Africa Does Not Need Europe's AI Laws — It Needs Its Own

The EU AI Act was built for mature digital markets with well-resourced regulators. Transplanting it to a continent defined by thin institutional capacity and informal data flows is not governance.

Sign up for my Substack daily AI newsletter here.

See my AI Training course portfolio for corporate Business Leaders here.

Article link: https://open.substack.com/pub/johanosteyn/p/africa-does-not-need-europes-ai-laws?r=73gqa&utm_campaign=post&utm_medium=web&showWelcomeOnShare=true

Follow me on LinkedIn: https://www.linkedin.com/in/johanosteyn/

Mauritius adopted the first national AI strategy on the African continent in 2018. Since then, over a dozen African states have followed with their own national AI policies of varying ambition and specificity. Kenya and Ethiopia have tabled draft AI laws. Morocco, Egypt, and Nigeria are actively considering AI legislation. The African Union has adopted a continental AI strategy. By any measure, the African policy response to artificial intelligence has been more active than the global conversation typically acknowledges — and in a narrower timeframe than the equivalent legislative cycles in Europe or the United States.

The dominant thread running through that response, however, is one that two technology law and policy scholars from the University of Leeds and Strathmore University identified in research published this week: African states are disproportionately adopting the European Union’s risk-based approach to AI regulation, transplanting a legal architecture built for a different institutional context into environments that differ from the EU in almost every material respect. Both Kenya’s and Ethiopia’s AI bills adopt the EU’s risk classification model, regulating AI systems based on the nature of risk they pose, banning those that present unacceptable risks and imposing requirements on those with lower risks. The concern is not that the EU’s approach is inherently wrong. It is that Africa keeps borrowing frameworks without asking whether they were built for the conditions Africa actually has.

Africa needs AI governance. The question is whether the governance it is building will protect the people it claims to serve, or add to the continent’s already significant collection of laws that exist but are not enforced.

CONTEXT AND BACKGROUND

The legal transplant pattern the researchers identify is not new in Africa’s approach to technology regulation. The first generation of data protection and cybercrime laws on the continent drew directly from European legal instruments — the Council of Europe’s Budapest Convention on Cybercrime and the EU’s data protection directives. The results have been mixed at best. Many African countries have enacted data protection legislation. Most have not installed functioning oversight bodies. Those who have frequently lack the resources and political mandate to enforce the laws they are meant to uphold. The enforcement gap is not an accident of poor drafting. It reflects a structural mismatch between the regulatory obligations those laws create and the institutional capacity available to fulfil them.

The AI governance moment is reproducing this pattern at speed, in a domain where the consequences of failed enforcement are considerably more serious. AI systems are already deployed across the continent in healthcare, social protection, policing, and credit assessment. Ethiopia has used AI-powered X-ray systems for tuberculosis screening. Rwanda has deployed AI in cervical cancer detection. These are applications with direct, life-altering consequences for people who have no meaningful ability to exercise the rights that European-style data protection and AI regulations nominally protect — because the oversight bodies that would enforce those rights either do not exist or lack the resources to act. In this environment, AI legislation modelled on the EU Act produces the same outcome as the data protection laws that preceded it: aspirational documents, unenforced obligations, and populations exposed to algorithmic systems whose errors have no accountability mechanism.

South Africa’s experience makes the implementation problem concrete in a way that should concentrate minds across the continent. The country’s Draft National AI Policy, approved by Cabinet in March 2026 and gazetted for public comment in April, was withdrawn weeks later after News24 established that at least six of its 67 academic citations were AI-generated fabrications. The country that had produced the most developed AI policy framework on the continent, proposing an AI Ombudsperson, an Ethics Board, a risk-tiered governance framework modelled explicitly on international best practice, and an AI Insurance Superfund, is now without any framework at the moment it needs one most. The lesson is not that South Africa failed to copy Europe adequately. It is that a governance document built without institutional literacy about AI’s failure modes cannot govern AI’s failure modes.

INSIGHT AND ANALYSIS

The case for Africa developing its own approach to AI governance rather than borrowing Europe’s begins with four questions that the EU AI Act was not designed to answer, because the EU did not need to ask them.

The first is who controls the data. Large technology companies headquartered in the United States, China, and Europe collect and process vast amounts of data generated by African users, frequently under terms of service that most users neither read nor meaningfully consent to, with limited accountability to African regulators. The EU AI Act addresses risk classification of AI systems. It does not adequately address the prior question of who owns the training data those systems depend on, where it flows, and what recourse African governments and citizens have when it is misused. For a continent generating significant behavioural, health, and financial data that is being processed outside its borders by companies not accountable to its regulatory authorities, that prior question is the governance question.

