Tag: china ai regulation

  • AI Regulations Around the World: A 4-Jurisdiction Comparison for Research Consortia

    AI regulations around the world diverge sharply in 2026: the EU AI Act is a binding, risk-tiered statute with extraterritorial reach; US oversight is a fragmented state-law patchwork with no federal statute; China runs a registration-and-content-control regime; and the Council of Europe treaty sets shared principles without direct enforcement. No single checklist covers every consortium partner.

    AI regulation is the set of binding statutes, administrative measures and international instruments that govern how artificial intelligence systems may be developed, deployed and used within a given jurisdiction. For a multi-country research consortium, that matters practically: the same AI-assisted analysis tool or generative writing aid can be lawful for one partner and non-compliant for another, purely because of where each institution sits.

    This article maps the four regimes that most often collide in international data-sharing agreements — the EU AI Act, US state AI laws, China’s AI measures, and the Council of Europe’s AI treaty — and identifies where the friction actually occurs, not just what each law says in isolation.

    What are the main AI regulatory regimes research consortia must track?

    Four regimes dominate cross-border research collaboration in 2026: the EU’s binding AI Act, a growing set of US state statutes, China’s registration-led administrative measures, and the Council of Europe’s rights-based treaty. Each uses a different legal mechanism, a different geographic trigger, and a different enforcement model, which is precisely why a consortium cannot rely on one partner’s compliance work to cover the group.

    | Regime | Legal status | Geographic reach | Compliance approach | Relevance to research consortia |
    |---|---|---|---|---|
    | EU AI Act (Regulation (EU) 2024/1689) | Binding regulation, directly applicable in all EU member states | Extraterritorial: covers providers and deployers outside the EU where an AI system’s output is used within the EU | Risk-tiered (unacceptable / high / limited / minimal); high-risk obligations broadly apply from 2 August 2026 | A non-EU partner can still be caught if any consortium member deploys the tool’s output in the EU; grant-review and admissions-style AI can fall into Annex III high-risk categories |
    | US state AI laws | No binding federal AI statute; state statutes such as the Colorado AI Act and California’s AI Transparency Act | Applies within the enacting state; a December 2025 executive order pushes federal preemption of “burdensome” state rules, but this is contested and unsettled as of mid-2026 | Sector- and harm-specific (algorithmic discrimination, transparency, deepfakes) rather than one risk taxonomy | A single US institution can trigger several inconsistent duties depending on which state its staff, servers or subcontractors sit in |
    | China’s AI measures | Binding administrative measures enforced by the Cyberspace Administration of China (CAC), now folded into the amended Cybersecurity Law from January 2026 | Applies to AI services offered within China; requires algorithm registration with the CAC before deployment | Registration- and content-control-led: mandatory labelling of AI-generated content, security assessments, real-name verification | Chinese partner institutions typically cannot lawfully run an unregistered foreign AI tool against shared data, creating a hard blocker for joint analysis pipelines |
    | Council of Europe AI treaty | First legally binding international AI treaty (Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law) | Open to Council of Europe members and non-member signatories, including the US, UK, Canada and Japan; needs ratification by five signatories, including three Council of Europe states, to enter into force | Principles-based: human rights, democracy and rule-of-law safeguards for public- and private-sector AI | Offers shared language consortia can cite in data-sharing agreements, but is not self-executing and needs domestic implementing law in each signatory state |

    How does the EU AI Act apply to multi-country research?

    The EU AI Act entered into force on 1 August 2024, with obligations phased in over several years. Bans on unacceptable-risk systems and AI-literacy duties applied from 2 February 2025; general-purpose AI obligations followed on 2 August 2025; and high-risk system obligations broadly apply from 2 August 2026, with penalties reaching €35 million or 7% of global annual turnover.

