What is AI regulation in Moldova?
AI regulation: countries and regions
Moldova has no dedicated, in-force AI law. As of June 2026 it has no AI Act, no standalone AI statute and no designated AI regulator. AI is governed indirectly through data protection law, a national digital strategy, a 2024 White Paper on AI and data governance, and Moldova's EU-accession commitment to align with the EU acquis. The binding rules organisations must plan for sit in data protection: the GDPR-aligned Law No. 195/2024, which takes effect on 23 August 2026 and already covers automated decision-making and profiling.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Moldova has not yet written its own rules for what artificial intelligence may or may not do. Instead, AI is governed by a layered combination of existing law and policy: data protection legislation, a national digital transformation strategy, a non-binding White Paper, sectoral digital laws, and the obligations that come with seeking EU membership. There is no AI Act in force and no body designated as the AI regulator.
The most concrete step toward AI-specific law is a draft bill, prepared by the Ministry of Economic Development and Digitalization (MDED) with the e-Governance Agency, that would let public institutions use AI in delivering public services under conditions of transparency, equal treatment, preserved human control and a right to appeal automated decisions. It is expected to enter into force on 1 January 2027 but remains a draft as of June 2026, with some provisions tied to the date of EU accession.
For organisations operating in Moldova today, the practical centre of gravity is data protection. Law No. 195/2024, which transposes much of the EU GDPR, becomes applicable on 23 August 2026 and already contains AI-relevant rights, including a right not to be subject to solely automated decisions. Even without an AI Act, AI systems that process personal data will be subject to GDPR-style obligations once that law applies.
Why it matters
Moldova matters as a clear example of a candidate country building its AI governance through the front door of EU accession rather than through a standalone AI statute. For organisations deploying AI in or into Moldova, the immediate significance is that the binding obligations are in data protection law, not in any AI-specific regime, and those obligations are about to tighten.
Law No. 195/2024 becomes applicable on 23 August 2026, replacing the older Law No. 133/2011. It introduces GDPR-style duties: a lawful basis for processing, data minimisation, accountability, data protection impact assessments and prior consultation with the regulator for high-risk processing, and a right not to be subject to a decision based solely on automated processing, including profiling, with safeguards for human intervention and the ability to contest the decision. Any AI system touching personal data in Moldova will fall within this framework.
The forward-looking stakes are shaped by accession. Moldova has been an EU candidate since June 2022, opened negotiations in June 2024, completed bilateral screening in September 2025 and targets accession by 2028. Because accession requires alignment with the full EU acquis, the EU AI Act functions as a planning baseline: organisations that build EU-AI-Act-aligned governance now, risk classification, technical documentation, human oversight and transparency, are making a defensible investment against future requirements rather than reacting later.
How it works
No AI statute in force, but legislation is being drafted
As of June 2026 Moldova has no comprehensive AI Act, no in-force AI-specific law and no designated AI regulator. The most concrete step is a draft bill from the MDED and the e-Governance Agency that would authorise public institutions to use AI in service delivery, provided citizens' rights, transparency and equal treatment are respected, human control and the possibility of human intervention are preserved, and citizens can appeal decisions made using automated systems. The draft reportedly bans fully automatic decisions in sensitive areas such as restricting rights and freedoms, stopping social payments, child custody and the protection of vulnerable groups. It is expected to enter into force on 1 January 2027, except for provisions tied to EU accession, but it remains a draft and its final text and timing may change. Separately, MDED began work in April 2026 on a National Programme on Artificial Intelligence and Data Management for 2026 to 2030, also at the drafting stage.
Data protection: the operative framework
The binding legal framework most relevant to AI today is data protection law. Law No. 133 of 8 July 2011 currently governs. Its GDPR-aligned successor, Law No. 195 of 25 July 2024, was published on 23 August 2024 and becomes applicable on 23 August 2026, replacing the 2011 law. It transposes much of Regulation (EU) 2016/679 while introducing some provisions that deviate from the GDPR. Crucially for AI, it gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, where that produces legal effects, with safeguards including the right to human intervention, to express a view and to contest the decision. It also defines profiling, requires data protection impact assessments and prior consultation with the regulator for high-risk processing, and mirrors GDPR principles. The regulator is the National Centre for Personal Data Protection (NCPDP), an autonomous public authority based in Chisinau.
