What is AI regulation in Papua New Guinea?
AI regulation: countries and regions
Papua New Guinea has no AI-specific statute. As of June 2026, AI is governed indirectly through the Digital Government Act 2022, the Cybercrime Code Act 2016, the constitutional right to privacy and sector rules, plus a finalised but not-yet-enacted data protection policy. A draft Government AI Adoption Framework and a draft National Sovereign Digital Transformation and AI Strategy, both out for consultation, propose a National Artificial Intelligence Act and new oversight bodies, but none is yet law.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
AI regulation in Papua New Guinea (PNG) means the rules, policies and institutions that govern how artificial intelligence is built, bought and used in the country. The important point for any operator is that PNG is a thin-source jurisdiction: there is no dedicated AI law, no AI regulator and no enforceable AI code. What exists instead is a mix of general laws, a recently finalised data policy, and a set of draft government strategies that signal where the country intends to go.
The centre of gravity is the executive, not the legislature. The Department of Information and Communications Technology (DICT) coordinates the national approach and administers the Digital Government Act 2022, which standardises government ICT. The National Information and Communications Technology Authority (NICTA) regulates telecommunications and ICT equipment under the National ICT Act 2009. The National Cyber Security Centre handles cyber coordination. None of these has an AI-specific mandate yet.
In 2026 the government published two draft instruments for consultation: a Government AI Adoption Framework expressed as the formula "Digital Government x Digital Public Infrastructure ^ Artificial Intelligence", and a broader National Sovereign Digital Transformation and Artificial Intelligence Strategy. Both are about how the state will adopt AI on its own "national rails", and both propose future legislation. They are policy direction, not binding law.
Why it matters
For anyone deploying or governing AI touching PNG, the practical stakes flow from the gaps. Because there is no AI statute and no general data protection law in force, there is no statutory transparency duty, no automated-decision right, no AI conformity assessment and no data protection authority to register with or complain to. That is a compliance vacuum, not a safe harbour: liability still arises under the Cybercrime Code Act 2016, contract, the constitutional right to privacy, sector regulation (banking, health, telecommunications) and general law.
The direction of travel also matters. The government has signalled that AI will become central to public administration, and its draft framework sets firm boundaries on state use of AI, including a rule against AI-only decisions on rights, benefits or penalties. Vendors selling to government should expect procurement conditions, risk classification and human-accountability requirements to harden quickly, even before primary legislation arrives. Organisations that build now to credible international baselines, rather than to the current thin local floor, will be best placed when the proposed National Artificial Intelligence Act and a data protection law eventually land.
How it works
No dedicated AI law: what governs AI instead
PNG has no AI-specific legislation. The United States International Trade Administration's country commercial guide states plainly that PNG "does not have any specific AI regulation or legislation". In the absence of a statute, AI is governed by general and sector instruments. The Constitution confers a qualified right to privacy under Section 49, enforceable through the National Court. The Cybercrime Code Act 2016 (certified December 2016) criminalises unauthorised access, interception, data interference and content offences, and reaches AI-enabled conduct such as fraud and harmful synthetic content. The Protection of Private Communications Act 1973 governs interception. Sector regulators apply existing law to AI used in their domains.
The Digital Government Act 2022 and DICT
The Digital Government Act 2022 was certified on 19 July 2022 and came into force on 8 August 2022. It provides for digital government through ICT, applies to public bodies (excluding state-owned enterprises), and is administered by DICT. It centralises government ICT procurement and design through a Certificate of Compliance regime, with offences for non-compliance. The Act is the main legal anchor for state data handling and the platform on which government AI adoption is being built, but it is not an AI law and does not regulate private-sector AI.
NICTA and the National Cyber Security Centre
NICTA regulates the ICT and telecommunications sector under the National ICT Act 2009, including operator licensing and equipment type approval; its type-approval process can require privacy impact assessments for high-risk devices. The National Cyber Security Centre coordinates cyber defence and runs the national computer emergency response capability. Neither has a dedicated AI remit, but both touch AI systems through connectivity, equipment and cybersecurity.
Data protection: policy finalised, law still absent
PNG has no general personal data protection statute and no data protection authority. DICT finalised a National Data Governance and Data Protection Policy in 2024, setting principles for data handling, cross-border transfers and data sharing. As of mid-2026 the policy was awaiting endorsement by a ministerial committee before going to Cabinet, and had not been enacted as law. This matters for AI because training data, profiling and automated processing currently fall outside any comprehensive data protection regime. (This page does not duplicate general privacy material; the data point here is its interaction with AI governance.)