    What consortium leads consistently underestimate is scope. Like the GDPR before it, the Act reaches beyond EU borders: it applies to providers and deployers established outside the Union whenever the output of their AI system is used within it. A US or Asia-based partner running an AI-assisted screening tool that feeds results into an EU-led work package can be pulled into EU obligations even without an EU office. Annex III’s high-risk categories — including systems used in education, employment and essential services — also reach some AI-assisted grant-review and research-integrity screening tools.

    What do US state AI laws mean for consortium partners?

    The United States has no comprehensive federal AI statute in 2026. Instead, regulation is set state by state: Colorado’s AI Act (SB 24-205), the first comprehensive US state AI law, requires reasonable care to prevent algorithmic discrimination in high-risk systems, with implementation delayed to 30 June 2026. California has separately enacted an AI Transparency Act and a frontier-model safety statute.

    A December 2025 executive order directed federal agencies to challenge state AI laws viewed as inconsistent with a lighter-touch national standard, but as of mid-2026 that preemption push is unsettled and existing state statutes remain in force. For a consortium, a single US institution’s obligations can shift depending on which state its staff, infrastructure or subcontractors sit in — and may change again if preemption litigation succeeds.

    How does China regulate AI differently?

    China’s approach is registration-led and content-focused rather than risk-tiered. The Cyberspace Administration of China requires algorithm registration and security assessment before many AI services can be deployed. The Measures for Labelling AI-Generated and Synthetic Content took effect in September 2025, three national standards on generative AI security took effect on 1 November 2025, and AI governance obligations were folded into the amended Cybersecurity Law from January 2026.

    For research consortia, this is a structurally different problem from the EU or US: it is not primarily about disclosure or risk assessment, but whether a given AI tool may operate against Chinese-held data at all. An unregistered foreign analysis tool cannot lawfully be applied to a Chinese partner’s data set, regardless of how compliant it is elsewhere.

    What does the Council of Europe AI treaty add?

    The Council of Europe’s Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law is the first legally binding international treaty on AI. It opened for signature in September 2024, and early signatories include the European Union, the United States, the United Kingdom, Canada and Japan. It requires ratification by five signatories, including three Council of Europe member states, to enter into force.

    Unlike the EU AI Act, the treaty does not create a detailed compliance regime of its own; it sets human-rights and rule-of-law principles that signatory states must implement through domestic law. For a consortium, it functions less as a rulebook and more as shared vocabulary — a reference point agreements can cite when partners disagree on baseline AI safeguards, even where no national statute yet covers a given use case.

    Where do multi-jurisdiction consortia hit compliance friction?

    The practical friction is rarely about any one regime being stricter than another — it is about the regimes using incompatible triggers. The EU AI Act asks “where is the output used?” US state law asks “which state is the deployer in?” China asks “is this algorithm registered?” The Council of Europe treaty asks “has this state ratified and implemented it?”

    • Data-sharing agreements drafted for one jurisdiction’s risk taxonomy often fail to address another partner’s registration or transparency duties.
    • AI-assisted research tools — plagiarism and integrity screening, generative drafting aids, automated peer-review triage — can simultaneously be “limited risk” in the EU, unregulated in one US state, and require CAC registration in China.
    • Consent and disclosure language for AI use in participant-facing materials rarely satisfies all four regimes’ transparency requirements at once.
    • Governing-law clauses in consortium agreements need to specify which partner’s AI-use obligations apply to shared infrastructure, not just which partner “owns” the data.

    UKRI, Horizon Europe consortia and cOAlition S-aligned funders increasingly expect applicants to describe how AI tools are governed across all partner sites, not only the lead institution’s — making this mapping exercise a funding-eligibility question, not only a legal one.

    Answer-first Q&A

    Are there any global AI regulations?

    No single binding global AI law exists. The Council of Europe’s Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law, opened for signature in September 2024, is the first legally binding international AI treaty, but it needs ratification by five signatories, including three Council of Europe states, before it takes effect.

    Which countries have the most AI regulations?

    The European Union has the most comprehensive statutory AI framework via the EU AI Act, while the United States has the largest volume of measures once state activity is counted. In the 2025 legislative session, all 50 states introduced AI bills and 38 enacted measures, per the National Conference of State Legislatures.

