Comparative index of the real state of digital regulation country by country, designed as regulatory-intelligence infrastructure. It measures not only whether a country has AI or data-protection laws, but the distance between three layers that rarely coincide: the law passed, the authority designated to enforce it and the real enforcement (sanctions actually imposed). That gap —between legislating and applying— is the metric that matters to anyone assessing the risk of operating technology in a jurisdiction. Each record profiles a country with the state of its AI framework, its data-protection regime, its enforcement capacity and a composite regulatory-risk level, with its sources. It connects with Diálogo Ciudadano's per-jurisdiction trackers (AI Act, GDPR, DSA, US and Latin American AI laws).
Statistical readings derived from the attributes of each recorded case. All figures come from the documented events; amounts are computed only over cases with a sum expressed in the indicated currency, without converting between currencies.
Choropleth by number of forensically or judicially documented cases. Countries with no verifiable public cases remain in the base colour — the absence of events does not equal the absence of surveillance. Hover or click a coloured country to see the cases.
For a company deploying technology in several countries, the question is not 'how many digital laws each one has', but the distance between the written law, the authority that should enforce it and the sanctions that actually fall. This index measures that gap across 16 jurisdictions in six regions, because that is where the real regulatory risk lives.
More than seventy countries have already launched over a thousand AI policy initiatives, and almost all have some form of data-protection law. If one stopped at that count, one would conclude that the world is regulated. But that count is misleading, because it lumps together a binding law with fines of 7% of global turnover and a voluntary strategy without a single sanction. This index is built precisely to undo that deception: it separates three layers that rarely coincide.
The first layer is the law: whether there is a comprehensive AI framework in force, a bill in progress, a voluntary strategy or nothing. The second is the authority: whether there is a designated, operational body to enforce it. The third, the decisive one, is enforcement: whether that body imposes final sanctions regularly or the law lives on paper. A country is only regulatorily serious when the three layers align, and surprisingly few manage it.
The key to reading it: 'high regulatory risk' does not mean 'badly governed country'. The EU has the world's highest sanction risk —7% fines, active enforcement— and is, at the same time, the most predictable environment. The hardest risk to manage is not that of the country that sanctions a lot, but that of the one with many unenforced laws: there, unpredictability makes everything opaque.
The index reveals that countries do not line up on a single 'more to less regulated' scale, but in distinct profiles. There are the high, predictable-enforcement ones —the EU, South Korea—, where the risk is sanctions but the rules are clear. There are the unpredictable ones —the United States with its disputed state patchwork, Mexico with its framework under reform—, where the problem is not strictness but not knowing which rule applies. And there are the state-control ones —China at the front—, where data regulation intertwines with forced localization and digital sovereignty.
For a compliance team, a fund assessing an investment or a vendor selling software to governments, this profile distinction is more actionable than any linear ranking. The risk of operating in a strict, predictable environment is not managed the same way as in a lax but unpredictable one. The index is designed for that decision: cross the three layers by country and, above all, connect with each jurisdiction's specific trackers —the AI Act one, the GDPR-by-country one, the US patchwork one— to descend from the general profile to the concrete case.
Expanding the index to Asia-Pacific reveals it is the most heterogeneous region of all. At one end, China combines regulatory tightening with forced data localization. At the other, Singapore exhibits the finest balance between innovation and regulation, with voluntary but sophisticated AI governance. Between them, India operationalized its data law in 2025 with a single authority —the Data Protection Board— but chose to govern AI with principles, not a comprehensive law; Japan and Australia remain in voluntary frameworks; and Indonesia and Vietnam are only now consolidating their data regimes.
That Asian diversity confirms the index's thesis: there is no single 'level' of regulation, but profiles. Two countries with the same 'no comprehensive AI law' —India and the United States— can have opposite risks depending on their data authority and enforcement. That is why the index does not rank on a scale, but profiles layer by layer, and lets each user weight the layers according to what matters to them.
Vietnam passed several laws in 2025, including a comprehensive personal-data-protection law in force since 1 January 2026, formalizing rights, controller obligations and transfer restrictions, alongside data-classification and security rules. Enforcement still to consolidate.
