What is AI regulation in Kyrgyzstan?
AI regulation: countries and regions
Kyrgyzstan now regulates artificial intelligence through its Digital Code (No. 178 of 31 July 2025), which entered into force on 6 February 2026. The Code contains a dedicated chapter on AI systems that takes a risk-based approach, plus a consolidated personal data regime. There is no separate standalone AI statute. A National Council on AI Development advises on policy, and a draft national AI Concept is still being finalised.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
For most of the past decade Kyrgyzstan had no specific rules for artificial intelligence. AI was touched only indirectly, mainly through the 2008 Law on Personal Data and a series of digital strategy documents. That changed with the Digital Code, adopted by parliament (the Jogorku Kenesh) on 18 June 2025, signed by President Sadyr Japarov on 31 July 2025, and brought into force on 6 February 2026.
The Digital Code is a single consolidating law for the digital environment. It pulls together rules that used to sit in separate statutes covering personal data, digital services, telecommunications and now artificial intelligence. Chapter 23 of the Code sets principles and duties for AI systems and introduces a risk classification, with stricter requirements for high-risk systems. Personal data, previously governed by the standalone 2008 law, is now regulated inside the Code.
Alongside the Code sits a policy layer. The Concept for the Digital Transformation of the Kyrgyz Republic for 2024 to 2028 sets out national AI ambitions, a National Council on AI Development was created to steer strategy, and a separate national AI Concept was in draft as of late 2025. So Kyrgyzstan has moved from having almost nothing specific to AI to having binding AI provisions inside a code, supported by strategy and an emerging self-regulatory model.
Why it matters
If you build, buy or deploy AI in Kyrgyzstan, the legal baseline has shifted. Until early 2026 you could largely rely on general data protection duties and contract terms. Now the Digital Code imposes direct obligations on AI systems, including a duty to assess risk, heightened requirements for high-risk systems, and transparency duties when certain AI is used (relevant to chatbots and deepfakes). At the same time, the 2008 personal data law has been repealed and its successor rules live inside the Code, so existing privacy documentation needs to be re-mapped.
The practical stakes are real even though enforcement is young. Mandatory registration of personal data holders began on 23 November 2025, with administrative liability for handling personal data without registration. The institutions that will supervise the digital environment, including the State Agency for Personal Data Protection, are still building capacity, so the gap between what the law says and what is enforced in practice is wide. Organisations that prepare early will avoid being caught out as supervision matures.
How it works
The Digital Code as the central instrument
The Digital Code of the Kyrgyz Republic (No. 178 of 31 July 2025) is the country's primary digital statute. It was adopted by the Jogorku Kenesh on 18 June 2025 and brought into force on 6 February 2026 by a companion enabling law (No. 179 of 31 July 2025). The Code claims priority over other laws regulating the digital environment, meaning other statutes must not contradict it. It is structured as a consolidating code, covering digital actors, data processing, telecommunications, digital services and AI systems within one framework.
Artificial intelligence provisions
AI is regulated mainly in Chapter 23 of the Code, titled Artificial Intelligence Systems, which runs across Articles 191 to 197. The Code defines an AI system as a digital technological system that, on the basis of digital data and a human-defined set of goals, can with a degree of autonomy form forecasts and recommendations or make decisions that affect people or the external environment. The architecture is risk-based. The Code distinguishes ordinary AI systems from high-risk systems (rendered in the Russian text as systems of heightened danger), defined as those whose use increases the probability of harm to protected interests such as life, health, rights and freedoms, the environment, national security and public order. The articles cover the principles of design, development and application of AI; limitations and liability; a risk assessment duty; the regime for high-risk systems including conformity confirmation with mandatory requirements; and disclosure duties when certain AI is used.
The personal data regime, now inside the Code
Kyrgyzstan's first data protection statute was the Law on Personal Data (commonly the Law On Personal Information), No. 58 of 14 April 2008, amended in 2017 and 2021. It set out familiar duties: lawful basis and consent, purpose limitation, data minimisation, security measures, data subject access and rectification rights, mandatory registration of data holders, and conditions for cross-border transfer based on adequate protection. That law was repealed on 6 February 2026 and its subject matter folded into the Code, which now contains the personal data chapter, including an impact assessment provision and rules on a sectoral data regulator.