The draft Government AI Adoption Framework
In February 2026 DICT released, for consultation, a Government Adoption Framework for Artificial Intelligence built on the formula "Digital Government x Digital Public Infrastructure ^ Artificial Intelligence". Its Part 1 Citizen Guide sets out red lines for state AI use: no AI-only decisions on rights, benefits or penalties; no secret citizen scoring; no use of personal data outside lawful purposes; no untested AI in high-impact services; and special protection for cultural heritage. It commits to a risk-based approach in which "AI systems will be assessed according to risk level" with stronger review for higher-impact systems, internal registers of AI systems in public services, and a principle that "people remain responsible". Part 2, a Government Implementation Pack, is said to contain the operational standards. The framework binds government policy, not private actors, and is a draft.
The draft National Sovereign Digital Transformation and AI Strategy
On 23 March 2026 DICT released a draft National Sovereign Digital Transformation and Artificial Intelligence Strategy for public consultation. It proposes a "single sovereign architecture" and four new laws: a Critical Digital Infrastructure Investment Act, a National Artificial Intelligence Act, a Digital Identity and Trust Framework Act, and a Data Governance and Protection Act. It also proposes new institutions: a Digital Transformation and AI Board, a restructured department, an independent National Digital Economy Authority for regulatory oversight, and a state-owned Kumul Digital Infrastructure Holding Company. None of these laws or bodies yet exists; they are proposals in a draft under consultation, with no published bill text and no confirmed legislative timeline.
Regional and international alignment
PNG's approach sits inside Pacific regional frameworks. The Pacific Islands Forum's 2050 Strategy for the Blue Pacific Continent includes a Technology and Connectivity thematic area emphasising culturally sensitive user protection and cybersecurity. PNG hosted the inaugural Pacific ICT Ministers' Dialogue on 28 August 2023 at APEC Haus, Port Moresby, where 13 Pacific countries and territories signed the Lagatoi Declaration on Digital Transformation of the Pacific (12 signing in person, with Marshall Islands, Cook Islands and Tuvalu joining remotely), a regional roadmap stressing digital sovereignty and cooperation. Internationally, PNG is among all 193 UNESCO member states that adopted the Recommendation on the Ethics of Artificial Intelligence by acclamation at the 41st General Conference in November 2021. There is no public record that PNG has undertaken UNESCO's Readiness Assessment Methodology. PNG has also engaged the Global Cross-Border Privacy Rules Forum.
Examples
A bank running automated know-your-customer (KYC) checks: PNG's digital public infrastructure programme is piloting remote KYC using SevisPass (the national digital ID built by Tech5 and launched nationally in November 2025), which enables consent-based electronic KYC with bank-account opening "in under ten minutes". MiBank launched a SevisWallet digital bank-account-opening pilot in March 2026, described by DICT as giving "practical effect to the National Digital Identity Policy 2025", while DICT's technical team separately met Bank South Pacific to scope SevisPass for KYC. AI-assisted identity and fraud checks here are governed by anti-money-laundering law, the Digital Government Act framework and contract, not by any AI statute, and the draft framework would require human accountability for adverse decisions.
A government agency deploying an AI assistant: under the draft AI Adoption Framework, an agency could use AI to guide citizens to services, flag missing documents or detect unusual fraud patterns, but it could not let AI alone decide rights, benefits or penalties, and it would have to log the system in an internal register and apply risk-based review. This is policy, so it currently binds through executive direction rather than enforceable statute.
A vendor selling AI tools into PNG government: procurement runs through the Digital Government Act 2022 Certificate of Compliance regime administered by DICT, and the proposed strategy signals future conformity, sovereignty and data-residency expectations. A vendor should expect human-oversight, security and cultural-heritage conditions in contracts well before a National Artificial Intelligence Act is passed.
Common misunderstandings
"PNG has an AI law." It does not. There is no AI-specific statute in force; AI is governed by general and sector law plus draft policy.
"There is no regulation, so anything goes." Wrong. Cybercrime, privacy, anti-money-laundering, contract and sector rules all apply, and government use of AI is also shaped by the draft framework's red lines.
"PNG has a data protection law like the GDPR." No. The National Data Governance and Data Protection Policy 2024 is a policy awaiting Cabinet approval, not enacted legislation, and there is no data protection authority.
"The DG x DPI ^ AI framework is binding law." No. It is a draft government policy document under consultation; it directs state adoption, not private actors, and has no statutory force yet.
