What is AI regulation in Mongolia?
AI regulation: countries and regions
Mongolia currently has no dedicated AI law. Instead it relies on existing laws (especially its new data protection law) and policy strategy. In September 2025 the government adopted a National Strategy for Big Data and AI as part of its "Digital First" programme. This sets out principles (transparency, accountability, risk evaluation) and projects over five years. In practice, any AI system in Mongolia must comply with its personal data protection rules and other sector laws while the new strategy is rolled out.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Mongolia's approach to AI is largely policy-driven rather than regulatory. The country has not passed an AI-specific statute. Instead, it has updated its data protection and cybersecurity laws and launched a high-level AI strategy. In 2025 the Ministry of Digital Development introduced a national Big Data and AI Strategy under the "Digital First" policy. The strategy outlines goals (developing AI skills, infrastructure and exports) and embeds ethical principles, but it is not itself a binding regulation.
In the absence of a dedicated AI law, Mongolian organizations must follow existing laws. The main binding law is the Law on Personal Data Protection (effective 1 May 2022). This law governs how AI systems may collect and use personal data (requiring consent, purpose limits, security, etc.). Other tech laws (cybersecurity, e-signature, public information) form a general framework. Until formal AI regulations are enacted, AI use in Mongolia is governed by these data and sectoral laws plus the government's strategy guidance.
Why it matters
For businesses and public bodies, Mongolia's lack of an AI-specific law means they must interpret AI rules through existing legislation. Any organization deploying AI must ensure compliance with the Personal Data Protection Law and related rules - otherwise it risks fines or reputational damage. The new AI strategy signals future changes and government priorities: it includes 66 projects and ethical guidelines (e.g. algorithmic transparency and human rights alignment) for the next five years.
In practice, governments and companies should watch this space. The strategy implies new institutions (an AI Council, data repository, etc.) and possibly an AI bill to follow. Leaders need to prepare by auditing AI systems for privacy and bias, and by building governance around the declared ethics goals. Understanding Mongolia's current framework helps avoid compliance gaps and takes advantage of upcoming programs (for example, large-scale AI skills training with international partners) under the Digital First initiative.
How it works
National AI Strategy
Mongolia's AI policy is led by its 2025 "National Strategy on Big Data and Artificial Intelligence". Introduced at a cabinet meeting in September 2025, this 5-year strategy (2025-2030) aims to build an AI ecosystem and digital economy. It commits to 66 projects across four strategic objectives (for example, AI infrastructure, workforce training and international competitiveness). Notably, the strategy's second objective is to create an "ethical and responsible AI ecosystem" through public-private collaboration.
Key elements of the strategy include creating new institutions and infrastructure in 2025-26: for instance, a National Council on Artificial Intelligence, a GPU cluster-based AI Center, and a National Data Repository. By 2030, Mongolia expects to export AI products in the region and host major data centers. For now, these are policy goals rather than laws. The strategy itself was approved by government resolution, which means organizations should follow its principles as guidance but not as enforceable rules.
Data Protection and Related Laws
Since there is no AI law, Mongolia relies on its new personal data protection framework to govern AI. The Law on Personal Data Protection (effective 1 May 2022) replaced older privacy statutes. It applies to all processing of personal data in Mongolia, including by AI systems. Under this law, data controllers must collect data only with legal grounds (usually consent) and follow principles of transparency and purpose limitation.
In September 2023 the Digital Ministry issued an information security regulation requiring data controllers to follow explicit principles (including transparency, risk evaluation and accountability) when handling sensitive data. In practice, this means AI developers must build systems that clearly inform users and minimize risks. The law mandates onshore storage and robust security for Mongolian data. Violations of these rules (for instance unauthorized use of personal data) can incur fines or penalties. Until AI-specific rules appear, any AI project must fit within this existing cybersecurity and data-privacy framework.
Institutions and Oversight
The Ministry of Digital Development, Innovation and Communications (MDDIC) is the lead government body for AI and digital policy. It coordinated the national strategy and related programs, such as the AI training initiative with Oracle. Enforcement of data-related AI rules currently falls to MDDIC and the National Human Rights Commission. Under the data protection law, these authorities can investigate data violations and hear complaints.
Other bodies are involved: for example, Mongolia's General Intelligence Agency oversaw deleting unlawfully collected fingerprint data as part of the privacy rollout. Going forward, the strategy plans to establish a dedicated National Council on Artificial Intelligence to coordinate policy. However, no independent AI regulator exists yet. In short, AI oversight today is horizontal: existing agencies enforce data and cybersecurity laws, and strategic oversight is managed by the digital ministry.
Ethical Principles and International Norms
Mongolia's AI strategy stresses ethical AI and aligns with global frameworks. The strategy explicitly adopts human-rights-based principles (transparency, accountability, inclusivity, risk evaluation) for AI and data systems. These mirror international standards like UNESCO's 2021 Recommendation on the Ethics of AI (which Mongolia supports as a UNESCO member).
However, these ethics guidelines are policy commitments rather than binding laws. In other words, AI developers are expected to incorporate these principles voluntarily or through future regulation. Mongolia has also participated in UN and UNESCO programmes (for example a UNDP-MDDIC AI readiness project) to assess and improve its AI governance. Such international alignment helps shape national policy, but any enforceable rules must come from Mongolian legislation or administrative acts.
