What is AI regulation in Maldives?
AI regulation: countries and regions
The Maldives has no dedicated artificial intelligence law and, as of June 2026, no enacted comprehensive data protection statute. AI and data are governed by a patchwork: the 2008 Constitution's privacy right, the Cyber Security Act 2023, the Communications Authority of Maldives Act, and sector rules. A government Personal Data Protection Bill is before Parliament, and a National AI Masterplan 2025 to 2035 is being drafted, but neither is yet in force.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
If you are looking for a single Maldivian "AI Act" or a data protection regulator with a published rulebook, there is not one yet. The Maldives governs AI indirectly, through general law and sector rules, while it builds dedicated frameworks. The most important point for any organisation is that the headline instruments, a comprehensive data protection law and a national AI plan, are still proposals rather than binding law.
What does exist is a foundation. The 2008 Constitution protects private life and private communications. The Cyber Security Act of 2023 created the National Cyber Security Agency and rules for critical information infrastructure. The Communications Authority of Maldives (CAM) regulates telecommunications, post and info-communications. A Cybercrime Act was enacted in December 2024. These were not written for AI, but they apply to AI systems that touch communications networks, personal data or critical systems.
On top of this, the government is moving quickly under its "Maldives 2.0" digital agenda. It completed a UNESCO AI readiness assessment, is drafting a National AI Masterplan, and submitted a Personal Data Protection Bill to Parliament. The direction of travel is clear, but the binding rules are not settled.
Why it matters
For founders, operators and governance leads, the practical stakes come from the gap between fast digital adoption and slow legal hardening. The state is building large data-sharing systems (digital identity, a planned data exchange, integrated public services) while the law that would govern personal data is still a bill. That means today you cannot rely on a statutory data protection regime to define your duties; you must lean on the Constitution, sector licences, contracts and international good practice instead.
It also matters because the rules are likely to change soon and could apply retroactively in spirit. Organisations that process Maldivian personal data, run AI in regulated sectors such as banking or telecoms, or operate critical infrastructure should expect new duties: lawful basis and consent rules, breach notification, cross-border transfer controls and the possible appointment of data protection officers. Building to those expectations now reduces rework later. Finally, because the Maldives is a small, highly connected society, the social impact of biased or opaque automated decisions can be concentrated and visible, which raises reputational risk well before the law catches up.
How it works
No dedicated AI statute, and no comprehensive data law in force
There is no AI-specific Act in the Maldives. There is also no enacted, comprehensive data protection law. Claims that a "Data Protection Act 2017" exists are not supported by official sources; they appear only on low-quality aggregator sites. The accurate position is that data protection is still at the bill stage, and AI sits under general and sector law.
The constitutional and sector law that does apply
Article 24 of the 2008 Constitution protects private and family life, the home and private communications. The Cyber Security Act (Law No. 17/2023) protects information systems and critical information infrastructure and underpins the National Cyber Security Agency. The Communications Authority of Maldives Act and the Maldives Telecommunications Act (both 2015) give CAM powers over licensing, spectrum and technical standards, including administrative fines. A Cybercrime Act was enacted in December 2024. Sector regulators, notably the central bank for financial services, apply their own rules to AI-enabled services such as fraud detection and digital payments.
The Personal Data Protection Bill before Parliament
The government submitted a Personal Data Protection Bill to the People's Majlis in May 2026, sponsored on the government's behalf by West Henveiru MP Ali Ibrahim. It would set principles for lawful, fair processing, define data controllers and processors, create data subject rights, require breach response, control cross-border transfers and require data protection officers in some cases. On enforcement, the bill proposes a Privacy Commissioner, with those functions to be carried out initially by the existing Information Commissioner appointed under the Right to Information Act. An earlier 2023 consultation draft had instead proposed a Data Protection Authority housed under the technology agency, a design criticised for weak independence. As of June 2026 the bill is not enacted; verify the current text and status against the People's Majlis record before relying on it.
The National AI Masterplan and UNESCO readiness work
President Dr Mohamed Muizzu announced a National AI Masterplan 2025 to 2035 on the Cabinet's recommendation after deliberations at the Cabinet meeting held on 16 October 2024, with stated aims of managing AI risk and designing a legal framework for AI technology. It is led by the National Centre for Information Technology (NCIT) under the Ministry of Homeland Security and Technology. On 31 July 2025 the Maldives launched a UNESCO Readiness Assessment Methodology report, the first such assessment completed in South Asia, at a ceremony attended by Minister of State for Homeland Security and Technology Dr Mohamed Kinaanath, UN Resident Coordinator Hao Zhang and UNESCO South Asia Regional Director Tim Curtis. The report recommends finalising the masterplan, creating an independent AI governance body and a multistakeholder advisory council, building talent, and developing Dhivehi-language AI. It also documents real gaps: the Maldives ranks 177th out of 194 globally in the ITU's Global Cybersecurity Index, and recorded only seven scholarly AI publications in 2022 with no dedicated academic centres for AI ethics. These are recommendations and plans, not binding rules.
