Current Regulatory Landscape for Artificial Intelligence in Israel
As of the date of this article, Israel has no dedicated comprehensive legislation addressing artificial intelligence regulation. The existing regulatory framework relies on general laws governing technology use and data processing. Key relevant legislation includes the Privacy Protection Law, 5741-1981 (as amended by Amendment 13), the Consumer Protection Law, 5741-1981, and the Prohibition of Defamation Law, 5725-1965.
The current situation creates significant challenges for companies operating in the AI space. Without clear definitions and dedicated regulation, companies must navigate legal obligations that were not specifically designed for AI technologies. This is particularly true for deep learning algorithms, natural language processing systems, and autonomous decision-making systems.
The Privacy Protection Authority has published preliminary guidance on AI, but these guidelines are not legally binding. Additionally, most oversight is conducted through publication of guidelines and reports, without clearly defined enforcement powers specifically for the AI domain.
Implications of Privacy Protection Law for AI System Development and Operation
Amendment 13 to the Privacy Protection Law, which came into effect in 2025, imposes new restrictions on personal data processing that are particularly relevant to AI systems. These restrictions include the requirement for informed consent for processing sensitive data, limitations on processing for purposes other than the original purpose, and mandatory reporting of security breaches.
For AI systems, the most problematic requirement relates to algorithmic transparency. The law requires companies to provide users with information about "the method of processing and use of personal data." For complex machine learning systems, there is a genuine technical difficulty in explaining how the algorithm works in simple terms.
- Requirement to collect separate consents for each type of AI processing
- Need to explain in clear language how the AI system uses data
- Mandatory appointment of a data protection officer for companies processing large amounts of data
- Data subjects' right to receive a copy of their data (data portability)
The practical difficulty is that AI systems often "learn" from data and create complex statistical models. It is extremely difficult to explain in simple language what happens "inside the black box" of a deep algorithm. In some cases, even the developers themselves cannot explain exactly how the algorithm reached a particular decision.
Disclosure and Transparency Obligations for Algorithmic Decision-Making Systems
One of the most complex challenges in AI regulation relates to transparency requirements. Even without dedicated legislation, Israeli courts have begun recognizing the public's right to know how decisions affecting them are made, especially when automated systems are involved.
The Privacy Protection Authority has published guidelines requiring companies to disclose "automated profiling" - systems that create profiles of individuals or make automated decisions about them. Disclosure requirements include:
- Notice of automated system existence - Companies must notify data subjects that decisions are being made about them through automated systems
- Explanation of decision logic - General description of the main factors influencing the decision
- Right to object - Opportunity for data subjects to request that decisions be made by humans rather than machines
In practice, these obligations create tension between the need for transparency and protection of intellectual property. Many companies argue that detailed disclosure of algorithms would harm the commercial value of their technology and allow competitors to copy their solutions.
Practical Challenges in Implementing Transparency Requirements
The technical reality is more complex than the legal framework. In many deep learning cases, the algorithm itself "discovered" correlations in data that its developers cannot explain. How can you explain a decision when even the experts aren't sure exactly how the algorithm works?
Practical solutions that companies implement include "approximate" explanations (such as "the decision was based primarily on financial history and purchasing behavior"), or developing simpler models that can be explained even if they are less accurate.
New Legislative Proposals: AI Policy and Algorithmic Security
Several bills are pending in the Knesset aimed at creating a comprehensive regulatory framework for artificial intelligence. The most advanced proposal is the "Artificial Intelligence and Algorithms Regulation Bill, 5785-2025," largely based on the European model (EU AI Act).
Key elements of the proposal include classification of AI systems by risk level:
- Minimal risk - Chatbots, simple recommendation systems, games. No special obligations beyond basic transparency
- Limited risk - Deepfakes, emotion recognition systems, bots attempting to impersonate humans. Clear disclosure requirements
- High risk - Credit scoring systems, employee recruitment, medical diagnosis, security systems. Strict requirements for testing, documentation, and auditing
- Unacceptable risk - Complete ban on certain systems such as social credit scoring or psychological manipulation
The significant innovation in the Israeli proposal is the emphasis on "algorithmic security." The proposal requires companies developing high-risk AI systems to undergo security risk assessments and obtain approval from the National Cyber Directorate.
Expected Timelines
According to estimates, the law may pass its first reading in the Knesset during the current session. If the law is approved, an adaptation period of 18-24 months is expected for existing companies, with immediate implementation for new systems.
It's important to note that additional bills are being promoted simultaneously, including amendments to the Privacy Protection Law specifically related to AI and additions to the Consumer Protection Law in the context of automated digital services.
Sector-Specific Regulations: Finance, Healthcare, and Education
Beyond general regulation, several sector-specific regulators in Israel have published specific guidelines and requirements for AI use. The sectoral approach allows better adaptation to the unique risks of each domain, but also creates complex regulatory complexity.
Banking and Insurance Supervision
The Bank of Israel has published detailed guidelines for using algorithms for credit purposes and risk assessment. The guiding principles include prohibition of discrimination in credit provision based on protected characteristics (such as gender, religion, or ethnic origin), requirement for detailed documentation of algorithmic decisions, and appeal options for customers.
