Peru approves its First Artificial Intelligence Regulation

On May 5, 2023, Law 31814, the Law that promotes the use of Artificial Intelligence, was approved. More than two years later, on September 9, 2025, through Supreme Decree No. 115-2025-PCM, the Regulation of Law 31814 – the Artificial Intelligence Law—was finally approved. It will enter into force 90 business days after publication (that is, on January 22, 2026), except for four Final Complementary Provisions[1], which will take effect on September 10, 2025.

Governing Authority:

The Secretariat of Government and Digital Transformation of the PCM (SGTD) is in charge of, among other actions, promoting and implementing initiatives for the development and adoption of AI-based systems. It is also responsible for proposing legal and regulatory norms for their development and proper use, approving guidelines, standards, and manuals, among others.

Who is subject to this Regulation?

This regulation applies to:

• Public entities subject to the General Administrative Procedure Law (LPAG – Law 27444).
• State-owned enterprises under the scope of FONAFE, as well as regional and local public companies.
• Private companies, academia, civil society, and citizens within the National Digital Transformation System.

Are there sectors or subjects excluded from the Regulation?

Yes, the following are not covered by this regulation:

• Use of AI systems for personal purposes.
• Applications in defense and national security, provided they comply with special principles (notably “accountability”).

Have guiding principles been considered?

According to this regulation, all AI development, implementation, and use must align with the following principles:

1. Nondiscrimination.
2. Personal data privacy.
3. Protection of fundamental rights.
4. Respect for copyright and related rights.
5. Security, Proportionality, and Reliability.
6. Awareness and education in AI.
7. Sustainability.
8. Human oversight.
9. Transparency.
10. Accountability.
11. Ethical development for responsible AI.
12. Risk-based security standards.

Risk Classification:

Following the EU’s regulatory model, the risk classification is as follows:

Please note that European Union regulations consider risks as shown in the following table; none the less, the regulation under analysis generally follows the same classification:

Obligations and Best Practices for Private Sector Organizations:

1. For high-risk AI systems: Maintain an up-to-date and accessible register on the system’s functioning principles, data sources, algorithmic logic, and expected social and ethical impacts.
2. Establish policies, protocols, and procedures aligned with the Regulation and international technical standards.
3. Promote internal education and awareness among employees on AI risks.
4. Implement human oversight mechanisms in decision-making. Staff must have the capacity to stop, correct, or invalidate AI system decisions.

Oversight:

Under the authority of the SGTD-PCM, in the event of non-compliance with this regulation by public administration officials, it shall report to the Comptroller General of the Republic (CGR) for appropriate action (audits and sanctions against said officials).

Implementation Timeline:

The regulation provides for a gradual rollout of 1 to 4 years, depending on the sector and company size. For small and micro enterprises, implementation deadlines are based on their annual sales volume.

Final Comments:

• This regulation is much more comprehensive than Law 31814 itself and aligns with international best practices. At the same time, it also establishes that public officials who fail to comply may be reported by SGTD-PCM to the Comptroller, creating a strong deterrent against noncompliance.
• It is crucial to promote effective AI governance frameworks to ensure the safe, inclusive, ethical, and responsible development and use of this technology, respecting human rights—particularly the right to personal data protection—while fostering innovation and sustainability. In this regard, SGTD-PCM has been playing a positive role that must be strengthened.
• However, many public entities (especially local and regional governments) lack the financial resources to strengthen the digital capacities required by this new environment. Coupled with poor prioritization of projects or ineffective use of budget allocations, there are doubts about whether the most appropriate decisions will be made. This gap should be addressed in future regulations.

For further inquiries, please contact us at: administracion@kaitekiregulacion.pe

Ing. María José Rodríguez
Jefa de Transformación Digital
administracion@kaitekiregulacion.pe

[1] These are the First, Second, Fourth, and Fifth Final Complementary Provisions. They cover, among others, the progressive implementation schedule; complementary norms to be issued by SGTD-PCM (such as guides, guidelines, or technical specifications); approval of the National AI Strategy; and approval of the National Data Governance Strategy.