Tag: artificial intelligence laws and regulations

  • AI Act Regulation: Penalties for Research Bodies

    AI Act regulation penalises non-compliance on a three-tier scale: up to €35 million or 7% of global annual turnover for prohibited AI practices, up to €15 million or 3% for high-risk and general-purpose AI failures, and up to €7.5 million or 1% for supplying false information to regulators — whichever figure is higher in each case. For a university, spinout, or research consortium, the exposure is rarely the maximum headline number; it is the cost of misclassifying an admissions algorithm, an exam-proctoring tool, or a recruitment screen as “low risk” when the law says otherwise.

    The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the harmonised EU law setting risk-based obligations and penalties for AI systems, and it applies to research institutions as deployers whenever an AI system’s output affects people in the EU.

    What actually counts as an AI Act violation for a research institution?

    Universities and consortia rarely build the AI systems they use — they deploy them. Under the Act, a deployer is any organisation using an AI system in a professional capacity, and deployers carry real obligations even when a vendor built the underlying model. A learning-management platform that scores exam integrity, an HR tool that ranks job applicants, or an admissions filter all fall within scope if they touch people inside the EU, regardless of where the institution is based.

    Non-compliance is not a single offence. It spans failing to conduct a fundamental rights impact assessment, deploying an unregistered high-risk system, ignoring human-oversight requirements, or running a system the Act classifies as prohibited. Each failure mode sits on a different penalty tier.

    How much can an AI Act fine cost, tier by tier?

    Article 99 of Regulation (EU) 2024/1689 sets three fine bands. The final figure is whichever is higher — the flat euro cap or the percentage of worldwide annual turnover — which matters enormously for a university with a large total budget but a tiny AI-specific footprint.

    Violation type Maximum fine Turnover percentage Typical trigger for a research institution
    Prohibited AI practices (Art. 5) €35,000,000 7% Emotion-recognition in exams; covert biometric categorisation of students or staff
    High-risk system / GPAI obligation breaches €15,000,000 3% Recruitment or admissions AI deployed without a rights impact assessment
    Supplying incorrect, incomplete or misleading information €7,500,000 1% Inaccurate disclosures to a market surveillance authority or notified body

    Regulators must apply fines proportionately, weighing the nature, gravity and duration of the breach against the size of the organisation. Article 99(6) directs authorities to consider the interests of small and medium-sized enterprises and start-ups — relevant for university spinouts on constrained budgets — but this softens the number, not the underlying obligation.

    • Fines apply per infringement, so a consortium running several non-compliant systems faces cumulative, not capped, exposure.
    • Turnover is calculated on the whole legal entity’s global turnover, not just the department’s AI-related revenue or grant income.
    • National market surveillance authorities, not the EU AI Office, issue most fines against deployers; the AI Office focuses on general-purpose AI providers.

    Which of your institution’s AI systems could be “prohibited” outright?

    Article 5 bans a specific list of practices regardless of sector, and several map directly onto tools already used in higher education and research settings. A prohibited AI practice cannot be risk-managed into compliance — it must be withdrawn.

    The clearest overlaps for a research institution are:

    • Emotion recognition in educational institutions or workplaces, except for narrow medical or safety purposes — implicating some exam-proctoring and staff-monitoring software.
    • Biometric categorisation systems inferring race, political opinion, trade union membership, religion, or sexual orientation from biometric data.
    • Untargeted scraping of facial images from the internet or CCTV to build a recognition database — relevant to campus security systems built on scraped datasets.
    • Social-scoring-style evaluation of individuals by behaviour or personal traits leading to detrimental treatment unrelated to the original context.

    From 2 December 2026, two further prohibited categories take effect under the Digital Omnibus agreement: AI systems that generate or manipulate non-consensual intimate imagery (“nudifier” applications) and systems used to produce child sexual abuse material. Institutions running student-safeguarding or content-moderation tooling should confirm vendor compliance well ahead of that date.

    Has the Digital Omnibus changed the deadlines that matter?

    Yes, but selectively. The Act’s obligations phase in from its 1 August 2024 entry into force: prohibited practices became enforceable on 2 February 2025 (six months later), and general-purpose AI model obligations followed on 2 August 2025 (twelve months later). Both dates already passed and remain in force.

    In November 2025, the Council and Parliament agreed a “Digital Omnibus” simplification package — analysed by law firms including DLA Piper, Gibson Dunn and White & Case — pushing back the two remaining high-risk deadlines. Stand-alone high-risk systems under Annex III (covering most education, employment and public-service AI) now face obligations from 2 December 2027 rather than August 2026, a sixteen-month reprieve. High-risk AI embedded in regulated products under Annex I moves to 2 August 2028.

    Two dates were not delayed: Article 50 transparency obligations — labelling AI-generated content and disclosing chatbot interactions — still apply from 2 August 2026, the same date the Commission gains full penalty-enforcement powers over general-purpose AI providers. Institutions assuming the whole Act slipped to 2027 risk missing this transparency deadline.

    What should a research institution do now?

    The Digital Omnibus buys time on high-risk classification work, not on everything. A defensible position by August 2026 requires:

    • Inventory every AI system touching students, staff, applicants, or research subjects, tagged against the Article 5 prohibited list and Annex III high-risk categories.
    • Confirm any generative AI or chatbot-facing tool meets the Article 50 transparency requirement before 2 August 2026, independent of the high-risk delay.
    • Assign a named owner — typically in research administration or data governance — to track phased deadlines rather than treat the Act as one compliance date.
    • Apply vendor due diligence to procured AI tools, since deployer obligations do not disappear because a third party built the system.

    Answer-first: common questions on AI Act penalties

    Is the AI Act a regulation?

    Yes. The Artificial Intelligence Act is Regulation (EU) 2024/1689, meaning it applies directly and uniformly across all EU member states without needing national transposing legislation. It entered into force on 1 August 2024, and its obligations phase in over a multi-year timeline extending to 2028.

    What is the EU AI Act in 2026?

    By mid-2026, the prohibited-practice and general-purpose AI rules are already fully enforceable, while most high-risk system obligations have been pushed to December 2027 and August 2028 under the November 2025 Digital Omnibus agreement. Article 50 transparency duties and full GPAI enforcement powers still take effect on 2 August 2026 as originally scheduled.

    Does the UK have to comply with the EU AI Act?

    The UK has no domestic equivalent to the AI Act, but the regulation’s extraterritorial scope reaches UK institutions whenever their AI system’s output is used by, or affects, people in the EU. A UK university running an EU-facing admissions or research-collaboration platform can fall within scope despite being outside the bloc.

