Last reviewed
Jun 3, 2026
Sources
9 citations
Review status
Source-backed
Revision
v1 · 1,856 words
Add missing citations, update stale details, or suggest a clearer explanation.
The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225) is the first international legally binding treaty devoted specifically to artificial intelligence. It was adopted by the Council of Europe Committee of Ministers on 17 May 2024 and opened for signature in Vilnius, Lithuania, on 5 September 2024.[1][2] Rather than regulating any particular technology, the Convention applies existing human-rights, democracy and rule-of-law obligations to activities across the life cycle of AI systems. On 15 May 2026 the European Union became the first party to ratify it, a notable milestone even though the treaty has not yet entered into force.[3][4]
The Convention sits alongside the EU AI Act as one of the two major legal instruments shaping AI governance in Europe, but the two are different in kind. The AI Act is detailed, binding product-safety legislation for the EU internal market. The Convention is a treaty open to states around the world that sets a human-rights baseline and leaves implementation to each party's own law.
Work began in 2019, when the Council of Europe set up an ad hoc Committee on Artificial Intelligence (CAHAI) to study whether such an instrument was feasible. In 2022 it was succeeded by the Committee on Artificial Intelligence (CAI), which drafted and negotiated the final text.[2] The negotiating table was unusually broad for a Council of Europe treaty. The 46 member states took part alongside the European Union and eleven non-member states: Argentina, Australia, Canada, Costa Rica, the Holy See, Israel, Japan, Mexico, Peru, the United States and Uruguay. In keeping with the organisation's multi-stakeholder practice, 68 representatives from civil society, academia and industry contributed as observers.[2][5]
A deliberate design choice runs through the whole text: it is technology-neutral. The drafters did not want to name specific systems or techniques that would date quickly. The aim, in the Council of Europe's words, was to "stand the test of time" by filling legal gaps left by rapid technological change rather than by chasing the technology itself.[1] When the Convention was adopted, Secretary General Marija Pejcinovic Buric described it as "a first-of-its-kind, global treaty that will ensure that Artificial Intelligence upholds people's rights."[5]
Parties commit to ensuring that activities within the life cycle of AI systems comply with seven fundamental principles:[1]
Beyond the principles, the treaty requires remedies and procedural safeguards. Parties must document information about AI systems so that affected people can challenge a decision made through, or substantially based on, such a system, and challenge the use of the system itself. People must be able to lodge a complaint with a competent authority, and they must be told when they are interacting with an AI system rather than a human being.[1] On the management side, parties have to carry out iterative risk and impact assessments covering effects on human rights, democracy and the rule of law, put prevention and mitigation measures in place, and retain the option of banning or imposing moratoria on certain uses, the so-called "red lines."[1]
Scope is where the Convention gets politically delicate. It covers the use of AI by public authorities, including private actors acting on their behalf, and by private actors generally. But it gives parties two ways to meet their obligations toward the private sector. A party can either be directly bound by the relevant provisions, or it can take other measures that comply with the treaty while respecting its international human-rights obligations.[1] The Council of Europe presents this two-track option as a necessary accommodation of very different legal systems around the world.[5] Two carve-outs also apply. Parties are not required to apply the treaty to national-security activities, though those activities must still respect international law and democratic institutions. National defence falls outside the treaty entirely, as does research and development, except where the testing of AI systems could interfere with rights, democracy or the rule of law.[1]
Compliance is overseen by a follow-up mechanism, the Conference of the Parties, made up of official representatives of the parties. It assesses how far provisions are being implemented and can issue findings and recommendations, and it may hold public hearings with stakeholders.[1] This is a lighter touch than the EU's enforcement machinery, with no power to fine and no court attached.