The institutions
The Ministry of Homeland Security and Technology sets digital and technology policy. CAM is the technical communications regulator. The National Cyber Security Agency, established by presidential directive in March 2024, leads cyber security. In 2026 the government dissolved the National Centre for Information Technology and created the Maldives Digital Service to deliver the Maldives 2.0 roadmap. A National AI and Data Competency Centre, known as the Maldives AI Lab, was launched as a public-private platform and was scheduled to begin operations in April 2026.
Regional and international context
The Maldives anchors its approach to soft-law international standards rather than a binding regional regime. Its readiness work aligns with the UNESCO 2021 Recommendation on the Ethics of Artificial Intelligence and references the OECD AI Principles. As a South Asian state, it sits in a region where SAARC has produced no operative AI framework. As a Commonwealth member and small island developing state, it is a natural participant in Commonwealth AI capacity-building efforts aimed at small states.
Examples
A tourism group deploying an AI booking and guest-personalisation system: there is no data protection statute to map to yet, so the operator relies on the constitutional privacy right, contractual data terms with cloud and model vendors, and voluntary alignment to international principles. Because the pending bill would control cross-border transfers, the prudent step is to document where guest data is processed and to prepare transfer safeguards now.
A bank using AI for fraud detection and credit scoring: the central bank's financial-sector rules and the Cyber Security Act's critical infrastructure duties apply today. The bank should maintain human oversight of automated decisions, keep model documentation, and prepare for breach notification and data protection officer duties that the bill would introduce.
A government agency automating eligibility checks under Maldives 2.0: the UNESCO readiness report and UNDP analysis flag the risk of an implementation body also acting as its own data regulator. An agency should separate operational ownership from oversight, log decisions for auditability, and run an impact assessment before deploying automated decision-making that affects citizens.
Common misunderstandings
"The Maldives has a Data Protection Act from 2017." It does not. No official source supports an enacted 2017 data protection law; data protection remains at the bill stage.
"There is a Maldivian AI Act." There is not. AI is governed through general and sector law while a National AI Masterplan is drafted.
"The data protection bill is already law." It was submitted to Parliament in May 2026 and is not enacted; its text and status can still change.
"There is an independent data protection regulator." Not yet. The current bill would give Privacy Commissioner functions to the existing Information Commissioner, which critics say is not fully independent for this task.
"CAM regulates AI." CAM regulates communications, spectrum and info-communications. It touches AI only where AI runs on communications networks or licensed services, not as a general AI regulator.
Risks and boundaries
This article describes a fast-moving, partly unsettled landscape and is not legal advice. The central limit is that the two instruments most readers will care about, a comprehensive data protection law and a national AI framework, are not yet in force. What is confirmed: there is no dedicated AI statute; there is no enacted comprehensive data protection law; the Constitution, the Cyber Security Act 2023, the CAM and telecommunications laws, and a December 2024 Cybercrime Act do apply. What is pending: the Personal Data Protection Bill (submitted May 2026) and the National AI Masterplan 2025 to 2035. What could change: the enforcement model (Privacy Commissioner versus an independent authority), transfer rules, definitions and effective dates. Institutional arrangements are also shifting, including the 2026 replacement of the technology centre with the Maldives Digital Service. Treat dates and the regulator design as provisional and confirm against primary sources.
What to do next
Map your data flows now: know what Maldivian personal data you hold, where it is processed, and which vendors and countries are involved, so you can meet transfer and record-keeping duties when the bill becomes law.
Build to international good practice in advance: adopt lawful-basis and consent discipline, breach response, and human oversight of automated decisions, drawing on the UNESCO ethics recommendation and OECD AI Principles, and consider running an AI impact assessment for higher-risk uses.
Watch three triggers that should change your posture: enactment of the Personal Data Protection Bill, publication of the finalised National AI Masterplan, and any move to create an independent data protection or AI authority. Each would convert today's voluntary preparation into concrete compliance work.
Track the official record: confirm status and effective dates through the People's Majlis, the President's Office, CAM and the relevant ministry rather than secondary commentary.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does the Maldives have an AI law?
No. There is no dedicated AI statute. AI is governed through the Constitution, the Cyber Security Act 2023, communications law and sector rules while a National AI Masterplan is drafted.
Does the Maldives have a data protection law?
Not an enacted comprehensive one. A Personal Data Protection Bill was submitted to Parliament in May 2026 but is not yet law. Claims of a "Data Protection Act 2017" are unfounded.
Who would enforce data protection if the bill passes?
The bill proposes a Privacy Commissioner, with those functions performed initially by the existing Information Commissioner appointed under the Right to Information Act.
What is the National AI Masterplan?
A strategic framework for 2025 to 2035 that President Muizzu announced on the Cabinet's recommendation in October 2024, aiming to manage AI risk and create a legal framework. It is being drafted, not yet adopted as binding law.
What does the Communications Authority of Maldives regulate?
CAM regulates telecommunications, post and info-communications, including licensing, spectrum and technical standards. It is not a general AI regulator.
Is the Maldives covered by any regional or international AI rules?
There is no binding SAARC AI framework. The Maldives aligns with soft-law standards such as the UNESCO ethics recommendation and OECD AI Principles, and participates in Commonwealth small-states efforts.
What should businesses do now?
Map data flows, adopt consent, security and human-oversight practices, prepare for cross-border transfer controls, and monitor the bill and masterplan for effective dates.