What is AI regulation in Monaco?
AI regulation: countries and regions
Monaco has no dedicated artificial intelligence statute. AI is governed by existing law, principally Law no. 1.565 of 3 December 2024 on the protection of personal data, enforced by the Autorite de Protection des Donnees Personnelles (APDP), together with sector rules and Monaco's Council of Europe commitments. Monaco ratified Convention 108+ on 6 March 2025 but, as of June 2026, has not signed the Council of Europe Framework Convention on AI.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Monaco is a sovereign microstate and a member of the Council of Europe, but not a member of the European Union. It does not have a standalone law that regulates artificial intelligence as such. There is no Monegasque equivalent of the EU AI Act, and no risk tiers, conformity assessments or AI-specific regulator.
Instead, AI is governed by the laws that already apply to whatever the AI system does. The most important of these is data protection law: Law no. 1.565 of 3 December 2024, which replaced the older Law no. 1.165 of 1993. Where an AI system processes personal data, it must comply with that law and with the supervisory authority, the APDP, which replaced the former CCIN. Other rules, such as financial-sector supervision, consumer protection, civil liability and the criminal law, apply to AI in the same way they apply to any other tool.
Monaco's approach is therefore best described as governance through existing horizontal and sectoral law plus regional commitments, rather than a bespoke AI regime. Its data protection reform is explicitly aligned with European standards, and its broader posture is shaped by its Council of Europe membership and its close practical ties to France and the EU.
Why it matters
For an operator, adviser or buyer, the practical point is that the absence of an AI-specific law in Monaco does not mean an absence of legal obligation. Any AI system touching personal data falls squarely within Law no. 1.565, which carries administrative fines of up to 10 million euros or 4 per cent of total worldwide annual turnover, whichever is higher, for the most serious breaches under Article 54 (with lesser breaches under Article 53 attracting up to 5 million euros or 2 per cent), backed by a meaningful enforcement track record under its predecessor. Because Monaco is a small, internationally exposed economy built around private banking, wealth management and tourism, most AI deployments here will involve personal or financial data and so will be in scope.
There is also a cross-border dimension that matters more in Monaco than almost anywhere. Monaco sits inside the EU customs and VAT territory through France, uses the euro, and is de facto within Schengen. Many Monaco firms serve EU residents, which can pull them into the EU GDPR and, where they place AI systems on the EU market or their output is used in the EU, potentially the EU AI Act, regardless of Monaco's own quieter rulebook. Understanding what governs AI in Monaco is therefore as much about the European instruments that reach into the principality as about Monegasque law itself.
How it works
No dedicated AI statute
As of June 2026 Monaco has not enacted, and has not published a bill for, a horizontal AI law. There is no Monegasque risk-based AI classification, no AI conformity assessment regime, and no dedicated AI regulator. This should be stated plainly: AI in Monaco is regulated by general law, not by a special AI code. Commentary describing a Monegasque "risk-based AI framework" overstates the position; what exists is a modern data protection law that happens to bite hard on data-driven AI.
The core instrument: data protection law
The central instrument is Law no. 1.565 of 3 December 2024 on the protection of personal data, adopted by the National Council on 28 November 2024, published in the Journal de Monaco on 13 December 2024 and in force from 14 December 2024. It replaced Law no. 1.165 of 23 December 1993. The reform is consciously modelled on European standards: Council of Europe Convention 108+, the EU GDPR and the Law Enforcement Directive. Its stated aim is to secure an EU adequacy decision so that personal data can flow from the EU to Monaco without additional safeguards, a process that had been suspended since 2012.
For AI specifically, several features of Law no. 1.565 do the regulatory work: a lawfulness, fairness and transparency requirement; data protection impact assessments for high-risk processing; obligations around security and breach notification (the breach notification mechanism sits in Article 32); record-keeping duties for larger organisations; and a move away from the old system of prior declarations towards accountability, while retaining prior APDP opinion or authorisation for the most sensitive processing such as biometric identification and certain video surveillance. The law has both a territorial and an extraterritorial reach: it covers controllers and processors established in Monaco, and those established elsewhere who process the data of people in Monaco in connection with offering goods or services or monitoring behaviour. Transitional periods soften the landing: regular processing already under way before entry into force has one year to comply, and high-risk processing requiring an impact assessment has a three-year window.
