What is AI regulation in Pakistan?
AI regulation: countries and regions
AI regulation in Pakistan is currently a mix of one approved national AI policy, a still-pending personal data protection bill, and broader digital and cyber governance rules. As of 6 June 2026, Pakistan does not have a single EU-style AI act in force. Its model is policy first: the state is promoting AI adoption, public-sector safeguards, data governance, sandboxes and local capability, while more concrete legal duties are expected to come mainly through data protection and related digital regulation.
What this means
Pakistan has moved from broad AI ambition to a clearer national direction, but not yet to a single binding AI law. The Ministry of IT and Telecommunication now records the National Artificial Intelligence Policy as approved, and the Ministry has publicly said the Federal Cabinet approved AI Policy 2025. Even so, public materials still show draft era pages and consultation documents, so the direction is clearer than the final legal rulebook.
For most organisations, the most important future legal layer is not the AI policy itself but the unfinished data protection regime. The Ministry's Personal Data Protection Bill would create a data protection commission, set rules for processing and breach reporting, limit some automated decisions, and restrict some cross-border transfers. But that bill is still not an enacted federal statute, so Pakistan's current AI compliance position still depends heavily on wider cyber, digital governance, procurement and sector rules.
That means Pakistan is best understood as an emerging AI governance jurisdiction, not yet a mature AI law jurisdiction. If you are operating there, the real question is how quickly today's policy direction may harden into binding duties tomorrow.
Why it matters
If you build, buy, deploy or supervise AI in Pakistan, you are working in a transition zone. The commercial issue is not only whether a model performs well. It is whether you can explain important decisions, govern training and inference data, map cross-border transfers, protect children and sensitive data, document human review for high-impact uses, and satisfy public-sector expectations around auditability, provenance and sovereign data handling.
This matters most for organisations touching government workflows, large citizen datasets, financial or telecom infrastructure, hiring and scoring systems, education, health, agriculture, or any service that could materially affect rights, access or trust. Pakistan's market direction now favours AI adoption, but it also favours stronger control over public data, more disciplined governance in government use, and a more formal privacy regime. Teams that prepare early will be in a better position if draft rules become enforceable law.
How it works
Policy first, statute later
Pakistan does not yet regulate AI through a single stand-alone act. As of 6 June 2026, the clearest official position is that the Ministry of IT and Telecommunication treats the National Artificial Intelligence Policy as approved, with the Ministry separately stating that the Federal Cabinet approved AI Policy 2025. That is important, but it is still a policy instrument, not a full AI code with the kind of direct conformity duties, regulator powers and penalty structure seen in the EU AI Act.
In practical terms, Pakistan is using a policy-led model. The state is setting national direction, building institutions, encouraging adoption and sketching governance architecture before it has finished building the harder legal layer.
The approved AI policy sets direction, not a full compliance code
The Ministry's approval notice describes AI Policy 2025 as a national roadmap built around six pillars: an AI innovation ecosystem, awareness and readiness, a secure AI ecosystem, sectoral transformation, AI infrastructure, and international partnerships. It also points to specific implementation levers such as a National AI Fund, centres of excellence, scholarships, internships, regulatory sandboxes, cybersecurity protocols, transparency frameworks, sector roadmaps and national compute capacity.
For operators, the practical reading is that Pakistan's AI policy is developmental and governance oriented. It aims to expand the market, strengthen local capability and shape safer public use. It does not, by itself, act like a finished licensing or prohibition system for all AI providers.
The public draft shows the likely governance machinery
Although the policy is now recorded as approved, the most detailed public text still comes from the consultation draft. That draft matters because it shows the machinery Pakistan has been considering. It proposes a National AI Fund, a network of Centres of Excellence in AI, public-private delivery models, data and compute infrastructure, regulatory sandboxes, working groups, a policy implementation cell and periodic review.
It also sketches a more specific governance design. The draft proposed an AI Regulatory Directorate linked to the future personal data protection architecture, with a role in data standardisation, safer access to public data, generative AI guidance and coordination with other regulators. The draft says public datasets could be standardised and made available through sandbox-based licensing for research, analysis and services, with scrutiny of participating tools and pseudonymisation of public data. It also proposes guidance for generative AI, especially around disinformation, privacy and academic use.
The key caution is that these are draft mechanics. Public materials suggest the final policy evolved between consultation and approval. For example, the consultation draft is structured around four broad pillars, while the Ministry's approval notice for AI Policy 2025 uses six. So the draft is useful for understanding direction, but not every institutional detail should be treated as final.
Data protection is the main future compliance layer
For most AI deployments, the most consequential future legal instrument is the Draft Personal Data Protection Bill, 2023. The bill is broad in scope. It applies to controllers and processors established in Pakistan, and in some cases to entities incorporated elsewhere that process personal data connected to activity in Pakistan. It requires lawful and fair processing, purpose limitation, notice, security, retention controls and breach notification. It also contains a 72 hour benchmark for delayed personal data breach notification to the Commission and the data subject.
