What is AI regulation in Serbia?
AI regulation: countries and regions
Serbia does not appear to have a dedicated AI law in force on the official sources reviewed as of 7 June 2026. Instead, AI is governed through a 2025 to 2030 national strategy, 2023 ethics guidelines, the Law on Personal Data Protection, Commissioner oversight, and a small number of sector-specific rules. The overall direction is increasingly shaped by EU-accession alignment, but Serbia still relies on its own national instruments.
What this means
If you ask whether Serbia has its own AI Act, the honest answer is no clear standalone act appears on the official sources reviewed. What Serbia does have is a real, mixed framework: strategy at the top, ethics guidance beneath it, hard-law pressure from personal data rules, and a few specific rule sets in particular sectors.
That means Serbia is not a no-rules jurisdiction, but it is also not yet organised like the EU AI Act. For most deployers, the first practical questions are whether the system touches personal data, whether it materially affects people, and whether it sits in a regulated context such as public services, transport, health or security.
EU accession is part of the story. Serbian official materials repeatedly frame AI governance through gradual alignment with EU, UNESCO and Council of Europe approaches. So the Serbian position is best understood as nationally run, but increasingly shaped by European norms.
Why it matters
Organisations using AI in Serbia can get the legal position wrong in two opposite ways. Some assume there is no AI regulation because there is no AI Act. Others assume the EU AI Act already does the whole job. Both are risky. In practice, founders, buyers, product teams, public bodies and compliance leads still need governance, documentation, privacy checks, human review, and a plan for transparency, complaints and control. The cost of getting this wrong is not only future law reform. It can already mean unlawful personal data processing, weak audit trails, unfair or non-transparent use, procurement friction, or a project that stalls when it reaches a regulator, buyer or ministry.
How it works
No standalone AI Act yet
There is no clear official sign of an adopted omnibus Serbian AI law on the sources reviewed. Instead, the government adopted a Strategy for the Development of Artificial Intelligence for 2025 to 2030, and official 2024 materials show a working group was formed to draft an AI law. The government also described the strategy as a roof document and a starting point for further legislative and planning documents. So the direction of travel is visible, but the hard-law codification is still incomplete.
Strategy and ethics shape the national framework
Serbia's strategy is a policy instrument, not a full rulebook for every deployer. The more operational AI-specific text is the Ethical Guidelines for Development, Implementation and Use of Robust and Accountable Artificial Intelligence. Those guidelines set out seven recurring requirements: human agency and control; technical reliability and security; privacy, personal data protection and data management; transparency; diversity, non-discrimination and equality; social and environmental wellbeing; and accountability. They also include a questionnaire designed to be used early in planning and then repeated across the system life cycle. That makes the ethics material more than a values statement. It is a practical governance checklist, even though it is not a substitute for law.
Data protection is the main hard-law control
For many real deployments, the main legally binding layer is the Law on Personal Data Protection and the Commissioner's supervisory powers. The Commissioner supervises the law, handles complaints, conducts inspection supervision and issues opinions and related compliance instruments. The Commissioner also states that controllers must carry out a processing impact assessment before starting processing where the intended processing, especially with new technologies, is likely to create a high risk to people's rights and freedoms. In other words, if your AI system uses personal data and can materially affect people, data protection analysis is not optional.
Sector rules and institutional practice fill some gaps
Serbia has also started building AI-adjacent rules in specific areas. A clear example is autonomous driving, where Serbia has a regulation and permit process for testing certain automated vehicles. That does not amount to a general AI Act, but it shows how Serbia can regulate particular use cases one by one. The broader institutional picture is therefore layered: strategy and ethics guidance at the centre, personal-data enforcement as the main hard-law lever, and sector rules where the state has chosen to move faster.
EU alignment shapes the direction
Serbia is not an EU member state, but its official AI and enlargement materials openly frame legislative development through gradual approximation to the EU acquis. The Ethical Guidelines cite the Stabilisation and Association Agreement and EU AI rulemaking as reference points. The European Commission's 2025 Serbia Report says the personal data protection framework is mostly aligned with GDPR and the Law Enforcement Directive, but still needs further alignment and stronger institutional capacity. So organisations should watch Serbian national law first, while also expecting continued movement toward European models.