It is easy to conflate the Convention with the EU AI Act, because both use a risk-based approach and both come out of Europe at roughly the same moment. They are not substitutes. The AI Act, Regulation (EU) 2024/1689, was adopted on 13 June 2024 and entered into force on 2 August 2024. It is comprehensive, directly applicable legislation that imposes binding requirements on data governance, technical documentation, human oversight, robustness, cybersecurity, transparency and post-market monitoring for high-risk systems, and it prohibits a defined set of unacceptable practices.[4]
The Convention, by contrast, is an international treaty that restates human-rights obligations and leaves the detail to each party. The European Parliament's own assessment put it plainly: the Convention "operates as an international baseline, while the AI Act and the wider Union acquis already set a higher, more detailed level of protection and harmonisation within the internal market."[4] Article 22 of the Convention expressly allows parties to grant wider protection than it requires.[4] In practice the EU intends to satisfy the treaty through laws it already has, chiefly the AI Act, the GDPR, and its non-discrimination rules. The Parliament singled out the Fundamental Rights Impact Assessment in the AI Act as a direct bridge to the Convention's emphasis on ex ante risk management.[4] The Convention also drew on a wider body of international work during drafting, including the OECD AI principles, the UNESCO Recommendation on the Ethics of Artificial Intelligence, and the G7 Hiroshima AI Process.[4]
The European Commission signed the Convention on behalf of the EU on the opening day, 5 September 2024, following Council Decision (EU) 2024/2218 of 28 August 2024.[4][6] Signature alone does not bind a party; ratification does. For the EU, that required the consent of the European Parliament. On 11 March 2026 the Parliament gave that consent, on the basis of a recommendation by its Internal Market (IMCO) and Civil Liberties (LIBE) committees, with co-rapporteurs Jose Cepeda and Paulo Cunha.[4] The EU then deposited its instrument of ratification on 15 May 2026, at the 135th Session of the Committee of Ministers in Chisinau, Republic of Moldova.[3]
The treaty enters into force on the first day of the month following a three-month period after five signatories have ratified it, including at least three Council of Europe member states.[2] As of 3 June 2026 the EU was the only party to have ratified, against 19 signatures not yet followed by ratification.[7] Because the EU is an international organisation rather than a member state, its single ratification does not by itself count toward the three-member-state threshold, so several national ratifications are still needed before the Convention can take effect.
| Step | Date | Detail |
|---|---|---|
| Adopted by Committee of Ministers | 17 May 2024 | Strasbourg[5] |
| Opened for signature | 5 September 2024 | Vilnius; CETS No. 225[2] |
| EU AI Act enters into force | 2 August 2024 | Regulation (EU) 2024/1689[4] |
| European Parliament consent | 11 March 2026 | Plenary vote, recommendation A10-0007/2026[4] |
| EU ratification deposited | 15 May 2026 | 135th Committee of Ministers session, Chisinau[3] |
| Entry into force | Pending | Needs 5 ratifications, including 3 CoE member states[2][7] |
The signatory list reaches well beyond Europe. Early signatories on opening day included Andorra, Georgia, Iceland, Norway, Moldova, San Marino, the United Kingdom, Israel, the United States and the EU.[5] Canada and Japan signed in February 2025, with later signatures from Switzerland, Liechtenstein, Ukraine, Uruguay, Bosnia and Herzegovina, Armenia and North Macedonia.[7] Norway and Ukraine filed declarations on signature; Norway's stated that it would apply the Convention fully to private entities as well as public ones.[7][8] The treaty is open to accession by any country once it enters into force, which is why supporters describe it as having potentially global reach.
The Convention drew sustained criticism from civil society, much of it before adoption. In January 2024 a coalition of more than forty organisations, including ARTICLE 19, Access Now, AlgorithmWatch, the European Center for Not-for-Profit Law and the Center for AI and Digital Policy, published an open letter warning that some negotiating states were trying to leave private companies, "including Big Tech, out of scope," which would amount to "giving these companies a blank check rather than effectively protecting human rights."[8] The same letter called on negotiators to "unequivocally reject blanket exemptions regarding national security and defence."[8]
The final text kept both contested features, in softened form: the optional two-track approach to the private sector, and the national-security carve-out. After adoption, European Digital Rights (EDRi) wrote that there were "not many reasons to celebrate," pointing to the national-security exemption and to "imprecise language on States' obligations" that raised questions about legal certainty and enforceability.[9] Critics have also noted what the treaty leaves out, including explicit bans on uses such as untargeted mass surveillance and certain biometric applications, and the absence of health and the environment among its core principles.[9]
There is a quieter risk on the other side. The United States signed in September 2024 under the Biden administration, but Washington's posture on binding international AI commitments shifted afterward toward a more deregulatory, innovation-first stance, and the US had not ratified as of mid-2026.[7] Whether large non-European signatories follow through with ratification, and whether they choose the directly-binding track for the private sector or the looser alternative, will do much to determine how much the Convention actually constrains AI in practice.