    Does the UK have any AI regulation of its own?

    Not a single statute. The UK relies on a sector-by-sector, principles-based approach enforced by existing regulators (ICO, EHRC, Ofcom) rather than one AI Act. This is why UK institutions with EU-facing systems must track both the domestic guidance and the EU regulation’s extraterritorial reach separately.

    What this means for institutional risk management

    The headline €35 million figure will rarely apply to a university outright, but the reputational cost of a prohibited-practice finding is not confined to the fine itself. A finding against emotion-recognition exam software invites scrutiny of every other AI-enabled assessment tool on campus, and funders increasingly expect institutions to demonstrate AI governance maturity, mirroring assurance expectations already familiar from research administration compliance frameworks.

    Treating AI Act regulation as a procurement and governance discipline — inventory, classification, named ownership, phased deadline tracking — converts an open-ended legal risk into a manageable operational programme.

    Where this is heading

    The Digital Omnibus shows the EU will adjust timelines under pressure, but it has not softened the penalty structure, and it has added prohibited categories rather than removed any. Research institutions should expect further phased deadlines and continued extraterritorial reach, and should treat every delay as a planning window, not a reason to deprioritise compliance work.

  • AI Legislation Tracker: Free Tools Compared for Research Offices

    An AI legislation tracker is a curated, continuously updated resource that monitors the progress of artificial intelligence bills, statutes and regulations across jurisdictions. For research offices, three free options cover the ground a paid GRC subscription would otherwise charge for: the IAPP’s US State AI Governance Legislation Tracker for state-level bills, White & Case’s AI Watch for a global regulatory sweep, and the AI Act Explorer for line-by-line navigation of the EU AI Act. Used together, they give research administrators enough coverage to flag compliance and procurement risk without a dedicated legal-intelligence budget.

    An AI legislation tracker is a legal-intelligence tool — usually maintained by a law firm, professional association, or legislature — that indexes AI-related bills and regulations by jurisdiction, status and topic so non-specialists can monitor change without reading primary legislative text. For a research office, that means catching a new state disclosure requirement or an EU AI Act compliance deadline before it lands in an audit finding.

    Table of contents

    What is an AI legislation tracker, and why does a research office need one?

    Research offices sit at the intersection of three regulatory pressures: institutional AI-use policy, funder terms and conditions, and the AI laws of every jurisdiction in which their institution operates, procures software or receives funding. No single regulator publishes a consolidated feed of all three, which is why legal-intelligence trackers — built by law firms and associations to serve their own clients — have become the de facto public monitoring layer for everyone else.

    Three gaps make this monitoring hard for a research office specifically. First, state-level fragmentation in the US: MultiState.ai reported tracking 1,561 AI-related bills across 45 states in early 2026, and a bill’s status can change between a legislative session’s opening and a grant’s renewal date. Second, phased EU obligations: the AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 but applies in stages — prohibited-practice provisions since 2 February 2025, general-purpose AI model obligations since 2 August 2025, and the bulk of high-risk system obligations from 2 August 2026. Third, procurement-clause drift: institutional purchasing teams increasingly need to know whether a vendor’s AI tool falls under a “high-risk” classification before a contract is signed, not after.

    Comparing the free trackers: IAPP, White & Case AI Watch and the AI Act Explorer

    Each of the three core tools covers a different layer of the regulatory stack. None requires a paid subscription for the baseline tracker view, though firms use them as client-development tools, so update cadence and depth of legal commentary vary.

    Tool Publisher Geographic scope Best use for a research office Cost
    US State AI Governance Legislation Tracker IAPP US state legislatures Flagging new state disclosure/consumer-protection bills affecting AI-assisted research tools Free
    AI Watch: Global Regulatory Tracker White & Case US, EU, UK, China and other core markets Cross-jurisdiction horizon-scanning for institutions with international partners Free
    AI Act Explorer Future of Life Institute (artificialintelligenceact.eu) European Union Locating the exact article/annex governing a specific AI use case before procurement sign-off Free
    Artificial Intelligence Legislation Database National Conference of State Legislatures (NCSL) US state legislatures Official-source cross-check against law-firm trackers, filterable by policy topic Free
    OECD.AI Policy Navigator OECD 80+ countries and international bodies Global baseline for institutions with funders or partners outside the US/EU Free

    Two law-firm trackers rarely agree exactly on bill status, since each applies its own inclusion criteria — the IAPP chart, for example, deliberately excludes government-only AI bills to focus on rules affecting private-sector organisations. A research office should treat the NCSL database as the authoritative cross-check whenever a law-firm tracker and an internal compliance log disagree, since NCSL draws directly from legislative records rather than curated commentary.

    How to monitor AI law without a paid GRC subscription

    A practical monitoring routine needs three components: a jurisdiction list, a check cadence, and an escalation trigger. Map the institution’s actual footprint — states where staff or partner sites are located, countries with active funder relationships, and any EU-based collaborators — against the five tools above, rather than trying to watch all 45+ US states with active bills at once.

    • Set a monthly review of the IAPP tracker and NCSL database for the institution’s home state plus any state with a satellite campus or major subcontractor.
    • Set a quarterly review of White & Case AI Watch for jurisdictions tied to international grant or publishing partners.
    • Check the AI Act Explorer whenever procuring or renewing an AI-enabled research tool from an EU-based or EU-selling vendor, since Article 53 transparency obligations for general-purpose AI providers already apply.
    • Escalate to institutional counsel the moment a tracked bill moves from “introduced” to “enacted” in a jurisdiction on the footprint list — status changes, not initial filings, are the actionable signal.

    This cadence substitutes staff time for the subscription cost of a commercial GRC platform. It will not catch everything a paid legal-intelligence service would, but it closes the gap between “no monitoring” and “monitoring proportionate to institutional risk,” which is the realistic target for most research offices.

    Which AI rules actually affect grant compliance and procurement

    Not every tracked bill is relevant to a research office. The ones that matter cluster into two categories: funder-facing disclosure requirements and vendor/procurement obligations. On the funder side, publishers already require disclosure of generative-AI use in manuscript preparation under guidance from bodies such as ICMJE and COPE — a policy layer that sits alongside, not inside, the legislative trackers above, and one research offices should monitor through authorship policy channels rather than a legislation tracker.

    On the procurement side, the EU AI Act’s general-purpose AI model obligations — applicable since 2 August 2025 — require providers to maintain technical documentation and, for systemic-risk models, conduct model evaluations; institutions procuring AI research tools from in-scope vendors should expect updated contract terms reflecting this. Separately, under Article 57 of Regulation (EU) 2024/1689, each EU member state must establish at least one national AI regulatory sandbox operational by 2 August 2026 — a detail the AI Act Explorer surfaces clearly but general news coverage rarely mentions, and one that matters to institutions running EU-based pilot deployments of AI research tools.

