What is AI regulation in Peru?

AI regulation in Peru is a layered framework built around Law No. 31814, its implementing regulation approved in 2025, Peru's wider digital transformation regime and the country's personal data rules. It gives the Presidency of the Council of Ministers, through the Secretariat of Government and Digital Transformation, the lead role; classifies AI uses as prohibited, high risk or acceptable risk; imposes transparency, oversight and governance duties; and relies on existing sector and data protection authorities for much of the enforcement.

What this means

Peru does have binding AI regulation, but not in the form of one self-contained AI code. The 2023 statute is relatively short and principle-led. The 2025 regulation does the practical work: it sets the risk categories, identifies prohibited and high-risk uses, allocates responsibilities and adds implementation timetables.

The model is risk-based. Some AI uses are banned outright, some are allowed only with stronger controls, and lower-risk uses are generally allowed if they still respect the law, privacy and fundamental rights. That makes Peru's framework closer to a graduated governance model than a blanket licensing model.

It also sits alongside other legal regimes. If an AI system touches personal data, consumer relationships, public administration, cyber incidents or intellectual property, the relevant Peru rules and authorities still apply. So AI compliance in Peru is wider than the AI law alone.

Why it matters

Peru's framework matters because it turns AI from a pure innovation topic into a governance and accountability topic. A bank using AI for credit scoring, a hospital using it in triage or diagnosis, a ministry building an AI-backed public service, or an employer using screening tools now needs to ask not only whether the system works, but whether it falls into a prohibited or high-risk category, what transparency must be given, who can override it, how its data is handled and which authority may review complaints. The phased rollout means some deadlines still lie ahead, but boards, founders, procurement teams and public officials should already be inventorying uses, assigning responsibility and building evidence that controls exist.

How it works

The core legal architecture

Peru's AI regime now has several layers. First, Law No. 31814 declares the promotion of AI to be in the national interest and sets broad principles such as risk-based security, plurality of participants, ethical development and privacy. Second, Supreme Decree No. 115-2025-PCM turns that high-level law into operative rules on risk classification, transparency, governance and obligations. Third, Peru's wider digital transformation architecture gives institutional footing to the AI regime. Fourth, the National AI Strategy 2026-2030, approved in 2026, provides the current strategic roadmap. In day-to-day practice, the regulation is the main compliance text. It also arrived later than the timetable originally set in the law, but it is the operative framework now in force.

Who is in charge

Peru did not create a standalone AI super-regulator. The lead authority is the Presidency of the Council of Ministers, acting through the Secretariat of Government and Digital Transformation, or SGTD. The SGTD is the national technical and normative authority for AI. It can issue complementary rules and binding interpretive opinions, monitor prohibited and high-risk uses, coordinate capacity building, support controlled testing environments and act as a national contact point.

Other public bodies keep their own lanes. Personal data issues remain with the national personal data authority in the Ministry of Justice. Consumer, competition and some intellectual property matters may fall to INDECOPI. Public-sector failures can be escalated to the Comptroller General. Criminal matters may move toward cybercrime or other competent authorities. That means Peru's AI model is centralised at the policy and coordination level, but distributed at the enforcement level.

How Peru classifies AI risks

Peru's regulation divides AI into three broad groups: prohibited misuse, high-risk use and acceptable-risk use.

Prohibited misuse includes manipulative or deceptive systems that distort decision-making; autonomous lethal capability in the civil sphere without human supervision; mass surveillance without a legal basis or with disproportionate impact on fundamental rights; discriminatory inference of sensitive traits from biometric data; certain real-time biometric categorisation of natural persons in public spaces; and crime prediction based on profiling or personality traits. The biometric rule is not absolute, because the regulation preserves narrow exceptions for digital identity authentication and preliminary investigation of listed serious crimes.

High-risk uses include management of critical assets that support essential services; educational assessment of children; employment selection, evaluation, recruitment and dismissal; access to social programmes; consumer credit scoring other than fraud detection; access to healthcare and clinically significant diagnosis or triage; emotion inference at work or in schools except for narrow medical or safety reasons; and other uses that place life, liberty, dignity or fundamental rights at material risk while remaining hard to supervise meaningfully.

Everything else is treated as acceptable risk, but not as unregulated. Lower-risk systems still need to respect the law, the regulation's general principles and other applicable regimes, especially privacy, security and sector rules.

What high-risk systems must do

For high-risk AI, Peru's regulation emphasises transparency, human oversight and documented governance rather than an all-purpose licensing scheme. Developers or implementers must give users prior, clear information about the system's purpose, main functions and the kinds of decisions it may make. Visible labelling may be needed when relevant to the interaction. When automated decision-making affects human rights, the affected user should be able to receive an accessible explanation of the key criteria behind the result.