    Which countries have no AI-specific restrictions?

    Several jurisdictions, including the United Arab Emirates and Saudi Arabia, rely on voluntary principles and sector guidance rather than a dedicated AI statute, though both run active national AI strategies and are expected to formalise binding rules as adoption accelerates. Partners based there face fewer AI-specific duties, but other data laws still apply.

    What should multi-country consortia do next?

    No convergence toward a single global AI standard is likely before 2027. The EU AI Act’s high-risk obligations continue phasing in through 2026 and 2027, US preemption litigation remains unresolved, China’s registration regime keeps expanding, and Council of Europe ratifications will accumulate gradually. Consortium agreements that hard-code today’s rules will need scheduled review clauses, not one-off sign-off.

    Research administration teams should treat AI-use disclosure as a standing agenda item in consortium governance, map each partner institution against the table above at project start, and build AI-tool review into existing data-sharing and research administration workflows rather than a separate compliance track.

  • Deemed Export Rule and AI Research Compliance

    The deemed export rule treats the release of export-controlled technology or source code to a foreign national inside the United States as if it were an export to that person’s home country, even though nothing crosses a physical border. For AI research groups, this means that giving a foreign-national graduate student or postdoc access to certain model weights, training code, or restricted technical data can itself require a federal export licence.

    A deemed export is any release of “technology” or “technical data” — controlled under the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR) — to a foreign person physically present in the United States. The doctrine is old; its application to frontier AI systems is new, and it now collides with university research practice.

    What is the deemed export rule?

    Under 15 CFR 734.13(b) of the EAR, releasing controlled technology or source code to a foreign person in the United States is “deemed” to be an export to that person’s country of nationality. The Bureau of Industry and Security (BIS), the Commerce Department agency administering the EAR, names universities and high-technology research institutions as typical deemed-export-licence users, alongside biochemical, medical and computer-sector organisations.

    A “release” can occur through conversation, email, or lab access that lets a foreign national read or modify controlled source code — no shipment is required. Permanent residents, US citizens, and “protected individuals” under US immigration law are exempt; most international graduate students and postdocs on visas are not.

    How the fundamental research exclusion applies to AI research

    Most university AI research avoids deemed export licensing through the fundamental research exclusion at 15 CFR 734.8. Fundamental research is basic or applied research in science and engineering where the resulting information is ordinarily published and shared broadly, with no restrictions on foreign-national participation and no government-imposed access controls.

    The exclusion is conditional, not automatic. It fails where:

    • Results are restricted for proprietary or commercial reasons, such as a sponsorship agreement with a publication-delay clause.
    • The funding agreement imposes access or dissemination controls, which some defence-adjacent AI grants do.
    • The activity involves direct transfer of a controlled item — hardware, software, or source code — rather than an exchange of research information.

    Information already publicly available, including open-access papers and public code repositories, is separately exempt from EAR licensing.

    When AI models, weights and training infrastructure trigger a deemed export

    Using a publicly available AI chatbot or API is not, by itself, a release of controlled technology. Risk rises when a foreign national gains access to model architecture details, training methodologies, or model weights covered by an Export Control Classification Number (ECCN) on the Commerce Control List, or to advanced computing hardware BIS has specifically controlled.

    BIS tightened advanced-computing controls in its October 2022 Interim Final Rule, amended October 2023, then went further in January 2025 with a Framework for Artificial Intelligence Diffusion rule that, for the first time, extended export-control treatment to certain closed-weight AI model parameters, not only training hardware. Disclosing weights, architecture specifications, or training-cluster configuration for a covered model to a foreign-national researcher can itself be a release event.

    Much of this tightening is explicitly framed around China AI regulation concerns — restricting frontier compute and model know-how flowing to entities on the BIS Entity List. Nationality alone does not create liability; nationality plus access to a controlled item, combined with funding or sponsor restrictions, does.

