What is AI regulation in Montenegro?

Montenegro has no dedicated AI law. As of mid-2026, artificial intelligence is governed by general rules: the constitutional right to data protection, the Personal Data Protection Law, sector statutes (information security, electronic communications, copyright, consumer and criminal law) and the courts. Montenegro signed the Council of Europe Framework Convention on Artificial Intelligence in November 2024 but has not ratified it, and is drafting its first National AI Strategy (2026 to 2030) while preparing to align with the EU acquis, including the EU AI Act, as an accession candidate.

Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026

What this means

AI regulation in Montenegro is best described as an emerging, framework-by-default model rather than a single statute. There is no Montenegrin AI Act and no binding AI-specific code. What governs AI today is the ordinary law that already applies to any technology: the Constitution, data protection rules, sector regulation and the general law of contract, liability and consumer protection. When an AI system processes personal data, makes automated decisions or causes harm, those existing rules are what bite.

Two things are moving in parallel. First, Montenegro is building soft and strategic infrastructure: a UN-supported readiness assessment presented in May 2025 and a National AI Strategy for 2026 to 2030, coordinated by the Ministry of Public Administration. Second, Montenegro is bound to a regulatory destination by its politics: it is the frontrunner candidate for EU membership, so it expects to adopt the EU AI Act and related digital acquis on or before accession.

For now, the honest summary is that Montenegro has commitments and plans, but little hard AI-specific law. Organisations should treat data protection law, sector regulation and international commitments as the operative framework, and watch the strategy and EU alignment timetable for what comes next.

Why it matters

The practical stakes are about uncertainty and direction of travel. Because Montenegro has no AI statute, there is no local risk classification, no AI conformity assessment and no AI regulator to consult. That creates a compliance vacuum: questions about liability, automated decision-making, training data and consumer protection have to be answered from general law that was not written with AI in mind. For deployers, that means more legal judgement and more reliance on contracts and internal governance.

At the same time, the destination is fairly predictable. Montenegro's data protection regime is being pulled towards the EU General Data Protection Regulation; the 2025 readiness report notes the current framework rests on the 2008 Personal Data Protection Law, soon to be replaced by a GDPR-aligned law, and accession will eventually import the EU AI Act. Organisations that build to EU-grade standards now (data protection by design, documentation, human oversight, transparency) are unlikely to waste effort, because that is the standard Montenegro is converging on. The risk is mainly for those who assume the current gap means no obligations: data protection duties, sector rules and human rights commitments already apply.

How it works

No dedicated AI statute, by default

Montenegro has not enacted an AI-specific law, bill or binding code, and at the time the first national readiness work was published it had no national AI strategy in force. AI activity is therefore governed by general legal principles drawn from existing laws. The 2025 readiness assessment rates Montenegro at the "Systematic" phase with a score of 2.4 out of 5 for government as an AI user, noting that the country lacks a national AI strategy or dedicated procurement systems and that public-sector AI use is mostly individual use of tools such as ChatGPT. This is a genuine gap rather than a deliberate light-touch design: legal commentary notes that areas such as contract, liability, labour and consumer protection are not adapted to AI, which creates uncertainty for investment and deployment.

The constitutional and data protection baseline

The starting point is constitutional. Article 43 of the Constitution guarantees the protection of personal data and prohibits using personal data for purposes other than those for which they were collected. Below the Constitution, the Personal Data Protection Law (Official Gazette of Montenegro numbers 79/08, 70/09, 44/12, 22/17 and 77/24), most recently amended in 2024, is the main instrument that touches AI, because most AI systems process personal data. It sets principles of legitimate purpose, proportionality and accuracy, requires notification of data filing systems to the regulator, and provides data subject rights. The regulator is the Agency for Personal Data Protection and Free Access to Information (AZLP).

There is a notable conflict in secondary sources about GDPR alignment. Most guides (and the European Commission's accession materials) state the current regime is not yet fully aligned with the GDPR and that a new, GDPR-aligned law is still being prepared; the UNDP readiness report describes the draft as having undergone public consultations and been under review by the AZLP, with a GDPR-aligned law expected to replace the 2008 law. At least one law-firm guide instead asserts a new act took effect in 2023. The weight of evidence, including EU accession reporting, supports the view that full GDPR alignment is still pending. This matters for AI because GDPR-style rules on automated decision-making, profiling and data protection impact assessments are the most likely near-term constraints on AI.