    In the US, state consumer-protection style AI bills increasingly impose obligations on “deployers” as well as developers — meaning an institution using a third-party AI tool, not just the vendor that built it, can carry compliance obligations. This is the single most consequential fact a research office should extract from the state trackers: deployer obligations mean procurement due diligence, not just vendor selection, is now a compliance function.

    Common questions research administrators ask

    Are there any regulations on AI?

    Yes. There is no comprehensive federal AI statute in the United States, but individual US states have enacted targeted laws, the European Union’s AI Act (Regulation (EU) 2024/1689) is in force with phased obligations through 2027, and dozens of other jurisdictions maintain sector-specific or principles-based AI policy frameworks tracked by the OECD.

    Does Europe have AI regulations?

    Yes. The EU AI Act is the first comprehensive AI-specific legal framework, entering into force on 1 August 2024. Prohibited-practice rules applied from February 2025, general-purpose AI model obligations from August 2025, and most high-risk system requirements apply from August 2026 onward.

    Where are the AI regulations?

    AI rules are distributed across national statutes, EU regulation, and US state legislatures rather than one source — which is precisely why trackers such as IAPP’s state chart, White & Case’s AI Watch, and the AI Act Explorer exist: each consolidates one layer of a fragmented, multi-jurisdiction landscape into a single reference point.

    The regulatory landscape a research office must monitor will keep expanding rather than consolidating: more US states are expected to move bills from “introduced” to “enacted” through 2026 and 2027, and the EU AI Act’s remaining compliance deadlines run to August 2027. A footprint-mapped, tiered-cadence monitoring routine built on these five free trackers is a realistic, sustainable substitute for a paid GRC subscription — provided it is reviewed and re-scoped as the institution’s own AI use, partnerships and procurement expand.

  • AI Research, Innovation, and Accountability Act: What Research Offices Need to Know

    The AI Research, Innovation, and Accountability Act (AIRIA, S.3312) was a bipartisan US Senate bill that would have created federal risk tiers, transparency reporting, and certification duties for high-impact AI systems. It cleared the Senate Commerce Committee in July 2024 but died when the 118th Congress adjourned in January 2025. Its framework has not disappeared, however: near-identical risk-tier and disclosure ideas now surface in state AI statutes, in federal agency guidance, and in follow-on bills before the 119th Congress — several of which already touch how NIH and NSF handle AI in grant review.

    AIRIA is a defined legislative proposal, not a law currently in force: it is the bill that proposed classifying AI systems as “high-impact” or “critical-impact” and tasking the National Institute of Standards and Technology (NIST) with testing, evaluation, validation, and verification standards for the highest-risk category.

    What is the AI Research, Innovation, and Accountability Act?

    The AI Research, Innovation, and Accountability Act is a US Senate bill introduced on 15 November 2023 by Senators John Thune (R-SD), Amy Klobuchar (D-MN), Roger Wicker (R-MS), John Hickenlooper (D-CO), Shelley Moore Capito (R-WV), and Ben Ray Luján (D-NM). It proposed a risk-based federal framework rather than blanket rules for all AI.

    Core provisions included:

    • A two-tier risk classification for “high-impact” and “critical-impact” AI systems used in consequential decisions.
    • Mandatory transparency reports and risk assessments from developers and deployers of the highest-risk systems.
    • A NIST-led programme to develop testing, evaluation, validation, and verification (TEVV) standards.
    • A certification and enforcement structure housed at the Department of Commerce.
    • A consumer-education and industry working-group mandate to support voluntary compliance ahead of formal rules.

    Unlike the EU’s comprehensive AI Act, AIRIA targeted only the highest-risk use cases and left most research and low-risk commercial AI activity outside its scope.

    What happened to AIRIA in Congress?

    AIRIA advanced further than most AI bills of its era but still did not become law. The Senate Committee on Commerce, Science, and Transportation ordered it reported on 31 July 2024, and the Congressional Budget Office published a cost estimate on 6 December 2024. Under standard congressional procedure, any bill not enacted before a Congress ends is considered dead; AIRIA lapsed with the close of the 118th Congress on 3 January 2025 and was not carried forward automatically.

    That is not the end of the story. Several bills before the 119th Congress (2025–2026) reuse AIRIA’s building blocks — including the AI Accountability Act (H.R.1694), which directs a federal study of AI accountability measures, and the Future of Artificial Intelligence Innovation Act of 2026 (S.3952), which revives the NIST standards-and-evaluation mandate AIRIA proposed. None of these has replicated AIRIA in full, but the pattern is consistent: risk tiers, NIST-run testing standards, and disclosure duties keep reappearing in federal drafting, which is why the original bill remains a useful reference text even though it never passed.

    How does AIRIA interact with NIH and NSF grant compliance?

    AIRIA itself never reached the funding agencies, but the compliance gap it targeted — undisclosed or unaccountable AI use in high-stakes review processes — is already being filled through agency policy rather than statute. Research offices do not need AIRIA to pass to feel its logic in practice.

    • NIH issued NOT-OD-23-149, prohibiting NIH scientific peer reviewers from uploading grant application or critique content into generative AI tools, to protect peer-review confidentiality and integrity.
    • NSF issued a parallel notice on 14 December 2023 barring reviewers from entering proposal or review information into non-approved generative AI tools, with corresponding updates folded into the Proposal & Award Policies and Procedures Guide (PAPPG).
    • OMB Memorandum M-24-10, issued 28 March 2024, requires every CFO Act agency — including the parent departments of NIH and NSF — to designate a Chief AI Officer, convene an AI governance board, inventory AI use cases annually, and publish compliance plans.

    Research administrators should read AIRIA less as a future obligation and more as the missing statutory layer above rules that funders have already implemented administratively. If AIRIA-style provisions are eventually enacted, they would most plausibly formalise — not replace — the NIH and NSF confidentiality prohibitions and the OMB governance-board model that are already operating today.

    How does AIRIA compare with state AI laws and the EU AI Act?

    Research institutions rarely operate under one AI framework. Multi-state university systems, international co-investigators, and federally funded projects with EU partners are simultaneously exposed to federal inaction, an unsettled state landscape, and a phased EU regime.