    US deemed export rules vs the EU AI Act research exemption

    Institutions with EU partnerships increasingly ask how the US doctrine compares with the European approach. The EU AI Act — Regulation (EU) 2024/1689 — takes a structurally different route: rather than controlling technology transfer by nationality, it excludes AI systems and models developed and used exclusively for scientific research from most of the Act’s obligations, under Article 2(6) and Article 2(8).

    | Aspect | US deemed export rule | EU AI Act research exemption |
    |---|---|---|
    | Governing instrument | EAR, 15 CFR 734.13(b) and 734.8 | Regulation (EU) 2024/1689, Art. 2(6) & 2(8) |
    | What triggers the rule | Release of controlled technology to a foreign person | Placing an AI system on the market or into service |
    | Exclusion basis | Fundamental research intended for open publication | Research and development activity, prior to market placement |
    | Administering body | Bureau of Industry and Security (Commerce Dept.) | National market surveillance authorities / EU AI Office |
    | Nationality relevant? | Yes — central to the rule | No — exemption is activity-based, not person-based |

    The distinction matters for compliance design: a US export control office manages deemed exports as a personnel and access-control question, while an EU research-exemption assessment is a product-lifecycle question. A model built for fundamental research at a US university may fall outside the AI Act exemption once deployed commercially — the two frameworks do not map onto each other cleanly.

    Compliance steps for universities with foreign national researchers

    Export control officers, research administrators, and AI lab principal investigators need a shared workflow before granting foreign nationals lab or system access:

    1. Screen every incoming foreign national against the BIS Entity List and the Treasury Denied Persons List before granting technical access.
    2. Classify the technology, dataset, or model against the Commerce Control List to determine whether an ECCN applies.
    3. Document the fundamental research exclusion in writing at project inception — funding terms, publication plans, and sponsor restrictions.
    4. Restrict access to controlled weights or training infrastructure until the export control office confirms licence status.
    5. Certify deemed export status accurately on Form I-129 for H-1B, H-1B1, L-1, and O-1A hires, as USCIS requires.
    6. Use the NIST AI Risk Management Framework to document AI system risk tiers internally — a defensible record, though not itself an export-control exemption.

    Treat this as distinct from state AI laws, such as Colorado’s and California’s AI transparency statutes, which govern AI deployment to end users, not technology transfer to foreign persons — a university can comply with one and still be exposed under the other. Guidance from the Center for AI Standards and Innovation (CAISI), the Commerce Department body that succeeded the original AI Security Institute at NIST, can inform risk-evaluation methodology, though it is not itself an export-control determination. See CASRAI’s research administration resources for broader governance context.

    Frequently asked questions

    What are the criteria for a deemed export?

    A deemed export occurs when controlled technology or source code is released to a foreign person inside the United States. The criteria: the item sits on the Commerce Control List or US Munitions List, the recipient is not a citizen, permanent resident, or protected individual, and no exclusion applies.

    How can a university determine whether an activity is a deemed export?

    A university’s export control office classifies the technology against its ECCN or USML category, checks whether the fundamental research exclusion applies, and confirms the researcher’s immigration status. If the technology is controlled, the researcher is a foreign person, and no exclusion fits, a licence is required before access.

    Who is exempt from the deemed export rule?

    US citizens, lawful permanent residents, and individuals granted protected individual status under US immigration law are exempt from deemed export licensing regardless of the technology involved. Most international students and postdocs on visas do not qualify for this exemption and depend instead on the fundamental research exclusion.

    Does using a publicly available AI model trigger a deemed export?

    No. Interacting with a publicly available AI model — a public API, chatbot, or open-weight release with no access restrictions — is not a controlled release under the EAR. Risk arises only when a foreign national gains access to restricted model weights, proprietary architecture details, or controlled training infrastructure not available to the public.

    Implications and outlook

    Export control offices built their playbooks around physical items and classified research; AI weights and training infrastructure do not fit that playbook cleanly. As BIS extends ECCN coverage into software and model parameters, universities running foreign-national-staffed AI labs face rising documentation burden even where no licence is ultimately required.

