What is AI regulation in Micronesia?
AI regulation: countries and regions
The Federated States of Micronesia (FSM) has no dedicated AI law, no national AI strategy and no AI regulator. Artificial intelligence is governed indirectly by general law: the constitutional privacy protection, telecommunications confidentiality duties in the FSM Code, the Telecommunications Regulatory Authority's sector powers, and regional and international commitments such as the Pacific 2050 Strategy and the UNESCO AI ethics recommendation. A Personal Data Protection Act bill is pending but not yet enacted.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
The Federated States of Micronesia is a sovereign country in the western Pacific, made up of the four states of Yap, Chuuk, Pohnpei and Kosrae, with its capital at Palikir on Pohnpei. It should not be confused with the wider geographic region of Micronesia, which also includes Kiribati, the Marshall Islands, Nauru, Palau, Guam and the Northern Mariana Islands. This article is about the FSM as a jurisdiction.
For AI, the practical position is simple: there is no statute, regulation or published policy in the FSM that names artificial intelligence and sets rules for it. There is no AI office, no AI risk classification and no AI register. That places the FSM among the many small states where AI is, for now, governed by whatever general law happens to apply: the Constitution, telecommunications law, contract and tort principles, and a small number of pending bills.
What the FSM does have is a developing digital and cybersecurity agenda, driven heavily by donors and regional bodies, plus membership of the United Nations and UNESCO that brings it within the scope of global AI governance instruments even though those instruments are not binding domestic law.
Why it matters
For anyone deploying or governing AI that touches the FSM, the absence of a dedicated framework is itself the key fact. It means you cannot rely on a local AI rulebook to tell you what is permitted, and you cannot point to a domestic regulator's guidance to justify a design choice. Obligations instead come from general instruments: the constitutional privacy protection (which binds government, not private parties), telecommunications confidentiality duties on licensed operators, sector rules, and any contractual or donor conditions attached to a project.
It also means the ground may shift. The FSM Congress is considering a Personal Data Protection Act and has long had a draft cybercrime bill in the pipeline. If either passes, the compliance picture changes quickly for organisations handling personal data or operating online services. Operators who build to a defensible international baseline now will adapt far more easily than those who assume a permanent regulatory vacuum.
How it works
No dedicated AI law: the honest baseline
There is no AI-specific statute, no national AI strategy and no AI regulator in the FSM. This is the durable, central fact of this page. The national ICT instrument, the FSM National ICT and Telecommunications Policy of 2012, predates the current AI debate and does not address AI. The country's broader long-term plan, the FSM Strategic Development Plan 2024 to 2043, was formally launched on 18 February 2026 during the 4th Chief Executive Council meeting in Kosrae and covers nine thematic areas, but it is not an AI law.
The Constitution and privacy
Article IV, Section 5 of the FSM Constitution protects the right of the people to be secure against unreasonable search, seizure or invasion of privacy. FSM courts have read this as a protection against governmental intrusion only: in FSM Development Bank v. Adams the appellate court confirmed the Declaration of Rights protects persons from acts of government, not from intrusions by private persons. For AI, this matters in two ways. It can constrain state use of surveillance or automated profiling, but it does not by itself regulate private-sector AI or commercial data processing.
Telecommunications confidentiality and the sector regulator
The closest thing to a data rule in force is in telecommunications law. Sections 349 and 350 of Title 21 of the FSM Code require telecommunications providers to keep customer information and communications confidential, and section 349 precludes the collection, use, maintenance or disclosure of customer information without consent, with a duty to apply appropriate security safeguards. These are narrow, sector-specific duties on licensed operators, not a general data protection regime.
The FSM Telecommunications Act of 2014 (Public Law 18-52) created the Telecommunication Regulatory Authority (TRA), ended the incumbent monopoly and opened the sector to competition. The TRA licenses operators, manages radio spectrum, sets interconnection and access rules and protects consumers. A government-owned wholesale entity, the FSM Telecommunications Cable Corporation (CableCorp, also called the Open Access Entity), is building open-access fibre and is barred by law from offering retail services. None of this is AI regulation, but it is the institutional machinery through which connectivity, and therefore AI services, reach the islands. Satellite reach has widened rapidly: SpaceX announced the FSM as a Starlink-available country on 28 April 2024, and a Starlink community gateway in Kosrae went operational on 21 February 2025, commissioned by Vice President Aren Palik and Kosrae Governor Tulensa Palik with World Bank funding.
