What is AI regulation in Jordan?
AI regulation: countries and regions
Jordan does not yet have a dedicated AI law in force. Instead, AI in Jordan is governed through a mix of policy and general law: the Jordanian Artificial Intelligence Policy 2020, the AI Strategy 2023 to 2027, the National AI Code of Ethics, and the Personal Data Protection Law No. 24 of 2023. In practice, the data protection regime is the clearest binding layer for most AI uses involving personal data, profiling, cloud processing, or transfers abroad.
What this means
Jordan's AI framework is still mainly policy-led. The Ministry of Digital Economy and Entrepreneurship, or MoDEE, sets direction through the AI policy, the national AI strategy, and an ethics code. These materials show what the government wants AI to do, where it wants it used, and which institutions are meant to steer it. They do not amount to a standalone AI Act.
The hard-law part is mostly the Personal Data Protection Law. That matters because many AI tools rely on personal data, automated profiling, external vendors, or cross-border cloud services. Once that happens, consent, transparency, security, transfer rules, complaint handling, breach reporting, and penalties can all come into play.
Jordan's wider digital-government programme is part of the same picture. Official strategy documents link AI to digital trust, privacy, cybersecurity, open data, cloud infrastructure, and unified public services. So AI governance in Jordan sits inside a broader digital-state architecture, not in a separate legal silo.
Why it matters
If you build, buy, sell, or govern AI in Jordan, the main risk is assuming that "no AI Act" means "no rules". Existing duties already affect customer analytics, scoring, recommendation systems, document automation, public-sector tools, incident response, and cross-border data use. In practice, the key question is not whether Jordan has a headline AI law. It is whether your system touches personal data, profiling, sensitive data, government procurement, or data hosted outside Jordan. If it does, Jordan already has binding duties that can shape design, contracts, governance, and launch timing.
How it works
There is no standalone AI statute
From the official Jordanian materials reviewed, I could not verify a dedicated AI statute or a standalone AI regulator in force. What Jordan clearly has is a ministry-led AI policy, a national strategy, and an official ethics code. That means the AI-specific layer is still developing, and much of it is governance-focused rather than codified in one AI-only law.
Policy and strategy set national direction
The Jordanian Artificial Intelligence Policy 2020 is the baseline document. It frames AI as a national development priority, creates a ministerial governance model, and calls for measures such as an ethics charter, risk review, data governance, and an experimental regulatory sandbox for public-sector AI. The later strategy for 2023 to 2027 turns that direction into an implementation programme with five strategic objectives, priority sectors, project planning, follow-up, and measurement. Official MoDEE material also presents a governance model, a National Steering Committee for AI, and a National AI Code of Ethics.
AI policy is mostly soft law
This matters because the AI policy, strategy, and ethics code guide behaviour, but they are not the same thing as a dedicated AI statute. They tell you the state's priorities: capacity building, research, investment, a safer legislative environment, and wider use of AI in priority sectors such as digital government services, health, education, energy, water, agriculture, labour, transport, telecommunications, smart cities, cybersecurity, and finance. In regulatory terms, Jordan currently leans more on coordination, ethics, data governance, and programme delivery than on AI-only legislation.
The strongest binding rules come from data protection law
For most practical AI use, the Personal Data Protection Law No. 24 of 2023 is the key binding instrument. Official MoDEE materials state that the law took effect on 17 March 2024, and that entities had until 16 March 2025 to rectify compliance. The law defines "profiling" as automated processing used to identify a person's trends, preferences, choices, or behaviour. It also gives data subjects rights to access their data, withdraw consent, correct or update it, limit processing, erase or conceal it in certain cases, and object to processing and profiling where those are unnecessary, excessive, discriminatory, prejudiced, or otherwise unlawful.
Controllers have duties that map closely to AI practice
Before processing starts, controllers generally have to tell the person what data will be processed, why, for how long, who the processor is, what security measures apply, and whether profiling is involved. The law also requires controllers to appoint a data protection officer in several cases, including where the primary activity involves personal data processing, sensitive personal data, data about people lacking legal capacity, financial data, or transfers to databases outside the Kingdom. This makes the law highly relevant to AI systems used in customer analytics, health, finance, education, and large-scale digital services.
Risk review, transfers, contracts, and incident reporting already apply
Jordan's 2025 security, technical, and organisational measures instructions make the framework more operational. They require a data protection impact assessment when sensitive personal data is processed or when data is transferred outside the Kingdom, and they allow the council to require one in other cases as well. Those instructions also require controllers to build security, retention, deletion, and breach terms into contracts with processors and recipients. Cross-border transfers are restricted if the foreign recipient offers a lower level of protection than Jordan's law requires, subject to listed exceptions. If a serious breach of data security and safety could cause significant harm, the controller must notify affected people within 24 hours and the unit within 72 hours. The law also allows administrative measures and fines, and it provides judicial penalties for violations.
Institutions sit inside MoDEE's digital-government system
The law creates a Personal Data Protection Council and places the operational data-protection unit inside MoDEE. Current official MoDEE materials also describe the operational arm as the Personal Data Protection Directorate, and MoDEE publishes regulations, instructions, forms, and guidance through that channel. On the AI side, the ministry's official AI page presents a governance model, a National Steering Committee for AI, and the National AI Code of Ethics. This is why Jordan's current AI governance is best understood as part of a broader ministry-led digital policy framework.
