What is AI regulation in Tunisia?
AI regulation: countries and regions
Tunisia does not have a dedicated AI law or a standalone AI regulator. Today, AI governance in Tunisia is mainly built from the 2004 personal data protection law, the powers of the INPDP, specific health data rules, and broader government digital policy. Official materials also show ongoing national AI strategy work and a pending 2025 personal data bill with AI related clauses, but those do not amount to an in force AI Act.
What this means
Tunisia's current AI position is best understood as privacy led rather than AI specific. If an AI system handles personal data, the main binding rules come from the 2004 data protection law, which applies to both automated and non automated processing. That law gives people rights over their data and gives the INPDP a central oversight role.
In practice, this means organisations cannot assume that "no AI law" means "no rules". Prior declarations, authorisations for some sensitive processing, and controls on transfers abroad can all matter. In health and telemedicine, the framework becomes more detailed and more restrictive.
Alongside that hard law, Tunisia has a policy layer. Ministries formally launched work on a national AI strategy in 2022, and government communications in 2025 linked AI to open data and public sector digitalisation. Parliament is also considering a broader personal data reform bill with AI related features, but that proposal is not yet the law in force.
Why it matters
For organisations deploying AI in Tunisia, the key risk is misreading the gap between policy ambition and binding law. Tunisia may not yet have an AI Act, but businesses, public bodies and buyers still face real duties where AI relies on personal data, especially in cross border vendor arrangements, health, surveillance, or public administration.
This matters for product design, procurement, timelines and accountability. A project can run into friction not because Tunisia has detailed AI specific rules, but because the existing personal data regime is authorisation heavy in places and because a newer reform path is visibly being debated. Good governance therefore means handling today's data protection duties seriously while preparing for a more explicit AI governance layer later.
How it works
No dedicated AI Act
The official sources reviewed through 7 June 2026 do not show a dedicated Tunisian AI statute or a specialist AI authority. Tunisia's AI governance is therefore emerging through older personal data law, sector specific rules, government strategy work, and wider digital state policy rather than through a single AI code.
Personal data law does most of the work
The core hard law is Organic Law No. 63 of 27 July 2004 on personal data protection. It applies to automated and non automated processing. It requires lawful, specific purposes, fair and necessary processing, and recognises rights such as access, correction and objection. As a baseline, personal data processing is subject to prior declaration to the INPDP. Some categories, including certain sensitive data, move into prior authorisation territory. Transfers abroad are also controlled: the receiving country must offer an adequate level of protection, and INPDP authorisation is mandatory for the transfer. The law also carries criminal penalties and fines for some breaches. For many AI deployments, this older data law is doing the practical work that a modern AI Act would do elsewhere.
What INPDP can and cannot do
The INPDP is Tunisia's personal data protection authority, not a dedicated AI regulator. Under the 2004 law it receives declarations and complaints, grants or withdraws authorisations in the cases set by law, sets safeguards, conducts checks, and gives opinions on data protection matters. Its decisions can be challenged before the Tunis Court of Appeal. So, when AI systems process personal data, the INPDP is the institution organisations need to think about, even though it does not supervise AI as a separate legal category.
Sensitive sectors are more tightly framed
Health is the clearest example. Tunisia's law and INPDP health guidance treat health data as especially protected. Processing health data is limited to doctors or persons bound by professional secrecy, and research or telemedicine uses bring extra formalities. Current guidance also points health institutions toward a designated personal data protection lead, record keeping, and impact style review for more sensitive processing. That is not a general Tunisian AI impact assessment law, but it does show where Tunisia is already closest to an impact assessment mindset.
Policy and strategy sit on top of that law
Tunisia's ministries signed a memorandum in February 2022 to prepare a national AI strategy and implementation plan. The official aims included a legal framework for data collection, classification and use, an institutional structure for data and information, and digital projects across sectors such as health, education, industry, environment and transport. In September 2025, the Presidency of the Government linked AI to public data classification, open data policy and digital administration projects. The INPDP also presents Tunisia's data protection framework alongside Convention 108. Taken together with the African Union's 2024 Continental AI Strategy, this places Tunisia in a North African and wider African context where data governance, institutional capacity and national strategy building are moving faster than AI specific statutes.
A broader reform is being discussed
A separate but important development is the parliamentary proposal on personal data protection, numbered 095/2025. As of early June 2026 it was still at committee stage. A February 2026 committee hearing described the proposal as containing AI related elements, including a right not to be subject to a solely automated decision, impact assessment for high risk processing, and rules touching AI use, health data and visual monitoring. Those ideas are important signals, but they remain proposed reforms until parliament passes them and they are published as law.
