What is the Council of Europe AI Framework Convention?

AI regulation: concepts, institutions and standards

The Council of Europe AI Framework Convention is the first treaty designed specifically for AI. It creates an international framework for how states govern AI in line with human rights, democracy and the rule of law, across the AI lifecycle and through domestic law, regulation and oversight. It is not a detailed global AI code like the EU AI Act. As of June 2026, it had 20 signatories and an EU ratification, with entry into force still pending.

What this means

Most international AI governance has so far been built from principles, declarations and domestic laws. The Council of Europe Framework Convention is different because it is a treaty. Its job is to make sure AI-related activity is governed in a way that protects human rights, democratic institutions and the rule of law.

The Convention is broad, but it is not trying to regulate every technical feature of AI. It covers AI activities that can interfere with rights, democratic processes or legal safeguards, from design and testing through deployment, monitoring and retirement. Public authorities are directly in scope, and private sector activity must also be addressed by each party.

It also sits beside, not above, adjacent instruments. It is less prescriptive than the EU AI Act, and it is a different instrument from UNESCO's AI ethics recommendation. Think of it as a durable treaty framework that countries implement through their own legal systems, regulators and public institutions.

Why it matters

If your organisation builds, buys, deploys or governs AI, this Convention matters because it turns broad AI ethics language into state duties. It pushes governments toward concrete expectations on risk assessment, documentation, notice, oversight, public consultation, complaint routes and institutional accountability.

It also matters because its frame is wider than classic privacy or safety compliance. The Convention puts democracy and the rule of law into the same picture as individual rights. That means election integrity, access to justice, administrative fairness, judicial independence, lawful decision-making and safeguards against arbitrary state power all become relevant when AI is used in sensitive contexts.

For operators, the practical effect is usually indirect but still important. The Convention works through domestic law, procurement, regulators, public service design, courts and treaty implementation choices. A treaty article may later show up as a public sector contract term, a regulator's guidance note, a new complaints process, or a court reading existing rights duties in an AI context. Public sector bodies, vendors to government, and organisations active across multiple jurisdictions should pay especially close attention.

How it works

It is a framework treaty, not a full AI code

The Convention was adopted by the Council of Europe in May 2024 and opened for signature in September 2024. It is described as a framework convention because it sets common principles, duties and institutions, but leaves parties room to implement them through their own legal systems. A party can use legislation, administrative measures, regulatory guidance, existing supervisory bodies, courts, or combinations of these. That flexibility is deliberate. The Convention is meant to travel across different legal traditions and remain usable as AI changes, rather than lock states into a single detailed model.

Just as important, the explanatory report makes clear that the Convention is not meant to create a brand new catalogue of human rights. Its role is to help parties apply existing human-rights, democracy and rule-of-law obligations to AI-related activity. That makes it durable, but it also means it is less prescriptive than an instrument such as the EU AI Act.

It follows the AI lifecycle

The Convention uses a broad definition of an AI system and then regulates activities across the lifecycle of that system. The explanatory report gives examples such as planning and design, data collection and processing, development and model building, testing and validation, making systems available for use, deployment, operation, monitoring and retirement.

That lifecycle approach matters because a rights problem may begin long before deployment. Bias can be introduced in data selection. A lack of human review can be baked into workflow design. Oversight can fail at procurement, integration or post-deployment monitoring. By using a lifecycle frame, the Convention is not limited to one narrow stage of AI use.

The scope is still bounded. It is focused on AI activities that have the potential to interfere with human rights, democracy or the rule of law. Research and development on systems not yet made available for use is generally outside scope, unless testing is carried out in a way that could interfere with those protected interests.

Public authorities are directly in scope, private actors through national implementation

The Convention directly covers AI activity by public authorities, including private actors acting on their behalf. That is important for outsourcing and procurement. If a public body relies on a vendor to deliver or operate an AI-enabled public function, the Convention is designed to stop that vendor relationship becoming a gap in accountability.

Private sector activity more broadly is also covered, but through a more flexible route. Each party must address private-sector risks and impacts in line with the Convention's object and purpose, and must declare how it will do that. A party can choose to apply Chapters II to VI directly to private actors, or use other appropriate measures. That is one of the Convention's most important flex points, and one of the main reasons implementation may vary across countries.

There are also express boundaries. A party is not required to apply the Convention to activities related to the protection of its national security interests, although those activities must still be conducted consistently with applicable international law and with respect for democratic institutions and processes. National defence is outside the Convention's scope. Regular law enforcement, however, remains within scope unless the national security exception is genuinely engaged.

