What is AI regulation in Kazakhstan?
AI regulation in Kazakhstan is anchored by Law No. 230-VIII "On Artificial Intelligence", signed on 17 November 2025 and in force from 18 January 2026, making Kazakhstan the first Central Asian state with a dedicated AI statute. It is a state-led, risk-based framework that classifies AI systems by impact and autonomy, bans manipulative and social-scoring uses, mandates labelling of synthetic content, and is overseen by the Ministry of Artificial Intelligence and Digital Development. It sits alongside the 2013 personal data law and a new Digital Code.
What this means
Kazakhstan treats artificial intelligence as a national development priority and has built a layered legal architecture around it. The centrepiece is a dedicated AI statute, Law No. 230-VIII "On Artificial Intelligence", which President Kassym-Jomart Tokayev signed on 17 November 2025 after Parliament approved it on 29 October 2025. The law came into force on 18 January 2026. A companion law, No. 231-VIII, amended a string of existing acts (personal data, consumer protection, mass media, informatisation and digital assets) to align them with the new AI rules.
The AI Law works in tandem with two other instruments. The Law "On Personal Data and Their Protection" (No. 94-V of 2013) supplies the data-protection backbone, including a data-localisation rule and consent-based cross-border transfer. The Digital Code (No. 255-VIII), enacted on 9 January 2026 and entering into force on 11 July 2026, provides a broader "digital constitution" within which AI systems are treated as digital objects, adding rules on automated decisions, digital sovereignty and cybersecurity.
In practice this means Kazakhstan has moved quickly from strategy to binding law. The model is explicitly state-led: the government runs a National AI Platform, a sovereign supercomputer and national large language models, while a single ministry both promotes adoption and supervises compliance. The drafting borrows the risk-based logic of the EU AI Act but is leaner, shorter and weighted more towards enabling state-driven AI deployment than towards fundamental-rights protection.
Why it matters
For any organisation building or deploying AI that touches Kazakhstan, the rules are now binding rather than aspirational. The AI Law imposes concrete duties on owners, holders and users of AI systems: classify systems by risk, run continuous lifecycle risk management, keep documentation proportionate to risk, label synthetic content in machine-readable form, and inform users when they are interacting with AI. Administrative liability now applies for failures to label synthetic content or to manage high-risk systems. Because the data-protection law also requires storage of Kazakhstani citizens' personal data on databases inside the country and consent-based cross-border transfer, multinational AI deployments must plan data architecture, vendor contracts and disclosure notices around Kazakhstan-specific constraints. Firms targeting access to state compute, public-sector contracts or "trusted" high-risk listings face an additional layer of audit and documentation expectations. The combination of a dedicated AI law, a sweeping Digital Code and an active data-protection regulator means compliance is no longer optional for serious market participants.
How it works
The core instruments
Kazakhstan's AI governance rests on four pillars. First, the strategy layer: the Concept for the Development of Artificial Intelligence for 2024-2029, approved by Government Resolution No. 592 of 24 July 2024, sets targets and mandates infrastructure such as the National AI Platform. Second, the dedicated statute: Law No. 230-VIII "On Artificial Intelligence" (signed 17 November 2025, in force 18 January 2026), consisting of seven chapters and 28 articles. Third, the amendment law No. 231-VIII, which aligned the personal data law, consumer-protection law, mass-media law, informatisation law and digital-assets law with the AI rules. Fourth, the Digital Code No. 255-VIII (enacted 9 January 2026, effective 11 July 2026), which regulates the broader digital environment and treats AI systems as "digital objects". The older Law "On Informatization" (2015), which had introduced the concept of an "intelligent robot" and a national AI platform, previously provided the only indirect AI rules.
Legal status and effective dates
The AI Law is in force as of 18 January 2026; its subordinate regulatory framework is being built out progressively through 2026 under an implementation plan approved by Prime Minister's Order No. 2-r of 14 January 2026. Some implementing acts, such as criteria for classifying informatization objects as AI systems, have been adopted, while others remain in development. The Digital Code is enacted but not yet applicable, taking effect on 11 July 2026. The 2013 personal data law remains in force and was amended by No. 231-VIII. Leaders should treat the AI Law itself as settled but expect the detailed by-laws (documentation lists, audit rules, machine-readable form standards) to keep arriving through 2026.