Sector law that catches AI

Several sector statutes apply to AI use even though none names it. The Law on Information Security (Official Gazette 113/2024) sets cybersecurity duties and established a national cyber security agency. The Law on Electronic Communications governs direct marketing, data retention and breach notification by communications providers. The Copyright and Related Rights Act is relevant to generative AI: commentary notes it lacks a commercial text-and-data-mining exception and that purely AI-generated works are treated as ineligible for copyright because protected works must originate from a natural person. The Criminal Code criminalises unauthorised collection and use of personal data. Innovation legislation and an Innovation Fund support AI projects but do not regulate AI risk.

Responsible institutions

No single AI regulator exists. The Ministry of Public Administration is the lead policy body: it presented the 2025 readiness assessment and coordinates the National AI Strategy working group. AZLP is the operative regulator for the data-protection dimension of AI. Sector bodies (the communications regulator, the cyber security agency, the audiovisual media regulator) cover their respective domains. The judiciary and a national high-performance computing competence centre are also involved in specific AI projects.

The National AI Strategy 2026 to 2030

The strategy is in development, not yet adopted. Its foundation was the Artificial Intelligence Landscape Assessment (AILA), a readiness report developed with the United Nations Development Programme and funded by the European Union, presented in Podgorica on 13 May 2025 jointly by the Ministry of Public Administration and UNDP. The report records foundational digital strengths, including roughly 80 per cent of households connected to the internet, mobile phone penetration reaching nearly 80 per cent of the population, and a median population age of 39.6 years. A working group coordinated by the Ministry of Public Administration held its constitutive session in October 2025, with later sessions and a workshop in early 2026. The emerging pillars include digital infrastructure and data, sectoral AI adoption, skills, and regulatory and ethical frameworks, with explicit intent to align with European and international standards.

Regional and international commitments

Montenegro is a Council of Europe member. It signed the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225) in Strasbourg on 5 November 2024, with Deputy Prime Minister and Minister of Foreign Affairs Ervin Ibrahimovic signing on its behalf, and became the 11th signatory to the treaty. It has not ratified the Convention, however, so the Convention does not yet bind Montenegro in domestic law. On data protection, Montenegro is a Party to the original Convention 108 and its Additional Protocol (in force for Montenegro from 1 July 2010), but it has not signed the modernised Convention 108+ (CETS No. 223). As a UNESCO member, Montenegro is within the scope of the 2021 UNESCO Recommendation on the Ethics of Artificial Intelligence, a non-binding standard adopted by all member states. Montenegro is not an OECD member and is not among the adherents to the OECD AI Principles.

EU accession as the regulatory anchor

Montenegro is the most advanced EU accession candidate; it has announced that it wants to complete negotiations by the end of 2026, an aim the European Commission supports, and 14 of 33 chapters had been provisionally closed by March 2026. Chapter 10 (Information Society and Media) was provisionally closed in December 2024. On accession, Montenegro will be obliged to align its legislation with the EU acquis, including the EU AI Act. This is the single most important driver of Montenegro's AI regulatory trajectory: the eventual hard-law model is likely to be a transposition of the EU's risk-based regime rather than a home-grown design.

Examples

A company deploying an AI hiring or scoring tool in Montenegro has no local AI Act to follow, so its binding constraints come from the Personal Data Protection Law and the Constitution: lawful basis, purpose limitation, data subject rights and the AZLP's supervisory role. Prudent deployers build to GDPR-grade expectations on automated decision-making because that is the direction of alignment.

The Montenegrin justice sector has begun building governed AI capability. In 2026, infrastructure within the Judicial Council's data centre was reported to enable justice institutions to train and operate AI models tailored to the national legal framework, described as developed in accordance with national legislation, EU regulations and international best practice, and supported by international partners. This shows AI adoption proceeding under general governance and EU-aligned principles rather than a dedicated AI statute.

A public-sector body adopting AI relies on the readiness assessment and the forthcoming National AI Strategy for direction. The 2025 readiness report identified priority sectors (such as tourism, energy and environmental protection) and recommended a clear regulatory framework, ethical guardrails and data protection mechanisms, which is the policy scaffolding agencies are expected to use until binding rules arrive.