Institutions and supervision
The supervisory architecture is built around a coordinating body designated by the Cabinet of Ministers and sectoral regulators in defined spheres, including personal data, the national digital ecosystem and telecommunications. The State Agency for Protection of Personal Data was created by Presidential Decree No. 391 of 14 September 2021 and operates under the Cabinet of Ministers. The Ministry of Digital Development and Innovative Technologies leads digital policy; it was renamed and given an expanded mandate in March 2025. A National Council on AI Development was established by Resolution of the Cabinet of Ministers No. 29 of 22 January 2025, signed by Cabinet Chairman Adylbek Kasymaliev, as an advisory body; its meetings have been chaired by Deputy Chairman of the Cabinet of Ministers Edil Baisalov.
Strategy and self-regulation
The binding rules sit on top of a policy framework. The Concept for the Digital Transformation of the Kyrgyz Republic for 2024 to 2028 was approved by presidential decree (No. 90 of 5 April 2024) and sets out AI priorities including a National AI Platform, AI competence centres, high-performance computing, and AI tools in healthcare, education, agriculture and public administration. It succeeds the earlier Digital Kyrgyzstan 2019 to 2023 concept. A draft national Concept for AI Development was reviewed by the National Council during 2025 but was not yet adopted; per AKIpress, the Council discussed a strategic document that sets goals for increasing labour productivity, strengthening the country's competitiveness, and building a modern infrastructure for the national economy. Kyrgyzstan has also leaned toward self-regulation: the Association of AI System Proprietors and Developers (AIDA), led by Irina Baikulova and, per Eurasianet, set up alongside the adoption of the Digital Code, developed its own AI Code of Ethics, although the World Bank notes that government adoption of it was still pending.
Regional context: EAEU and Central Asia
Kyrgyzstan is a member of the Eurasian Economic Union (EAEU) alongside Armenia, Belarus, Kazakhstan and Russia. At the Fifth Eurasian Economic Forum in Astana in May 2026, EAEU leaders adopted a joint statement on the responsible development of AI, and President Japarov proposed pooling EAEU computing capacity and data centres. This is intergovernmental cooperation rather than binding supranational AI law. Regionally, Kazakhstan adopted Law No. 230-VIII On Artificial Intelligence, signed by President Tokayev on 17 November 2025 (passed by Parliament on 29 October 2025) and entering into force on 18 January 2026 per the US Library of Congress Global Legal Monitor, a standalone-statute model that differs from Kyrgyzstan's code-based, self-regulation-leaning approach.
Examples
A bank deploying an AI credit-scoring or fraud-detection tool: under the Digital Code the bank must consider whether the system is high-risk, because automated decisions can affect individuals' rights. It should run a risk assessment, document the system, and align processing of customer data with the Code's personal data chapter, including the impact assessment provision. It must also be registered as a personal data holder following the 23 November 2025 registration requirement.
A public agency using AI in tax or customs: Kyrgyzstan already runs AI-assisted systems in the fiscal sphere, described by officials as detecting fraudulent operations and building risk profiles of taxpayers, and in customs for document extraction and goods classification. Such public-sector deployments fall under both the Code's AI principles and its rules on automated decision-making, and they should be tested against the disclosure and human-oversight expectations the Code sets for higher-risk uses.
A startup building a Kyrgyz-language assistant or generative tool: developers such as The Cramer Project, which per AIDA's Irina Baikulova has launched AkylAi, described as the first AI assistant for the Kyrgyz-language community, must comply with the Code's AI disclosure provision when output could be mistaken for human-produced or authentic content, which is directly relevant to synthetic media and deepfakes. Baikulova notes the ecosystem is small, with around 40 AI companies in total including both users of AI tools and three or four developers. Such startups should also note there is no data localisation requirement, so data may be stored abroad, subject to the Code's cross-border transfer rules.
