What is AI regulation in San Marino?
AI regulation: countries and regions
As of June 2026, San Marino has no dedicated artificial intelligence statute. AI is governed indirectly through its GDPR-aligned data protection law (Law no. 171 of 21 December 2018), enforced by the Autorita Garante per la protezione dei dati personali, plus sector rules from the central bank. San Marino signed the Council of Europe Framework Convention on AI on 5 September 2024 but has not yet ratified it, and is not bound by the EU AI Act.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
San Marino is a small, sovereign republic enclaved within Italy. It is a member of the Council of Europe but not the European Union. That distinction shapes everything about how AI is governed there: regional human rights instruments apply directly, while EU digital law applies only at the border, when San Marino actors reach into the EU single market.
There is no San Marino AI Act. No AI-specific bill has been passed by the Grand and General Council, and there is no published national AI strategy. Instead, AI sits inside a patchwork of existing law: data protection, financial supervision, criminal law and the general constitutional and human rights framework. Political parties and business bodies have called for a national AI framework, but as of mid-2026 these remain proposals rather than law.
In practice, the most active controls on AI today are the data protection regime and the central bank's supervisory role over finance. The country is also pursuing an EU Association Agreement that, once in force, would require it to take on parts of EU law over time, which could eventually pull EU-style AI obligations into San Marino's own statute book.
Why it matters
For anyone deploying or buying AI that touches San Marino, the absence of a dedicated AI law does not mean an absence of rules. The binding constraints are data protection law, sector supervision and the human rights baseline that flows from Council of Europe membership. Getting this wrong creates real exposure: the data protection authority can investigate, order changes and sanction, and the central bank supervises AI use inside regulated finance.
The bigger strategic point is reach. Because San Marino is surrounded by Italy, shares a customs union with the EU and uses the euro, many San Marino businesses sell into the EU. The moment an AI system is placed on the EU market or its output is used in the EU, the EU AI Act (Regulation (EU) 2024/1689, in force since 2 August 2024) can apply regardless of where the provider sits. So San Marino operators often face two regimes at once: light domestic rules at home, and the full weight of EU law when they serve customers next door. Treating San Marino as a regulation-free zone is a mistake that compounds quickly across borders.
How it works
No AI-specific statute, but a clear governing baseline
San Marino has not enacted an AI law and has not published a national AI strategy. This should be stated plainly rather than dressed up. What governs AI instead is the combination of: data protection law; financial, banking and insurance supervision; general criminal and civil law; and the constitutional and international human rights commitments that bind the Republic. These instruments were not written for AI, but they apply to AI systems whenever those systems process personal data, make or support decisions, or operate inside a regulated sector.
Data protection: Law no. 171/2018 and the Garante
The central pillar is Law no. 171 of 21 December 2018 on the protection of individuals with regard to the processing of personal data. It is closely modelled on the EU General Data Protection Regulation and uses the same architecture: lawful basis, transparency, purpose limitation, data minimisation, security, accountability, data protection by design and by default, data protection impact assessments and prior consultation, and rights for individuals. Crucially for AI, the regime carries protections around automated decision-making and profiling, mirroring the GDPR approach.
The law is enforced by the Autorita Garante per la protezione dei dati personali (the San Marino data protection authority). Its powers include advising controllers through prior consultation, issuing opinions to the Grand and General Council and the Congress of State, approving codes of conduct, accrediting certification bodies, handling complaints and exercising corrective and sanctioning powers. For most organisations using AI on personal data in San Marino, this authority is the regulator they will actually encounter.
Council of Europe instruments: Convention 108+ and the AI Framework Convention
San Marino's Council of Europe membership matters more here than EU proximity. San Marino has been a Party to Convention 108 (data protection) since 1 September 2015, signed the modernising Protocol (Convention 108+) on 16 July 2019, and deposited its instrument of ratification on 16 November 2023, when Foreign Minister Luca Beccari deposited the instrument and San Marino became the 31st state to join modernised Convention 108+. Convention 108+ already speaks to algorithmic processing, automated decisions, transparency and proportionality, so it is part of the durable legal backdrop for AI.