    Expect continued divergence between the deemed export regime, EU AI Act research-exemption practice, and state AI laws — three separate compliance tracks addressing different questions. Research administrators who map these tracks now, rather than after an incident, will be better placed as controls continue to tighten.

  • China AI Regulation for Research Collaboration

    China’s AI regulation centres on the Interim Measures for the Management of Generative Artificial Intelligence Services (effective 15 August 2023), which require AI-service providers to disclose AI use and forbid listing generative AI as a co-author. For Western universities collaborating with Chinese institutions, the rules affect authorship credit, cross-border data transfer, and how AI tools may be used in co-supervised research.

    China’s Interim Measures for the Management of Generative Artificial Intelligence Services is the country’s first binding, AI-specific regulation, jointly issued by the Cyberspace Administration of China (CAC) and six other ministries. It sits alongside the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (PIPL) as the legal backbone for how AI-enabled research involving Chinese partners must be conducted.

    This matters for research administrators well beyond China’s borders. Joint-authorship agreements, data-sharing memoranda and co-supervision arrangements with Chinese universities now have to reconcile Chinese disclosure and labelling duties with the authorship norms already in force under COPE, ICMJE and journal policy in the EU, UK and US.

    What China’s Interim Measures for Generative AI actually require

    The Interim Measures require providers of public-facing generative AI services to register with the CAC, prevent outputs that undermine state security or social stability, and take measures against algorithmic bias. Internal research and development that is not offered as a public-facing service is treated more lightly, but outputs intended for publication or public dissemination fall squarely within scope.

    Two further instruments extend the regime. The Measures for Labeling AI-Generated and Synthesized Content, paired with the national standard GB 45438-2025, took effect in September 2025 and require visible or embedded labels on AI-generated text, images and audio distributed in China. The Ministry of Science and Technology’s guidelines on responsible research conduct, issued in December 2023, apply specifically to academic work: they prohibit using generative AI to draft funding applications and require researchers to disclose any generative AI use in their methodology.

    China has not enacted a single, comprehensive AI statute. A draft Artificial Intelligence Law has appeared on the National People’s Congress Standing Committee’s legislative agenda since 2023, but no official draft had been released as of December 2025, and the enactment timeline remains unclear.

    How China’s framework compares with the EU, UK and US

    None of the four major jurisdictions regulates AI in research collaboration through a single dedicated instrument. Each layers AI-specific rules on top of existing data-protection, cybersecurity and research-integrity frameworks, but the point at which those rules bind differs sharply.

    | Jurisdiction | Core AI instrument | Status (as of mid-2026) | Authorship / disclosure rule for research |
    |---|---|---|---|
    | China | Interim Measures for Generative AI Services (2023) plus labelling rules (2025) | In force; comprehensive AI Law still in draft | Ministry of Science and Technology guidelines bar listing AI as a co-author; AI use must be disclosed |
    | European Union | AI Act, Regulation (EU) 2024/1689 | General-purpose AI obligations apply from August 2025; most other obligations from August 2026 | No AI-authorship bar in the Act itself; publishers apply COPE and ICMJE norms |
    | United Kingdom | No dedicated AI statute; pro-innovation, regulator-led approach | Existing regulators (ICO and sector bodies) apply cross-cutting principles | COPE- and ICMJE-aligned: AI cannot be listed as author; disclosure expected in methods sections |
    | United States | No comprehensive federal law; state statutes (e.g. the Colorado AI Act) and the voluntary NIST AI Risk Management Framework | Patchwork of state laws; federal approach still executive-order-driven | NIH bars AI from being listed as an author or used by peer reviewers to evaluate applications; journals follow ICMJE/COPE |

    The practical convergence is striking: China, the EU, the UK and the US all reach the same conclusion on authorship — a generative AI system cannot satisfy the accountability that authorship implies — even though none of them arrives there through identical legislation.