The bill would create rights that matter directly for AI systems. It provides for access, correction, withdrawal of consent, erasure, grievance redress, portability and protection against some decisions based solely on automated processing, including profiling, where those decisions create legal obligations or significantly harm the data subject without explicit consent. It also includes special treatment for children, banning tracking, behavioural monitoring and targeted advertising directed at children, and imposes added conditions for sensitive and critical personal data.
Cross-border rules are especially important. Under the 2023 draft, transfers outside Pakistan would depend on adequate legal protection in the receiving country and, where relevant, explicit consent. Critical personal data would have to be processed on servers or digital infrastructure located within Pakistan. The draft also establishes a statutory commission with complaint handling and penalty powers, including substantial proposed fines.
But none of that is fully live federal law yet. The Ministry hosts the 2023 text as a final draft, and Senate materials show further revisions, consultations and delay. So organisations should treat this bill as the clearest signal of future obligations, not as a settled compliance code already in force.
Existing hard law is broader than AI
Because Pakistan does not yet have a complete AI statute, current enforceable rules come from the wider digital governance and cyber framework. The Digital Nation Pakistan Act, 2025 is particularly important. It is in force, creates the National Digital Commission and the Pakistan Digital Authority, and requires a National Digital Masterplan. It also mandates a National Data Strategy and a data governance framework across government and public and private sectors. That does not amount to a dedicated AI act, but it creates a serious legal home for national digital governance, interoperable public infrastructure and state-led data stewardship.
This wider framework matters for AI because many AI systems depend on public data access, digital identity, secure data exchange, state infrastructure and cross-agency coordination. In other words, even before a dedicated AI law arrives, Pakistan's digital governance law is already shaping the environment in which AI is likely to be deployed, especially in and around government.
Pakistan's cyber regime also remains relevant. Senate committee materials explicitly linked current digital governance discussions to the Prevention of Electronic Crimes Act 2016, the National Cyber Security Policy 2021 and the CERT Rules 2023. These instruments are not AI-specific, but they still matter for incident response, harmful online activity, state systems, critical infrastructure and operational security.
Public-sector AI direction is becoming clearer
A further sign of direction came with the Islamabad AI Declaration of 9 February 2026. This is not a statute, but it matters because it sharpens the public-sector governance stance. It says AI should remain under accountable human oversight where public rights or public consequence are involved, and that government systems should be explainable, auditable and proportionate to risk. It also emphasises sovereign data stewardship, coordinated whole-of-government governance, responsible innovation through controlled environments, sovereign compute and a private-sector-led AI economy enabled by government.
For leaders selling into government, or building systems likely to touch state functions, this is a practical signal. Even before an AI act exists, the policy direction is moving toward explainability, auditable deployment, provenance and oversight in high-impact public uses.
Enforcement is indirect and still forming
Pakistan's responsibility map is still fragmented. The Ministry of IT and Telecommunication remains the main policy owner. The Federal Cabinet approves national policy. Parliament and its committees remain central to harder legislation. The Digital Nation Pakistan Act creates the National Digital Commission and Pakistan Digital Authority for broader digital governance. If the data protection bill passes, a dedicated data protection commission would become a major enforcement body. Sector regulators, especially in telecom and other regulated activities, will still matter.
What Pakistan does not yet have is a settled, stand-alone AI regulator with a fully enacted AI rulebook. That uncertainty is plain in the official record. In a Senate committee meeting, Ministry officials argued that creating a dedicated AI regulator might still be premature because the ecosystem is evolving. So enforcement today is mostly indirect: through wider digital law, sector supervision, contracts, procurement controls, content and cyber rules, and the governance expectations built into state policy.
Examples
A concrete workflow contemplated by Pakistan's public AI draft is government data sharing through controlled environments. The consultation draft says public authorities and state bodies could be directed to standardise data, then make it available through a sandbox based approach for research, analysis and service design, with scrutiny of participating tools and pseudonymisation of public data. If that model is used in practice, suppliers should expect onboarding checks, data handling conditions and controlled testing before scale deployment.
A second example is the cross-border AI vendor. The 2023 draft data protection bill is written broadly enough to catch some controllers or processors incorporated outside Pakistan if they process personal data connected to activities in Pakistan. The same draft would require adequate protection for cross-border transfers, and would keep critical personal data on infrastructure located in Pakistan. So an overseas provider serving Pakistani users should already be mapping where data is collected, stored, fine tuned and inferred, even though the bill is not yet enacted.
A third example is automated scoring or screening. The draft bill gives people rights where decisions are based solely on automated processing, including profiling, and the decision creates legal obligations or significantly harms the person without explicit consent. That makes hiring filters, risk scoring, access control and similar tools an obvious future compliance focus. The February 2026 AI Declaration points in the same direction for government use by insisting on accountable human oversight and explainable, auditable systems where public rights are at stake.