Examples
A hospital or telemedicine provider wants to add an AI triage or diagnostic support tool to patient care. In Tunisia, that is not just an "AI project". It is first a health data project. The organisation should expect the 2004 law, the INPDP health framework, professional secrecy requirements, prior formalities, and hosting controls to shape deployment. If data are externalised or sent abroad, separate transfer and hosting questions arise.
A Tunisian company wants to use an overseas AI vendor for customer support, fraud screening or internal analytics. The practical compliance question is where the personal data go, for what purpose, and whether the transfer leaves Tunisia. Under the current framework, the organisation should map the data flows early, determine whether sensitive data are involved, and treat INPDP declaration and foreign transfer authorisation as gating issues rather than late paperwork.
A ministry or public body wants to embed AI in an administrative digitalisation project. Official government material encourages clearer public data governance, open data policy and AI use in digitisation. But a public sector project still needs to distinguish between public data, personal data and sensitive data, and it cannot skip the personal data regime simply because the project is framed as digital transformation or anti corruption work.
Common misunderstandings
Misunderstanding: Tunisia already has an AI Act. Correction: No dedicated AI law was identified in the official sources reviewed through 7 June 2026.
Misunderstanding: The INPDP is Tunisia's AI regulator. Correction: The INPDP is the personal data protection authority. It matters for many AI uses because AI often processes personal data.
Misunderstanding: If an AI tool is hosted outside Tunisia, Tunisian rules stop applying. Correction: Transfers of personal data abroad are specifically regulated and require INPDP authorisation.
Misunderstanding: Only health or biometric AI is regulated. Correction: The 2004 personal data law applies much more broadly to automated and non automated personal data processing, with extra layers for sensitive sectors.
Misunderstanding: The 2025 to 2026 reform debate has already changed the law. Correction: Parliamentary proposals and hearings show direction of travel, but they are not yet the law in force.
Risks and boundaries
Tunisia's present framework leaves important boundaries and gaps. It does not yet provide a single, AI specific rulebook for topics such as model risk tiers, general purpose AI, training data provenance outside personal data law, or broad AI incident reporting. The current hard law is mainly about data protection, not AI systems as such.
There is also a status gap between what is being planned and what is binding. Official materials clearly show AI strategy work, digital transformation planning and parliamentary debate on an updated personal data law. But the official sources reviewed do not show a dedicated AI law in force, and they do not show an official published final AI strategy instrument with legal force equivalent to a statute or regulation. That means organisations should not assume that policy language automatically creates enforceable AI duties.
Finally, the existing regime can be operationally heavy. Projects involving sensitive data, foreign transfers, telemedicine, surveillance style tools or public sector use may face more procedural friction than teams expect. The safest reading is that Tunisia is moving toward clearer AI governance, but today it still governs most AI through personal data law and sector rules.
What to do next
Map each AI use case to the data it uses, the purpose, the storage location, the vendor chain and any transfer outside Tunisia. Treat INPDP filings and authorisations as early project milestones, not end stage admin. Apply extra scrutiny to health, public sector, surveillance and high impact decision uses. Build human review, logging, testing for error and bias, and a written impact assessment now, even where not expressly required across the board, because those controls fit both the current privacy regime and the direction of the pending bill and AU strategy. Then monitor proposal 095/2025, any new INPDP guidance, and any official publication of a final national AI strategy.
FAQs
Does Tunisia have a dedicated AI law?
No. In the official sources reviewed through 7 June 2026, Tunisia does not yet have a dedicated AI Act.
Is there a Tunisian AI regulator?
Not as a separate authority. The INPDP oversees personal data protection, which is the main binding layer affecting many AI uses.
Does every AI system need INPDP approval?
Not every AI system as such, but personal data processing generally requires prior declaration, and some processing plus all foreign transfers require authorisation.
Are overseas AI vendors allowed?
They can be, but if personal data leave Tunisia the transfer framework applies, and the receiving country must provide an adequate level of protection.
Are health AI projects treated differently?
Yes. Health data uses are more tightly controlled, and telemedicine and research projects bring extra confidentiality and procedural duties.
Is Tunisia rewriting its data law?
Parliament is examining proposal 095/2025 on personal data protection, but it is still a proposal and not yet the law in force.
Does Tunisia already require AI impact assessments?
Not through a general AI Act. However, current health guidance refers to impact style review for sensitive processing, and the pending bill would make high risk assessments more explicit.
How does the African Union context matter here?
The AU strategy supports national AI strategies, risk aware governance and assessment tools. Tunisia's policy direction fits that continental trend, even without a domestic AI Act.