International AI Legal Landscape (2026) — What Australian Businesses Should Know¶
Purpose: Navigate international AI regulations affecting Australian organisations operating globally Audience: Legal, compliance, international business and governance teams | Time: 60-90 minutes
Last updated: January 2026. This page is informational and not legal advice.
Rapidly evolving landscape
International AI regulations are changing fast. South Korea's AI Basic Act takes effect in January 2026 with implementing rules still emerging. Canada's AIDA died on the Order Paper and any replacement may differ substantially. Always verify current status with official sources before making compliance decisions.
As AI regulation accelerates globally, many jurisdictions already impose binding requirements or have near-term obligations that will affect Australian organisations exporting, operating, or handling data linked to those regions.
Below is a practical snapshot of the US, Canada, EU, UK, Japan, South Korea, Singapore, plus the global frameworks most often referenced by regulators.
Executive Snapshot¶
Key Jurisdictions at a Glance
-
🇪🇺 EU — The EU AI Act is in force with staged obligations. Bans on "unacceptable risk" uses started 2 Feb 2025; general-purpose AI (GPAI) duties start 2 Aug 2025; most remaining rules phase in through 2026–2027. Expect documentation, transparency, risk management and post-market monitoring obligations if you sell into the EU or provide GPAI there.
-
🇺🇸 US — No single federal AI law. Federal direction runs through NIST AI RMF 1.0 and public-sector guidance (OMB M-24-10). States are moving: Colorado's AI Act (effective 30 June 2026) requires risk programs, impact assessments and notices for "high-risk" AI. NYC mandates bias audits for automated hiring tools.
-
🇨🇦 Canada — The federal Artificial Intelligence and Data Act (AIDA) (within Bill C-27) died on the Order Paper in January 2025 when Parliament was prorogued. Any future legislation may differ substantially; no timeline for re-introduction.
-
🇬🇧 UK — No single AI Act; regulator-led, "pro-innovation" model with central government coordination and the AI Security Institute (rebranded Feb 2025). Regulators are issuing sector guidance and pilots (assurance, sandboxes). The Data (Use and Access) Act (mid-2025) marks the UK's first statutory step toward AI-relevant obligations.
-
🇯🇵 Japan — On 28 May 2025 Parliament approved the AI Promotion Act (Japan's first AI law, effective 4 June 2025), establishing the AI Strategy Headquarters. Compliance remains guideline-driven via the AI Guidelines for Business (2024) and existing laws (privacy, consumer).
-
🇰🇷 South Korea — Passed the AI Basic Act (promulgated 21 Jan 2025; effective 22 Jan 2026). Establishes national governance, trustworthiness requirements and enables future rules; extra-territorial effects likely for some activities.
-
🇸🇬 Singapore — Leading with Model AI Governance Framework (GenAI) and the open-source AI Verify testing toolkit. Often used as a practical implementation benchmark, interoperable with NIST AI RMF.
Why This Matters for Australian Businesses
- 🌏 Export exposure: Selling AI products/services into the EU, UK or Korea may trigger local provider/deployer duties even if you're based in Australia
- 📋 Procurement pressure: Multinationals will increasingly require AI risk assessments, bias testing and documentation aligned to EU/US frameworks (EU AI Act, NIST AI RMF, ISO/IEC 42001)
- 🔄 Interoperability benefits: Adopting risk-based governance now reduces later retrofit costs and smooths compliance across markets
Jurisdiction Guides¶
European Union (EU)¶
Status & scope: The EU AI Act (Regulation (EU) 2024/1689) is live with a risk-tiered regime (prohibited, high, limited, minimal), dedicated GPAI obligations and strong enforcement (up to 7% global turnover). Key dates: 2 Feb 2025 (prohibitions), 2 Aug 2025 (GPAI, governance/penalties), from Aug 2026–27 (most high-risk rules).
What to Do
- ✅ Map any EU-facing AI systems to risk categories; identify if you're a provider, deployer, importer or distributor
- ✅ For GPAI/models, prepare training-data summaries, technical documentation and risk-mitigation processes (red-teaming, incident reporting)
United States (US)¶
Status & scope: No omnibus federal AI law. Federal levers include NIST AI RMF 1.0 (widely adopted) and OMB M-24-10 (governance for US federal agencies). States and cities are active: Colorado SB24-205 (effective 30 June 2026, delayed from the original February 2026 date via SB 25B-004) mandates risk management programs, impact assessments, consumer notices and appeal/human review for "high-risk" AI; NYC Local Law 144 requires bias audits and notices for automated hiring tools.
What to Do
- ✅ Align your program to NIST AI RMF (often accepted as a defence/interoperability baseline, including in Colorado's framework)
- ✅ If serving US customers/employers, build impact assessment and bias-audit capability into your lifecycle
Canada¶
Status & scope: Bill C-27 (which included the federal Artificial Intelligence and Data Act, AIDA) died on the Order Paper on 6 January 2025 when Parliament was prorogued. The bill would need to be completely re-introduced in a future parliamentary session. Any future AI legislation is expected to take a different approach; status remains highly uncertain. Note: Ontario's Bill 194 (passed November 2024) regulates public sector AI use provincially.
What to Do
No federal AI-specific law is imminent. Continue monitoring for potential re-introduction under a new government. Organisations can still reference AIDA's former companion guidance for voluntary best practices (risk-based duties for "high-impact" systems, impact assessments, incident reporting), but recognise any future legislation may differ substantially.
United Kingdom (UK)¶
Status & scope: No single AI Act; the UK follows a contextual, regulator-led approach under the Government Response (Feb 2024) to its AI White Paper. Central functions coordinate regulators; the AI Security Institute (rebranded from "AI Safety Institute" in February 2025) evaluates advanced systems and supports guidance/testing. The Data (Use and Access) Act (mid-2025) introduced provisions affecting AI training datasets and algorithmic accountability.
