AI Watch: Global regulatory tracker - Colombia

Despite congressional activity on AI in Colombia, regulation remains unclear and uncertain.

Laws/Regulations directly regulating AI (“AI Regulations”)

Currently, there are no specific laws, statutory rules, or regulations in Colombia that directly regulate AI. However, the Colombian government has issued and approved different legal instruments. For example:

CONPES 4144 establishes Colombia's National Artificial Intelligence (AI) Policy.¹ The policy aims to position Colombia as a competitive country in AI through six strategic objectives:

1. Ethics and Governance – Strengthen governance mechanisms and apply ethical principles to ensure responsible and trustworthy AI development and use
2. Data and Infrastructure – Enhance technological infrastructure and access to high-quality data to support AI advancements
3. Research, Development, and Innovation – Promote AI research and development to drive productivity and scientific progress in the country
4. Capabilities and Digital Talent – Develop skills and specialized human capital in AI, fostering social adoption of the technology
5. Risk Mitigation – Identify, prevent, and mitigate risks associated with AI use, including ethical concerns, biases, and cybersecurity threats
6. AI Adoption and Use – Encourage the adoption of AI in public institutions, businesses, and local territories, with a focus on digital transformation and sustainability

External Directive 002 of 2024 by the Colombian Data Protection Authority (the Superintendence of Industry and Commerce) (SIC).² This provides guidance on the processing of personal data for use with AI, in accordance with the Colombian General Data Protection Framework. The SIC provides instructions on ten points:

1. The processing must meet criteria of suitability, necessity, reasonableness and proportionality, in order to safeguard the principles established in the CDPR
2. Scenarios in which there is no certainty about potential damage should be avoided, and preventive measures should be implemented
3. In line with the accountability principle, risks associated with personal data must be identified, measured, controlled and monitored
4. If, prior to the design and development of the AI system, a high risk of harm to data subjects is identified, a privacy impact study must be implemented
5. Personal data must be truthful, complete, accurate, updated, verifiable and understandable
6. Differential privacy, a set of mathematical techniques that allow data analytics without revealing information about the individuals providing the data, is proposed as a way of complying with privacy by design and by default
7. Data subjects should be able to obtain information about the processing of their data
8. Security measures should be implemented to protect the confidentiality, integrity, and availability of personal data
9. Personal information that is "publicly accessible" is not, per se, information "of a public nature", so such information should not be taken and processed without the prior, express and informed consent of the data subject
10. The rights of data subjects must be ensured

Status of the AI Regulations

More than 20 bills that are intended to regulate AI have been proposed to Congress.³ However, at the time of writing, none have been approved.

Most recently, on May 7, 2025, a comprehensive bill backed by the Ministries of Science and of Information and Communication Technologies (ICT), was proposed to Congress (the "Proposed Bill").⁴

The Proposed Bill seeks to:

• Introduce classification of AI systems by risk level (i.e., prohibited, high, limited, and minimal)⁵
• Provide clear rules to protect privacy, non-discrimination, and human dignity
• Establish a governance system led by the Ministry of Science as the National Authority on AI
• Create the National Advisory Council on Artificial Intelligence
• Promote research and the training of human talent
• Provide measures for job transition
• Incentivize projects with social, territorial, and scientific impact

The Proposed Bill still needs to be scrutinized, debated and voted on—by both the Senate and the House of Representatives—before being approved by the President. Therefore, it is currently unclear if the Proposed Bill will be approved, and if so, what the final text will look like. No date has been provided for possible discussion in Congress, and despite the government's backing, it is not expected to be a legislative priority.

