AI laws and regulation in Peru

High.

Peru has a dedicated AI law: Law No. 31814 - Law promoting the use of artificial intelligence for the economic and social development of the country   (“Ley que promueve el uso de la inteligencia artificial…”) and its implementing Regulation approved by Supreme Decree No. 115-2025-PCM

In Peru, in addition to the AI Framework Law, there is a set of cross-cutting rules that regulate key aspects related to the use of AI, particularly personal data, digital governance, criminal liability and intellectual property.

• Personal data and privacy: Law No. 29733 applies to any AI system that processes personal data (consent, lawful purpose, etc.). Supreme Decree No. 016-2024-JUS (the new regulation) updates the regime to reflect new technologies: it introduces the concept of profiling and regulates decisions based solely on automated processing, recognising individual rights in relation to algorithmic decisions made without human intervention.
• Digital government and digital trust: Urgency Decree No. 007-2020 (the Digital Trust Framework) requires the promotion of the ethical use of data-intensive digital technologies (including AI), ensuring transparency and risk management. Legislative Decree No. 1412 (the Digital Government Law) establishes the legal framework for the use of digital technologies across the public sector and introduces principles such as privacy by design and digital security, which are relevant to AI implementations within the State.
• Criminal law and cybercrime: Law No. 32314 strengthens the criminal law response to the misuse of AI: it treats the use of AI to commit offences as an aggravating factor, sanctions deepfakes (e.g., for child sexual abuse material, scams, or reputational harm), and amends the Computer Crimes Law to include AI as a means of committing offences.
• Intellectual property: The same Law No. 32314 amends Article 217 of the Criminal Code to sanction the dissemination of AI-generated works or content that infringe copyright (moral or economic rights) or that disseminate false information. In addition, INDECOPI case law includes precedents on the protection of software and databases, which are relevant to the software underpinning AI systems and to discussions around originality and the training of AI models.

The authority specifically designated for AI oversight in Peru is the Secretariat for Government and Digital Transformation (SGTD) of the Presidency of the Council of Ministers (PCM), in accordance with Law No. 31814 and its regulations.

However, due to the cross-cutting nature of the technology, the National Authority for the Protection of Personal Data (ANPD) plays an active and critical supervisory role over the inputs (data) and processes (profiling) of AI.

In terms of activity:

• SGTD (PCM): high activity in public policy / oversight still under development. It currently leads the implementation of the regulatory framework (including the National AI Strategy and ethical guidelines). Its supervisory role is recent and still consolidating: it can monitor high-risk AI systems or misuse, coordinate reports to the Comptroller’s Office for non-compliance in the public sector, and oversee internal governance structures (e.g., appointment of officers responsible for digital security and trust).
• National Authority for the Protection of Personal Data (ANPD): high activity in enforcement. Although it is not an exclusive AI regulator, it is the body with the greatest sanctioning experience regarding essential elements of many AI systems: data processing and profiling. It has issued significant sanctions for profiling without consent and for the use/transfer of data for evaluations and profiling without adequate information, as well as providing guiding criteria (advisory opinions) on sources of public access, cloud processing, and cross-border data flows.

The Peruvian State has defined its approach to AI not only through legislation but also via strategic public management frameworks that prioritise digital transformation, ethics, and alignment with international standards.

• National AI Strategy (ENIA) to 2030: The regulation (Supreme Decree No. 115-2025-PCM) tasks the SGTD (PCM) with drafting and proposing ENIA 2030, which must be approved within one year from September 2025. It aims to bring together academia, the private sector, and civil society, updating the previous vision (ENIA 2021–2026) to address challenges such as generative AI and data governance.
• National Digital Transformation Policy (PNTD) to 2030: Approved by Supreme Decree No. 085-2023-PCM, this serves as the overarching framework where AI is recognised as a key emerging technology for Industry 4.0 and for enabling digital citizenship. It is implemented through the Peruvian Digital Agenda, which includes commitments for AI, data analytics, and IoT.
• Ethical and transparency guidelines: The regulation requires the SGTD to approve ethical guidelines for the development, implementation, and use of AI within 180 working days, and to advance algorithmic transparency, focusing on avoiding “black boxes”, particularly in the public sector.
• International alignment (OECD): The OECD accession process acts as a de facto strategic framework, driving the adoption of the OECD AI Principles (human-centred, robust, safe, and trustworthy AI).

In summary: Peru adopts a stance that promotes innovation, but guided by ethics, transparency, and fundamental rights, with ENIA 2030 and PNTD as its main pillars.

The Peruvian legal framework on AI, particularly through the regulation of the AI Act, explicitly and bindingly incorporates international norms and guidelines, adopting a model of “technical standardisation” that integrates global standards into the national legal system.

• OECD Principles on AI: Incorporated directly into administrative regulation as part of Peru’s OECD accession process. The regulation requires public officials to promote and comply with these ethical and international recommendations.
• ISO/IEC Standards (Technical Standards): References are established to standards covering governance, management, security, risk, and technical aspects of AI and machine learning. Notable examples include NTP-ISO/IEC 42001:2025 (AI management system), ISO/IEC 38507 (governance), and security standards such as ISO/IEC 27002 and 27005.
• NIST AI RMF (Risk Management Framework): Although the NIST AI RMF is not explicitly mentioned, the regulation adopts a risk-based approach, conceptually aligned with this framework.
• Adoption Mechanism (INACAL): Peru not only “references” these standards but also “nationalises” them. Article 20.2 of the AI Act Regulation mandates that the SGTD coordinate with the National Institute for Quality (INACAL) to approve Peruvian Technical Standards (NTP) adopting these international standards, making them enforceable in public procurement or compliance requirements.

Peru has opted for a regulatory model that does not reinvent the wheel but relies on international standards: OECD principles for ethics and public policy, and ISO/IEC requirements for technical, security, and governance aspects.

Peru’s AI-specific framework is already enacted (Law No. 31814 + DS 115-2025-PCM). The short-term “pipeline” is mainly implementation.

• Regulations for the Law promoting the use of Artificial Intelligence (AI) are approved: https://cms.law/en/per/publication/approval-of-the-regulations-of-the-law-that-promotes-the-use-of-ai-in-peru