On AI specifically, San Marino was one of the first signatories of the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225), signing on 5 September 2024 in Vilnius. This is the first legally binding international treaty on AI. It is technology-neutral, adopts a risk and impact based approach across the AI lifecycle, and obliges Parties to ensure AI activities are consistent with human rights, democracy and the rule of law. Important caveat: signing is not the same as being bound. As of June 2026 San Marino has signed but not ratified CETS No. 225, so the treaty's obligations are not yet domestically in force in San Marino. The Convention entered into force generally on 1 November 2025 after ratification by the United Kingdom, France and Norway among the required five states. Ratification by San Marino, with the accompanying declaration on how it will treat private-sector actors, would be the trigger for binding domestic effect.
Institutions that would carry AI governance
Several bodies share the space that a dedicated AI regulator would otherwise occupy. The Autorita Garante is the data protection regulator. The Banca Centrale della Repubblica di San Marino supervises banking, finance and insurance and is actively engaging with AI in supervision and operations. Policy direction sits with the relevant Secretaries of State (the Segreteria di Stato portfolios covering foreign affairs and European integration, industry and digital matters). On the innovation side, the Istituto per l'Innovazione (San Marino Innovation), established by delegated decree, runs the country's Digital Agenda and acts as a prudential authority for parts of the innovation ecosystem, including distributed ledger technology.
Sector rules: finance and the central bank
The clearest sector-specific control is financial supervision. The Banca Centrale della Repubblica di San Marino supervises credit, financial and insurance activities and protects savers. It has set up an internal technical group on AI and is examining AI for data analysis, predictive supervision and cyber security. It has also acted on AI-driven harms: on 18 March 2026 it issued a public warning that social-media posts and videos were misusing the name and image of its President, Catia Tomasetti, in a form it described as evidently doctored and likely produced with deepfake techniques, to solicit fraudulent investments. None of this is an AI statute, but it shows AI being managed through existing supervisory and consumer-protection levers.
The EU dimension: extraterritorial reach and the Association Agreement
San Marino is not an EU member, so the EU AI Act does not apply domestically of its own force. But Regulation (EU) 2024/1689 has extraterritorial reach: it can apply to providers and deployers outside the EU where an AI system is placed on the EU market or where its output is used in the EU. Given the customs union with the EU since 1991, use of the euro, and the surrounding Italian market, many San Marino businesses fall within that reach in practice.
The longer-term shift is the EU Association Agreement. Negotiations with Andorra and San Marino concluded in December 2023; the European Commission proposed signature and conclusion in April 2024; and the European Parliament adopted an interim report (A10-0003/2026) in early 2026. The agreement would give San Marino access to the EU internal market comparable to Norway, Iceland and Liechtenstein, in exchange for continuous transposition of parts of the EU acquis across the agreement's technical annexes. Whether and how EU AI rules would be incorporated through that mechanism is not yet settled, so this should be treated as a direction of travel rather than a current obligation.
Examples
A San Marino software company sells an AI-driven analytics tool to customers in Italy and Germany. Domestically it must comply with Law no. 171/2018 when handling personal data. But because it places the system on the EU market, it also has to assess its obligations under the EU AI Act, which can apply to providers established outside the EU. The practical workflow is dual compliance: San Marino data protection plus EU AI Act classification.
A San Marino bank wants to use AI for fraud detection and credit-related analysis. There is no AI statute to follow, but the Banca Centrale della Repubblica di San Marino supervises the activity, and Law no. 171/2018 governs the personal data and any automated decision-making. The bank's controls therefore come from financial supervision and data protection working together, not from a standalone AI law.
The central bank warned on 18 March 2026 that deepfake videos misusing its President's image were circulating to solicit fake investments. Here the response ran through existing tools: a supervisory and consumer-protection warning, with the conduct addressable under general fraud and criminal law, rather than through any AI-specific offence in San Marino law.
Common misunderstandings
"San Marino has an AI law." It does not, as of June 2026. There is no enacted AI statute and no published national AI strategy. AI is governed through data protection, sector supervision and human rights commitments.
