What is AI regulation in North Macedonia?
AI regulation: countries and regions
North Macedonia has no dedicated artificial intelligence law and no adopted national AI strategy. AI is governed indirectly, chiefly through the 2020 Law on Personal Data Protection, which mirrors the EU GDPR and is enforced by the Personal Data Protection Agency. As an EU candidate country, North Macedonia is expected to align with the EU acquis, including the EU AI Act, over time. Its SMART/MK 2030 ICT strategy treats AI as a policy priority rather than binding regulation.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is, as of mid 2026, no standalone AI statute in North Macedonia, no AI regulator, and no adopted national AI strategy. A government working group on a National Strategy for Artificial Intelligence was established in 2021, but only one meeting has been held since then. So when people ask about "AI regulation" in the country, the honest answer is that AI is regulated only indirectly, through laws written for other purposes.
The most important of these is the 2020 Law on Personal Data Protection, known locally as the ZZLP (Zakon za zastita na licnite podatoci). It is closely modelled on the EU General Data Protection Regulation and is enforced by the Personal Data Protection Agency, abbreviated AZLP in Macedonian and often rendered DZLP. Because most AI systems process personal data, this law is the practical backbone of AI governance today, covering profiling, automated decision making, transparency and data protection impact assessments.
The forward-looking layer is policy, not law. The Ministry of Digital Transformation, created in 2024, adopted the ICT Development Strategy SMART/MK 2030 in October 2025, which names artificial intelligence as one of four pillars. As an EU candidate, North Macedonia is also expected to converge over time with the EU acquis, which now includes the EU AI Act.
Why it matters
For organisations building or buying AI in North Macedonia, the key point is that the absence of an AI law does not mean the absence of rules. Any AI system that touches personal data falls squarely under the GDPR-aligned data protection regime, with real obligations and penalties. The data protection law stipulates three categories of fines: a first category for less serious breaches (such as failing to meet technical protection requirements or failing to appoint a data protection officer) of up to 2% of annual income; a second category for more serious breaches of up to 4% of annual income; and surveillance-related misdemeanours penalised at 1,000 to 10,000 euros.
The second reason it matters is market reach. The EU AI Act applies extraterritorially: it catches providers and deployers established in a third country where the output of the AI system is used in the EU. A Macedonian software company selling AI into the EU single market can therefore be in scope of the EU AI Act regardless of what its home country does. Given that North Macedonia is on an EU accession track, planning to the EU standard now is the pragmatic choice.
How it works
No dedicated AI law: the honest baseline
North Macedonia has not enacted an AI-specific statute and has no AI-specific regulator. A performance audit by the State Audit Office found that the public sector lacked a national strategy, a legal framework, a dedicated budget and qualified staff for AI. Any claim that the country has a binding AI rulebook is incorrect.
The data protection law as the working framework
The Law on Personal Data Protection was adopted in February 2020 and entered into force on 24 February 2020, with a transitional period for compliance. It is published in the Official Gazette of the Republic of North Macedonia, numbers 42/20, 294/21 and 101/25. It transposes GDPR concepts almost in full: lawful bases, data subject rights, transparency, data protection by design and by default, breach notification, and rules on profiling and automated decision making. Controllers must inform individuals where automated decision making, including profiling, takes place, and provide meaningful information about the logic involved.
The Personal Data Protection Agency
The Personal Data Protection Agency is the independent supervisory authority, accountable to the national Assembly. It was originally the Directorate for Personal Data Protection, established in 2005, and was renamed under the 2020 law. Its director is elected by Parliament. The Agency has issued guidance and adopted lists of processing that require a data protection impact assessment, including systematic profiling and automated decision making. In practice it has leaned on warnings and education rather than fines. The European Commission's 2025 enlargement report noted that the Agency continues to struggle with budgetary independence and funding, and that Parliament had not appointed a director since January 2025, factors that weigh on enforcement capacity.
Strategy and institutions: SMART/MK 2030 and the Ministry
The Ministry of Digital Transformation, established in 2024, leads digital policy. Its ICT Development Strategy SMART/MK 2030, adopted in October 2025, is built on four pillars, one of which is "Businesses, Innovation, Artificial Intelligence, and New Technologies", and is aligned with the EU Digital Decade 2030. The country also launched the Vezilka National Centre for Artificial Intelligence in October 2025. According to the Minister of Digital Transformation, Stefan Andonovski, the project has a total value of approximately 6 million euros, is implemented with EU support through the Horizon Europe programme and the EuroHPC initiative, and is co-financed by the Ministry together with FINKI as project leader. Vezilka is set up as an Antenna to the Pharos AI Factory based in Greece.