The US has no federal AI or privacy law: it operates with a state patchwork (California, Texas, Colorado…) and per-state privacy laws. Federal preemption and litigation add unpredictability. The risk is not high sanctions, but not knowing which rule applies or whether it will remain in force.
The UK regulates AI by delegating to sector regulators and applies the UK GDPR, amended by the Data Use and Access Act (DUAA, 2025). Its authority (ICO) is deliberately fine-sceptical. The European Commission extended its adequacy decision in December 2025. Medium risk, pragmatic approach.
Singapore stands out for balancing innovation and regulation, ranking among the top in the Oxford Government AI Readiness Index. Its AI governance is voluntary but sophisticated (Model AI Governance Framework), and its data law (PDPA) has an active authority. A low-friction regulatory profile with high institutional maturity.
Saudi Arabia declared 2026 the 'Year of AI' and combines binding data legislation (PDPL) with AI soft-law instruments managed by the SDAIA authority, which issued 48 PDPL enforcement decisions in 2025. Transfer regime modeled on the GDPR. Growing regulatory maturity.
Peru passed and regulated Law 31814 promoting AI use for economic and social development, placing it among Latin America's first with a specific AI rule. Its data regime has an authority. But enforcement capacity is limited: the law is more promotional than punitive.
Mexico lacks a specific AI law and its data-protection framework is under reform after restructuring its authority. Enforcement capacity is limited. High technological exposure with institutional capacity in transition: medium-high risk from unpredictability.
South Korea became, with its AI Framework Act in force since January 2026, the world's second territory after the EU with comprehensive AI legislation, copying the European risk categories. Combined with its data regime, it is a high-enforcement, predictable environment.
Japan bets on self-regulation: its AI Promotion Act (in force since June 2025) sets a non-binding framework focused on coordination, transparency and R&D, with no strong sanctions. Its data regime is aligned with international standards. Medium risk: few hard obligations.
India operationalized its Digital Personal Data Protection Act (DPDP Act 2023) in 2025 with its Rules, creating the Data Protection Board as a single authority, with fines up to ~$30 million. For AI it chose a principle-based techno-legal approach (November 2025 AI Governance Guidelines, non-binding) instead of an EU-style comprehensive law. Enforcement still nascent.
Indonesia has a relatively recent Personal Data Protection (PDP) law, with an authority under construction, but lacks a specific binding AI framework. High technological exposure and a growing digital market with developing regulatory capacity: medium-high risk from unpredictability.
The EU combines the AI Act (first comprehensive AI law, in force since August 2024) with the GDPR and active enforcement: over €7.1 billion in data-protection fines and the first DMA sanctions. Sanction risk is high, but predictable: the rules exist and are enforced.
China tightened its Cybersecurity Law in January 2026 with AI requirements and data localization, and is processing an AI Law that would formalize obligations for high-risk systems. Its outbound data-transfer restrictions are the world's strictest, exceeding the GDPR. Critical risk from localization and state control.
Canada was the world's first country with a national AI strategy (2017) and proposed an early law —the AI and Data Act (AIDA)— foreseeing an AI and Data Commissioner, but it remains in progress; meanwhile a voluntary code of conduct for generative AI applies. Its data regime (PIPEDA) is consolidated. Classic gap: early strategy, pending law.
Brazil has a consolidated data-protection law (LGPD) with its own authority (ANPD), but its AI bill (PL 2338, based on the European risk model) still lacks final approval after passing the Senate in December 2024. The region's classic gap: data yes, AI not yet.
Australia bets on capability development with its National AI Capability Plan (2024), focused on skills and infrastructure rather than binding obligations. Its Privacy Act regulates data with its own authority. It is a pro-innovation profile with soft AI regulation.
Each record profiles a country across three layers: (1) AI framework status (comprehensive law in force, bill, strategy/voluntary, no framework); (2) data-protection status (GDPR-style law with active authority, law without strong enforcement, no law); (3) enforcement capacity (high = frequent final sanctions, medium, low/symbolic). From this a composite regulatory-risk level is derived that does NOT judge the country's democratic quality, but the regulatory predictability for whoever operates technology: a country may have very strict laws and high enforcement (high but predictable sanction risk) or many unenforced laws (unpredictability risk). Each layer is attributed to its source. The classification is a revisable comparative reading, not a single official figure. No unpublished data is imputed.