National strategy and AI policy (soft law)
The Digital Transformation Strategy of the Republic of Moldova 2023 to 2030, approved in September 2023, sets six objectives spanning digital society, a competitive ICT sector, a digital economy, an efficient digital state, a safe and inclusive digital environment, and Moldova as a Digital Nation, explicitly aligned with EU integration. It does not itself regulate AI. The White Paper on Artificial Intelligence and Data Governance, released by MDED in October 2024, is described as the first policy framework document setting the government's strategic direction for AI; it is a soft-law document with recommendations toward a future legislative framework, not binding law.
The forming institutional layer
Moldova established a Sub-Council on AI and Data Governance in 2024, with members drawn from public institutions, the ICT business community, international stakeholders and civil society. In April 2026 a related consultative body, the Sub-Council for Artificial Intelligence and Applied Research, was launched jointly by MDED and the Ministry of Education and Research, with tasks including implementing a future Law on AI in national legislation and appointing a body responsible for implementing and monitoring AI policy. Officials have stated that this future AI authority has not yet been designated.
EU accession as the shaping force
Moldova was granted EU candidate status in June 2022, formally launched accession negotiations in June 2024 and completed bilateral screening on 22 September 2025, with a government target of accession by 2028. The EU-Moldova Association Agreement, in force since July 2016, already requires Moldova to approximate its legislation to EU acts on the information society and electronic communications. Moldova is actively transposing EU digital law, including a new Law on Electronic Communications in force from January 2026. Because accession requires alignment with the full acquis, the EU AI Act functions as a future baseline, and the Sub-Council's mandate explicitly includes adapting it to national legislation.
Council of Europe instruments
Moldova signed the Council of Europe Framework Convention on Artificial Intelligence (CETS No. 225) on 5 September 2024 but has not ratified it, and the Convention is not yet in force globally, since entry into force requires five ratifications including at least three Council of Europe member states. Moldova ratified the modernised data protection convention, Convention 108+ (CETS No. 223), on 15 May 2026, becoming the 34th state party; that convention is also not yet in force, as its threshold is 38 ratifications.
Examples
A software vendor selling a profiling-based credit tool into Moldova treats Law No. 195/2024 as the binding requirement rather than waiting for an AI Act. Ahead of the 23 August 2026 application date, it maps its personal-data processing, documents a lawful basis, prepares a data protection impact assessment for the high-risk profiling, and builds in human intervention and a contest route, because the law gives individuals the right not to be subject to solely automated decisions with legal effects.
A government agency planning an AI tool for public-service triage tracks the draft AI-in-public-services bill targeted for 1 January 2027. It designs the deployment around the bill's expected requirements, transparency, equal treatment, preserved human control and an appeal route, and it ensures the tool never makes fully automatic decisions in sensitive domains such as social payments or child custody, which the draft is reported to prohibit outright.
A multinational preparing a multi-year Moldova roadmap uses the EU AI Act and the Council of Europe Framework Convention as design references. Given the 2028 accession target, it builds risk classification, technical documentation, human oversight and AI impact assessments into its governance now, treating EU-AI-Act alignment as a forward investment that reduces the cost of retrofitting once Moldova transposes the acquis.
Common misunderstandings
"Moldova has an AI law."
It does not. As of June 2026 there is no in-force AI statute and no designated AI regulator. A draft AI-in-public-services bill exists, targeted for January 2027, but it is not yet law.
"There are no binding rules on AI in Moldova."
There are, through data protection law. Law No. 195/2024, applicable from 23 August 2026, imposes GDPR-style duties and a right not to be subject to solely automated decisions, which directly affects AI that processes personal data.
"GDPR compliance is automatically Moldova compliance."