How AI is defined
The AI Law defines artificial intelligence as "the functional ability to imitate cognitive functions characteristic of humans, providing results comparable to or exceeding the results of human intellectual activity". An "AI system" is an informatization object functioning on the basis of one or more AI models; an "AI model" is a software product able to learn from experience and adapt. "Synthetic outputs" are images, video, audio or text created or modified by an AI system that imitate a real person's appearance, voice or behaviour, or events that did not occur. The law also defines "data library" (a collection of structured data suitable for training models) and "machine-readable form".
The risk-based and autonomy classification
The law uses a two-dimensional classification. By impact on safety and rights, AI systems are minimal, medium or high risk: minimal where failure has little user impact; medium where failure could cause material damage or moral harm; high where disruption could trigger a social or man-made emergency or significant harm to defence, security, the economy, infrastructure or individuals. Classification is performed by the owner or holder under informatization-object rules. Separately, systems are classified by autonomy: low (human takes all final decisions), medium (autonomous decisions that a human can correct or cancel) and high (human correction excluded or technically impossible). High-risk and high-autonomy systems attract additional requirements, and special rules for high-autonomy systems are to come through separate legislation.
Prohibited practices
The law bans creating or operating AI systems that use subliminal or manipulative techniques that distort behaviour and impair informed decision-making; exploit vulnerabilities of age or disability to cause harm; perform social scoring based on behaviour or personal characteristics (except where law permits); determine emotions without consent (with legal exceptions); classify people by biometric data for discriminatory purposes; or collect and process personal data in breach of the data-protection law. These prohibitions mirror the EU AI Act's banned-practices list.
Duties on developers, owners, holders and users
The law assigns responsibility by role across the lifecycle. Owners and holders must manage risks continuously (identifying foreseeable risks, assessing misuse, applying mitigations and updating at least annually); ensure security and reliability, including protection from unauthorised access; maintain documentation proportionate to the system's impact; support users; and provide the user agreement before use begins. Where prohibited-practice risks emerge, they must act immediately to prevent harm, including suspending the system. Users have rights to review the user agreement, have personal data protected, receive explanations of AI decisions affecting them, request information on the data underlying decisions, object to automated processing and decline AI interaction unless legally required.
Transparency, labelling and synthetic content
Synthetic outputs may only be distributed if labelled in machine-readable form and accompanied by a visible or otherwise perceptible warning, with special attention to deepfakes involving real people's images or voices. Users must be told when goods, works or services are produced using AI, and the responsibility for informing users about synthetic outputs rests on owners and holders. Mass-media products created using AI may only be distributed with the required disclosure. Labelling can take forms such as a "Created with AI" mark, a text notice, or an audio message.
Institutions and the National AI Platform
The authorised body is the Ministry of Artificial Intelligence and Digital Development, created by Presidential Decree No. 997 of 18 September 2025 from the former Ministry of Digital Development, Innovations and Aerospace Industry. It exercises strategic, regulatory, implementation and supervisory functions, approves the documentation list and sets classification criteria. The Government approves the list of priority economic sectors for AI and designates the National AI Platform operator; National Information Technologies JSC is the designated operator. Sector-specific state bodies compile and publish lists of "trusted" high-risk AI systems and create industry data libraries. The platform provides a controlled environment for development, training and pilot operation, and routes access to compute via Alem.Cloud, built on 64 HGX servers with 512 NVIDIA H200 GPUs and delivering up to 2 exaflops at FP8; the cluster is described as the most powerful supercomputing cluster in Central Asia and was ranked 86th in the global TOP500 list. It is hosted at the Alem.AI centre.
Trusted high-risk systems and audit
For high-risk systems seeking inclusion on a sector "trusted" list, the owner or holder must submit an application, proof of intellectual-property rights and a positive audit conclusion. Audits follow the rules for auditing information systems and additionally assess the quality and lawfulness of training data libraries and the absence of prohibited functional capabilities. The relevant agency reviews within 10 working days and publishes approved entries. Participation in trusted lists is a route to building confidence rather than a universal prerequisite, though high-risk systems forming part of critical digital infrastructure face mandatory obligations.