The substantive duties are about rights, democracy and accountability

The Convention's core obligations begin with a simple but significant idea: AI activity should be consistent with human rights, democracy and the rule of law. It then develops that through general principles and duties. These include human dignity and individual autonomy, transparency and oversight, accountability and responsibility, equality and non-discrimination, privacy and personal data protection, reliability, and safe innovation.

The democracy and rule-of-law elements give this treaty a distinct profile. Parties must seek to ensure AI is not used to undermine democratic institutions and processes, including separation of powers, judicial independence, access to justice, fair access to public debate and the ability of individuals to form opinions freely. This is broader than a narrow consumer or product safety frame.

Transparency is also treated as practical rather than symbolic. The treaty speaks about adequate transparency and oversight requirements that are tailored to context and risk, including identifying AI-generated content where appropriate. The explanatory report also links transparency to explainability and interpretability, while recognising that technical limits may mean explanation is a matter of degree rather than perfection.

Remedies and risk management are operational, not just aspirational

One of the Convention's strongest features is that it does not stop at high-level principles. It also requires parties to support remedies and procedural safeguards. Where relevant AI systems can significantly affect human rights, parties should ensure that relevant information is documented, made available to authorised bodies and, where appropriate, communicated to affected persons. The purpose is practical: people should have enough information to challenge a decision made or substantially informed by AI, and where relevant to challenge the use of the system itself.

The Convention also requires an effective possibility to lodge a complaint with competent authorities, and procedural guarantees where AI significantly impacts the enjoyment of human rights. In some contexts, people interacting with AI should be told that they are interacting with a machine rather than a human.

Risk and impact management then runs alongside those remedies. Parties must adopt or maintain measures to identify, assess, prevent and mitigate actual and potential impacts on human rights, democracy and the rule of law. The Convention says this should be iterative, proportionate to context and severity, and informed, where appropriate, by the perspectives of affected people and other relevant stakeholders. It also requires monitoring, documentation, testing and mitigation measures. In especially serious cases, parties must assess whether moratoria, bans or other measures are needed for uses they consider incompatible with the Convention's protected values.

Oversight, consultation and technical practice sit around the legal core

The Convention does not create one single global AI regulator. Instead, it requires each party to establish or designate one or more effective oversight mechanisms. Those mechanisms must act independently and impartially, and must have the powers, expertise and resources needed to do the job. Parties can adapt existing structures, co-ordinate several regulators, or create new ones if needed.

Implementation is not meant to be closed and technocratic. The Convention says parties should seek to ensure that important questions raised by AI are considered through public discussion and multi-stakeholder consultation. It also encourages digital literacy and expert skills across the population and among those responsible for identifying and managing AI risks.

This is also where standards and assurance come in. The explanatory report points to compliance schemes, assurance practice and consensus-based technical standards as useful ways to give practical shape to open-textured legal duties. The Council of Europe's HUDERIA resources fit here. They are non-binding guidance for assessing risks and impacts on human rights, democracy and the rule of law, and can support both public and private actors as parties translate treaty principles into practice.

Follow-up is cooperative, and the treaty is still in the ratification phase

The Convention sets up a follow-up system through a Conference of the Parties. Parties will report on implementation within the first two years after becoming bound, and then periodically thereafter. The Conference can facilitate implementation, exchange information, hold public hearings where appropriate, and support co-operation among parties and stakeholders. The explanatory report also indicates that it may issue recommendations on interpretation and application, although those recommendations are not themselves legally binding.

The treaty enters into force once five signatories have expressed consent to be bound, including at least three Council of Europe member states. Official Council of Europe news confirms that North Macedonia's signature on 8 May 2026 brought the number of signatories to 20, and that the European Union ratified on 15 May 2026. The EU's ratification is especially important because the Union declared that it will apply the Convention's core chapters to private actors through the AI Act and other relevant Union law.

I did not locate an official notice stating that the entry-into-force threshold had been met by 4 June 2026. On that basis, the safer reading is that the Convention remained in the ratification phase at that date.

Examples

A ministry buys an AI system from a private supplier to help allocate social welfare benefits or support border decision-making. The explanatory report uses social welfare distribution, immigration, asylum procedures and border control as examples of contexts where AI can affect rights, democratic trust and legal safeguards. Under the Convention, a vendor acting on behalf of a public authority does not sit outside the framework. In practice, that points to tighter procurement clauses, documentation duties, human review, complaint routes and oversight arrangements.

A government website deploys an AI chatbot to interact with the public. The explanatory report says that users should usually be notified when they are interacting with AI rather than a human. If the same system later substantially informs a rights-affecting administrative decision, the Convention's remedy logic becomes relevant too: affected people should be able to obtain enough information to contest the decision and complain to a competent authority.