    Framework Jurisdiction Status as of July 2026 Relevance to research offices
    AIRIA (S.3312) US federal (Senate) Died with the 118th Congress, 3 Jan 2025; ideas recur in newer bills Reference model for future federal risk-tier and disclosure rules
    OMB M-24-10 US federal (executive) In effect since 28 Mar 2024 Directly governs how NIH, NSF, and other agencies use AI internally
    NIH / NSF AI notices US federal agency policy In effect since Jun–Dec 2023 Bars generative AI use in peer review of grant applications
    Colorado AI Act (SB 24-205) US state Repealed by SB 26-189 (14 May 2026); never took effect Cautionary example — comprehensive state AI law can collapse before compliance deadlines
    Texas TRAIGA US state In effect 1 Jan 2026 Intent-based liability model; applies to any AI system touching Texas residents
    EU AI Act European Union Phased in Aug 2024–Aug 2026 Relevant to Horizon Europe co-investigators and EU-based research partners

    The Colorado reversal is the clearest recent signal: SB 24-205 was the first comprehensive US state AI law, but Colorado Governor Jared Polis signed its full replacement, SB 26-189, on 14 May 2026 — meaning the original statute never actually took effect. State AI law is moving fast and is not stable enough to treat any single statute as a durable compliance target.

    Common questions research administrators ask

    What is the AI Research, Innovation, and Accountability Act?

    It is a 2023 US Senate bill (S.3312) that proposed risk-tiered federal oversight of “high-impact” and “critical-impact” AI systems, including NIST-led testing standards and mandatory transparency reporting. It advanced through Senate Commerce Committee review in 2024 but was never enacted.

    What is the AI legislation situation in 2026?

    No single comprehensive federal AI statute exists in the United States as of mid-2026. Oversight instead comes from a patchwork of agency guidance (OMB M-24-10, NIH and NSF notices), a shifting set of state statutes (Texas TRAIGA in effect, Colorado’s law repealed and replaced), and several competing federal bills still in committee.

    What are the seven principles referenced in AI regulatory frameworks?

    Frameworks such as the EU AI Act commonly cite human agency and oversight, technical robustness and safety, privacy and data governance, transparency, non-discrimination and fairness, societal and environmental wellbeing, and accountability. AIRIA did not adopt this exact list but pursued the same accountability and transparency goals through US-specific risk tiers.

    Why research offices should track this now

    Waiting for a federal AI bill to pass before building internal AI-use policy is the wrong sequencing. NIH and NSF already enforce confidentiality rules on generative AI in peer review, OMB already requires agency AI governance boards, and state rules are changing faster than any single institution can absorb reactively — Colorado’s reversal took less than two years from enactment to repeal.

    Research offices should treat AIRIA as a design template, not a deadline. Institutions that map their existing AI-use disclosure practices against AIRIA’s risk-tier and TEVV concepts now will be positioned to adapt quickly if a successor bill — whether H.R.1694, S.3952, or a future proposal — advances further than AIRIA did. The direction of travel across federal agency guidance, state law, and the EU AI Act is consistent even where the US federal statute itself has stalled: more disclosure, more documented risk assessment, and more named institutional accountability for AI used in decisions that affect people’s funding, careers, and research records.

    For related compliance context, see CASRAI’s research administration resources and the CASRAI Dictionary for definitions of adjacent governance and compliance terms.

  • State AI Laws Create a Patchwork for Consortia

    State AI laws are the individual statutes and regulations that US states — rather than the US Congress — have enacted to govern the development, deployment and disclosure of artificial intelligence, and by mid-2026 more than 45 states have introduced such legislation with no unifying federal framework in place. For research consortia and shared-service research offices that span multiple states, this means the same AI-assisted grant-writing tool, chatbot, or automated screening system can be lawful in one member campus’s state and restricted or unlawful in another’s.

    A state AI law is a statute enacted by an individual US state legislature — as distinct from federal legislation — that regulates how artificial intelligence systems are developed, deployed, disclosed, or audited within that state’s jurisdiction.

    What Are State AI Laws, and How Many States Have Passed Them?

    State AI laws cover a wide range of obligations: algorithmic-discrimination audits, generative-AI content disclosure, “high-risk” system impact assessments, and rules on AI use in employment and consumer decisions. According to the National Conference of State Legislatures (NCSL), in the 2025 legislative session all 50 states, Puerto Rico, the Virgin Islands, and Washington, DC introduced AI-related legislation — a volume that state legislative trackers report continued to accelerate into 2026, with well over a thousand AI-related bills introduced nationwide.

    No two states have adopted the same definitions, thresholds, or enforcement mechanisms. A tool classified as “high-risk automated decision-making” in one state’s statute may fall entirely outside another state’s scope, or be captured under a different label altogether.

    How Do California, Colorado, and Texas AI Laws Compare?

    Three states illustrate how far the approaches diverge. California took effect on 1 January 2026 with two distinct statutes: the Transparency in Frontier AI Act (SB 53), which imposes safety and transparency reporting duties on developers of large-scale frontier models, and the AI Transparency Act (SB 942), which requires disclosure when content is AI-generated. Colorado enacted the first comprehensive state AI statute, the Colorado AI Act (SB 24-205), which took effect in June 2026 and requires developers and deployers of high-risk AI systems to complete impact assessments and provide consumer disclosures; a subsequent amendment, SB 26-189, narrowed that scope to automated decision-making technology, with a revised effective date of 1 January 2027. Texas, by contrast, passed the Texas Responsible AI Governance Act (TRAIGA), which favours an industry self-governance framework over Colorado’s impact-assessment model.

    Jurisdiction Key statute Core mechanism Effective date
    California SB 53 (Transparency in Frontier AI Act); SB 942 (AI Transparency Act) Frontier-model safety reporting; AI-generated content disclosure 1 January 2026
    Colorado Colorado AI Act (SB 24-205), amended by SB 26-189 Impact assessments for automated decision-making technology 1 January 2027 (as amended)
    Texas Texas Responsible AI Governance Act (TRAIGA) Industry self-governance framework Enacted 2025
    Federal Executive Order, “Ensuring a National Policy Framework for Artificial Intelligence” Directs agencies to identify and challenge state AI laws seen as burdensome 11 December 2025 (signed)

    Is the Federal Government Trying to Preempt State AI Laws?

    Yes — but not yet through legislation that has passed Congress. On 11 December 2025, the White House signed an executive order, “Ensuring a National Policy Framework for Artificial Intelligence,” directing federal agencies to identify state AI laws that require models to alter their truthful outputs or that otherwise obstruct a national AI policy. The order instructs agencies to evaluate funding and litigation levers against such state statutes, but an executive order cannot itself repeal state law: only Congress or the courts can do that, and no comprehensive federal AI statute analogous to the EU AI Act has been enacted.