    What this means for joint authorship and contributor disclosure

    China’s Ministry of Science and Technology guidelines and the international consensus reflected in ICMJE recommendations and COPE position statements agree on one point: generative AI tools cannot be listed as authors or contributors, because they cannot take responsibility for the accuracy and integrity of the work. This aligns with the accountability criterion embedded in the CRediT contributor role taxonomy, which CASRAI originated in 2014 and which is now stewarded by NISO as ANSI/NISO Z39.104-2022.

    For joint publications with Chinese co-authors, this means AI-assistance disclosure statements now need to satisfy two regimes at once: China’s requirement to label AI-generated content and disclose AI use in the methodology, and the contributor-role documentation expected by journals following CRediT or ICMJE authorship criteria. A single disclosure paragraph, drafted to meet the stricter of the two standards, is usually sufficient — but it should name the specific generative AI tool, its role, and confirm that no tool is credited as an author or contributor.

    • Confirm which named human contributors meet Chinese and Western authorship criteria before drafting the manuscript.
    • Record AI-tool use (what, where, why) in a disclosure statement that satisfies both the Chinese labelling requirement and journal policy.
    • Never list a generative AI system as an author, co-author or contributor under any of the four frameworks compared above.

    Data-sharing and cross-border transfer requirements

    Research data moving out of China is governed by the Data Security Law and the Personal Information Protection Law, not by the Interim Measures themselves. Transfers of “important data” or bulk personal information generally require a CAC security assessment, a process that, according to legal trackers monitoring Chinese compliance, can take several months to clear. Projects that involve Chinese human genetic resources — common in biomedical and health-informatics collaborations — additionally require prior approval from the Ministry of Science and Technology before data can be shared internationally.

    Co-supervised doctoral projects that route data through a public-facing generative AI service add a further layer: the service falls within the Interim Measures’ registration and labelling scope, even where the underlying collaboration is privately arranged between two universities.

    Common questions on China’s AI regulation and research collaboration

    Does China have a comprehensive AI law?

    No. As of mid-2026, China has no single, comprehensive AI statute; regulation proceeds through targeted instruments — the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and AI-specific measures such as the Interim Measures for Generative AI. A draft national Artificial Intelligence Law remains under review, with no confirmed enactment timeline.

    What is the Interim Measures for the Management of Generative AI Services?

    It is China’s first binding national regulation aimed specifically at generative AI, effective 15 August 2023. Issued jointly by the Cyberspace Administration of China and six ministries, it requires providers to register services, label AI-generated content, and prevent outputs that undermine state security or social stability.

    Can AI be listed as a co-author on Chinese-affiliated research?

    No. China’s Ministry of Science and Technology guidelines on responsible research conduct, issued in 2023, prohibit listing generative AI tools as co-authors and require disclosure of AI use in manuscripts and funding applications. This mirrors COPE and ICMJE guidance already applied by EU, UK and US publishers.

    Do foreign researchers need approval to share data with Chinese AI research partners?

    Often, yes. Under the Data Security Law and PIPL, transferring research data — especially human genetic or health data — outside China can require a Cyberspace Administration of China security assessment. Projects involving Chinese human genetic resources additionally need Ministry of Science and Technology approval before international sharing proceeds.

    Implications for research offices

    Research offices managing joint-authorship agreements, data-sharing memoranda or co-supervision arrangements with Chinese institutions need compliance processes that satisfy Chinese disclosure and security-review requirements without weakening the authorship and contributor-role standards already expected by Western journals and funders. Treating China’s rules as an additional layer on top of existing CRediT-based authorship practice, rather than a separate compliance track, keeps the paperwork proportionate.

    China’s regulatory posture is still moving: the Ministry of Science and Technology, the CAC and the State Council have all issued new instruments since mid-2025. Institutions with active China partnerships should treat authorship-disclosure and data-transfer procedures as living documents, reviewed annually against the current Chinese, EU, UK and US rules.