Other laws affecting AI

There are various laws and regulations that do not directly seek to regulate AI but may be applied to its development, deployment or use in Colombia. Key examples include:

• The Colombian General Data Protection Framework enclosed in Law 1581 of 2012 and Decree 1074 of 2015^6,7
• The Colombian Consumer Protection Statute, Law 1480 of 2011⁸
• The Andean Community of Nations Decisions 351 of 1993 (Copyright) and 486 of 2000 (Trademarks, Patents, Industrial Designs and Trade Secrets)^9,10
• The Colombian Copyright Law, Law 23 of 1982¹¹

Definition of “AI”

Currently there is no legal definition of AI. However, the Government has used the definition provided in the National Digital Transformation Policy, CONPES 3975 (2019).¹²

This definition describes AI as: "a field of computer science dedicated to solving cognitive problems commonly associated with human intelligence or intelligent beings, understood as those who can adapt to changing situations. Its basis is the development of computer systems, data availability and algorithms."

Territorial scope

Colombia's proposed AI regulation framework presently features a wide territorial reach. According to the latest draft presented to Congress, the rules would cover the development, deployment, and use of AI systems within Colombian borders, applying equally to both domestic and international organizations.

Sectoral scope

The Proposed Bill does not currently take a sector-specific approach.¹³ The regulation would govern the development, deployment, and use of AI systems across all sectors, without limiting its application to any particular industry.

Compliance roles

The Proposed Bill establishes a clear framework of compliance roles, closely aligned with international best practices and tailored to the local context.

The main compliance role identified in the Proposed Bill is "Responsible for AI":¹⁴

• This is the central compliance role defined in the Proposed Bill
• It encompasses all natural and legal persons, whether public or private, who create, develop, implement, commercialize, import, represent, distribute, or use AI systems developed, implemented, and/or used within Colombian territory, or who, while located abroad, are subject to Colombian law due to the impact of their AI systems in Colombia
• This broad definition ensures that all actors in the AI value chain—developers, providers, distributors, and users—are subject to the law's requirements

Core issues that the AI Regulations seek to address

The AI Bill states that its core principles are to promote competitive productivity, ensure transparency, and to foster productivity through advancing fundamental AI research and personnel development. While advancing these goals, the government aims to investigate and guide organizations away from the improper use of AI, which are uses that may lead to the violation of rights or harm prosperity.

Additionally, the Hiroshima Principles identify several significant risks, including: disinformation, copyright, cybersecurity, risks to health and safety, and societal risks (e.g., the ways in which advanced AI systems can give rise to harmful bias and discrimination).

The government has noted the following risks as ones that Japan should prioritize: safety, privacy and fairness, national security and crime, property protection, and intellectual property.

Further, regarding copyright, in-depth discussions are being held in Japan about how existing laws (i.e., the Copyright Act of Japan) should address issues concerning rights and harms that may arise from generative AI. Additionally, the Council of the Agency for Cultural Affairs has announced its position regarding copyright where AI is trained on the works of humans and AI-generated content.

Risk categorization

The Proposed Bill includes the following proposal for risk categorization:¹⁵

• Prohibited AI Systems – These are banned outright due to posing unacceptable risks to fundamental rights, security, or human dignity. Examples include AI systems without human control, those designed to manipulate behavior, or those intended for discrimination or repression.
• High-Risk AI Systems – These systems can significantly impact fundamental rights, safety, or well-being. They are subject to strict requirements, including data quality, transparency, human oversight, and impact assessments. Examples include systems used in privacy-sensitive areas, automated decision-making in critical sectors, or those affecting minors.
• Limited-Risk AI Systems – These AI systems do not pose significant threats but may have indirect or notable effects on personal or economic decisions. They must be transparent, inform users that they are interacting with AI, and allow for deactivation or rejection. Examples include virtual assistants, recommendation systems, and unlabeled deepfakes.
• Low-Risk AI Systems – These AI systems present minimal risk, and are mainly subject to general ethical, transparency, and good practice guidelines. Examples include administrative tools, educational aids (not otherwise categorized), public sector support tools, and simple automation or entertainment applications.