The responsible institution: the APDP
The supervisory authority is the Autorite de Protection des Donnees Personnelles (APDP), which succeeded the Commission de Controle des Informations Nominatives (CCIN) in 2025. The APDP advises controllers, processors and individuals, handles complaints and breach notifications, and enforces Law no. 1.565. Its powers are materially stronger than the CCIN's: it can order processing to be brought into compliance, impose temporary or permanent limits on processing, withdraw certifications, suspend cross-border data flows and impose administrative fines of up to 10 million euros or 4 per cent of worldwide annual turnover for the most serious breaches. The CCIN had already shown willingness to act, including a public sanction of the Minister of State over pandemic-era health data handling.
Regional and international commitments
Monaco joined the Council of Europe in 2004 as the 46th member state and, in 2026, holds the presidency of the Committee of Ministers. On the data side it ratified the Convention 108+ amending protocol (CETS No. 223) on 6 March 2025, becoming the 33rd Party to do so; the Council of Europe notes that Convention 108+ will enter into force once it reaches 38 ratifications, so five further ratifications were still needed at that point. Convention 108+ directly strengthens protections around automated processing, including automated decision-making relevant to AI.
On AI specifically, the position is more limited. The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225) opened for signature on 5 September 2024 and entered into force on 1 November 2025, after it crossed the threshold of five ratifications including at least three Council of Europe member states (early ratifiers including the United Kingdom, France and Norway). As of June 2026, Monaco has neither signed nor ratified it. The day-one signatories on 5 September 2024 were Andorra, Georgia, Iceland, Norway, the Republic of Moldova, San Marino, the United Kingdom, Israel, the United States of America and the European Union; comparable microstates Andorra and San Marino were among them, while Monaco was not. This is a notable gap for a Council of Europe member chairing the Committee of Ministers, and is the single clearest indicator that Monaco has not yet committed to an AI-specific legal instrument.
The EU dimension and extraterritoriality
Monaco is not in the EU and the GDPR and EU AI Act do not apply automatically. But Monaco is inside the EU customs and VAT territory via its customs union with France, uses the euro under a monetary agreement, and is administered as part of Schengen. Because of the GDPR's extraterritorial scope, a Monaco controller or processor that targets EU residents can be directly subject to the GDPR in addition to Law no. 1.565. The same extraterritorial logic can, in principle, draw Monaco-based AI providers and deployers into the EU AI Act where their systems are placed on the EU market or their output is used in the EU.
Strategy and soft governance: Extended Monaco
Monaco's visible AI activity is in policy and capability-building rather than binding regulation. The Extended Monaco programme, launched on 30 April 2019 by Prince Albert II and run through the Interministerial Delegation for Digital Transition, frames AI as a driver of innovation and underpins it with sovereign cloud and secure-data infrastructure. For 2026 the enterprise strand made AI its primary focus through training formats such as Digital FlashUp and FlashLearn AI. The APDP itself has deployed an AI virtual assistant, hosted in France and designed not to collect personal data. These are soft-law and capacity measures, not statutory AI rules.
Examples
A Monaco private bank deploying an AI tool for KYC screening, transaction monitoring or client profiling is not operating in a vacuum. The processing falls under Law no. 1.565, very likely triggering a data protection impact assessment for high-risk profiling, and the bank remains subject to Monegasque financial supervision and to the AMAF industry working group's expectations on model validation and human oversight. Where it serves EU-resident clients, GDPR obligations can apply in parallel.
A Monaco e-commerce or marketing business using AI chatbots, content generation or analytics on customer data must comply with Law no. 1.565 on lawful basis, transparency and security, and update its privacy documentation to reference the APDP rather than the defunct CCIN. If it targets customers in France or Italy, the EU GDPR can apply on top of Monegasque law.
A public body or healthcare provider in Monaco using automated processing, for example biometric identity checks or video surveillance, must seek the APDP's prior opinion or authorisation before deployment, reflecting the law's retained preventive control over the most sensitive categories of processing.
Common misunderstandings
"Monaco has an AI law." It does not. There is no dedicated AI statute or bill. AI is governed by general and sectoral law, chiefly data protection.
