The convergence of artificial intelligence and blockchain technology not only opens fascinating technical possibilities but also generates regulatory dilemmas for which existing legal frameworks were never designed. Decentralized AI systems, blockchain-based data verification, and AI-enhanced smart-contract governance are already a reality, yet the legal frameworks governing these hybrid systems remain at an embryonic stage. Understanding these intersections is essential for companies building at this technological crossroads. This text is informational in nature and does not replace individual legal advice.
What the Convergence of AI and Blockchain Entails
Before examining the regulatory questions, it is useful to map the key ways in which AI and blockchain intertwine in practice:
- AI for enhancing blockchain networks — machine learning is applied to optimise consensus algorithms, detect malicious actors, predict network congestion, and manage gas costs. This is a relatively “quiet” convergence with no dramatic regulatory implications.
- Blockchain for AI auditability — distributed ledgers are used to create an immutable record of data flows, model versions, and AI system decisions. This is a technological response to the problem of AI opacity and can be a valuable compliance tool under the AI Act (Regulation (EU) 2024/1689 on artificial intelligence).
- Decentralised AI (DeAI) — AI models that are trained, validated, and executed across a distributed network without a centralised operator. Projects such as Fetch.ai and SingularityNET are experimenting with this model, while related platforms such as Ocean Protocol (a decentralised data marketplace for AI) build infrastructure around it.
- AI in smart contracts — the embedding of AI logic into autonomously executable smart contracts that can independently react to market data, environmental conditions, or user behaviour.
- AI oracles — specialised intermediaries that bring information from the external world into the blockchain environment, using AI to verify, aggregate, and interpret that information.
The Jurisdictional Problem in Decentralised Systems
One of the fundamental regulatory questions is: who has jurisdiction over a decentralised AI system that recognises no geographical boundaries?
Under the AI Act, the rule is relatively clear when there is an identifiable operator or service provider established in the EU or targeting EU users — EU rules then apply to that entity. The problem arises when a system is genuinely decentralised: developers are anonymous or located in different jurisdictions, network validators are dispersed globally, and there is no single entity that could be regarded as the “operator” of the system within the meaning of the AI Act.
The EU’s current regulatory approach is to look for a “responsible actor” that can be designated as the duty-bearer. Where no such actor exists or can be identified, regulatory enforceability is limited in practice. This is one of the regulatory gaps being monitored and considered by the European Commission and the relevant AI governance bodies in the EU.
Data Privacy: GDPR and Blockchain Incompatibility
One of the deepest tensions at the AI-blockchain intersection is that between the GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) and the inherent characteristics of public blockchains:
- The GDPR guarantees the right to erasure (the right to be forgotten) — when a natural person requests the deletion of their data, the controller must be in a position to comply. A public blockchain, however, is by definition immutable — data once recorded cannot be deleted.
- The GDPR right to rectification of inaccurate data faces the same constraint.
- Difficulties also arise in identifying the data controller in decentralised networks — who is the “controller” responsible for respecting the rights of data subjects?
Two principal legal approaches are under consideration: first, all personal data is held off-chain, and only hash values (verifiable fingerprints) are recorded on the blockchain, which eliminates the immutability problem for personal data. The second approach is the use of permissioned blockchain solutions rather than public ones, where the set of participants is known and identified and where control and deletion mechanisms can be applied.
Both approaches involve trade-offs in terms of functionality, transparency, and decentralisation.
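The first approach can be sketched as follows. This is an added example, not code from the original text; `OffChainStore`, `commit`, `verify` and `guess_matches` are hypothetical names, a plain dict stands in for the append-only chain, and the sample record is constructed. It also goes one step beyond the plain hash mentioned above, as an assumption of this example: a bare hash of guessable personal data can be matched by hashing candidate values, so the commitment here is keyed with a secret per-record salt that is deleted together with the data.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; field names and values are illustrative only.
SAMPLE = b'{"subject": "u-1001", "email": "alice@example.org"}'

def commit(data, salt=b""):
    """Digest to anchor on-chain: plain SHA-256 if no salt, else HMAC-SHA-256."""
    if not salt:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(salt, data, hashlib.sha256).hexdigest()

class OffChainStore:
    """Mutable store holding personal data and its secret per-record salt."""
    def __init__(self):
        self.rows = {}

    def put(self, data):
        record_id = secrets.token_hex(16)   # opaque id, not derived from the data
        salt = secrets.token_bytes(32)      # stays off-chain
        self.rows[record_id] = (salt, data)
        return record_id, commit(data, salt)

    def erase(self, record_id):
        """Erasure request: drop the data and the salt together."""
        return self.rows.pop(record_id, None) is not None

def verify(store, ledger, record_id):
    """True if the off-chain record still matches its on-chain commitment."""
    row = store.rows.get(record_id)
    if row is None or record_id not in ledger:
        return False
    salt, data = row
    return hmac.compare_digest(commit(data, salt), ledger[record_id])

def guess_matches(anchored, guess):
    """What anyone can do with only the chain: hash a guessed record and compare."""
    return hmac.compare_digest(commit(guess), anchored)

def demo():
    store, ledger = OffChainStore(), {}     # dict stands in for the append-only chain
    rid, salted = store.put(SAMPLE)
    ledger[rid] = salted
    ledger["unsalted"] = commit(SAMPLE)     # the weaker variant, for comparison
    before = verify(store, ledger, rid)
    store.erase(rid)
    after = verify(store, ledger, rid)
    return before, after, guess_matches(ledger["unsalted"], SAMPLE), guess_matches(salted, SAMPLE)
```

After erasure the salted commitment remains on the ledger but can no longer be checked against any candidate record, while the unsalted digest still confirms a correct guess.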
The AI Act and Decentralised AI: Enforcement without an Identifiable Operator
The AI Act defines a “provider” as an entity that develops an AI system or places it on the market under its own name. For decentralised AI that has been developed anonymously by a community and runs on a distributed network, it is difficult to identify who would be the provider within the meaning of the Act.
Potential candidates for regulatory responsibility in such systems include:
- Front-end applications and interfaces that provide users with access to decentralised AI — these intermediaries are typically identifiable and may fall under AI Act obligations
- Tokenised governance structures that make key decisions about the system — a DAO (decentralised autonomous organisation) as a potential “provider”
- Validators and nodes that perform AI inferencing — although attributing responsibility here is also legally uncertain
This remains an active regulatory question without definitive answers as of the date of publication of this text, and more detailed guidance from the European Artificial Intelligence Board is expected.
Smart Contracts with AI Components: Who Is Liable
Smart contracts in themselves raise liability questions because, once deployed, they are difficult to modify and execute automatically. When an AI component is added — for example, dynamic pricing based on an ML (machine learning) model that changes over time — the question of liability becomes even more complex.
Relevant regulatory questions include:
- The classification of the AI component of a smart contract under the AI Act — does it constitute a high-risk system? If embedded in a financial smart contract, this is possible.
- Liability for code errors — who is responsible when a bug in a smart contract causes financial loss to users? In the absence of a centralised entity, litigation becomes extremely difficult.
- The regulatory treatment of automated financial decisions — MiFID II (Directive 2014/65/EU on markets in financial instruments) and MiCA (the EU’s Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114) require a certain degree of human oversight over financial transactions, which is directly in tension with the autonomy of smart contracts.
Data Verification and AI Oracles: A Regulatory Gap
AI oracles that bring external data into blockchain ecosystems (asset prices, meteorological data, sports results, etc.) play a critical infrastructural role in DeFi (decentralised finance) and blockchain-based smart contracts. However, they are almost invisible under current regulation.
Open questions include: Does an oracle providing financial prices qualify as a market data provider subject to MiFID II? Does AI that aggregates and filters data for an oracle function as a high-risk AI system? Who is liable for damage caused by manipulated or inaccurate oracle data that triggered automated financial transactions?
This is an area where regulation clearly lags behind technology and where legal uncertainty remains high.
Frequently Asked Questions (Q&A)
Are projects that combine AI and blockchain in the EU required to comply with the AI Act?
Where there is an identifiable provider or operator targeting EU users or established in the EU, the AI Act applies to the AI components of the system. The blockchain component as such is not subject to the AI Act, but AI functionalities integrated into blockchain systems are subject to regulation.
How does MiCA treat crypto projects that use AI for decision-making?
MiCA focuses on crypto-assets and services, not on technical implementation. CASPs (Crypto-Asset Service Providers — providers of services related to crypto-assets) that use AI in internal processes (e.g. for fraud detection or automated portfolio management) are subject to MiCA without specific AI-related provisions, but must also be aware of applicable AI Act requirements if those AI systems fall into high-risk categories.
Can blockchain resolve the problem of AI system transparency?
Blockchain can contribute to transparency by recording key data about an AI system (model version, input data for specific decisions, test results) in an immutable manner. However, blockchain itself does not resolve the problem of the intrinsic opacity of ML models — it merely reliably records what it is told to record, but cannot on its own explain the logic behind an AI decision.
Is there EU regulation specifically for decentralised AI systems?
As of the date of publication of this text, there is no EU regulation specifically designed for decentralised AI systems. The AI Act, however, applies directly to decentralised AI systems when they fall within its defined risk scope (high-risk AI systems or general-purpose AI models), while MiCA explicitly excludes fully decentralised systems without intermediaries from direct scope but applies to partially decentralised systems where an identifiable intermediary exists. Significant gaps remain; regulatory evolution in this domain is actively monitored, and supplementary guidance is expected.
Conclusion
The intersection of artificial intelligence and blockchain technology is a zone of high legal uncertainty that simultaneously offers the greatest innovative opportunities. Companies building at this crossroads must carefully examine the regulatory obligations applicable to each component of their system, not only to the system as a whole. In practice, the proactive identification of regulatory gaps and responsible entities, combined with documentation and architectural choices that facilitate compliance (such as off-chain storage of personal data), reduces regulatory risk.
Sources:
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj (AI Act, Regulation (EU) 2024/1689)
- https://eur-lex.europa.eu/eli/reg/2023/1114/oj (MiCA, Regulation (EU) 2023/1114)
- https://www.weforum.org/agenda/2023/11/ai-blockchain-synergy-unleashing-decentralized-intelligence/
- https://www.ibm.com/blogs/research/2023/07/ai-and-blockchain-synergy/
- https://www.brookings.edu/articles/the-interplay-of-blockchain-and-ai/