Key compliance requirements

The Proposed Bill sets out a comprehensive suite of compliance requirements, many of which are risk-based and tailored to the role and activity of the actor in the AI value chain. Key requirements include:

Risk Classification and Management:¹⁶

• AI systems are classified into four risk categories: prohibited, high risk, limited risk, and low risk
• Prohibited systems (e.g., those that cannot be controlled by humans, or that are designed to manipulate behavior or discriminate) are banned outright
• High-risk systems (e.g., those affecting fundamental rights, health, safety, or used in sensitive sectors like justice or security) are subject to strict requirements, including:
  • Rigorous data quality standards
  • Transparency and explainability obligations
  • Human oversight and the ability to intervene or deactivate the system
  • Mandatory impact assessments on fundamental rights and data protection
  • Registration and documentation requirements

Transparency and Explainability:¹⁷

• All AI systems must be designed and operated to ensure clarity, accessibility, and traceability of automated processes and decisions
• Users must be informed when they are interacting with an AI system, especially in the case of limited-risk systems (e.g., chatbots, recommendation engines)

Human Oversight and Control:¹⁸

• Systems must allow for human intervention, audit, and supervision, particularly for high-risk applications

Data Protection and Privacy:¹⁹

• Compliance with Colombia's existing data protection laws is mandatory
• AI systems must not infringe on privacy or process personal data unlawfully

Non-Discrimination and Equity:²⁰

• AI systems must be developed and used to avoid discrimination and to promote diversity and inclusion
• Special attention must be given to preventing the amplification of existing social, economic, or digital divides

Accountability and Documentation:²¹

• Responsible parties must maintain documentation demonstrating compliance with risk management, transparency, and ethical requirements
• For high-risk systems, detailed technical documentation and records of impact assessments are required

Workforce Transition and Training:

• Employers implementing AI systems that may impact employment practices must develop and execute plans for retraining, redeployment, or upskilling affected workers

Regulators

The Proposed Bill names the Ministry of Science as the National Authority on AI.²² However, the SIC will continue to oversee data protection and consumer matters.²³

Enforcement powers and penalties

The Proposed Bill outlines the following possible sanctions:²⁴

• Personal and institutional fines – These could be for a maximum of the equivalent of three thousand (3,000) current legal monthly minimum wages at the time the sanction is imposed. Fines may be imposed successively as long as the non-compliance that gave rise to them persists.
• Suspension of activities related to the AI system – This suspension could last for up to twenty-four (24) months and may include the inability to access the AI system within Colombian territory. The suspension order will specify the corrective actions that must be taken.
• Temporary closure of operations related to the AI system – This may include the inability to access the AI system within Colombian territory, even after the suspension period has elapsed, if the corrective actions ordered in the suspension order have not been implemented.
• Immediate and definitive closure of the operation involving the AI system – This may include the permanent blocking of access to the AI system within Colombian territory.

1 See CONPES 4144 here.
2 See External Directive 002 of 2024 here.
3 See an article from El Espectador here.
4 See the press release here.
5 See the press release here.
6 See the Colombian General Data Protection Framework (Statutory Law 1581 of 2012) here.
7 See the Colombian General Data Protection Framework (Decree 1074 of 2015) here.
8 See the Colombian Consumer Protection Statute, Law 1480 of 2011 here.
9 See the Andean Community of Nations Decision 351 of 1993 (Copyright) here.
10 See the Andean Community of Nations Decision 486 of 2000 here.
11 See the Colombian Copyright Law, Law 23 of 1982 here.
12 See the National Digital Transformation Policy, CONPES 3975 (2019) here.
13 See Article 2 of the Proposed Bill (Note that although the Bill was proposed to Congress on May 7th, it has not been published in the official Congress Gazette, so it is currently lacking a Bill number)
14 See Articles 2 and 4 of the Proposed Bill.
15 See Article 5 of the Proposed Bill.
16 See Article 5 of the Proposed Bill.
17 See Article 3 of the Proposed Bill.
18 See Article 3 of the Proposed Bill.
19 See Article 3 of the Proposed Bill.
20 See Article 3 of the Proposed Bill.
21 See Article 5 of the Proposed Bill.
22 See Article 6 of the Proposed Bill.
23 See Article 31 of the Proposed Bill.
24 See Article 30 of the Proposed Bill.

Brigard Urrutia contributors - Sergio Michelsen, Andrés Fernández, and Nicolás Albornoz.

[View source.]