    Until preemption legislation clears Congress — proposals exist but none has passed as of mid-2026 — state AI laws remain, in the words of one large law firm’s 2026 tracker, “the primary source of compliance obligations” for organisations operating in the United States.

    Why Is the Patchwork a Problem for Multi-Campus Research Consortia?

    Multi-state research consortia, shared-service research offices, and multi-site funded studies do not choose a single home jurisdiction the way a single-campus institution does. A consortium spanning California, Colorado, Texas, and a fourth state must reconcile at least three incompatible disclosure and assessment regimes simultaneously — and update that reconciliation as amendments such as Colorado’s SB 26-189 shift scope and effective dates mid-cycle.

    This creates specific friction points for research administration:

    • AI-assisted grant writing and proposal development may trigger content-disclosure duties in California but not in a partner state, complicating a single consortium-wide authorship and disclosure policy.
    • Automated screening or scoring tools used in participant recruitment, peer review triage, or research-integrity checks can qualify as “high-risk automated decision-making” in Colorado while sitting outside any equivalent category in Texas.
    • Shared IT and data infrastructure hosted in one state does not exempt a consortium from a partner campus’s home-state obligations when researchers in that state are end users of the system.
    • Vendor contracts for AI writing, transcription, or analysis tools need jurisdiction-by-jurisdiction compliance riders rather than a single boilerplate clause.

    Research offices increasingly need to disclose AI involvement in scholarly outputs regardless of state law, aligning with journal and funder expectations. Where AI tools contribute to drafting, structured contributor role taxonomies used in authorship disclosure — the model CASRAI originated in 2014 and which NISO now stewards as ANSI/NISO Z39.104-2022 — offer one consistent way to record human-versus-tool contribution that sits independently of any single state’s transparency statute.

    Answer-First Q&A

    How many US states have introduced AI legislation in 2026?

    By the 2025 legislative session, all 50 states, Puerto Rico, the Virgin Islands, and Washington, DC had introduced AI-related legislation, according to the National Conference of State Legislatures. State legislative trackers report the volume of AI-related bills continued to climb through early 2026, spanning dozens of states with no sign of consolidation.

    Does the federal executive order override state AI laws?

    No. The December 2025 executive order directs federal agencies to identify and challenge state AI laws it views as obstructive, but an executive order cannot repeal state statute. Only an act of Congress or a binding court ruling can preempt state AI law, and no such federal AI statute has been enacted as of mid-2026.

    What is the Colorado AI Act’s current status?

    The original Colorado AI Act (SB 24-205) required impact assessments for high-risk AI systems. It was subsequently narrowed by SB 26-189 to focus specifically on automated decision-making technology, with a revised effective date of 1 January 2027, replacing the earlier June 2026 start date.

    What should a multi-state research consortium put in its AI-use policy?

    A consortium policy should map every member campus’s home-state AI statute, flag tools that trigger disclosure or impact-assessment duties in any one jurisdiction, and apply the strictest applicable standard consortium-wide rather than negotiating exceptions state by state.

    Implications for Shared-Service Research Offices

    Shared-service research offices — the units that run grants administration, research integrity, and compliance for several campuses at once — cannot rely on a single state’s AI statute as their reference point. The practical implication is that AI-use policy for a multi-campus consortium must be built to the strictest state standard among its members, then adjusted downward only where a specific campus’s home-state law is demonstrably more permissive and the consortium is willing to operate two policy tiers. Bodies such as NCURA and EARMA increasingly field member questions on exactly this cross-jurisdictional friction, reflecting how quickly the patchwork has become an operational, not just a legal, concern.

    Consortium agreements and vendor contracts should each name which state-law regime governs AI tool use for that workflow, rather than assuming the lead institution’s state law applies uniformly to every partner.

    Outlook

    Absent a federal AI statute, the state-by-state pattern set by California, Colorado, and Texas is likely to keep expanding rather than converging in the near term. Consortia that govern to the strictest applicable state standard, and document AI contribution through structured, framework-neutral disclosure practices, will adapt faster as more states legislate and as amendments such as SB 26-189 continue to shift effective dates and scope. Treat this as a standing monitoring task, not a one-time policy update — state statutes are already being amended within their first year in force.

  • AI Act Annex III Education Systems Explained

    Annex III of the EU AI Act (Regulation (EU) 2024/1689) classifies four specific education uses as high-risk: admissions and access decisions, evaluation of learning outcomes, assessment of the appropriate level of education for an individual, and monitoring students for prohibited behaviour during tests. That fourth category covers most commercial exam-proctoring software. Because these systems influence a person’s access to education, providers and institutions face conformity-assessment, documentation and human-oversight duties — and, as of mid-2026, a revised compliance timeline that most procurement guidance has not yet caught up with.

    Annex III is the section of the AI Act that lists the stand-alone use cases treated as high-risk regardless of sector, and education is one of eight listed domains. Under Article 6(2), any system matching an Annex III description is high-risk unless it falls within a narrow set of Article 6(3) exemptions for purely preparatory or narrow procedural tasks.

    What Annex III Actually Classifies as High-Risk in Education

    Annex III, point 3, lists four education and vocational-training use cases. Each is high-risk in its own right, not as a bundled “education AI” category:

    Annex III, point 3 What it covers Typical real-world system
    3(a) Access and admission Determining access, admission, or assignment of people to educational and vocational institutions at any level Admissions-ranking algorithms; automated place-allocation tools
    3(b) Evaluating learning outcomes Assessing outcomes, including where results steer a person’s subsequent learning path Automated essay and short-answer scoring; adaptive-learning placement engines
    3(c) Assessing appropriate education level Determining the level of education a person will receive or can access Streaming and tracking tools; aptitude-based course-eligibility systems
    3(d) Monitoring prohibited behaviour Detecting prohibited conduct by students during tests Remote exam-proctoring software with anomaly or gaze detection

    This structure matters for procurement: a vendor’s product might satisfy only one limb (proctoring under 3(d)) while a different module of the same platform — an automated grading feature, say — separately triggers 3(b). Each function needs its own classification check rather than a single institution-wide judgement.

    Why Proctoring and Admissions AI Meet the High-Risk Threshold

    The AI Act treats education systems as high-risk because their outputs shape a person’s access to opportunity, not because the underlying technology is novel. Recital 56 explains that AI in education can determine “the educational and professional course of a person’s life” and, where biased or opaque, can perpetuate discrimination on grounds such as disability, ethnic origin or sexual orientation.