"San Marino is in the EU, so the EU AI Act applies." San Marino is not an EU member. It is a Council of Europe member with a customs union and monetary link to the EU. The AI Act applies to San Marino actors only through its extraterritorial reach, when they serve the EU market.
"Signing the Council of Europe AI Convention means San Marino is bound by it." Signature is a statement of intent. As of June 2026 San Marino has signed but not ratified the Framework Convention on AI, so its obligations are not yet domestically binding there.
"Data protection is a separate issue from AI." In a jurisdiction with no AI statute, data protection law is the main operative AI control. Law no. 171/2018 and Convention 108+ carry the rules on automated decisions, transparency and impact assessment.
"Nothing will change, so there is no need to prepare." The EU Association Agreement and possible ratification of the AI Convention both point towards more AI-specific obligation over time. Waiting until a statute exists leaves little time to adjust.
Risks and boundaries
This article describes a thin-source jurisdiction honestly: San Marino has no AI-specific law, and readers should not assume hidden detailed rules exist. The risk is two-sided. Some operators wrongly conclude that the absence of an AI statute means freedom to deploy without controls; in fact data protection law, financial supervision, criminal law and human rights commitments all apply. Others wrongly assume EU rules apply automatically; they do not, except through the AI Act's extraterritorial reach or future Association Agreement transposition.
Several points are genuinely uncertain and could change. The status of CETS No. 225 in San Marino is signature only, not ratification, so its binding effect domestically is pending. The Association Agreement is not yet in force and its treatment of EU AI rules is not settled. Calls for a national AI framework exist at the political level but have not become law. Where a status is pending, this article says so rather than presenting intention as fact. None of this is legal advice; organisations with real exposure should take qualified local and EU advice.
What to do next
Start by mapping where your AI actually operates. If you process personal data in San Marino, treat Law no. 171/2018 as your baseline and build GDPR-equivalent controls: lawful basis, transparency, impact assessments, and safeguards around automated decisions and profiling.
If you sell into or serve the EU, assume the EU AI Act may reach you and classify your systems under it now. Dual compliance, San Marino data protection plus EU AI Act, is the realistic posture for any San Marino business with EU customers.
If you operate in regulated finance, engage early with the Banca Centrale della Repubblica di San Marino on any material AI use, and document human oversight and risk controls.
Watch two triggers that would change your obligations: ratification of the Council of Europe AI Convention by San Marino, and entry into force of the EU Association Agreement with provisions touching AI. Either would move San Marino from indirect governance towards explicit AI duties. Build your governance to GDPR and Council of Europe standards now, because that is the architecture San Marino is most likely to adopt.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does San Marino have a dedicated AI law?
No. As of June 2026 there is no enacted AI statute and no published national AI strategy. AI is governed through data protection law, financial supervision, criminal and civil law, and human rights commitments.
What is San Marino's main data protection law?
Law no. 171 of 21 December 2018, which is closely aligned with the EU GDPR and is enforced by the Autorita Garante per la protezione dei dati personali.
Has San Marino joined the Council of Europe AI Convention?
It signed the Framework Convention on Artificial Intelligence (CETS No. 225) on 5 September 2024 but, as of June 2026, has not ratified it, so its obligations are not yet domestically binding there.
Is San Marino bound by Convention 108+?
Yes. San Marino has been a Party to Convention 108 since 2015 and deposited its ratification of modernised Convention 108+ on 16 November 2023.
Does the EU AI Act apply in San Marino?
Not domestically, because San Marino is not an EU member. It can apply to San Marino businesses through the AI Act's extraterritorial reach when they place AI systems on the EU market or their output is used in the EU.
Who would regulate AI in San Marino today?
In practice, the Autorita Garante for data protection and the Banca Centrale della Repubblica di San Marino for finance, with policy direction from the relevant Secretaries of State and innovation work through San Marino Innovation.
Could San Marino adopt EU-style AI rules?
Possibly, through the EU Association Agreement, which would require continuous transposition of parts of the EU acquis. How EU AI rules fit into that is not yet settled.
Are there sector rules touching AI?
Yes, mainly in finance. The central bank supervises AI use in banking, finance and insurance and has acted on AI-enabled harms such as deepfake investment fraud.