African States Race to Legislate AI While Implementation Deficits Persist
Kenya and Ethiopia have tabled draft AI legislation modelled closely on the European Union’s risk-based regulatory framework, while Morocco, Egypt, and Nigeria are advancing similar proposals. The legislative momentum raises a precise governance question: can regulatory frameworks designed for mature digital economies with well-resourced oversight bodies function in institutional environments where preceding technology laws remain largely unenforced?
The answer, according to technology law and policy researchers studying AI governance initiatives across the continent, is that African states risk producing aspirational legislation that mirrors the implementation failures of earlier digital regulatory cycles, unless they ground AI governance in local institutional realities rather than European precedent.
The Implementation Deficit: A Structural Governance Problem
Africa’s digital regulatory record reveals a persistent gap between legislative output and enforcement capacity. Mauritius became the first African country to adopt a national AI strategy in 2018. Since then, over a dozen African states have published AI policy frameworks. Yet several governments that committed to responsible AI development have neither established nor funded the institutions those strategies required.
Data protection legislation offers the clearest diagnostic. Across West Africa and the broader continent, countries have enacted data protection laws that nominally align with international standards, but oversight bodies either do not exist or lack the human and financial resources to investigate complaints, audit data processors, or impose sanctions. Nigeria’s Data Protection Act (2023) established the Nigeria Data Protection Commission, but the agency remains in an early operational phase with limited enforcement precedent. Ghana’s Data Protection Commission, established under the Data Protection Act (2012), has operated for over a decade yet faces persistent resource constraints that restrict its regulatory reach.
Layering AI-specific legislation onto this foundation, without first resolving the institutional capacity deficit, risks compounding the problem. Laws that cannot be enforced do not protect rights; they signal regulatory intent while leaving individuals exposed to the harms the legislation nominally prohibits.
Europeanisation of African Law: The Risk-Based Model Under Scrutiny
Both Kenya’s AI Bill and Ethiopia’s draft AI legislation adopt the EU’s risk-based classification system, the same architecture embedded in the EU AI Act that entered into force in August 2024. Under this model, AI systems are categorised by risk level: those posing “unacceptable risks” are prohibited outright, while systems in lower-risk categories must meet defined compliance requirements covering transparency, data governance, and human oversight.
The transplantation of European legal standards into African regulatory contexts is not a new phenomenon. The first generation of African data protection and cybercrime laws drew directly from European instruments, particularly the EU’s General Data Protection Regulation (GDPR) and the Council of Europe’s Budapest Convention on Cybercrime. Researchers examining these earlier transplanting exercises have consistently found that they rarely incorporated local institutional contexts, enforcement realities, or the specific rights vulnerabilities of African populations.
The EU AI Act was calibrated for a regulatory environment with established data protection authorities, functioning judicial systems accustomed to technology disputes, and consumer populations with meaningful capacity to exercise legal rights. Transposing that framework into contexts defined by thin regulatory capacity, informal data flows, and limited digital literacy does not produce equivalent protections. It produces compliance obligations that large multinational technology companies can absorb while local actors, including African AI developers and public-sector deployers, face disproportionate regulatory burdens without corresponding enforcement infrastructure.
The concern is not that the EU’s risk-based approach is analytically flawed. It is that African policymakers are adopting it without asking whether it addresses the specific AI risks that African populations actually face.
What African AI Governance Must Actually Address
Researchers argue that effective AI legislation in Africa must be preceded by a concrete assessment of how AI systems are currently operating on the continent. Several structural questions define the governance challenge.
Data sovereignty and corporate accountability: Large technology companies headquartered in the United States, China, and Europe collect and process vast volumes of data generated by African users, frequently under terms of service that users neither read in full nor meaningfully consent to. African regulators have limited jurisdictional reach over these flows. AI legislation that does not address data sovereignty and cross-border accountability mechanisms will leave this structural asymmetry intact.
Public-sector AI deployment: Governments across the continent are integrating AI into social protection systems, policing, and public administration. Ethiopia and Rwanda have deployed AI tools in tuberculosis and cervical cancer screening programmes. These deployments are occurring in a regulatory vacuum, without mandatory impact assessments, independent audits, or redress mechanisms for individuals harmed by algorithmic errors.
Content moderation and linguistic exclusion: AI-powered content moderation systems perform poorly in African languages and local cultural contexts. This creates asymmetric harm: harmful content in major global languages is more likely to be detected and removed, while misinformation and hate speech in Swahili, Hausa, Amharic, or Wolof circulates with less friction. Regulation that does not address this structural bias will not protect the populations most exposed to it.
Accountability for algorithmic harm: When AI systems deployed in healthcare, credit scoring, or law enforcement produce errors, existing legal frameworks in most African jurisdictions provide no clear redress pathway. Identifying who bears legal responsibility, the technology developer, the government agency, or the private contractor, requires explicit statutory treatment that current draft legislation does not adequately resolve.
Regional Coordination and the ECOWAS Governance Dimension
West Africa’s AI governance challenge has a regional dimension that national legislation alone cannot resolve. ECOWAS has developed a Supplementary Act on Personal Data Protection (2010) that provides a regional data governance baseline for member states, but uptake and implementation have been uneven. A comparable regional instrument for AI governance does not yet exist.
The African Union’s AI strategy provides continental direction, but AU frameworks require domestic implementation to carry legal force. The divergence between national approaches, Kenya and Ethiopia moving toward EU-aligned legislation while West African states remain at earlier policy stages, creates regulatory fragmentation that complicates intra-African data flows and cross-border AI deployment under the AfCFTA digital trade agenda.
ECOWAS has both the institutional mandate and the precedent, through its data protection supplementary act, to develop a regional AI governance framework that reflects West African institutional realities rather than simply harmonising around EU standards. Doing so would require member states to fund the exercise adequately and commit to implementation, conditions that have historically been difficult to meet but remain structurally achievable.
Policy Pathways: Sequencing Regulation to Match Institutional Capacity
Technology law researchers propose a moratorium on the deployment of high-risk AI systems in sensitive public-sector domains, including healthcare diagnostics, predictive policing, and social benefit allocation, until minimum regulatory safeguards are in place. This is not a rejection of AI adoption; it is a sequencing argument. Deploying high-stakes AI systems before accountability mechanisms exist transfers risk entirely onto the populations those systems are meant to serve.
For Ghana and its West African peers, three institutional priorities follow from this analysis. First, existing digital regulatory bodies, data protection commissions, cybersecurity authorities, and telecommunications regulators, require adequate resourcing before new AI-specific agencies are created. Second, any AI legislation should include mandatory public-sector impact assessments and independent audit requirements as non-negotiable baseline obligations, not aspirational provisions. Third, ECOWAS member states should commission a regional AI risk assessment that maps actual deployment patterns, institutional capacity gaps, and population-level harms before adopting a harmonised legislative template.
Legislation that cannot be enforced does not govern AI. It documents the intention to govern it, which is a different and considerably weaker outcome.