Inside the EU, the Convention is already taking a concrete implementation path. When the EU approved it, the Union declared that it would apply the Convention's main chapters to private actors through the AI Act and other relevant Union law. For organisations already preparing for AI Act compliance, that means the Convention matters less as a separate checklist and more as an international legal frame that reinforces the rights, democracy and rule-of-law rationale behind those controls.

Common misunderstandings

"It is the same thing as the EU AI Act." It is not. The Convention is a treaty framework for states. The AI Act is a detailed EU regulation with far more operational rules.

"It only matters in Europe." It does not. The treaty was negotiated with non-member states and is open to wider participation. Its signatories already include non-European countries.

"It only covers government AI." Not quite. Public authorities are directly covered, and private actors must also be addressed. The main question is how each party chooses to implement private-sector coverage.

"It automatically bans a fixed list of AI uses." No. The treaty does not contain a single universal blacklist. Instead, it requires parties to assess whether moratoria, bans or other measures are needed for uses they consider incompatible with protected values.

"It is already fully in force." As of 4 June 2026, official sources confirmed broad signature and the EU's ratification, but I did not locate an official notice that the treaty had crossed its entry-into-force threshold.

Risks and boundaries

The Convention is powerful as a normative frame, but it is not a one-document compliance manual for firms. It leaves parties significant discretion over implementation. In some countries that may mean new AI-specific law. In others it may mean updated procurement rules, regulator guidance, data protection enforcement, court interpretation, sector regulation or combinations of existing measures.

Its scope is also uneven at the edges. Public authorities and private actors acting on their behalf are directly addressed, but private-sector activity generally can still be handled through different implementation routes chosen by each party. National security activity is not required to be brought within the Convention, and defence is outside scope. Remedies and information duties also use thresholds tied to systems that significantly affect human rights, so not every AI use will trigger the same obligations.

Current legal status also matters. Official sources clearly confirm signature activity and the EU's ratification. Less clear, from the sources I located, is whether additional ratifications after 15 May 2026 had already been deposited in a way that met the entry-into-force threshold by 4 June 2026. The prudent position is to treat formal entry into force as still pending unless and until the Council of Europe Treaty Office says otherwise.

What to do next

Map where your AI use could touch human rights, democratic processes or rule-of-law functions. Do not limit that exercise to privacy or cybersecurity. Include public decision-making, access to justice, elections, public debate, administrative fairness and vulnerable groups.

Treat public sector supply chains as a priority area. If you sell AI into government, or operate AI on behalf of a public authority, assume that documentation, human review, complaint handling and procurement scrutiny will keep tightening first in that part of the market.

Build lifecycle evidence now. That means clear scoping, risk and impact assessment, testing, monitoring, change control, accountability assignment, user notice where relevant, and records that can support challenge or review if a system affects rights.

Separate three governance questions in leadership discussions: what current domestic law already requires, what treaty implementation may add in the jurisdictions you operate in, and what good practice you should adopt before any formal legal change arrives.

Watch ratifications, Article 3 declarations on private actors, and practical guidance such as HUDERIA. Those are the places where this framework starts turning from high-level treaty language into everyday governance expectations.

FAQs

What does "framework convention" mean here?

It means the treaty sets common principles, duties and institutions, but leaves parties room to implement them through their own legal systems, regulators and existing rights frameworks.

Is the Convention already in force?

The treaty enters into force after five ratifications, including at least three Council of Europe member states. Official sources confirm 20 signatories and the EU's ratification, but I did not locate an official notice that the threshold had been met by 4 June 2026.

Who can sign or join it?

Council of Europe member states, the non-member states that took part in drafting, and the EU could sign from the outset. After entry into force, other non-drafting states may be invited to accede.

Does it apply to private companies?

Yes, but not through one identical model everywhere. Each party must address private-sector risks and declare whether it applies the Convention's core chapters directly to private actors or uses other appropriate measures.

Does it create new human rights?

No. The explanatory report says the Convention is meant to help apply existing human-rights, democracy and rule-of-law obligations to AI activity, not invent a new set of rights.

Does it ban any AI uses by itself?

Not through a fixed treaty blacklist. It requires parties to assess whether moratoria, bans or other measures are needed for uses they consider incompatible with human rights, democracy or the rule of law.

How does it relate to the EU AI Act?

The EU has declared that it will implement the Convention through the AI Act and other relevant Union law. The Convention is broader and more principle-based; the AI Act is more detailed and operational.

How is it different from UNESCO's AI ethics recommendation?

UNESCO's recommendation is a separate global standards instrument for UNESCO member states. The Council of Europe instrument is a treaty route that depends on signature, ratification and domestic implementation.

Sources