If an organisation is unsure whether a system is prohibited or high risk, it can consult the SGTD for classification guidance. That is useful because some boundaries, especially around biometrics, education, health and public services, require judgement rather than a quick label.

The regulation also ties AI to privacy. If a system processes personal data, it must comply with Peru's separate data protection regime. So a compliant AI programme in Peru needs to connect its AI controls with its privacy controls, instead of treating them as separate workstreams.

What the public and private sectors must do

Peru draws an important distinction between public and private obligations. Public bodies must adopt an institutional policy on safe, responsible and ethical AI use; use the NTP-ISO/IEC 42001:2025 AI management standard when developing AI systems; form multidisciplinary teams; strengthen staff capabilities; include AI projects in digital government planning; and, for systems financed with public funds, publish source code under a free or open licence on the national public software platform. For public-sector high-risk AI, human oversight, security controls, privacy by design, security audits and an impact assessment before development or implementation are mandatory.

Private organisations also face real duties, but the design is lighter. For high-risk AI they must keep records on system functioning, data sources, algorithmic logic and expected social and ethical effects; adopt internal security, privacy, transparency and accountability procedures; train staff; and ensure human oversight where the system may materially affect rights in areas such as health, education, justice, finance and access to basic services.

One detail matters in practice: the regulation makes the high-risk impact assessment mandatory for public-sector high-risk AI, but frames it as voluntary for private-sector high-risk AI. Even so, private organisations should not treat that as a reason to skip it. In Peru's model, documentation is one of the clearest ways to show that human oversight, privacy and fairness were taken seriously.

The regulation also points organisations toward recognised standards and best practices. The SGTD promotes the use of standards such as ISO/IEC 38507, ISO/IEC 23053, ISO/IEC 27002 and ISO/IEC 27005, often through Peruvian adoptions approved by INACAL. For the public sector, some of those standards matter more directly because the regulation makes them compulsory or strongly embedded in implementation.

How supervision, complaints and rollout work

Supervision in Peru is decentralised. The SGTD can request information, issue technical recommendations and alerts, and monitor prohibited and high-risk AI through national digital security structures. If it identifies a possible breach of privacy, intellectual property or other rights, it refers the matter to the competent authority for investigation and sanctions. Citizens can file alerts through the digital AI channel at gob.pe/iaperu, and people who believe they were harmed can also complain to the relevant authority, including the personal data authority, INDECOPI or cybercrime bodies, depending on the issue.

This is why Peru's framework should not be mistaken for a single-fine-code regime. There is no standalone AI penalty schedule covering every breach. Instead, Peru relies heavily on the SGTD for coordination and monitoring, then leans on existing authorities and sanctioning regimes for much of the legal force.

The framework is already in force, but many of the most concrete obligations are phased. For public bodies, the transparency rule and the main public-sector obligations roll out gradually over one to three years, with some smaller local authorities only encouraged rather than compelled depending on capacity. For private actors, rollout is also staggered by sector, with the first wave covering health, education, justice, security, economy and finance after one year, and later waves extending to other sectors. As of June 2026, that means the architecture is live, but many of the first hard deadlines are still approaching from September 2026 onwards.

How Peru compares with Chile and Colombia

Peru sits ahead of two close regional neighbours in one important respect: it already has a dedicated statute plus an implementing regulation. Chile has a national AI policy and a dedicated AI bill with a risk-based design, but that bill is still moving through Congress in its second constitutional stage. Colombia has taken a more policy-led route so far, with the 2025 CONPES National AI Policy, official data protection guidance on AI and active legislative proposals, including Project of Law 043/25, which was still pending at the Senate first-debate stage in the official legislative status report updated in March 2026.

So Peru is currently more legally consolidated than Chile or Colombia. At the same time, Peru's model is not necessarily more punitive or more centralised in enforcement. It uses the SGTD as the system coordinator, but leaves many investigative and sanctioning decisions to existing authorities. That makes the framework practical and relatively deployable, but it also means organisations need to watch not only AI-specific rules, but neighbouring regimes on privacy, consumer protection, public integrity, cyber incidents and intellectual property.

Examples

A bank introduces an AI model to score consumer credit applications. In Peru, credit evaluation is treated as high risk, except where AI is used only for financial fraud detection. The bank should therefore classify the system formally, document data sources and algorithmic logic, prepare user-facing transparency notices, preserve meaningful human review for material decisions and align the programme with Peru's personal data rules. A private-sector high-risk impact assessment is not mandatory on the face of the regulation, but it is a strong governance step.