    Two features push a system firmly into the high-risk tier. First, if the tool performs profiling of natural persons — building a behavioural or performance profile used in a decision — Article 6(3) removes the narrow-task exemptions entirely, so the system is automatically high-risk. Most commercial proctoring tools that flag “suspicious behaviour” patterns over time perform exactly this kind of profiling. Second, where a system’s error directly changes an admission, grading or progression outcome, it cannot credibly claim the “preparatory task only” or “improves a human decision” carve-outs in Article 6(3), because the human reviewer rarely has the practical capacity to re-examine every flagged case in full.

    Conformity-Assessment Duties That Follow

    Classification as high-risk is the trigger, not the end point. Providers placing an Annex III education system on the market must run it through conformity assessment under Article 43 before deployment, and both providers and deploying institutions then carry ongoing obligations:

    • Establish and maintain a risk-management system across the tool’s lifecycle
    • Use training, validation and test data that is relevant, representative and checked for bias
    • Produce technical documentation demonstrating compliance, and enable automatic logging for traceability
    • Complete a declaration of conformity, affix the CE marking, and register the system in the EU high-risk AI database under Article 49
    • Deployers must run a fundamental rights impact assessment before first use, keep human oversight with real override authority, and tell students and applicants that a high-risk system is involved

    None of these duties can be delegated to the software vendor by contract alone. An institution that deploys a high-risk admissions tool is a deployer under the Act and carries deployer-specific obligations even where the vendor, as provider, has already completed its own conformity assessment.

    The compliance timeline itself has shifted since most existing guidance was written. Article 113 originally set 2 August 2026 as the date the Annex III obligations became applicable. On 7 May 2026, the European Parliament and the Council reached a provisional political agreement on the Digital Omnibus on AI, replacing that date with fixed extensions: 2 December 2027 for stand-alone Annex III systems (including education), and 2 August 2028 for Annex I product-embedded systems. Separately, the marking obligations under Article 50(2) now fall due on 2 December 2026. Until the agreed text is formally adopted and published in the Official Journal, the original 2 August 2026 date remains the legally binding one — institutions should treat the extension as highly likely, not yet certain.

    Obligation Original deadline Revised deadline (Digital Omnibus, agreed 7 May 2026)
    Annex III stand-alone high-risk systems (education, employment, essential services) 2 August 2026 2 December 2027
    Annex I product-embedded high-risk systems 2 August 2027 2 August 2028
    Article 50(2) transparency/marking obligations 2 August 2026 2 December 2026

    What This Means for Procurement of Proctoring and Admissions AI

    For institutions and publishers buying exam-proctoring, admissions-ranking or automated-scoring tools, the practical question is no longer “is this AI regulated eventually” but “which Annex III limb applies, and can the vendor prove it.” A procurement checklist built around Annex III should require vendors to confirm, in writing, before contract renewal:

    • Whether each distinct feature of the product (scoring, proctoring, ranking) falls under Annex III, point 3(a)-(d), and if so, which limb
    • Evidence of a completed or in-progress conformity assessment and EU database registration, or a documented Article 6(3) exemption assessment
    • What training data was used, and what bias-testing was performed against protected characteristics
    • What logging and traceability the institution will have access to for its own record-keeping duties as deployer
    • Whether the tool performs any form of profiling, since this removes access to the narrow-task exemptions

    Institutions with any EU touchpoint — joint degrees, EU-based applicants, satellite campuses — should apply the same checklist even where their primary jurisdiction sits outside the EU, because the Act’s extraterritorial scope catches systems whose output is used within the EU.

    Common Questions on Annex III Education Systems

    What Is Considered a High-Risk AI System Under the AI Act?

    An AI system is high-risk if it is a safety component of a product covered by Annex I legislation, or if its use case appears in Annex III — covering biometrics, education, employment, essential services, law enforcement, migration and justice — unless it genuinely poses no significant risk under the narrow Article 6(3) exemptions.

    Which Education Apps Are High-Risk Under the AI Act?

    Annex III, point 3 names four categories: admissions and access tools, learning-outcome evaluation systems, tools assessing a person’s appropriate education level, and software monitoring students for prohibited behaviour in tests. Automated essay scoring and exam proctoring fall squarely within these limbs.

    Can an Exam Proctor Be AI?

    Yes — many institutions already use AI-based remote proctoring that analyses movement, gaze and audio to flag suspected cheating. Under the AI Act, this function sits within Annex III, point 3(d), making the software high-risk and subject to conformity-assessment and human-oversight duties, not a substitute human decision-maker.

    Are Any Education AI Practices Banned Outright, Not Just High-Risk?

    Yes. Since 2 February 2025, Article 5 has banned emotion-recognition systems in educational settings outright, with no research or institutional exemption, except narrow medical or safety uses. This sits above the high-risk tier — a banned practice cannot be brought into compliance through conformity assessment.

    The classification logic behind Annex III will not soften even as its application date moves. Institutions and publishers procuring proctoring, admissions or scoring AI gain a longer runway to 2 December 2027, but the underlying duties — bias-tested data, documented conformity assessment, human override authority, and registration in the EU database — remain the fixed reference point for any system that touches a student’s access to education.

  • Council of Europe AI Treaty: A Second Track

    The Council of Europe AI treaty — formally the Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law — is the first legally binding international treaty on artificial intelligence. Opened for signature on 5 September 2024 and designated CETS No. 225, it runs alongside, not inside, the EU AI Act, and it applies across the Council of Europe’s 46 member states plus a growing list of non-European signatories, including the United States.

    The Framework Convention is a treaty under public international law, not an EU regulation: it creates binding obligations for the states that ratify it, each of which must transpose those obligations into domestic law. That structure makes it a second, parallel governance track for any research institution operating in a Council of Europe member state that sits outside the European Union — the United Kingdom, Switzerland, Norway, Ukraine, Türkiye, and more than a dozen others.

    What is the Council of Europe AI treaty?

    The Framework Convention was negotiated by the Council of Europe’s Committee on Artificial Intelligence (CAI), successor to the ad hoc committee (CAHAI) that began scoping work in 2019. It was drafted by the Council of Europe’s 46 member states with observer states Canada, Japan, Mexico, the Holy See and the United States, plus the European Union and non-member states including Australia, Argentina, Costa Rica, Israel, Peru and Uruguay.

    According to the Council of Europe, 68 representatives from civil society, academia and industry contributed to the drafting. The treaty sets out principles AI systems must respect: human dignity, equality and non-discrimination, privacy and data protection, transparency and oversight, accountability, safe innovation, and remedies for people affected by AI-driven decisions.