Common misunderstandings
Pakistan already has a single AI law in force. It does not. The current position is a mix of approved policy, pending draft legislation and broader digital law.
AI Policy 2025 is the same thing as a binding AI act. It is not. It is an executive roadmap and governance framework, not a complete statute with sector-wide AI offences and penalties.
The Personal Data Protection Bill already applies. It does not yet apply as enacted federal law. It is still draft legislation and may still change.
Pakistan has definitively chosen a dedicated AI regulator. Not yet. The draft policy proposed one route, but Ministry officials have also said a dedicated AI regulator may be premature.
Only local companies need to care. Not necessarily. The draft data bill is written to reach some foreign controllers and processors handling personal data connected to activity in Pakistan.
Risks and boundaries
The biggest boundary is legal status. Pakistan's AI policy direction is now much clearer than it was a few years ago, but the rule set is still incomplete. If you read the consultation draft as if it were final legislation, you will overstate current duties. If you ignore it completely, you will miss where Pakistan is plainly heading.
There is also a documentation risk. Public official materials are not perfectly tidy. The Ministry records the AI policy as approved, while some public website references still point to draft-era materials. That means careful readers should separate three things: approved policy direction, consultation detail, and enacted law.
The same caution applies to privacy. The 2023 data bill is the strongest public signal of where AI related data rules may land, but it is still not an enacted federal act. Important points such as the final form of the Commission, transfer rules, penalty design, and the exact scope of automated decision safeguards could still change before passage.
Finally, Pakistan's current framework is not a complete risk taxonomy for AI. It does not yet give organisations a finished national ladder of risk classes, conformity routes, or one-stop AI regulator powers. That leaves room for interpretation, but also room for sudden movement. This article explains the position at a point in time and should not be treated as legal advice on a live matter.
What to do next
Treat Pakistan as a jurisdiction where policy has moved ahead of statute. That means you should prepare for change, not wait for a final AI act before doing anything.
Start by mapping every AI use case that touches Pakistan, especially anything involving government clients, citizen data, children, sensitive data, scoring, profiling, identity, telecom infrastructure, or decisions that could materially affect access, rights or trust. Then map the data path: collection, training, fine tuning, inference, storage, deletion, incident response and cross-border transfer.
Next, build controls that would still make sense if the 2023 data bill were enacted with only moderate revision. That includes clear notices, a lawful basis and consent model where needed, a human review route for important automated decisions, vendor due diligence, breach handling, child data controls, and a fallback plan for local processing if a use case could involve critical personal data.
For public-sector or high-impact deployments, design for explainability, auditability, provenance and accountable oversight now. In Pakistan, those are not abstract values anymore. They are increasingly visible in official policy direction.
Finally, monitor three channels closely: Ministry of IT and Telecommunication policy pages, parliamentary progress on privacy legislation, and implementation under the Digital Nation Pakistan Act. Those will tell you when Pakistan moves from AI governance signaling into firmer AI compliance law.
FAQs
Does Pakistan have an AI act like the EU AI Act?
No. As of 6 June 2026, Pakistan does not have a single stand-alone AI act in force. Its current position is an approved AI policy, an unfinished data protection bill, and wider digital and cyber law.
Is AI Policy 2025 legally binding on all AI providers?
Not in the way an act of parliament would be. It is a national policy roadmap and governance signal. It can still matter a great deal for public-sector priorities, procurement expectations and future rulemaking.
Is the Personal Data Protection Bill already law?
No. The public text is still a draft bill. It is the clearest source for likely future privacy duties around AI, but it is not yet an enacted federal statute.
Which institutions matter most right now?
The Ministry of IT and Telecommunication is the main policy owner. Parliament and its committees matter for legislation. The Digital Nation Pakistan Act has created the National Digital Commission and Pakistan Digital Authority for wider digital governance. A dedicated data protection commission would matter if the bill passes.
Do foreign AI providers need to pay attention to Pakistan's draft rules?
Yes. The 2023 draft data bill claims reach over some controllers and processors incorporated outside Pakistan when they process personal data connected to activity in Pakistan.
Does Pakistan's draft privacy bill deal with automated decision-making?
Yes. The draft gives a data subject rights where a decision is based solely on automated processing, including profiling, and creates legal obligations or significantly harms the person without explicit consent.
Does Pakistan already require localisation of AI data?
There is no general enacted AI localisation law. But the 2023 draft data bill would require critical personal data to be processed on servers or digital infrastructure located within Pakistan.
Is a separate AI regulator definitely coming?
Not yet. The consultation draft proposed an AI Regulatory Directorate, but officials have also said a dedicated AI regulator may be premature while the ecosystem is still developing.