Common misunderstandings

"Montenegro has an AI law." It does not. There is no AI-specific statute or binding code as of mid-2026; AI is governed by general law and sector rules.

"Signing the Council of Europe AI Convention means it is in force in Montenegro." Signature is not ratification. Montenegro signed CETS No. 225 in November 2024 but has not ratified it, so it does not yet create domestic obligations there.

"Montenegro already follows the EU AI Act." Not yet. As a candidate, Montenegro expects to align with the AI Act on or before EU accession, but the Act does not currently apply.

"Its data protection law is just GDPR." The regime draws on EU standards and is converging on the GDPR, but most sources indicate it is not yet fully GDPR-aligned and a new law is still pending.

"There is a dedicated AI regulator." There is not. The Ministry of Public Administration leads policy and AZLP supervises data protection; AI oversight is spread across existing bodies.

Risks and boundaries

This page describes a jurisdiction with thin AI-specific law, and that is the central limit: there is no Montenegrin risk taxonomy, no conformity assessment regime and no AI enforcement track record to cite. Claims that Montenegro "regulates AI" should be read narrowly as applying general law to AI use.

Several statuses are pending or uncertain and could change. The National AI Strategy 2026 to 2030 is in drafting and not adopted. Ratification of the Council of Europe AI Convention has not occurred. Convention 108+ has not been signed. Full GDPR alignment of the data protection law is still expected rather than complete, and sources conflict on its current state, which is flagged honestly here. EU accession timing is a political variable that will determine when the EU AI Act becomes binding.

This article is general explanation, not legal advice. It does not assess any specific AI system against Montenegrin law, and organisations with real exposure should take local advice, especially on data protection and any sector licence conditions.

What to do next

Treat data protection law as your primary compliance anchor today. Map where your AI systems process personal data, identify a lawful basis, honour data subject rights and engage with the AZLP where notification or guidance is needed. Build to GDPR-grade expectations, because that is the standard Montenegro is converging on.

Build to the EU AI Act now if you can. Because accession will import the EU regime, designing for risk classification, documentation, human oversight and transparency is forward-compatible and reduces rework. Use recognised standards and the EU's risk-based logic as your internal benchmark.

Watch three triggers. First, adoption of the National AI Strategy 2026 to 2030 and any regulatory framework it proposes. Second, any ratification of the Council of Europe AI Convention, which would create binding human-rights duties. Third, the EU accession timetable and the point at which the AI Act becomes applicable. Each of these would change the compliance picture and should prompt a review of your governance posture.

FAQs

Does Montenegro have an AI law?

No. As of mid-2026 there is no AI-specific statute or binding code. AI is governed by the Constitution, the Personal Data Protection Law, sector statutes and general civil, consumer and criminal law.

What governs AI in the absence of a dedicated law?

Mainly the constitutional right to data protection (Article 43), the Personal Data Protection Law enforced by the AZLP, plus sector rules on information security, electronic communications, copyright and the Criminal Code, applied case by case.

Did Montenegro sign the Council of Europe AI Convention?

Yes. Montenegro signed the Framework Convention on Artificial Intelligence (CETS No. 225) on 5 November 2024 as the 11th signatory, but it has not ratified it, so it does not yet bind Montenegro domestically.

Is Montenegro bound by Convention 108+?

No. Montenegro is a Party to the original Convention 108 and its Additional Protocol, but it has not signed the modernised Convention 108+.

Will the EU AI Act apply in Montenegro?

Not yet. As a leading EU accession candidate, Montenegro is expected to align with the EU acquis, including the AI Act, on or before membership, but the Act does not currently apply.

Who is responsible for AI policy and oversight?

The Ministry of Public Administration leads AI policy and the National AI Strategy; the AZLP supervises data protection; sector regulators cover communications, cybersecurity and media.

Is there a national AI strategy?

A National AI Strategy for 2026 to 2030 is being drafted by a working group coordinated by the Ministry of Public Administration, building on the AILA readiness assessment presented in May 2025, but it has not yet been adopted.

Has Montenegro endorsed international AI ethics standards?

As a UNESCO member it falls within the 2021 UNESCO Recommendation on the Ethics of AI, a non-binding standard. It is not an OECD member and is not an adherent to the OECD AI Principles.

Sources