A public hospital or other state health body deploys AI to help prioritise care, suggest diagnosis or process sensitive health information. Those uses fit squarely inside Peru's high-risk category. Because the actor is public, the organisation must go further than a private firm would: it needs an institutional AI policy, the required management standard, multidisciplinary governance, security controls, privacy by design, ongoing audits and a high-risk impact assessment before development or implementation.

A municipality or operator wants to use real-time biometric categorisation in a public square. Peru generally treats that as prohibited misuse unless it falls within the regulation's narrow listed exceptions, such as digital identity authentication or preliminary investigation of specified serious crimes. The safest operational move is not to assume that a public-order objective makes the use lawful, but to seek classification clarity and test legality before deployment.

Common misunderstandings

"Peru has only a symbolic AI law." That is no longer right. The 2023 statute is broad, but the 2025 regulation adds binding risk classes, duties and rollout schedules.

"Every AI tool is high risk." No. Most systems fall into acceptable risk, while only listed or similarly harmful uses move into high-risk or prohibited categories.

"The SGTD can fine every breach itself." Not exactly. The SGTD leads coordination and supervision, but many investigations and sanctions still flow through existing authorities such as the personal data authority, INDECOPI and public control bodies.

"Private-sector impact assessments are mandatory for every high-risk system." The current regulation makes them mandatory in the public sector, but voluntary in the private sector.

"If a system uses no obvious personal data, privacy law is irrelevant." Wrong. Classification, transparency, security and fundamental rights still matter, and many AI systems indirectly involve personal or sensitive data anyway.

Risks and boundaries

Peru's framework has real limits. It is not a full AI Act-style conformity-assessment regime, it does not create a single penalty schedule for all AI breaches, and it leaves important practical detail to later SGTD guidance on transparency, ethics and high-risk impact assessment. That means some compliance questions will still need judgement, especially for borderline uses in education, biometrics, health and public safety.

It is also easy to over-read the regime. Personal use is outside scope, and defence or national security uses are treated differently, although the regulation still points those uses back to core principles such as rights protection, non-discrimination, security, proportionality, supervision and accountability. Finally, the phased implementation matters. As of June 2026, the framework is legally established, but many operational deadlines have not yet matured. The safest reading is that organisations should prepare now, not wait for the first sectoral deadlines to arrive.

What to do next

Start with an AI use register. List every system you build, buy or materially rely on, then map each one against Peru's prohibited, high-risk and acceptable-risk categories. Do not forget embedded AI in HR tools, credit models, clinical tools, fraud engines, public-service chatbots and vendor features.

Then assign ownership. Legal, data protection, security, procurement and business leads should jointly decide who signs off on classification, transparency notices, human override design, incident handling and documentation retention. Public bodies should begin aligning their internal policy, digital government plan, standards use and publication duties now. Private organisations should treat the voluntary high-risk impact assessment as a strong governance tool rather than an optional extra.

Finally, keep watching the SGTD. Complementary guidance, ethical guidelines and practice-facing instructions will shape how the framework works day to day. In Peru, AI compliance is best approached as cross-functional governance, not a last-minute legal review.

FAQs

Does Peru already have binding AI regulation?

Yes. Peru has a binding statute and a binding implementing regulation. The law sets principles and authority, while the regulation contains the practical risk classes, duties and rollout timetable.

Who is the main AI authority in Peru?

The lead national authority is the Presidency of the Council of Ministers, acting through the Secretariat of Government and Digital Transformation. It coordinates AI governance, issues complementary rules and monitors prohibited and high-risk uses.

Is Peru's model risk-based?

Yes. The regulation separates prohibited misuse, high-risk use and acceptable-risk use, then attaches stronger duties where the risk to life, dignity, liberty or fundamental rights is greater.

Are there banned AI uses in Peru?

Yes. The regulation prohibits several uses, including manipulative systems, certain forms of mass surveillance, discriminatory biometric inference, certain real-time biometric categorisation in public spaces and crime prediction based on profiling or personality traits.

Are high-risk impact assessments mandatory?

They are mandatory for public-sector high-risk AI before development or implementation. For private-sector high-risk AI, the regulation frames them as voluntary, although they remain a sensible governance step.

Does Peru's AI law replace privacy law?

No. AI systems that process personal data must still comply with Peru's personal data regime and may face review by the personal data authority in the Ministry of Justice.

When do the main compliance deadlines arrive?

The framework is already in force, but many transparency and sector-specific duties are phased, with the earliest major deadlines landing from September 2026 and later waves following after that.

How does Peru compare with Chile and Colombia?

Peru is further ahead in having a dedicated AI law plus implementing regulation. Chile and Colombia both have active policy and legislative programmes, but their dedicated AI statutes were not yet fully enacted as of June 2026.