Enforcement and penalties
Administrative liability sits in the Code of Administrative Offences and covers two failures: not informing users about misleading synthetic outputs, and not managing high-risk-system risks where harm, prohibited or false information, discrimination or rights violations result (and the conduct is not a crime). Fines run from 15 monthly calculation indices for individuals up to 100 for large businesses on a first offence, rising on repeat offences within a year, with possible suspension or prohibition of the system. The monthly calculation index is 4,325 tenge effective 1 January 2026 (up from 3,932 tenge in 2025), set by the 2026-2028 Republican Budget Law and equivalent to about USD 8.5. Compensation for harm caused by AI systems follows the Civil Code, and liability insurance follows insurance legislation; the Senate added a mandatory liability-insurance requirement during passage.
Copyright and training data
Works made with AI are protected by copyright only where there is human creative contribution; purely autonomous outputs are not protected, since authorship remains reserved for natural persons. Creatively formulated prompts can themselves be copyright objects. Using works to train AI is permitted only where the rights-holder has not set a machine-readable prohibition (an opt-out), and training does not fall under free-use exceptions for education or science.
The data-protection framework and how it meets AI
The Law "On Personal Data and Their Protection" (No. 94-V of 2013) is the data backbone. It requires personal data to be stored in databases located in Kazakhstan (the localisation rule effective 1 January 2016) and permits cross-border transfer only to states ensuring adequate protection, or otherwise with the data subject's consent, under ratified treaties or specified public-order grounds. Processing generally rests on consent, and consent validity may not exceed the period needed to achieve the collection purpose. A breach-notification duty requires notifying the authorised body within one working day of detection, effective 1 July 2024. The authorised body is the Ministry of Artificial Intelligence and Digital Development (operating through its Information Security Committee), while the Prosecutor General's Office exercises supreme supervision. The amendment law No. 231-VIII updated the personal-data definition to include biometric data, introduced rules on automated processing and tightened consent-withdrawal handling.
Comparison with the EU AI Act and international standards
The drafting is explicitly inspired by the EU AI Act and by OECD and UN frameworks, sharing a risk-based structure and a banned-practices list. But it is materially leaner: the EU Act runs to 113 articles and 13 annexes against Kazakhstan's 28 articles, and the Kazakh law leans towards a user-centred model rather than the EU's detailed split between providers, importers and deployers. Kazakh scholars have flagged gaps relative to the EU model, including a less detailed risk-classification system, weaker transparency obligations for generative models, limited personal-data safeguards and thinner enforcement institutions. Kazakhstan has endorsed OECD AI principles as part of its OECD-accession ambitions and positions the Digital Code as a model for Eurasian Economic Union digital harmonisation.
Central Asian and state-led context
Kazakhstan frames AI as a state-building project. It established a dedicated AI ministry, launched Central Asia's most powerful supercomputer in July 2025 at the Alem.AI national centre in partnership with the UAE firm Presight (part of the G42 group), built sovereign large language models (KazLLM, developed at the Institute of Smart Systems and Artificial Intelligence at Nazarbayev University, and AlemLLM) and piloted government AI agents. The President declared 2026 the Year of Digitalization and Artificial Intelligence, and a unified "Digital Qazaqstan" strategy is in development. Kazakhstan ranked 24th of 193 countries (up from 28th in 2022) and 10th globally on the Online Services Index in the UN E-Government Survey 2024, and presents itself as the regional digital frontrunner.
Examples
A bank deploying an AI credit-scoring tool in Kazakhstan must classify the system by risk and autonomy, run continuous risk management, and recognise that a decision significantly affecting an individual cannot rest on AI alone without consent or a legal basis; the customer can object to automated processing, demand a human review and request the data underlying the decision.
A media company distributing AI-generated video or audio of real people must label the content in machine-readable form and give users a visible warning, because the AI Law and the amended mass-media law make labelling of synthetic outputs mandatory and put the disclosure duty on the system's owner or holder.
A health-tech vendor wanting its high-risk diagnostic AI listed as "trusted" by the relevant sector agency must submit an application with proof of IP rights and a positive audit conclusion, where the audit assesses the lawfulness and quality of training data libraries and the absence of prohibited functions; the agency reviews within 10 working days and publishes approved systems. Kazakhstan has piloted an AI Therapist tool in clinics in the Akmola region.