The pending Personal Data Protection Act
The most consequential near-term development is Congressional Bill No. 24-17, introduced in the 24th FSM Congress on 17 May 2025, which would enact the FSM Personal Data Protection Act of 2025 as a new Title 16 chapter of the FSM Code. As drafted, it applies to core National Government departments and agencies that collect, use, store, process, disclose or transfer personal data of natural persons, and it does not bind the four states for purely intrastate activity. It names the National Statistics Office under the Department of Resources and Development as the competent authority, sets out data protection principles (legitimate purpose, minimisation, accuracy, retention limits, security and accountability), and creates a private right of action, though it does not permit compensatory damages. Its effective-date clause provides for the law to take effect 18 months after approval.
As of the latest FSM public law list (running through Public Law 24-64, effective February 2026), this bill has not been enacted. There is a separate, unrelated Public Law 24-17 (an appropriations amendment); the data protection measure is the bill of the same number and should not be confused with it. Until and unless it passes, the FSM has no comprehensive data protection statute outside the telecommunications context. This bears directly on AI, because data protection law is the principal channel through which many jurisdictions regulate automated processing, profiling and training data.
Cybercrime and cybersecurity
The FSM Cybersecurity Roadmap of 2021, produced with the Asia-Pacific Telecommunity and the Oceania Cyber Security Centre, set out a staged plan: establish a national cybersecurity strategy and a computer emergency response team, identify critical infrastructure, pass cybercrime legislation aligned with the Budapest Convention, and enact personal data protection legislation. A draft Cybercrime Bill has been referenced since around 2019 but has not been enacted. The Council of Europe records that the FSM does not currently have legislation implementing substantive or procedural cybercrime powers. At the executive level, the FSM has stood up a Cyber Security and Intelligence Bureau within the Department of Justice by executive order. The exposure these gaps leave open is not theoretical: a ransomware attack detected on 11 March 2025 forced the Yap State Department of Health Services to take its entire network offline, disrupting services for the island's roughly 12,000 residents, with no group claiming responsibility.
Regional commitments
The FSM is a member of the Pacific Islands Forum, which it rejoined following the Suva Agreement that resolved the 2021 to 2023 membership dispute. The Forum's 2050 Strategy for the Blue Pacific Continent includes a Technology and Connectivity thematic area that stresses appropriate regional regulatory arrangements, data sovereignty and cyber security. The FSM participated in the Pacific ICT Ministers Dialogue process, whose Lagatoi Declaration on Digital Transformation of the Pacific, signed on 28 August 2023 at APEC Haus in Port Moresby by 13 Pacific countries and territories, set six priority areas including Digital Transformation, Digital Infrastructure and Digital Security and Trust. The FSM attended the second Dialogue, which opened on 7 August 2025 in Suva, Fiji, ahead of the Pacific Islands Forum Leaders Meeting. These are political commitments and shared agendas, not binding AI law, and the Pacific has not yet adopted a common AI regulatory instrument.
International instruments
As a UNESCO member state, the FSM is within the scope of the 2021 UNESCO Recommendation on the Ethics of Artificial Intelligence, the first global standard-setting instrument on AI ethics, adopted by all member states. The Recommendation is soft law: it guides national policy rather than creating directly enforceable duties. The FSM does not appear on UNESCO's public list of countries that have started or completed the Readiness Assessment Methodology. As a UN member, the FSM is also covered by the Global Digital Compact, adopted within the Pact for the Future in September 2024, which commits states to govern AI in the public interest, and by the UN General Assembly's 2025 decision to create an Independent International Scientific Panel on AI and a Global Dialogue on AI Governance.
Examples
A vendor selling an AI-enabled citizen-services tool to an FSM national agency will find no AI procurement rule and no statutory algorithmic-accountability duty to satisfy. The binding constraints are likely to be contractual, plus the constitutional privacy protection on the government customer and, if the pending Personal Data Protection Act passes, its principles applied to that national department.
A telecommunications operator deploying AI for network management or customer analytics is already bound by the confidentiality and consent duties in sections 349 and 350 of Title 21 of the FSM Code and by TRA licence conditions. These existing duties, not any AI-specific rule, govern how customer data may be used.
