Peru has approved detailed rules to implement its national artificial intelligence (AI) law, setting a phased, risk-based framework for how AI is developed and used across the public and private sectors. The decree, published in Lima as Supreme Decree No. 115-2025-PCM, issues the Regulation of Law No. 31814, which promotes AI for economic and social development while safeguarding fundamental rights. Signed by President Dina Boluarte and countersigned by the prime minister and ministers of education, production, and justice (acting), the measure takes effect 90 business days after publication, with several provisions entering into force the following day.
The regulation designates the Presidency of the Council of Ministers, through the Secretariat of Government and Digital Transformation (SGTD), as the national technical authority for AI. SGTD will steer policy, issue binding guidance, supervise compliance, and act as Peru’s national contact point, reporting annually to Congress on AI and digital transformation progress. Governance is built around existing digital institutions and new instruments, including a National Center for Digital Innovation and AI, a national data center, a digital security center, and a government innovation lab. SGTD is also empowered to run a controlled testing environment—or sandbox—to pilot AI systems, with particular support for startups and SMEs.
A core feature is a three-tiered risk approach. “Improper use” of AI—such as manipulative behavioral techniques, unlawful mass surveillance, real-time biometric categorization in public spaces (with narrow exceptions), inference of sensitive traits from biometrics, and criminal-propensity prediction—is explicitly prohibited. High-risk applications include AI used in critical infrastructure, employment decisions, access to social programs, credit scoring, and key health and education functions. These systems require human oversight, transparency, and documented risk assessments before deployment.
Transparency obligations include clear pre-use disclosures about an AI system’s purpose and capabilities, visible labeling where relevant, and explanations when automated outputs affect rights. Privacy compliance must align with Peru’s data protection regime. Ethics provisions call for multidisciplinary teams, bias mitigation, and attention to social and environmental impacts.
Public bodies face specific duties: adopting an institutional AI policy, building multidisciplinary teams, strengthening staff skills, sharing high-value datasets through the national data center, and—critically—using the newly adopted NTP-ISO/IEC 42001:2025 AI management system standard. Publicly funded AI code must be published under open licenses on Peru’s national software platform. SGTD will monitor for prohibited and high-risk uses, coordinate incident response, and channel citizen alerts through a new AI portal.
Implementation is staggered: central powers have one year to comply with key transparency and oversight provisions, with longer timelines for regional and local governments and sector-based schedules for private entities. The decree also repeals a 2007 resolution mandating the legacy ISO/IEC 17799 information-security standard, replacing it with updated national norms.
Need Help?
If you have questions or concerns about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