Examples
- A private hospital in Ulaanbaatar plans to deploy an AI image-analysis tool for patient diagnosis. Under Mongolia's data protection law, the hospital must obtain informed consent from patients and ensure transparency about the AI tool's data use. The new information security requirements mean patient data must stay secure (and technically the server should be in Mongolia). The hospital must also conduct risk assessments and follow the strategy's emphasis on responsible AI deployment (accountable design and human oversight).
- A government agency wants to use an AI-based chatbot to deliver public services. Because no specific AI law exists, the agency follows the national AI strategy's ethics guidelines. It builds the chatbot with logging and audit trails so outputs can be explained (transparency) and reviews data privacy carefully. The deployment is overseen by the Ministry of Digital Development, reflecting the strategy's call for public-private collaboration on AI.
- A startup in Mongolia is building an AI platform that processes user data. Even if the code is developed abroad, the startup must adhere to Mongolian law. For example, any Mongolian personal data used by the AI must be stored and processed with consent as required by law. The technical security rules imply that critical data servers should be located in Mongolia. This ensures compliance with the strategy's and law's data security expectations.
Common misunderstandings
- *Mongolia has a dedicated AI law.* No, Mongolia has not enacted a standalone AI regulation. AI is currently governed through broader laws (particularly data protection) and policy strategies, not a specific AI statute. - *The AI strategy is legally binding.* The National Strategy for AI is a government policy, not legislation. It outlines goals and principles but does not impose legal penalties by itself. - *International AI standards automatically apply.* Global guidelines (e.g. UNESCO's AI ethics recommendation) guide Mongolia's approach, but they are not law in Mongolia until the country formally adopts measures based on them. - *Data protection doesn't affect AI because it's separate.* In fact, Mongolia's data protection law applies to any use of personal data - including by AI systems - so AI projects must comply with consent, security and usage restrictions. - *All sectors have special AI rules.* Currently Mongolia regulates AI horizontally (through general data and tech laws). No sector-specific AI regulations have been issued.
Risks and boundaries
Currently Mongolia's AI regulation regime is limited. It does *not* impose any blanket restrictions on AI development or use. There is no special approval needed for most AI applications, beyond normal data and sectoral compliance. That said, organizations should not assume AI is "unregulated" - misuse of personal data (for example training an AI on private data without consent) can violate existing laws.
Another boundary is that the strategy's ethical principles are aspirational. They are not yet enforceable rules; however, ignoring them could put a project at odds with future regulations. Also, privacy rules include a data localization requirement (servers in Mongolia), so companies cannot freely store Mongolian data abroad without meeting legal criteria.
Finally, Mongolia's AI governance may change soon: the government's own roadmap calls for new AI laws and an AI Council by 2026. Until that happens, stakeholders should be aware that current "AI regulation" is really existing law applied to AI and policy guidance. Any claims about AI legality should be checked against up-to-date statutes and cabinet resolutions.
What to do next
Leaders should start by ensuring that any AI system complies with Mongolia's Personal Data Protection Law. This means obtaining consent from data subjects, securing data within Mongolian territory where required, and conducting regular privacy impact assessments in line with the law's risk-based requirements.
They should also align projects with the national AI strategy's ethics guidelines. This involves building transparency (e.g. explaining AI decisions to users), accountability (documenting how models are trained), and fairness into AI products. Engaging with the Ministry of Digital Development or National Human Rights Commission can provide guidance on best practices and upcoming regulations.
It is wise to track new developments: Mongolia plans to formalise AI policy (including creating an AI Council and drafting AI laws) in the next few years. Teams should prepare by training staff (for example, by participating in government-led AI education programs) and by establishing internal governance that can adapt to future rules. In summary, adopt a cautious and compliant approach now, and stay informed on the evolving AI policy landscape in Mongolia.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Mongolia have an AI-specific law or regulation?
Not yet. Mongolia has no dedicated AI law. Instead it updated its privacy and tech laws and launched a national AI strategy in 2025. AI projects today must comply with the existing Personal Data Protection Law and related regulations.
Who enforces AI rules in Mongolia?
There is no separate AI regulator. The Ministry of Digital Development (in charge of digital policy) and the National Human Rights Commission enforce the data protection law. These bodies handle complaints or investigations about improper data use (including by AI systems). In the future, the strategy calls for a National AI Council, but it is not active yet.
What are the AI strategy's requirements?
The National Big Data and AI Strategy (2025) sets out goals for infrastructure, talent, and ethics. It emphasizes building an AI ecosystem with principles like transparency, accountability and risk-based evaluation. However, these are policy guidelines - not legal mandates - until they are implemented in law or regulation.
Are global AI standards like UNESCO's Recommendation binding?
Mongolia is a UNESCO member and its strategy reflects UNESCO's AI ethics principles, but international recommendations are not binding law. UNESCO's Recommendation on AI Ethics serves as guidance for Mongolia's policies. Any enforceable rule must be adopted by Mongolia's government or parliament.
What happens if an AI application violates data laws?
Violating Mongolia's Personal Data Protection Law (for instance, using personal data in AI without consent) can incur fines or other penalties. There are no separate AI fines yet. Organizations must follow the law for data use and security to avoid sanctions.
Will AI-generated data need to stay within Mongolia?
Under current rules, any controller handling Mongolian personal data generally must use Mongolian-based servers and secure data locally. This means foreign AI providers serving Mongolian users must comply with these localization and security requirements as if they were operating locally.
When will Mongolia pass an AI law?
Mongolia's AI strategy roadmap (2025-26) plans for new legislation on AI ethics and governance, but as of mid-2026 no bill has been enacted. It is expected that concrete AI regulations will follow the strategy's goals.