What is AI regulation in Timor-Leste?
AI regulation: countries and regions
Timor-Leste has no dedicated AI law, regulator or binding national AI strategy. AI is governed indirectly through constitutional privacy rights, the 2024 electronic commerce and electronic signatures decree-law, telecommunications and sector rules, and soft commitments under the UNESCO Recommendation on the Ethics of AI and the voluntary ASEAN Guide on AI Governance and Ethics. A UNESCO AI readiness assessment, completed in 2025, is feeding a planned revision of the Timor Digital 2032 strategy to add AI.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Timor-Leste, one of Asia's youngest and smallest states with a population of about 1.3 million, regulates artificial intelligence by default rather than by design. There is no statute that defines an AI system, classifies AI by risk, or imposes duties on developers and deployers. Instead, anyone building or buying AI in the country relies on a patchwork: constitutional protections for privacy and personal data, a 2024 decree-law on electronic commerce and electronic signatures, telecommunications regulation, and general civil, criminal and consumer law.
The country has begun to engage with AI governance as a policy question. With UNESCO support, and through partners including the Ministry of Transport and Communications, TIC Timor and Catalpa International, Timor-Leste completed a national AI Readiness Assessment in 2025. Its findings are intended to inform a revision of the national digital strategy, Timor Digital 2032, so that AI is addressed explicitly.
Timor-Leste also became the eleventh member of ASEAN on 26 October 2025. That membership brings it within reach of regional soft-law instruments, notably the ASEAN Guide on AI Governance and Ethics. None of these instruments is binding, so for now AI regulation in Timor-Leste is best described as nascent: principle-led, diagnostic and largely aspirational rather than enforceable.
Why it matters
For organisations, the absence of a dedicated regime is itself the headline risk. There is no AI authority to register with, no statutory risk classification to map against, and crucially no general data protection law and no data protection authority to consult on cross-border data flows. That does not mean AI is unregulated: constitutional data protection rights, the e-commerce decree-law, sector rules and consumer law still apply, and foreign regimes such as the EU AI Act and GDPR may reach activities connected to Timor-Leste through their extraterritorial scope. Buyers and operators therefore carry more of the governance burden themselves, and should not assume a legal vacuum means a compliance holiday. As connectivity expands, with Starlink available since late 2024 and the submarine fibre-optic cable expected to come online during 2025, and as ASEAN integration deepens, the direction of travel points towards more structured rules, so early, principled governance choices will age better than reactive ones.
How it works
No dedicated AI statute
As of mid-2025, Timor-Leste had no standalone national AI law, no AI-specific bill before parliament, and no binding national AI strategy. The UNESCO readiness assessment notes that the existing legal and administrative framework, including laws on digital ICT and data privacy, conspicuously lacks specific provisions for AI, and that this absence, combined with limited political will and dedicated funding, hinders development of a comprehensive AI policy. This places Timor-Leste alongside most of ASEAN, where no member state has yet enacted dedicated, binding, horizontal AI legislation.
The constitution and personal data
The 2002 Constitution provides the deepest legal roots. Section 36 protects honour and privacy; Section 37 protects the home and correspondence; and Section 38 protects personal data, giving citizens a right to access data held about them, requiring the law to define personal data and the conditions for its processing, and prohibiting the processing of sensitive data (such as political, religious or trade union information, or ethnic origin) without consent. Critically, Section 38 anticipates an implementing law that, as of 2025, has not been enacted, so the constitutional right exists without a detailed statutory framework or supervisory authority to operationalise it.
The e-commerce decree-law
Decree-Law No. 12/2024 of 13 February 2024, which entered into force on 18 August 2024, establishes a general legal regime for electronic commerce and electronic signatures. It is technology-neutral, gives legal equivalence to electronic and paper transactions, draws on UNCITRAL model laws, regulates online disclosures and spam, and designates TIC Timor as the accrediting and supervisory authority for electronic signatures, with administrative fines for breaches. It is not an AI law, but it is the most directly relevant modern digital statute and shapes the environment for automated online services.