Common misunderstandings
"Kyrgyzstan has no AI rules at all." This was broadly true until early 2026 but is now out of date. Since 6 February 2026 the Digital Code contains a dedicated AI chapter with a risk-based approach.
"Kyrgyzstan has a standalone AI Act like Kazakhstan." It does not. AI is regulated inside the consolidating Digital Code, not in a separate AI statute. Kazakhstan, by contrast, adopted a separate AI law in 2025.
"The 2008 Personal Data Law is still the main privacy rule." It was repealed on 6 February 2026; personal data is now governed by the Digital Code's data chapter.
"Data must be stored in Kyrgyzstan." There is no data localisation mandate; cross-border transfer is permitted subject to the Code's transfer rules and adequacy-style conditions.
"There is a single dedicated AI regulator." There is not. Supervision runs through a coordinating body and sectoral regulators (including for personal data), supported by an advisory National Council on AI Development.
Risks and boundaries
This article describes a framework that is new and still bedding in. The Digital Code only entered into force on 6 February 2026, much of its operation depends on secondary legislation and implementing acts that the Cabinet of Ministers is still issuing, and supervisory bodies are still building capacity. Enforcement practice is therefore limited, and detailed procedures for AI risk assessment and conformity confirmation may be elaborated further in by-laws.
The national AI Concept (a strategy document distinct from the Code) was in draft and not yet adopted as of late 2025, so its targets and institutional details could change. Several specifics circulating in commentary, such as the exact effective date, were initially reported imprecisely as "six months after signing" or December 2025; the legally correct date is 6 February 2026. This is not legal advice. Anyone with a live compliance question should obtain the current consolidated text of the Code and any implementing acts and seek qualified Kyrgyz legal counsel.
What to do next
Map your AI systems against the Digital Code's risk categories now. Identify which deployments could be high-risk because they affect rights, safety or critical interests, and document a risk assessment for each.
Re-base your privacy compliance on the Code, not the repealed 2008 law. Confirm your registration as a personal data holder (mandatory since 23 November 2025), refresh consent and transparency notices, and check cross-border transfer arrangements.
Build transparency into user-facing AI. Where systems generate content or interact with people in ways that could be mistaken for human or authentic, prepare disclosure consistent with the Code's AI disclosure provision.
Track secondary legislation and the national AI Concept. Implementing acts will fill in detail; assign someone to monitor the Ministry of Digital Development and the State Agency for Personal Data Protection.
Engage with self-regulation. Given Kyrgyzstan's preference for industry-led standards, align with the AIDA code of ethics and sector practice where relevant.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Kyrgyzstan have an AI law?
It does not have a standalone AI statute, but since 6 February 2026 the Digital Code contains a dedicated chapter on AI systems with a risk-based approach, so binding AI rules now exist inside that code.
What is the Digital Code?
It is the Digital Code of the Kyrgyz Republic (No. 178 of 31 July 2025), a consolidating law covering data, digital services, telecommunications and AI, in force from 6 February 2026.
What happened to the 2008 Personal Data Law?
It was repealed on 6 February 2026, and personal data regulation was consolidated into the Digital Code's data chapter.
Who supervises AI and data in Kyrgyzstan?
Supervision runs through a coordinating body designated by the Cabinet of Ministers and sectoral regulators, including the State Agency for Protection of Personal Data, supported by an advisory National Council on AI Development.
Is there a national AI strategy?
The Concept for Digital Transformation 2024 to 2028 sets AI priorities, and a separate national AI Concept was in draft during 2025 but not yet adopted.
Does Kyrgyzstan require data to be stored locally?
No. There is no data localisation requirement; cross-border transfer is allowed subject to the Code's transfer conditions.
How does the EAEU affect Kyrgyzstan's AI rules?
The EAEU adopted a joint statement on responsible AI development in 2026, but this is intergovernmental cooperation, not binding supranational AI law; Kyrgyzstan's binding rules are national.
How does Kyrgyzstan compare with its neighbours?
Kazakhstan adopted a standalone AI law in 2025 (in force 18 January 2026), while Kyrgyzstan regulates AI inside a code and leans toward industry self-regulation.