The Capital Market, Insurance and Savings Authority has added requirements for insurance companies regarding the use of algorithms for pricing and underwriting policies. The main innovation is the obligation to conduct annual "algorithmic audits" by qualified external parties.
AI Regulation in Healthcare
The Ministry of Health has published a particularly cautious policy regarding AI use for diagnosis and treatment purposes. The policy distinguishes between "physician assistance tools" (requiring registration as medical device substitutes) and "independent diagnostic tools" (requiring lengthy and strict registration processes similar to new drug registration).
Requirements include:
- Proof of clinical efficacy through controlled trials
- Hospital ethics committee approval
- Mandatory reporting of every case of system "wrong decision"
- Maintaining the treating physician's final veto right
AI in Education: Ministry of Education Guidelines
The Ministry of Education addressed the challenge of increasing AI tool use by students and teachers. Current policy focuses on regulating educational use while protecting student privacy and promoting critical thinking skills.
Key guidelines include prohibition of systems processing minor data without explicit parental consent, mandatory disclosure when AI tools are used in preparing learning materials, and establishing transparent policy regarding AI use in tests and assignments.
Impact of GDPR, EU AI Act, and US Regulation on Israeli Companies
Israeli companies operating in international markets face the challenge of complying with foreign regulations while adapting to Israeli requirements. The complexity increases as more countries develop unique regulatory frameworks for artificial intelligence.
EU AI Act and Its Implications for the Israeli Market
The European Artificial Intelligence Act, gradually coming into effect from 2024, applies to any AI system used within the European Union - regardless of where it was developed. For Israeli companies exporting AI solutions to Europe, this means full compliance with European requirements.
The most burdensome requirements apply to "high-risk" systems including:
- Biometric systems for identifying or classifying people
- Systems for managing critical infrastructure (such as water, electricity, transportation)
- Systems for education or vocational training affecting access to education
- Systems for employee recruitment, management, and control
- Systems for assessing eligibility for essential services (credit, insurance, public assistance)
For these systems, requirements include comprehensive risk assessment, quality management system, detailed documentation of training data, transparency and user information, human oversight, and accurate and robust performance.
US Regulation: Executive Order and Federal Policy
The United States takes a different approach from Europe, emphasizing industry voluntariness and cooperation with regulators. President Biden's executive order on AI focuses on addressing security risks and human rights violations.
For Israeli companies working with the US government or large American companies, requirements include:
- Reporting for large AI systems above a certain computational power threshold
- Safety testing before releasing new models
- Sharing safety test results with the government
- Measuring and reporting dual-use risks - the possibility of use for security purposes
International Compliance Strategy
Israeli companies develop compliance strategies based on the strictest principle ("highest common denominator"). Instead of developing different systems for each market, many companies choose to meet the strictest standard among all markets in which they operate.
This approach simplifies development and operation but increases costs and imposes limitations on innovation. The alternative is modular development allowing adaptation to each market according to local requirements, but requiring a more complex product management system.
Practical Recommendations: How to Prepare for AI Regulation in Israel
In the absence of complete regulatory certainty, technology companies need to take a proactive approach and prepare for different regulatory scenarios. The recommended approach is building a flexible compliance infrastructure that can adapt to changing requirements.
Building Internal AI Governance Framework
The first step is establishing an internal governance framework for AI systems. This includes:
- Mapping all AI systems in the organization - Detailed registry of every algorithm, model, or automated system, including purpose of use, types of data processed, and level of autonomy
- Risk-based classification - Dividing systems into risk categories according to expected impact on users and the business
- Defining approval processes - Determining who needs to approve development, testing, and implementation of new AI systems
- Ongoing documentation - Creating records of decisions, considerations, and tests performed at every development stage
Implementing Transparency and Ethics Principles
Even without explicit legal obligation, it's recommended to develop internal policy for AI transparency and ethics:
- Fair and anti-bias policy - Ongoing testing to identify algorithmic biases, especially toward protected groups
- User explanations - Developing ability to explain algorithmic decisions in simple language, even if not currently required by law
- Human oversight - Ensuring there's always a person responsible for final decisions, especially on sensitive matters
- Right of appeal - Providing users opportunity to appeal automated decisions and receive human review
Preparing for Documentation and Reporting Requirements
Expected regulation will require much higher documentation levels than currently common in most companies. It's recommended to start documenting now:
- Data sources for model training and cleaning and processing methods
- Architectural decisions in AI systems and reasoning behind them
- Quality, accuracy, and fairness testing performed on systems
- Incidents of failures or unexpected system behavior
- Changes and updates to existing models
Preparing Integrated Legal and Technical Team
AI regulation compliance will require close cooperation between technical and legal teams. Recommended:
- Training legal team in basic technical AI issues
- Training developers and data engineers in privacy and regulatory matters
- Establishing mixed team capable of assessing legal implications of technical decisions
- Developing legal review processes before launching new products
The key to success is starting preparations now, while regulation is still forming, rather than waiting until the law is passed and takes effect. Companies that prepare in advance will be in a much better position when new requirements take effect, and can also influence regulatory design during public consultation phases.
The information contained in this article is general in nature and does not constitute legal advice. For advice tailored to the specific circumstances of your company, we invite you to contact our firm.