Sector and telecommunications regulation
The telecommunications sector is regulated by the Autoridade Nacional de Comunicacoes (ANC), a statutory authority established under Telecommunications Decree-Law No. 15/2012. The ANC licenses operators, manages spectrum and runs a consumer protection desk. Sectoral rules of this kind, together with general consumer, civil and criminal law, are the practical levers that would touch AI systems deployed in connectivity, finance or public services, in the absence of anything AI-specific.
Draft cybercrime and data protection laws
A draft Cybercrime Law and a draft Data Privacy and Protection Law have been in development for several years. The Ministry of Justice tabled a revised cybercrime draft in June 2024, and Minister of Justice Sergio Hornay confirmed progress to the national news agency Tatoli on 5 March 2025. Civil society groups have criticised the cybercrime draft for focusing on leaders' reputations: Valentim da Costa Pinto, director of NGO Forum Timor-Leste, told UCA News, "We acknowledge the need for a cybercrime law, but it should not be primarily about shielding national leaders from criticism." A comprehensive data protection law, if enacted, would be the single most consequential change for AI governance, because it would supply the missing implementing framework for Section 38 and likely a supervisory authority.
International and regional instruments
Timor-Leste is among the UNESCO member states that adopted the 2021 Recommendation on the Ethics of Artificial Intelligence, the first global standard-setting instrument on AI ethics, built on human rights, transparency, fairness and human oversight, and operationalised through eleven policy action areas. The Recommendation is non-binding. As an ASEAN member from October 2025, Timor-Leste also sits within the scope of the ASEAN Guide on AI Governance and Ethics, endorsed at the Fourth ASEAN Digital Ministers Meeting on 2 February 2024, and its 2025 generative-AI expansion. The ASEAN Guide is voluntary, principle-based and built around seven guiding principles (transparency and explainability; fairness and equity; security and safety; robustness and reliability; human-centricity; privacy and data governance; and accountability and integrity), and it does not override national law.
The UNESCO readiness assessment and Timor Digital 2032
Timor-Leste's main governing digital instrument is Timor Digital 2032, the national strategic plan for digital and ICT development launched on 2 June 2023, which prioritises e-government, inclusive economy, health, education and agriculture. With UNESCO, the Ministry of Transport and Communications, TIC Timor and Catalpa International, the country ran its first AI Readiness Assessment using UNESCO's methodology, with consultation and validation workshops in April and May 2025 and a country report published in 2025. The assessment recommends boosting digital literacy and skills, developing clear governance and data-protection frameworks, and keeping communities and youth engaged; its findings are intended to feed the revision of Timor Digital 2032 to incorporate AI.
Examples
A foreign software vendor sells an AI-driven customer service tool to a Timorese bank. There is no AI law to comply with, but the e-commerce decree-law governs online disclosures, the Constitution's Section 38 frames personal data expectations, and because there is no local data protection law or authority, the vendor and bank must build their own safeguards for cross-border data transfers, since a foreign regime such as the GDPR may apply to the data flows.
A government ministry pilots an AI citizen-service chatbot in Tetum and Portuguese as part of Timor Digital 2032 priorities. The UNESCO readiness assessment flags linguistic exclusion of less-resourced languages and a weak data ecosystem, so the practical governance work is internal: data quality, human oversight and accessibility, guided by UNESCO and ASEAN principles rather than a binding statute.
AI is already in use for disaster resilience. Similie, working with Mercy Corps and with CISCO support, trialled AI to predict flood likelihood, and its Dili flood early-warning system serves over 275,000 people. Such projects operate under general law and donor governance standards, illustrating how AI is deployed ahead of any dedicated regulatory framework.