    • Deliberately technology-neutral, so the text does not require revision each time a new AI architecture emerges.
    • Applies to AI systems used by public authorities (including private actors acting on their behalf) and by private-sector actors.
    • Excludes national defence matters and most research and development activity, with one important exception (see below).
    • Monitored by a Conference of the Parties, which reviews implementation and facilitates stakeholder hearings.

    Who has signed and ratified it?

    The treaty opened for signature on 5 September 2024. Early signatories included the European Union, the United Kingdom and the United States, alongside several Council of Europe member states. Since then, further states — including Bosnia and Herzegovina, North Macedonia, the Republic of Moldova and San Marino — have signed or moved toward ratification, per the Council of Europe’s treaty tracking page.

    A pivotal step came on 15 May 2026, when the European Union formally ratified the Framework Convention, according to the Council of Europe’s Artificial Intelligence Portal. Ratification does not fold the treaty into EU law; the two instruments remain distinct tracks the Union has committed to enforcing in a complementary way.

    Because the Council of Europe has 46 member states — nearly double the EU’s 27 — a large bloc of countries with binding obligations under this treaty will never be covered by the EU AI Act at all: the UK, Switzerland, Norway, Iceland, Ukraine, Türkiye, Armenia, Georgia, Azerbaijan and the Western Balkan states listed above.

    How does it differ from the EU AI Act?

    The EU AI Act (Regulation (EU) 2024/1689) is directly applicable law inside the EU and EEA, built on a tiered risk-classification system with technical and conformity obligations. The Framework Convention is a different instrument: a human-rights treaty setting baseline principles for ratifying states to implement through domestic legislation, not a self-executing regulatory code.

    Dimension Council of Europe AI treaty EU AI Act
    Legal form International treaty (CETS No. 225) Directly applicable EU regulation
    Territorial reach 46 Council of Europe member states + non-European signatories (US, others) 27 EU member states + EEA
    Approach Principles-based human-rights baseline Risk-tiered technical compliance regime
    Enforcement Domestic implementing law per ratifying state; Conference of the Parties oversight National market-surveillance authorities + EU AI Office
    R&D treatment Excluded, except where testing may interfere with rights/democracy/rule of law Research exemption with narrower conditions

    Legal trackers such as White & Case’s AI Watch note the Framework Convention requires each signatory to ensure remedies are available to those affected by AI systems — an obligation that exists independently of whatever risk category the EU AI Act would assign to the same system.

    Does it apply to research and development?

    This is the detail research institutions most often miss. The Framework Convention does not apply to research and development activities — except when testing of an AI system may interfere with human rights, democracy or the rule of law. The carve-out is narrower than it looks: once a prototype moves from the lab into testing that touches real people’s data or opportunities, the exception can lapse and obligations on transparency, accountability and remedy attach.

    For universities, research funders and multinational consortia, this means AI-enabled research tools — automated peer-review triage, algorithmic grant scoring, participant-recruitment models, predictive analytics on patient or student data — are not automatically outside scope simply because they originate in a research setting. Institutions in non-EU Council of Europe states cannot assume “the EU AI Act doesn’t apply to us” settles the matter; the Framework Convention raises a parallel, sometimes broader, compliance question the moment R&D testing touches real-world rights.

    Frequently asked questions

    What is the Council of Europe AI treaty?

    The Council of Europe AI treaty is the Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law, opened for signature on 5 September 2024. It is the first legally binding international treaty requiring signatory states to govern the full lifecycle of AI systems in line with human rights, democratic values and the rule of law.

    Which countries have signed the Council of Europe AI treaty?

    Early signatories included the European Union, United Kingdom and United States, joined since by further Council of Europe member states including Bosnia and Herzegovina, North Macedonia, the Republic of Moldova and San Marino. The EU formally ratified the treaty on 15 May 2026, per the Council of Europe’s official portal.

    Is the Council of Europe AI treaty the same as the EU AI Act?

    No. The EU AI Act is a directly applicable EU regulation limited to the EU/EEA. The Council of Europe treaty is a separate international human-rights instrument spanning 46 member states plus non-European signatories, enforced through each state’s own domestic implementing legislation.

    Does the treaty regulate university and funder AI tools?

    Generally research and development is excluded, but the exclusion lifts once AI testing could affect real people’s rights — for example, algorithmic grant scoring or predictive analytics on participant data. Institutions should not assume research-labelled AI tools sit permanently outside the treaty’s reach.

    Implications and outlook for research institutions

    Research institutions in a Council of Europe member state outside the EU should treat the Framework Convention as an independent compliance track, not a footnote to EU AI Act guidance. Practical steps:

    • Map which AI systems used in research administration, grant assessment or participant-facing services could trigger the treaty’s rights-impact exception once national implementing legislation is adopted.
    • Track ratification status in each jurisdiction where the institution operates, since obligations activate state-by-state, not on a single EU-wide date.
    • Build transparency and remedy mechanisms — notice of AI use, a route to challenge automated decisions — into research-facing AI tools regardless of which regime formally applies yet.

    Globally, the treaty is one entry in a widening, uneven map of AI regulations around the world: the EU’s harmonised regulatory code, the Council of Europe’s rights-based treaty spanning EU and non-EU states, a fragmented patchwork of US state AI laws in the absence of comprehensive federal legislation, and sector-specific rules elsewhere. Institutions tracking several of these regimes at once increasingly need an AI legislation tracker that separates treaty-level from regulation-level instruments, rather than one undifferentiated “AI law” category.

    The Framework Convention will not be the last binding international AI instrument. Its Conference of the Parties is designed to accumulate practice and guidance over time, as other Council of Europe human-rights treaties have. Research institutions that build AI governance around rights-based principles now — not only EU AI Act risk tiers — will be better placed as more states ratify and more domestic implementing laws take effect. CASRAI’s research administration resources track how such cross-border compliance obligations intersect with day-to-day research operations.

  • China AI Regulation for Research Collaboration

    China’s AI regulation centres on the Interim Measures for the Management of Generative Artificial Intelligence Services (effective 15 August 2023), which require AI-service providers to disclose AI use and forbid listing generative AI as a co-author. For Western universities collaborating with Chinese institutions, the rules affect authorship credit, cross-border data transfer, and how AI tools may be used in co-supervised research.

    China’s Interim Measures for the Management of Generative Artificial Intelligence Services is the country’s first binding, AI-specific regulation, jointly issued by the Cyberspace Administration of China (CAC) and six other ministries. It sits alongside the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (PIPL) as the legal backbone for how AI-enabled research involving Chinese partners must be conducted.