Examples
A ministry or municipality wants an AI-enabled service desk or decision-support tool. Serbia's current strategy openly pushes further AI use in the public sector, but the ethics guidelines still expect early planning checks on human control, transparency and whether people know they are interacting with AI. If the service processes personal data and creates high risk, the controller should complete a data protection impact assessment before launch.
A business wants to use AI for recommendations, ranking or financial risk analysis. The ethics guidelines treat these as systems needing continuous human monitoring and control, including procedures to stop staff from relying solely on the system. If personal data is processed and the risk is high, the data controller should screen for a prior impact assessment under the personal-data regime.
A mobility company wants to test an automated vehicle in Serbia. This is one area where Serbia already has a more specific rule set: testing certain Level 3 and Level 4 vehicles requires an application, a valid testing certificate from the Traffic Safety Agency, and a permit from the Ministry of Internal Affairs, which may set safety conditions. That is a good reminder that Serbian AI regulation is partly general and partly sector-specific.
Common misunderstandings
Misunderstanding: Serbia has no AI Act, so AI is unregulated. Correction: Serbia already has strategy, ethics guidance, data protection law, regulatory oversight and some sector-specific rules.
Misunderstanding: The ethics guidelines are the same thing as binding legislation. Correction: They are an important national framework, but they are not a complete substitute for statute, regulation or regulator enforcement.
Misunderstanding: Data protection only matters if an AI model is trained on sensitive data. Correction: Any personal data processing can trigger duties, and high-risk uses may require an impact assessment before processing starts.
Misunderstanding: EU alignment means the Serbian position is identical to the EU AI Act. Correction: Serbian policy is moving in that direction, but Serbian law still has its own structure and gaps.
Misunderstanding: Human review means letting a person click "approve" at the end. Correction: Serbian ethics materials push for meaningful control, monitoring, challenge and the ability to stop or override the system.
Risks and boundaries
Serbia's framework is still uneven. The strategy and ethics guidelines give direction, but they do not yet create the full kind of AI-specific statute found in a mature omnibus regime. Completing the ethics questionnaire helps, but the guidelines themselves say it does not relieve legal obligations and responsibilities. If you need a settled list of prohibited AI practices, mandatory conformity pathways or one dedicated AI supervisor, the official Serbian materials reviewed here do not provide that yet.
There are also moving parts. Official 2024 materials show drafting work on an AI law, and the European Commission's 2025 report says the personal data protection framework still needs further alignment and stronger capacity. The same report also flags unresolved legal questions in high-sensitivity areas such as public street video surveillance. So the safest reading is this: Serbia already has a meaningful governance stack, but its hard-law AI architecture is still being built.
What to do next
Map which systems influence or make decisions about people.
Use the Serbian ethics questionnaire at design stage and revisit it after pilot and before deployment.
Document legal basis, data flows and whether a high-risk DPIA trigger is present.
Set human intervention, escalation and termination controls for recommendation and risk-analysis systems.
Follow Serbian source material directly rather than assuming EU headlines answer the Serbian position.
FAQs
Does Serbia already have a dedicated AI Act?
Not on the official sources reviewed as of 7 June 2026. The framework is still built mainly from strategy, ethics guidance, data protection law and selected sector rules.
Is Serbia's AI strategy legally binding in the same way as a statute?
No. It sets direction and priorities for the state, but it is not the same as a full AI law with directly imposed obligations for every use case.
Are the ethics guidelines optional?
They are guidance rather than a full statute, but they are an official national benchmark and a practical reference for governance, procurement and internal controls.
Which institution matters most today for day-to-day compliance?
For most AI systems that process personal data, the Commissioner for Information of Public Importance and Personal Data Protection is the key supervisory authority to understand.
When should an impact assessment be considered?
Before processing starts where the intended processing, especially using new technologies, is likely to create a high risk to the rights and freedoms of natural persons.
Does the EU AI Act already apply inside Serbia as Serbian law?
Serbia is aligning with European norms, but Serbia still relies on its own national instruments. You should not assume that EU AI Act concepts automatically have identical legal force in Serbia.
Are there any AI-specific sector rules already?
Yes. Autonomous vehicle testing is one example where Serbia already has a specific regulation and permit route.