AI laws and regulation in Colombia

Low.

There is currently no dedicated AI law in force in Colombia. 

Colombia does not yet have a standalone comprehensive AI statute. However, AI is currently governed through existing cross-cutting and sector-specific laws:

• Data Protection Law (Law 1581 of 2012): Regulates the processing of personal data, establishes rights and obligations for data controllers and processors.
• Financial Data Law (Law 1266 of 2008): Applies to credit scoring and financial profiling.
• Consumer Protection Statute (Law 1480 of 2011) Covers transparency, advertising, product safety, and misleading claims.
• Cybersecurity and cybercrime regime and Criminal Code (Law 1273 of 2009): Relevant when AI systems access or manipulate information systems.
• ICT and digital services regulation (Law 1341 of 2009)
• Decree 1377 of 2013: provides specific rules and procedures for the application of Data Protection Law (Law 1581 of 2012).
• Access to public information Law (Law 1712 of 2014): regulates the access, availability, and use of public data.
• Copyright Law (Law 23 of 1982 and amendments)

Colombia does not currently have a single AI regulator. However, the current oversight is fragmented across existing bodies.

• Superintendence of Industry and Commerce leads on data protection and algorithm accountability.
• Ministry of ICT: coordinates digital transformation policy
• National Planning Department: leads national AI policy design
• Ministry of STI: shapes the national AI ecosystem by steering research, infrastructure development, expert advisory structures, and innovation policies.

Activity level:  Moderate. There is active policy work, consultations, and published guidance, but AI-specific enforcement mechanisms are not yet consolidated.

Colombia has several key policy instruments:

• CONPES 4144 (Issued on February 2025)- National AI Policy: A 2030 roadmap covering ethics, governance, talent, infrastructure, innovation, and adoption across public and private sectors.
• AI Ethics Framework (MinTIC/DNP) (2021): Non-binding guidelines on transparency, explainability, fairness, and human oversight.
• CRC Algorithmic Transparency Initiatives (2024–2025): Public consultations and draft regulation addressing recommendation systems, content curation, and platform transparency.
• Joint Directive 007 (2025): Algorithmic Transparency Standards for the State. Binding for public sector algorithms, with obligations on disclosure, registry, citizen, and contract clauses.
• Judicial Branch Guidance (2024): The Superior Council of the Judiciary recently issued an internal regulation authorizing AI for administrative tasks only, while prohibiting its use for:
  • judicial reasoning,
  • interpretation of legal norms,
  • assessment of evidence,
  • or drafting of judicial decisions.

These documents shape expectations and institutional policy even though they are not binding law.

Colombia’s AI policy and the 2025 draft AI bill explicitly reference global frameworks, including:

• OECD AI Principles
• UNESCO Recommendations on AI Ethics
• ISO/IEC standards for AI risk and quality management
• EU AI Act as a conceptual reference (risk-based model)
• NIST AI Risk Management Framework, used as a best-practice model

Colombia is currently experiencing an intense legislative activity around AI, with multiple bills introduced across both chambers of Congress. While no single consolidated AI law has emerged yet, the proposals collectively signal a strong regulatory appetite.

Current initiatives can be broadly grouped into the following themes:

• Horizontal AI governance frameworks, inspired by risk-based models similar to the EU AI Act, setting principles, obligations across the AI value chain, governance structures, and sanctions.
• Human-centric and rights-based approaches, with a strong focus on mental health, children’s rights, neurodata, algorithmic transparency, and protections for vulnerable groups.
• Sector-specific AI regulation, particularly in public administration (e.g. petitions and complaints systems), consular services, and road-safety management.
• Institutional and oversight mechanisms, including proposals to create permanent AI-focused bodies within Congress.
• Indirect AI regulation through corporate accountability, such as human-rights due diligence obligations covering automated decision-making and algorithmic systems.

Although legislative momentum is high, most initiatives currently face a low likelihood of approval, due to fragmentation, overlapping scopes, and political congestion. In practice, Colombia’s AI regulatory landscape continues to be shaped primarily through policy instruments, guidelines, and sector-specific rules rather than comprehensive statutory reform.