Common misunderstandings
"Timor-Leste has an AI law." It does not. There is no dedicated AI statute, no AI regulator and no binding national AI strategy as of 2025.
"There is no privacy protection at all." The Constitution protects privacy and personal data in Sections 36 to 38, but the implementing data protection law and supervisory authority that Section 38 anticipates do not yet exist.
"Joining ASEAN imposed binding AI rules." ASEAN's AI instruments, including the ASEAN Guide on AI Governance and Ethics, are voluntary and do not override national law.
"The UNESCO Recommendation is enforceable in Timor-Leste." It is a non-binding standard-setting instrument; it guides policy but creates no directly enforceable duties.
"No law means no compliance risk." Constitutional rights, the e-commerce decree-law, sector and consumer law all apply, and foreign regimes can reach Timor-Leste-connected activity extraterritorially.
Risks and boundaries
This page describes a jurisdiction with thin AI-specific sourcing, and it should be read that way. What is confirmed: no dedicated AI law, no AI regulator, constitutional privacy and data protection rights without an implementing statute, an in-force e-commerce decree-law, an active telecommunications regulator, voluntary UNESCO and ASEAN commitments, and a completed UNESCO readiness assessment feeding a strategy revision. What is pending: a draft cybercrime law and a draft data protection law, neither confirmed as enacted, and an AI-aware revision of Timor Digital 2032. What is uncertain: timing, content, and whether any future framework will be principle-based guidance or hard law. The single biggest variable is whether a comprehensive data protection law passes, because that would create the missing institutional architecture. This is not legal advice, and organisations should verify current status against primary sources before acting.
What to do next
Treat governance as your responsibility, not the state's. Adopt a recognised baseline now: the seven ASEAN Guide principles and the UNESCO Recommendation's policy areas are sensible reference points that will likely shape any future Timorese rules. Map and minimise the personal data your AI systems use, and because there is no local data protection authority, run transfer-focused impact assessments and use robust contractual safeguards for cross-border flows. Comply with the e-commerce decree-law where you operate online, and engage the ANC where telecommunications or spectrum issues arise. Watch two triggers closely: enactment of a comprehensive data protection law, and the AI-aware revision of Timor Digital 2032. If either lands, revisit your data governance and documentation. Build in human oversight, accessibility in Tetum and Portuguese, and auditability from the start, since these features age well across both ASEAN soft law and stricter foreign regimes.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Timor-Leste have a dedicated AI law?
No. As of 2025 there is no standalone AI statute, no AI-specific bill confirmed before parliament, and no binding national AI strategy.
What governs AI in the absence of a dedicated law?
Constitutional privacy and data protection rights (Sections 36 to 38), the 2024 electronic commerce and electronic signatures decree-law, telecommunications and sector regulation, consumer and general law, plus voluntary UNESCO and ASEAN commitments.
Is there a data protection law or authority?
No general personal data protection law and no data protection authority exist yet. The Constitution protects personal data, but the implementing law it anticipates has not been enacted. A data protection bill has been under development.
How does ASEAN membership affect AI rules?
Timor-Leste became ASEAN's eleventh member on 26 October 2025. ASEAN's AI instruments, including the ASEAN Guide on AI Governance and Ethics, are voluntary and do not override national law, but they offer a likely template for future rules.
What is the UNESCO AI Readiness Assessment?
A diagnostic exercise using UNESCO's methodology, completed in Timor-Leste in 2025 with the Ministry of Transport and Communications, TIC Timor and Catalpa International, that identifies legal, institutional and capacity gaps and informs the planned revision of Timor Digital 2032.
Does the EU AI Act or GDPR apply in Timor-Leste?
Not directly, but their extraterritorial scope can reach organisations whose activities or data flows connect to the EU, so cross-border deployments should account for them.
Is AI already being used in Timor-Leste?
Yes. Universities, the private sector and development partners use AI for research, climate forecasting, health and disaster early warning, ahead of any dedicated regulatory framework.