Licentium

AI Regulation Hub

Peru

Peru has a national AI framework: Law No. 31814 and its 2025 implementing regulation (Supreme Decree No. 115-2025-PCM). It classifies AI uses by risk into non-permitted, high-risk and acceptable AI, with concrete duties for public and private operators.

Key provisions

Risk classification (non-permitted / high-risk / acceptable)

In force

Risk-based scope: non-permitted AI is banned; high-risk AI carries strict duties; other AI uses must comply with Peru's AI principles.

Non-permitted AI

In force

Subliminal manipulation, exploitation of vulnerabilities, autonomous lethal weapons without human supervision, mass surveillance without legal basis, biometric inference of sensitive characteristics, real-time biometric ID in public spaces (with limited exceptions), and criminal-behaviour prediction based on profiling.

High-risk AI

In force

AI used in critical national assets and essential services (energy, water, health, transport, telecoms, banking); certain education evaluations of minors; employment selection or evaluation; access to social programmes; credit evaluation; healthcare access / triage; suggested clinical diagnosis with significant impact; workplace or education emotion inference (limited exceptions).

Public-sector AI duties

In force

Adopt institutional AI policies; strengthen digital skills; use recognised AI management standards; create multidisciplinary teams; share high-value public data; publish source code of publicly-funded AI on the national public software platform; ensure human supervision for high-risk AI in health, education, justice, finance, basic services and social programmes.

Private-sector AI duties (high-risk)

In force

Maintain updated records on system functioning, data sources, algorithmic logic and impacts. Adopt internal policies on security, privacy, transparency and accountability. Train staff. Ensure human supervision where high-risk AI may affect fundamental rights.

Transparency for affected persons

In force

Users affected by high-risk AI must receive prior, clear and simple information about the system's purpose, operation and decisions. Products / services / content generated with AI must be visibly labelled where required. Where AI affects human rights, the affected person must be offered an understandable explanation.

Data-protection compliance

In force

AI systems must comply with Peru's personal-data rules: minimise sensitive data, security by design, lawful basis for processing.

Detailed overview

Peru has enacted a national AI framework through Law No. 31814, which promotes the use of artificial intelligence for economic and social development, and through its 2025 implementing regulation approved by Supreme Decree No. 115-2025-PCM. Peru is therefore one of the Latin American jurisdictions with a specific AI legal framework.

Risk-based scope

Peru's AI framework is based on safe, responsible, ethical, transparent, sustainable and inclusive AI use. It recognises that AI may create benefits, but also risks to fundamental rights, privacy, equality, security and human oversight. The regulation classifies AI uses by risk and distinguishes between non-permitted AI, high-risk AI and acceptable AI.

Non-permitted AI includes AI systems that manipulate or deceive people through subliminal techniques or exploitation of vulnerabilities, autonomous lethal weapons without human supervision, mass surveillance without legal basis or with disproportionate effects on rights, biometric systems that infer sensitive characteristics such as ethnic origin, religion, political opinions or sexual orientation, real-time biometric identification in public spaces except in specific lawful cases, and systems that predict criminal behaviour based on profiling, traits or personal characteristics.

High-risk AI includes AI used in critical national assets and essential services, such as energy, water, health, transport, telecommunications and banking. It also includes AI used in certain educational evaluation processes involving children and adolescents, employment selection or evaluation, access to social programmes, credit evaluation, healthcare access or triage, suggested clinical diagnosis with significant impact, and emotion inference in the workplace or education except in limited medical or safety contexts.

AI uses outside the prohibited and high-risk categories may generally be considered acceptable if they comply with Peru's AI principles. These include safety, non-discrimination, privacy, copyright, accountability, human supervision, ethics and transparency.

Public-sector duties

Public entities must adopt institutional policies for safe, responsible and ethical AI use. They must strengthen digital skills, use recognised AI management standards, create multidisciplinary teams, share high-value public data where appropriate, include AI projects in digital-government planning, and publish the source code of AI systems developed with public funds on the national public software platform.

Public entities must also ensure human supervision for high-risk AI systems in areas such as health, education, justice, finance, basic services and social programmes. They must apply security measures, risk management, privacy by design, security audits, incident management and high-risk impact assessments to identify and minimise risks.

Private-sector duties

Private entities using high-risk AI must maintain updated records about system functioning, data sources, algorithmic logic and social or ethical impacts. They must adopt internal policies and protocols on security, privacy, transparency and accountability, train staff on AI risks and ethics, and ensure human supervision where high-risk AI may affect fundamental rights in areas such as health, education, justice, finance and essential services.

Transparency and data protection

Transparency is a central requirement. Users affected by high-risk AI must receive prior, clear and simple information about the system's purpose, operation and decisions it may make. Products, services or content generated with AI must be visibly labelled where required. Where AI affects human rights, the affected person must be offered an understandable explanation of the criteria or factors that influenced the result.

AI systems must also comply with Peru's personal-data rules. This includes minimising sensitive data, applying security by design, avoiding privacy-invasive processing and ensuring a lawful basis for processing, such as consent, public competence or another legal ground.

Penalties

Peru's AI framework creates concrete governance and transparency obligations, but penalties may depend on the specific breached regime. AI-related violations may be enforced through the AI regulation, data-protection law, consumer law, public-sector rules, civil liability, criminal law or sector-specific regulation depending on the facts.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started