The second is who bears the harm. AI-powered content moderation systems perform poorly in African languages and local contexts. This means that misinformation, hate speech, and coordinated manipulation circulating in Swahili, Amharic, Zulu, and Yoruba are less likely to be caught and removed than equivalent content in English or German. The communities least served by AI safety systems are the most exposed to AI-enabled harms. European risk classification frameworks address this in principle. They do not address the specific technical reality of continental multilingualism — 2,000 languages, most of them underrepresented in the training data of the systems being deployed across the continent.

The third is who benefits when governments deploy AI. AI systems are being used in African public services — in social protection programmes, in policing, in public health — with limited transparency about how those systems make decisions, limited recourse for people adversely affected, and limited ability for the regulatory bodies that theoretically oversee them to audit the systems or challenge their outputs. European AI regulation was designed for contexts where civil society organisations, legal aid systems, and judicial oversight mechanisms provide a corrective check on algorithmic decision-making. Those mechanisms exist unevenly across the continent.

The fourth is what enforcement capacity actually exists. The EU AI Act was designed for a regulatory environment in which member states have established data protection authorities, technical expertise in AI evaluation, financial resources adequate to the compliance burden the legislation creates, and legal systems capable of adjudicating complex technology disputes. Kenya’s AI Bill creates an AI Commissioner and an AI Advisory Committee. The resources those bodies will have, the technical expertise they will command, and the political independence they will enjoy are questions the legislation does not answer — because answering them honestly would require acknowledging that the regulatory infrastructure the law assumes does not yet exist.

I have previously written about the broader question of what AI governance is for and who it is designed to serve — examining whether the frameworks being produced across the global governance landscape address the distributional question of who captures AI’s gains and who bears its costs, or whether they produce the appearance of governance without its substance.

The African AI governance problem is a specific and acute version of that broader question. The frameworks being transplanted from Europe are not designed to answer it. Africa’s own frameworks must be.

IMPLICATIONS

The researchers’ recommendation that policymakers should consider a moratorium on high-risk AI in sensitive domains until contextualised regulatory frameworks are in place deserves more engagement than it will likely receive. The instinct among policymakers, development partners, and technology companies operating on the continent will be to resist any pause in AI deployment, because AI’s potential contributions to African healthcare, agriculture, education, and economic development are real and significant. But the moratorium argument is not a claim that AI should not be used in African healthcare. It is a claim that using AI in healthcare without the governance frameworks to catch, attribute, and remediate its failures in low-resource, high-stakes settings is not the same as using AI safely.

For boards and executives operating in African markets, the AI governance question has a direct commercial and reputational dimension. The organisations deploying AI systems in African markets — in financial services, in healthcare, in telecommunications, in logistics — are operating in regulatory environments that are in transition, under pressure to produce governance frameworks, and likely to produce those frameworks by borrowing from models that were not designed for their contexts. The gap between what those frameworks nominally require and what the institutional environment can actually enforce creates both a compliance complexity and a governance risk. The organisations that assess that gap honestly, build internal oversight mechanisms proportionate to the actual risk their systems create, and engage with the communities whose data their systems process will be better positioned than those that wait for a regulatory instrument to define their obligations for them.

The researchers are precise about what genuine African AI governance requires: an honest reckoning with what AI is actually doing on the continent — how it is being deployed by technology companies, how misinformation spreads, how it is used in public services, who controls the data, who bears the harms, and whose interests remain unprotected. That reckoning requires African researchers, African civil society organisations, African regulatory bodies, and African business leaders to be the primary authors of the answer. It cannot be outsourced to Brussels.

CLOSING TAKEAWAY

The EU AI Act is the most comprehensive AI governance framework the world has produced. It is also a framework built for Europe — for European institutions, European enforcement capacity, European judicial systems, and populations whose digital literacy, consumer rights awareness, and ability to exercise legal remedies reflect decades of European investment in civic and regulatory infrastructure. Transplanting it to contexts that share none of those conditions does not import European governance. It imports European formatting around an African implementation vacuum.

Africa does not need to reject European AI governance. It needs to interrogate it — to understand what it was built for, what problems it was designed to solve, and what problems it was never asked to address. The frameworks that follow from that interrogation will look different from the EU AI Act. They should.

The continent they are meant to govern is different. The people they are meant to protect face different risks, exercise different rights, and depend on different institutional architectures. An AI governance framework that does not reflect those differences does not protect them. It performs their protection — and on a continent where that distinction has already been demonstrated once, in a Cabinet-approved policy document built on citations that did not exist, the performance is no longer sufficient.

Johan Steyn is a prominent AI thought leader, speaker, and author with a deep understanding of artificial intelligence’s impact on business and society. He is passionate about ethical AI development and its role in shaping a better future. Find out more about Johan’s work at https://www.aiforbusiness.net