What to Do
- ✅ Track sector regulators (ICO, CMA, FCA, MHRA etc.)
- ✅ Expect assurance, transparency, and evaluation asks for frontier/GPAI uses
- ✅ Monitor the Data (Use and Access) Act for AI training data and algorithmic accountability requirements
Japan¶
Status & scope: Japan emphasises soft-law via the AI Guidelines for Business (2024, METI/MIC), updated subsequently. On 28 May 2025 Parliament approved the AI Promotion Act (Japan's first AI law), with most provisions taking effect 4 June 2025. The Act establishes the AI Strategy Headquarters under the Prime Minister's Office and focuses on R&D promotion and voluntary guidelines rather than hard restrictions.
What to Do
- ✅ Apply the Guidelines lifecycle controls (risk identification, governance, transparency)
- ✅ Ensure compliance with APPI and sector rules
Republic of Korea (South Korea)¶
Status & scope: AI Basic Act (officially "Basic Act on the Development of AI and the Establishment of a Foundation for Trustworthiness") passed 26 Dec 2024, promulgated 21 Jan 2025, effective 22 Jan 2026. Creates national governance (AI committee, safety institute), a trustworthiness baseline and foundation for detailed rules; extra-territorial reach is anticipated in some areas. Fines up to KRW 30 million (~$20,870) and potential imprisonment for violations.
What to Do
- ✅ If offering AI into Korea, prepare for registration/notice, risk management, and safety/trust controls as implementing measures roll out
Singapore¶
Status & scope: Model AI Governance Framework (GenAI) and the AI Verify testing toolkit provide practical, testable governance guidance; mapped to NIST AI RMF for interoperability. Frequently used by multinationals for assurance.
What to Do
- ✅ Use AI Verify (or equivalent) for bias, robustness, transparency testing
- ✅ Publish assurance artefacts for enterprise buyers
Side-by-Side Summary¶
| Jurisdiction | Legal posture (Jan 2026) | Primary instruments | Key dates | Headline obligations (examples) |
|---|---|---|---|---|
| EU | Binding, phased | EU AI Act | Feb 2025 (bans); Aug 2025 (GPAI); Aug 2026 (full enforcement); Aug 2027 (legacy GPAI) | Risk-tiered duties, GPAI transparency/docs, post-market monitoring, penalties up to 7% turnover |
| US | Patchwork + federal guidance | NIST AI RMF; OMB M-24-10; Colorado AI Act; NYC AEDT law | CO: 30 June 2026; NYC AEDT: in force | Risk programs, impact assessments, notices, bias audits (hiring), consumer appeal/human review |
| Canada | Dead (died Jan 2025) | AIDA (Bill C-27) – terminated | No timeline; re-introduction uncertain | Bill C-27 died on Order Paper; any future legislation may differ substantially from original AIDA proposal |
| UK | Regulator-led framework | Gov't Response (Feb 2024); AI Security Institute; Data (Use and Access) Act | Data Act mid-2025; AI legislation expected 2025–26 | Sector regulators issue guidance; evaluation & assurance focus (frontier/GPAI); data/algorithmic accountability |
| Japan | Soft-law + promotion act | AI Guidelines for Business; AI Promotion Act | Act effective 4 June 2025; AI Strategy HQ operational Sept 2025 | Lifecycle governance guidance; R&D promotion; voluntary compliance (no direct penalties) |
| Korea | Binding (framework) | AI Basic Act | Effective 22 Jan 2026 | National governance; trust/safety foundations; fines up to KRW 30M; further rules expected |
| Singapore | Voluntary but influential | Model AI Governance (GenAI); AI Verify | Framework updated 2024–25; OECD/GPAI alignment 2025 | Testing toolkit + governance guidance; NIST RMF cross-walk; red-teaming benchmarks |
Global Reference Frameworks (useful everywhere)
- 🌐 NIST AI Risk Management Framework 1.0 — broad, practical and widely referenced (US and beyond)
- 📋 ISO/IEC 42001:2023 — AI management system standard (AIMS) for organisations building/using AI
- 🤝 OECD AI Principles — internationally endorsed principles aligned with human-centred, trustworthy AI
Related SafeAI-Aus Tools
This page should be read together with our governance tools:
Key References¶
European Union
- EU AI Act - Official Text (EUR-Lex)
- EU AI Act Implementation Timeline
- Guidelines for GPAI Providers (European Commission)
United States
- NIST AI Risk Management Framework 1.0
- OMB M-24-10 - AI Governance (White House)
- Colorado SB24-205 (Colorado General Assembly)
- NYC Local Law 144 - AEDT (NYC DCWP)
Canada
United Kingdom
- AI Regulation White Paper Response (GOV.UK)
- AI Security Institute (GOV.UK)
- Data (Use and Access) Act (Parliament)
Japan
South Korea
- AI Basic Act - MSIT Announcement
- AI Basic Act Analysis (Cooley)
- Framework Act English Translation (CSET Georgetown)
Singapore
Global Standards
Disclaimer & Licence
Disclaimer: This guide provides general information about international AI regulations and is not legal advice. SafeAI-Aus has exercised care in preparation but does not guarantee accuracy, reliability, or completeness. International AI laws change rapidly. Organisations should adapt to their specific context and seek advice from legal professionals with expertise in relevant jurisdictions before making decisions based on this information.
Licence: Licensed under Creative Commons Attribution 4.0 (CC BY 4.0). You are free to copy, adapt and redistribute with attribution: "Source: SafeAI-Aus (safeaiaus.org)"