    This matters for research administrators well beyond China’s borders. Joint-authorship agreements, data-sharing memoranda and co-supervision arrangements with Chinese universities now have to reconcile Chinese disclosure and labelling duties with the authorship norms already in force under COPE, ICMJE and journal policy in the EU, UK and US.

    What China’s Interim Measures for Generative AI actually require

    The Interim Measures require providers of public-facing generative AI services to register with the CAC, prevent outputs that undermine state security or social stability, and take measures against algorithmic bias. Internal research and development that is not offered as a public-facing service is treated more lightly, but outputs intended for publication or public dissemination fall squarely within scope.

    Two further instruments extend the regime. The Measures for Labeling AI-Generated and Synthesized Content, paired with the national standard GB 45438-2025, took effect in September 2025 and require visible or embedded labels on AI-generated text, images and audio distributed in China. The Ministry of Science and Technology’s guidelines on responsible research conduct, issued in December 2023, apply specifically to academic work: they prohibit using generative AI to draft funding applications and require researchers to disclose any generative AI use in their methodology.

    China has not enacted a single, comprehensive AI statute. A draft Artificial Intelligence Law has appeared on the National People’s Congress Standing Committee’s legislative agenda since 2023, but no official draft had been released as of December 2025, and the enactment timeline remains unclear.

    How China’s framework compares with the EU, UK and US

    None of the four major jurisdictions regulates AI in research collaboration through a single dedicated instrument. Each layers AI-specific rules on top of existing data-protection, cybersecurity and research-integrity frameworks, but the point at which those rules bind differs sharply.

    Jurisdiction Core AI instrument Status (as of mid-2026) Authorship / disclosure rule for research
    China Interim Measures for Generative AI Services (2023) plus labelling rules (2025) In force; comprehensive AI Law still in draft Ministry of Science and Technology guidelines bar listing AI as a co-author; AI use must be disclosed
    European Union AI Act, Regulation (EU) 2024/1689 General-purpose AI obligations apply from August 2025; most other obligations from August 2026 No AI-authorship bar in the Act itself; publishers apply COPE and ICMJE norms
    United Kingdom No dedicated AI statute; pro-innovation, regulator-led approach Existing regulators (ICO and sector bodies) apply cross-cutting principles COPE- and ICMJE-aligned: AI cannot be listed as author; disclosure expected in methods sections
    United States No comprehensive federal law; state statutes (e.g. the Colorado AI Act) and the voluntary NIST AI Risk Management Framework Patchwork of state laws; federal approach still executive-order-driven NIH bars AI from being listed as an author or used by peer reviewers to evaluate applications; journals follow ICMJE/COPE

    The practical convergence is striking: China, the EU, the UK and the US all reach the same conclusion on authorship — a generative AI system cannot satisfy the accountability that authorship implies — even though none of them arrives there through identical legislation.

    What this means for joint authorship and contributor disclosure

    China’s Ministry of Science and Technology guidelines and the international consensus reflected in ICMJE recommendations and COPE position statements agree on one point: generative AI tools cannot be listed as authors or contributors, because they cannot take responsibility for the accuracy and integrity of the work. This aligns with the accountability criterion embedded in the CRediT contributor role taxonomy, which CASRAI originated in 2014 and which is now stewarded by NISO as ANSI/NISO Z39.104-2022.

    For joint publications with Chinese co-authors, this means AI-assistance disclosure statements now need to satisfy two regimes at once: China’s requirement to label AI-generated content and disclose AI use in the methodology, and the contributor-role documentation expected by journals following CRediT or ICMJE authorship criteria. A single disclosure paragraph, drafted to meet the stricter of the two standards, is usually sufficient — but it should name the specific generative AI tool, its role, and confirm that no tool is credited as an author or contributor.

    • Confirm which named human contributors meet Chinese and Western authorship criteria before drafting the manuscript.
    • Record AI-tool use (what, where, why) in a disclosure statement that satisfies both the Chinese labelling requirement and journal policy.
    • Never list a generative AI system as an author, co-author or contributor under any of the four frameworks compared above.

    Data-sharing and cross-border transfer requirements

    Research data moving out of China is governed by the Data Security Law and the Personal Information Protection Law, not by the Interim Measures themselves. Transfers of “important data” or bulk personal information generally require a CAC security assessment, a process legal trackers monitoring Chinese compliance report can take several months to clear. Projects that involve Chinese human genetic resources — common in biomedical and health-informatics collaborations — additionally require prior approval from the Ministry of Science and Technology before data can be shared internationally.

    Co-supervised doctoral projects that route data through a public-facing generative AI service add a further layer: the service falls within the Interim Measures’ registration and labelling scope, even where the underlying collaboration is privately arranged between two universities.

    Common questions on China’s AI regulation and research collaboration

    Does China have a comprehensive AI law?

    No. As of mid-2026, China has no single, comprehensive AI statute; regulation proceeds through targeted instruments — the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and AI-specific measures such as the Interim Measures for Generative AI. A draft national Artificial Intelligence Law remains under review, with no confirmed enactment timeline.

    What is the Interim Measures for the Management of Generative AI Services?

    It is China’s first binding national regulation aimed specifically at generative AI, effective 15 August 2023. Issued jointly by the Cyberspace Administration of China and six ministries, it requires providers to register services, label AI-generated content, and prevent outputs that undermine state security or social stability.

    Can AI be listed as a co-author on Chinese-affiliated research?

    No. China’s Ministry of Science and Technology guidelines on responsible research conduct, issued in 2023, prohibit listing generative AI tools as co-authors and require disclosure of AI use in manuscripts and funding applications. This mirrors COPE and ICMJE guidance already applied by EU, UK and US publishers.

    Do foreign researchers need approval to share data with Chinese AI research partners?

    Often, yes. Under the Data Security Law and PIPL, transferring research data — especially human genetic or health data — outside China can require a Cyberspace Administration of China security assessment. Projects involving Chinese human genetic resources additionally need Ministry of Science and Technology approval before international sharing proceeds.

    Implications for research offices

    Research offices managing joint-authorship agreements, data-sharing memoranda or co-supervision arrangements with Chinese institutions need compliance processes that satisfy Chinese disclosure and security-review requirements without weakening the authorship and contributor-role standards already expected by Western journals and funders. Treating China’s rules as an additional layer on top of existing CRediT-based authorship practice, rather than a separate compliance track, keeps the paperwork proportionate.

    China’s regulatory posture is still moving: the Ministry of Science and Technology, the CAC and the State Council have all issued new instruments since mid-2025. Institutions with active China partnerships should treat authorship-disclosure and data-transfer procedures as living documents, reviewed annually against the current Chinese, EU, UK and US rules.