"Monaco follows the EU AI Act." Monaco is not an EU member and has not transposed the AI Act. The Act can reach Monaco firms only through its extraterritorial scope, not by domestic adoption.
"The GDPR applies in Monaco." Not directly. Monaco has its own law, Law no. 1.565. The GDPR applies only where its extraterritorial criteria are met, for example targeting EU residents.
"The regulator is still the CCIN." The CCIN was replaced by the APDP in 2025. Documentation naming the CCIN as the supervisory authority is out of date.
"Monaco has signed the Council of Europe AI treaty." As of June 2026 it has not signed or ratified CETS No. 225, although it ratified the related data protection Convention 108+ on 6 March 2025.
Risks and boundaries
The main boundary is conceptual: Monaco regulates AI indirectly. If an AI use case does not involve personal data and falls outside any sectoral rule, there may be no specific Monegasque instrument addressing it beyond general civil and criminal law. Conversely, treating the lack of an AI statute as a light-touch environment is a mistake, because Law no. 1.565 is demanding and the APDP's powers are significant.
Several points are genuinely uncertain or pending and should not be overstated. Monaco's pursuit of an EU adequacy decision was ongoing as of 2025 and had not been granted at the time of writing. The fine ceiling is tiered in the manner of the GDPR: up to 10 million euros or 4 per cent of worldwide annual turnover for the gravest breaches (Article 54) and up to 5 million euros or 2 per cent for lesser breaches (Article 53), the higher figure applying. Transitional periods under Law no. 1.565 (one year for existing processing and up to three years for impact assessments, measured from the 14 December 2024 entry into force) mean compliance timelines were still closing through 2025 and 2026. And Monaco's eventual stance on the Council of Europe AI Framework Convention remains open. Where these matters are unresolved, verify current status against the APDP and official sources before relying on them.
What to do next
Treat data protection law as your primary AI compliance anchor in Monaco. Map every AI system against Law no. 1.565: identify the lawful basis, run a data protection impact assessment where the processing is high-risk, and confirm whether prior APDP opinion or authorisation is required (for example biometric identification or video surveillance).
Update governance artefacts. Replace references to the CCIN with the APDP, refresh privacy notices and records of processing, and confirm whether you must appoint a data protection officer.
Assess your European exposure deliberately. If you target or monitor people in the EU, assume the GDPR may apply alongside Monegasque law, and consider whether the EU AI Act could reach your systems through their use or placement in the EU market.
Track the moving parts. Watch the EU adequacy decision, the transitional deadlines under Law no. 1.565, and any move by Monaco to sign the Council of Europe AI Framework Convention or publish AI-specific guidance. A signature on CETS No. 225, or a dedicated AI bill, would be the clearest signals that the architecture is changing.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Monaco have a law specifically regulating artificial intelligence?
No. As of June 2026 there is no dedicated AI statute or published AI bill in Monaco. AI is governed by general and sectoral law, principally data protection law.
What law governs AI in Monaco in practice?
Mainly Law no. 1.565 of 3 December 2024 on the protection of personal data, enforced by the APDP, supplemented by financial-sector supervision, civil liability and criminal law where relevant.
Who is the regulator?
The Autorite de Protection des Donnees Personnelles (APDP), which replaced the Commission de Controle des Informations Nominatives (CCIN) in 2025 with strengthened powers and fines of up to 10 million euros or 4 per cent of worldwide turnover for the gravest breaches.
Is Monaco bound by the EU AI Act?
Not directly. Monaco is not an EU member and has not transposed the AI Act. The Act can reach Monaco firms only through its extraterritorial scope.
Has Monaco signed the Council of Europe Framework Convention on AI?
No. As of June 2026 Monaco has neither signed nor ratified CETS No. 225, though it ratified the related data protection Convention 108+ on 6 March 2025.
Does the GDPR apply to Monaco businesses?
Only where its extraterritorial criteria are met, such as offering goods or services to, or monitoring the behaviour of, people in the EU. Otherwise Law no. 1.565 applies.
What is Extended Monaco?
A national digital programme launched in 2019 that promotes digital transformation and, in 2026, AI skills and adoption. It is a strategy and capability initiative, not a binding AI law.