Not quite. Law No. 195/2024 transposes much of the GDPR but includes provisions that deviate from it, so EU-GDPR alignment does not guarantee full Moldovan compliance.
"Moldova has ratified the Council of Europe AI Convention."
It has signed CETS No. 225 but not ratified it, and the Convention is not yet in force globally. The convention Moldova ratified in May 2026 was Convention 108+ on data protection, which is also not yet in force.
"An AI regulator is already overseeing the market."
No AI authority has been designated. Data protection is supervised by the National Centre for Personal Data Protection, but the body to implement and monitor AI policy does not yet exist.
Risks and boundaries
Moldova's AI governance is assembled from data protection law, strategy and policy documents, and EU-accession obligations rather than a dedicated AI regime, so anyone looking for a single AI statute will not find one. The most concrete AI-specific instrument, the AI-in-public-services bill, is a draft: its 1 January 2027 target and its contents may change, and some provisions are tied to the date of EU accession.
The binding obligations sit in data protection law, and the key date is 23 August 2026, when Law No. 195/2024 becomes applicable. Because that law transposes the GDPR only partially, organisations should not assume EU-GDPR compliance equals Moldovan compliance. Treaty status is time-sensitive and should be reverified against the Council of Europe Treaty Office: Moldova has signed but not ratified the AI Framework Convention, and neither that convention nor Convention 108+ is yet in force. No national AI authority has been designated. Some details of the draft AI bill rest on Moldovan-language press reporting, so the primary text in the official register should be checked once published. None of this is legal advice; specific questions should be confirmed with the National Centre for Personal Data Protection or qualified counsel.
What to do next
Treat Law No. 195/2024 compliance as the priority rather than a hypothetical AI Act. Before it applies on 23 August 2026, map your personal-data processing, legal bases, retention and processors, and prepare records of processing, data protection impact assessments for high-risk or AI processing, and breach procedures.
Inventory any automated decision-making or profiling. Where decisions are based solely on automated processing with legal or significant effects, build in human intervention, an explanation and a contest route now, since this is a binding right under Law No. 195/2024.
If you are a public body or a vendor to one, track the draft AI-in-public-services law targeted for 1 January 2027 and design deployments around its expected requirements: transparency, equal treatment, preserved human control, appeal rights, and an absolute ban on fully automated decisions in sensitive domains.
Monitor the National Programme on AI and Data Management 2026 to 2030 and the Sub-Council outputs for the future regulatory architecture and the designation of an AI oversight body.
Use the EU AI Act and the Council of Europe Framework Convention as design references. Given the 2028 accession target, building aligned governance now, risk classification, technical documentation, human oversight and AI impact assessments, reduces future retrofit cost.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Moldova have an AI law?
No. As of June 2026 there is no in-force AI statute and no designated AI regulator. A draft AI-in-public-services bill is targeted for 1 January 2027 but is not yet law.
What rules govern AI in Moldova today?
Mainly data protection law. Law No. 195/2024, applicable from 23 August 2026, transposes much of the GDPR and includes a right not to be subject to solely automated decisions, including profiling.
Who regulates data protection in Moldova?
The National Centre for Personal Data Protection (NCPDP), an autonomous public authority based in Chisinau. No separate AI regulator has been designated.
When does the new data protection law take effect?
Law No. 195/2024 was adopted on 25 July 2024 and becomes applicable on 23 August 2026, replacing the 2011 law.
Is Moldova aligning with the EU AI Act?
Indirectly. As an EU candidate targeting accession by 2028, Moldova must align with the EU acquis, and the Sub-Council's mandate includes adapting the EU AI Act to national legislation.
Has Moldova ratified the Council of Europe AI Convention?
It signed CETS No. 225 in September 2024 but has not ratified it, and the Convention is not yet in force. Moldova ratified Convention 108+ on data protection in May 2026.
What should organisations do now?
Prioritise Law No. 195/2024 compliance, inventory automated decision-making and profiling, and use the EU AI Act as a design reference for forward-looking governance.