EU accession and the Western Balkans context
North Macedonia has been an EU candidate since 2005 and formally opened accession negotiations in July 2022, but no negotiating chapters have been opened because of a dispute over a constitutional amendment relating to the Bulgarian minority. The country participates in the EU Digital Europe Programme. The Western Balkans regional dialogue treats EU AI Act alignment as a direction of travel for the region. Convergence with the EU AI Act is therefore expected but not yet a binding domestic obligation.
Examples
Scenario 1: A Skopje fintech deploys an AI credit-scoring model on Macedonian customers. There is no AI law to comply with, but the model processes personal data and performs automated decision making with significant effects, so the data protection law applies: a lawful basis, transparency about the logic, and a data protection impact assessment that falls within the Agency's listed high-risk categories.
Scenario 2: A Macedonian SaaS vendor sells an AI recruitment tool to employers in Germany and Austria. Because the output is used in the EU, the vendor can fall within the extraterritorial scope of the EU AI Act and may need an EU authorised representative for a high-risk system, even though North Macedonia has no equivalent domestic law.
Scenario 3: A public body pilots an AI assistant for citizen services. The State Audit Office documented that, between 2018 and 2023, 48 AI projects were co-financed for over 6 million euros, yet none were implemented in the public sector. The first AI-based public sector digital assistant, ADA, was presented in April 2023 by then Prime Minister Dimitar Kovachevski, but was discontinued after two years. The lesson for public deployers is governance and continuity, not just procurement.
Common misunderstandings
1. "North Macedonia has an AI law." It does not. AI is governed indirectly through data protection and related laws and through non-binding strategy.
2. "The EU AI Act already applies in North Macedonia." It does not apply as domestic law. It can apply to Macedonian operators only through its extraterritorial reach when AI output is used in the EU.
3. "There is no privacy regulator, so AI is unregulated." There is a regulator: the Personal Data Protection Agency, which supervises any AI that processes personal data.
4. "GDPR applies directly because the country is in Europe." The GDPR is not directly applicable; North Macedonia is not an EU member. The domestic ZZLP mirrors it instead.
5. "SMART/MK 2030 is binding AI regulation." It is a strategy document, setting priorities and an action plan, not enforceable AI law.
Risks and boundaries
This article describes a policy and data protection landscape, not a dedicated AI legal regime, and it is not legal advice. The most significant uncertainty is institutional. The European Commission's 2025 report found that the legal framework for personal data protection was insufficient, that alignment legislation with the GDPR and the EU Law Enforcement Directive was still pending, and that the Agency's capacity needed improvement. The timing and form of any future AI law are unknown: North Macedonia could pass a comprehensive AI act or amend existing digital laws to align with the EU AI Act, but no bill, date or institution for AI-specific regulation is confirmed. Treat any AI-specific regulatory timeline as speculative until an official instrument is published in the Official Gazette.
What to do next
Map your AI systems against the data protection law first, because that is the binding regime today. Run a data protection impact assessment where the Agency's lists require one, especially for profiling and automated decision making. If you serve or plan to serve EU customers, build to the EU AI Act standard now, including risk classification and documentation, because the extraterritorial scope can reach you. Watch the Ministry of Digital Transformation and the Official Gazette for any move from strategy to binding AI rules, and treat EU accession progress as the leading indicator of when alignment obligations harden.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does North Macedonia have an AI law?
No. As of mid 2026 there is no dedicated AI statute and no AI-specific regulator. AI is governed indirectly, mainly through the 2020 data protection law.
Who regulates AI-related data processing?
The Personal Data Protection Agency, the independent supervisory authority accountable to the Assembly, supervises any AI system that processes personal data.
Is the country's data protection law the same as the GDPR?
It is closely modelled on the GDPR but is separate domestic law. The GDPR does not apply directly because North Macedonia is not an EU member.
Does the EU AI Act apply in North Macedonia?
Not as domestic law. It can apply to Macedonian operators through its extraterritorial scope when the AI output is used in the EU.
Is there a national AI strategy?
There is no adopted standalone AI strategy. AI features as a pillar in the SMART/MK 2030 ICT strategy adopted in October 2025.
What happens to AI regulation as North Macedonia joins the EU?
Accession requires aligning with the EU acquis, which includes the EU AI Act, so convergence is expected over time, though the timeline is uncertain.
What penalties apply under the data protection law?
The law sets three categories of fines: up to 2% of annual income for less serious breaches, up to 4% for more serious breaches, and 1,000 to 10,000 euros for surveillance-related misdemeanours, although the Agency has often used warnings.