A regional donor-funded project, for example a climate or fisheries monitoring system using machine learning, will in practice be shaped by funder conditions, the data sovereignty themes in the Pacific 2050 Strategy and UNESCO ethics guidance, rather than by FSM domestic AI law, because none exists.
Common misunderstandings
"Micronesia has AI rules because it has a data protection law." It does not yet. The Personal Data Protection Act is a pending bill, and even if enacted it would bind core national government bodies, not the private sector across the board.
"Micronesia and the Federated States of Micronesia are the same thing." The FSM is one sovereign country; Micronesia is a wider region that also includes other states and US territories. This page concerns the FSM only.
"The constitutional privacy right controls private companies' AI." It does not. FSM courts have held that the Declaration of Rights protects against government intrusion, not intrusions by private persons.
"UNESCO or the Global Digital Compact gives the FSM enforceable AI rules." These are soft-law and political instruments. They guide policy and signal direction; they are not directly enforceable FSM statutes.
"There is a Micronesian AI regulator to approach." There is no AI regulator. The TRA regulates telecommunications, not AI as such.
Risks and boundaries
The central boundary is honesty about scope: the FSM has no dedicated AI framework, so this page describes what governs AI in the absence of one, not a bespoke regime. Several items here are pending or uncertain. The Personal Data Protection Act bill may be amended or may not pass; its 18-month delayed commencement means even rapid enactment would not bind immediately. The cybercrime bill has been in draft for years without enactment. Treat all forward-looking elements as proposals, not law.
This is not legal advice, and it is not an implementation design. Note too the federal structure: the FSM Constitution leaves substantial power with the four states, and the pending data bill is drafted to reach national government bodies rather than purely intrastate activity, so state-level rules and practice can differ. Finally, do not import another country's Micronesian-region rules: the FSM legislates for itself.
What to do next
Treat the FSM as a thin-law jurisdiction and govern to an external baseline. Do not wait for a local AI rulebook; adopt a recognised international reference such as the UNESCO ethics principles and a risk-based internal control set, and document your data handling as though a data protection law applied.
Map the law that does bind you: constitutional privacy if you serve government, Title 21 confidentiality and TRA licence terms if you are in telecommunications, and the specific conditions in any donor or government contract. Track the Personal Data Protection Act bill and the cybercrime bill through the FSM Congress, because their passage would be the trigger that changes your obligations.
Respect data sovereignty and connectivity realities. Pacific regional frameworks emphasise data sovereignty; design for local data control, meaningful consent and resilience given the islands' reliance on submarine cable and satellite links. Re-evaluate your position if the data protection bill is enacted, if a cybercrime law passes, or if the FSM undertakes a UNESCO Readiness Assessment or adopts a national digital or AI strategy.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does the Federated States of Micronesia have an AI law?
No. There is no AI-specific statute, no national AI strategy and no AI regulator. AI is governed indirectly by general law and by non-binding regional and international instruments.
Is there a data protection law in the FSM?
Not a comprehensive one. Outside narrow telecommunications confidentiality duties in Title 21 of the FSM Code, there is no general data protection statute. A Personal Data Protection Act bill is pending before Congress but not yet enacted.
What would the pending Personal Data Protection Act cover?
As drafted, it would apply to core national government departments and agencies handling personal data, name the National Statistics Office as the competent authority, set data protection principles and allow a private right of action without compensatory damages, taking effect 18 months after approval.
Who regulates technology in the FSM?
The Telecommunication Regulatory Authority regulates the telecommunications sector under the FSM Telecommunications Act of 2014. There is no equivalent body for AI.
Is the FSM bound by the UNESCO AI ethics recommendation?
As a UNESCO member state it is within the Recommendation's scope, but the Recommendation is soft law that guides policy rather than creating directly enforceable domestic duties.
How do Pacific regional commitments affect AI in the FSM?
The 2050 Strategy for the Blue Pacific Continent and the Lagatoi Declaration set shared digital priorities, including data sovereignty and cyber security, but they are political commitments, not binding AI legislation, and the region has no common AI law.
Is the FSM the same as the wider region of Micronesia?
No. The FSM is a single sovereign country of four states. The region of Micronesia also includes other countries and US territories that legislate separately.
What should organisations do given the absence of AI law?
Govern to a recognised international baseline, comply with the general law that does bind you, watch the pending data and cybercrime bills, and design for data sovereignty and connectivity constraints.