Digital government is part of the regulatory context
Jordan's Digital Transformation Strategy 2026 to 2028 explicitly links AI with privacy, digital trust, data governance, cybersecurity, digital infrastructure, and public-service delivery. In other words, AI is not being treated only as a private technology market issue. It is also a public-administration and digital-state issue. For organisations supplying AI into government, procurement, data handling, interoperability, trust, and service design all matter alongside any narrower AI question.
Examples
A public body introducing an AI tool for service delivery does not start with an AI licence application, because no dedicated AI Act has been verified. Instead, it starts inside MoDEE's policy and strategy framework. Official materials show a governance model, a steering committee structure, priority sectors, and public-sector readiness work. In practice, that means the first steps are usually institutional readiness, data governance, sector fit, and ministry oversight.
A hospital, insurer, bank, or large platform using AI on health, biometric, or financial data is already in the hard-law zone. Under the Personal Data Protection Law and the 2025 measures instructions, that organisation may need a data protection officer, must respect data-subject rights, and must prepare a data protection impact assessment if it is processing sensitive personal data. If the system relies on an overseas cloud provider, the cross-border transfer rules also apply.
A company using AI for scoring, recommendation, fraud detection, or behavioural analysis should treat profiling as a legal issue, not just a product feature. Jordanian law defines profiling, gives people a right to object in certain cases, and requires controllers to give information about profiling before processing starts. If a serious data breach later affects those systems, notice periods are short, 24 hours to affected people and 72 hours to the unit.
Common misunderstandings
Misunderstanding: "Jordan already has an AI Act like the EU." Correction: the official materials reviewed show an AI policy, an AI strategy, and an AI ethics code, but not a standalone AI statute in force.
Misunderstanding: "If there is no AI law, AI use is basically unregulated." Correction: the Personal Data Protection Law can already govern many AI uses involving personal data, profiling, cloud processing, transfers abroad, security controls, and breach reporting.
Misunderstanding: "Only tech vendors need to care." Correction: any organisation using AI in HR, finance, health, customer service, public services, risk scoring, or analytics can be caught by the same data and governance duties.
Misunderstanding: "Jordan's AI ethics code is the same as binding legislation." Correction: it is an official governance instrument and an important signal of state expectations, but it is not the same thing as a dedicated AI statute.
Misunderstanding: "Jordanian AI regulation is only about privacy." Correction: privacy is the clearest binding layer today, but the wider picture also includes digital-government strategy, data governance, cybersecurity, procurement, and ministry-led implementation.
Risks and boundaries
The biggest boundary is simple: Jordan's AI architecture is still incomplete if you are looking for a single AI law, a single AI regulator, or an EU-style risk classification statute. Official sources reviewed for this article do not confirm that kind of framework in force.
That does not mean the field is empty. It means the current regime is layered. The AI policy, strategy, and ethics code are directional and governance-focused. The Personal Data Protection Law and its secondary instruments are the binding layer for many day-to-day AI uses. Sector-specific rules in finance, health, telecommunications, cybersecurity, procurement, or public administration may also add duties that are not covered here.
Some implementation detail can still move. MoDEE's data-protection pages show an expanding set of regulations, instructions, forms, and guidance. So the durable answer is that Jordan already has a real compliance architecture for AI-related data use, but it is not yet a comprehensive AI-only legal regime.
What to do next
Map each AI use case against the Personal Data Protection Law before launch. Ask whether the tool processes personal data, involves profiling, uses sensitive data, or sends data outside Jordan.
Give one team clear ownership across legal, privacy, security, procurement, product, and data functions. Jordan's framework is cross-cutting, so fragmented ownership is a practical risk.
Build a data protection impact assessment habit now, even where you still debate whether it is strictly mandatory. That will improve records, vendor controls, risk review, and audit readiness.
Check contracts with cloud providers, processors, and AI suppliers for transfer, security, deletion, breach-notice, and role-allocation terms. Jordan's 2025 instructions make those contract mechanics important.
If you work with government or regulated sectors, track MoDEE and Personal Data Protection Council publications continuously. In Jordan, governance is moving through ministry pages, instructions, forms, and guidance as much as through headline legislation.
FAQs
Does Jordan have a dedicated AI law?
No dedicated AI law has been verified from the official materials reviewed. Jordan currently relies on AI policy and strategy documents, an ethics code, and more general binding laws, especially the Personal Data Protection Law.
What is the most important binding law for AI in Jordan right now?
For most organisations, it is the Personal Data Protection Law No. 24 of 2023, because many AI systems process personal data, involve profiling, use cloud vendors, or transfer data across borders.
When did Jordan's data protection law take effect?
Official MoDEE materials state that the law took effect on 17 March 2024, and that organisations had until 16 March 2025 to rectify their compliance position.
Does Jordanian law deal with profiling?
Yes. The law defines profiling as automated processing used to identify a person's trends, preferences, choices, or behaviour, and it gives people a right to object in certain cases.
Can AI-related data be sent outside Jordan?
Yes, but not freely. The law restricts transfers where the foreign recipient's protection is lower than Jordan's standard, subject to listed exceptions, and controllers must verify the protection level before transfer.
Does Jordan require impact assessments for AI?
Not as a general AI-only rule. But the 2025 data-security instructions require a data protection impact assessment when sensitive personal data is processed or when data is transferred outside the Kingdom, and the council can require it in other cases too.
Is there a standalone AI regulator in Jordan?
No standalone AI regulator has been clearly confirmed in force by the official sources reviewed. MoDEE leads the policy side, while the Personal Data Protection Council and the data-protection unit or directorate handle the personal-data side.