Common misunderstandings
"Kazakhstan's AI law is still only a draft." It is enacted and in force: signed on 17 November 2025 as Law No. 230-VIII and effective from 18 January 2026. What remains in progress is the subordinate by-law framework, not the statute.
"It is just a copy of the EU AI Act." It borrows the EU's risk-based logic and banned-practices list but is far shorter (28 articles), more user-centred, and weighted towards enabling state-led AI adoption rather than fundamental-rights protection.
"The Digital Code is already in force." It was enacted on 9 January 2026 but does not apply until 11 July 2026, so its AI-relevant provisions on automated decisions and digital sovereignty are not yet operative.
"Risk classification is done by a regulator." Under the AI Law, the owner or holder classifies its own system; sector agencies then maintain the separate "trusted" high-risk lists.
"Data can flow freely out of Kazakhstan." Personal data of citizens must be stored in databases in Kazakhstan, and cross-border transfer is restricted to adequate-protection states or requires consent or another lawful basis.
Risks and boundaries
The framework is new and still consolidating. The AI Law is binding, but much operational detail depends on by-laws being issued through 2026, so specific documentation, audit and machine-readable-form requirements may shift. The Digital Code adds a parallel layer that does not take effect until 11 July 2026, and high-risk AI systems may simultaneously qualify as "critically important digital objects" under the Code, triggering mandatory cybersecurity and audit duties. The law is not a fundamental-rights instrument on the EU model: independent analysts and Kazakh scholars note thinner transparency, data-protection and enforcement provisions. Concentrating both AI promotion and AI oversight in one ministry raises questions about the separation of those functions. The data-localisation and consent rules constrain global AI architectures, and the regime should not be assumed to be GDPR-adequate. None of this is legal advice; verify current status against the official statute text on the adilet.zan.kz legal database before relying on it.
What to do next
Start by mapping where your organisation develops or deploys AI that touches Kazakhstan, and classify each system by the law's risk and autonomy tiers. Stand up a continuous risk-management process with at least annual review, and build documentation proportionate to each system's risk. Implement machine-readable labelling and user-notice practices for any synthetic content and AI-assisted services now, since labelling failures carry administrative liability. Review data flows against the localisation rule and consent-based cross-border transfer, and confirm a breach-notification process that can alert the authorised body within one working day. For high-risk systems, assess whether to pursue "trusted" listing and prepare for the data-library and prohibited-function audit. Track the 2026 by-laws and the Digital Code's 11 July 2026 commencement, and revisit your position whenever a new implementing act lands. Treat the official adilet.zan.kz text as the source of truth.
FAQs
Does Kazakhstan have an AI law?
Yes. Law No. 230-VIII "On Artificial Intelligence" was signed on 17 November 2025 and entered into force on 18 January 2026, making Kazakhstan the first Central Asian country with a dedicated AI statute.
Who regulates AI in Kazakhstan?
The Ministry of Artificial Intelligence and Digital Development, created in September 2025, is the authorised body; the Government sets priority sectors and designates the National AI Platform operator, and sector agencies maintain trusted high-risk lists.
Is the framework risk-based?
Yes. AI systems are classified as minimal, medium or high risk by impact, and as low, medium or high autonomy, with stricter obligations for high-risk and high-autonomy systems.
What AI practices are banned?
Manipulative or subliminal techniques, exploiting vulnerabilities, social scoring, determining emotions without consent, discriminatory biometric classification, and unlawful personal-data processing.
How does data protection interact with AI?
The 2013 personal data law requires local storage of citizens' data, consent-based cross-border transfer, and breach notification within one working day; it was amended in 2025 to add biometric data and automated-processing rules.
What are the penalties?
Administrative fines run from 15 monthly calculation indices for individuals to 100 for large businesses on a first offence, rising on repeat offences, with possible suspension of the system; harm compensation follows the Civil Code.
How does it compare with the EU AI Act?
It shares the EU's risk-based logic and banned-practices list but is much shorter and more user-centred, with analysts noting weaker transparency, data-protection and enforcement provisions.
What is the Digital Code?
A broad "digital constitution" (Law No. 255-VIII) enacted on 9 January 2026 and effective 11 July 2026, which treats AI systems as digital objects and adds rules on automated decisions and digital sovereignty.