"The proposed National Artificial Intelligence Act is in force." No. It is a proposal within a draft strategy, with no published bill and no confirmed timeline.
Risks and boundaries
The central boundary is that PNG's AI governance is largely aspirational. The two flagship instruments, the AI Adoption Framework and the National Sovereign Digital Transformation and AI Strategy, are drafts under consultation. Treating them as enforceable obligations would be a mistake; treating them as a reliable signal of direction is reasonable.
The legal status of several items is uncertain or pending: the data protection policy is not yet law; the proposed AI, data, digital identity and infrastructure Acts are not drafted into public bills; and the proposed National Digital Economy Authority does not yet exist. Effective dates and final text could change materially through consultation and the legislative process.
Capacity and infrastructure are real constraints. As of 2025, only 48.2 per cent of PNG's population had active cellular mobile connections and online penetration was 24.1 per cent, per DataReportal's Digital 2026 figures. The PNG National Research Institute, in Spotlight Vol. 19, Issue 3 ("Opportunities and challenges for AI adoption in Papua New Guinea: insights from AI Summit 2026"), flagged that "PNG must tackle infrastructure challenges such as lack of reliable internet, electricity, and limited digital connectivity", adding that "weak data systems, lack of skilled personnel, and governance and trust issues are also barriers". These constraints brake both AI adoption and effective oversight. This page is not legal advice and should not be used to design firm-specific compliance; it explains the durable architecture, not transient commentary. Where commentators describe an enacted "PNG Data Protection Act", that is not corroborated by official sources and should be treated with caution.
What to do next
Map your AI uses to the laws that actually bind today: the Cybercrime Code Act 2016, the constitutional right to privacy, anti-money-laundering rules, sector regulation and contract. Do not assume the absence of an AI law removes liability.
If you sell to or operate within PNG government, build to the draft framework's expectations now: human accountability for consequential decisions, no AI-only determinations on rights or penalties, risk classification, an internal AI register and respect for cultural heritage. Expect these to appear as procurement conditions under the Digital Government Act regime.
Treat data protection as a "when, not if". Design to a credible international baseline (consent, purpose limitation, security, cross-border safeguards) so you are ready when PNG's policy becomes law and a data protection authority is stood up.
Engage the consultations. The AI Adoption Framework and the National Sovereign Digital Transformation and AI Strategy are open for comment; this is the cheapest moment to influence definitions, risk tiers and institutional design.
Watch the trigger points: Cabinet endorsement of the data protection policy, publication of any AI Act bill, creation of the National Digital Economy Authority, and any UNESCO readiness assessment. Each would change the compliance picture.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Papua New Guinea have a law specifically regulating AI?
No. As of June 2026 there is no AI-specific statute in force. AI is governed indirectly by the Digital Government Act 2022, the Cybercrime Code Act 2016, the constitutional right to privacy and sector law, alongside draft government strategies.
Who regulates AI in PNG?
There is no dedicated AI regulator. DICT coordinates the national approach and administers the Digital Government Act 2022; NICTA regulates ICT and telecommunications under the National ICT Act 2009; the National Cyber Security Centre handles cyber coordination. A National Digital Economy Authority is proposed but not yet established.
Is there a data protection law in PNG?
Not in force. DICT finalised a National Data Governance and Data Protection Policy in 2024, but it remains a policy awaiting Cabinet approval, and there is no data protection authority. A Data Governance and Protection Act is proposed.
What is the DG x DPI ^ AI framework?
It is a draft Government AI Adoption Framework that expresses PNG's approach as Digital Government multiplied by Digital Public Infrastructure to the power of AI. It sets red lines for state AI use and a risk-based approach, but it is a draft policy, not law.
Is the proposed National Artificial Intelligence Act in force?
No. It is one of four laws proposed in the draft National Sovereign Digital Transformation and AI Strategy released in March 2026. There is no published bill and no confirmed timeline.
How does PNG align with international AI norms?
PNG is among all 193 UNESCO member states that adopted the 2021 Recommendation on the Ethics of AI by acclamation. Regionally it works through the Pacific Islands Forum 2050 Strategy and the 2023 Lagatoi Declaration. There is no public record of a UNESCO readiness assessment for PNG.
What should companies do now?
Comply with the general and sector laws that already bind, build to the draft framework's human-accountability and risk expectations if selling to government, and prepare for a future data protection regime by adopting a credible international baseline.