, especially on cross-sector questions. That reflects Israel's broader structure: decentralised regulation, but with a central policy and coordination layer so that sectors do not drift too far apart.
Duties are created by use case, not by AI branding alone
Under the Israeli model, calling something "AI" does not by itself determine the rulebook. The practical duties arise from the use case.
If an AI tool processes personal data, privacy law is immediately in play. If it helps make or support public decisions, administrative fairness, accountability and human review become central. If it is used in finance, health or another supervised field, the relevant sector regulator may interpret existing duties in light of AI's specific risks. If it is introduced inside a public body, the Responsible AI Guide points toward internal governance, risk review and ongoing oversight.
This is one reason Israeli organisations need good internal mapping. You need to know what systems you use, what they do, who is affected, what data they rely on, who is accountable, and which existing legal regime governs each step. Without that map, the decentralised model becomes hard to manage.
Enforcement runs through existing powers
Because there is no single AI act, there is no single AI enforcement pathway. Enforcement comes through the powers that regulators and supervisors already have.
For data and privacy issues, that means the Privacy Protection Authority. For public bodies, accountability can also come through internal controls, administrative law, procurement scrutiny and audit. In regulated sectors, supervisors can use current legislation and rulebooks to address AI use within their remit. Official work in the financial sector points in exactly this direction: relying, as far as possible, on existing regulatory frameworks rather than assuming a new AI law is the only answer.
This matters operationally. An organisation cannot treat AI governance as a stand-alone side project. It has to connect AI oversight to existing legal, compliance, risk, security and audit structures.
Flexible tools are part of the model
Israel's approach does not rely only on policy papers and existing statutes. It also favours flexible tools. A good example is the Ministry of Health's regulatory sandbox for breakthrough AI technologies in the health system.
That sandbox is designed to let companies and healthcare organisations develop, test and implement AI in a supervised framework while protecting patients, privacy and procedural transparency. This is a strong illustration of the Israeli method: regulatory learning inside a sector, with experts close to the technology and the real-world setting, instead of waiting for a general AI law to answer every question in advance.
The same logic helps explain public-sector pilots and targeted regulator work in fields such as finance. Israel is trying to build AI governance through policy, guidance, supervision, experimentation and sector adaptation, not only through one top-level statute.
The direction of travel is clearer than the final legal endpoint
The broad trajectory is now visible. Israel wants AI governance that is pro-innovation, risk-based, internationally aligned and grounded in existing institutions. It wants public bodies to use AI with documented judgement and control. It wants sector regulators to address concrete risks with the tools they already have, supplemented where necessary.
What remains unsettled is the final legal form. The State Comptroller has said that the policy principles were not fully government-approved and that specific AI legislation is still absent. The public-sector guide was launched as a consultation draft, and the Privacy Protection Authority's AI-specific legal interpretation was also issued in draft form. So the architecture is real, but parts of it are still maturing.
Examples
One public-sector example is the 2024 government AI open call. Among the selected projects was an Israeli National Insurance initiative to streamline and shorten medical claims processes using AI. That is exactly the sort of workflow where Israel's current model matters: a public body introduces AI into a rights-sensitive administrative process, so governance cannot stop at technical performance. It needs internal ownership, review, documentation and human control.
A second example comes from the same open call and from later audit material: the Israel Securities Authority advanced work using machine learning and natural language processing for automated market analysis. This shows Israel's sector-led method in practice. A regulator uses AI within an existing supervisory mission, rather than waiting for a general AI act to tell it how to proceed.
A third example is the Ministry of Health's regulatory sandbox for breakthrough AI technologies in the health system. The official description says the sandbox is meant to help organisations develop, test and implement AI while protecting patients, privacy and procedural transparency. That is a practical expression of Israel's wider approach: supervised experimentation, sector expertise and iterative governance.
Common misunderstandings
"Israel already has an AI Act." It does not. Israel currently relies on a policy-led, sector-specific framework plus existing law.
"If there is no AI statute, there are no binding duties." Wrong. Privacy, data security, administrative law and sector-specific rules can already apply to AI use.
"The 2023 AI policy is itself legislation." No. It is a national policy document and regulatory direction-setting tool, not a stand-alone statute.
"The public-sector Responsible AI Guide only matters to ministries." It is aimed at public bodies, but any private supplier selling AI into government may feel its effect through governance and assurance expectations.
"Israel has one AI regulator." It does not. Responsibility is distributed across ministries, the Privacy Protection Authority, sector regulators and public-sector governance bodies.
Risks and boundaries
The main boundary is legal status. Israel's 2023 AI policy is influential but not a full statutory regime. It helps explain the state's preferred model, but it does not replace binding legislation, case-specific legal analysis or sector supervision.
A second boundary is that some important texts are still non-final. The public-sector Responsible AI Guide was launched as a public consultation draft, and the Privacy Protection Authority's AI-specific interpretation of the Privacy Protection Law was also issued in draft form for comments. Those documents are strong indicators of direction, but parts of their wording and implementation route could still change.
A third boundary is fragmentation. A decentralised model can be practical and flexible, but it also creates uncertainty. Different sectors can move at different speeds, and organisations can miss real obligations if they look only for one AI law instead of checking the full stack of applicable rules. This article explains the framework, but it is not legal advice for a specific deployment.
What to do next
Start by building an AI register. List the systems you build, buy or use, what each system does, what data it uses, who is affected and which business or public function it supports.
Then assign accountability. Every material AI use case should have a named owner who can coordinate legal, privacy, security, operational and governance review.
Next, separate low-friction tools from higher-risk uses. A writing assistant for internal drafting is not the same as AI used in claims handling, market supervision, hiring, health or citizen-facing decisions. Israel's model is explicitly risk-based, so your internal governance should be too.
If personal data is involved, check lawful basis and privacy controls across the full lifecycle. Do not focus only on live deployment. Training, testing, fine-tuning, monitoring and vendor access can all matter.
If you work with public bodies, align now with the logic of the Responsible AI Guide. Expect requests for documented risk assessment, human oversight, internal governance and evidence that AI use is justified and controlled.
Finally, watch sector developments. In Israel, change is likely to appear through updated guidance, regulator practice, sandboxes and targeted sector measures before it arrives through a single all-purpose statute.
FAQs
Does Israel have a law equivalent to the EU AI Act?
No. Israel does not currently have a single AI statute equivalent to the EU AI Act. Its model relies on national policy, existing law, sector regulation and public-sector guidance.
Is the 2023 AI policy legally binding?
It is an important official policy document, but it is not a stand-alone AI statute. It shapes regulatory direction and public expectations more than it creates a full new legal code by itself.
Which authority matters most if our AI system uses personal data?
The Privacy Protection Authority is central. In Israel's present framework, privacy law is one of the main hard-law routes through which AI use is assessed and enforced.
Does the public-sector Responsible AI Guide apply to private companies?
Not as a general private-sector rule. But private companies supplying AI to government, or partnering with public bodies, should expect its governance logic to affect due diligence, contracting and assurance requests.
Is Israel's model anti-regulation?
No. It is better described as regulation through existing institutions and use-case-specific tools, rather than through one omnibus AI act.
Are generative AI systems covered?
Yes, in practical terms. Israel's policy and public-sector guidance address AI systems broadly, and privacy rules apply wherever personal data is processed across the AI lifecycle.
What is most likely to change next?
The most likely changes are more sector-specific guidance, refinement of public-sector responsible-AI practice, and further legal clarification from existing regulators. A future statute is possible, but it is not the current centre of gravity.