Mapping neurotech governance

Neurotechnology is evolving rapidly

Neurotechnology is evolving rapidly^[1], with applications ranging from clinical treatments for neurological disorders to consumer tools for wellness, productivity, and entertainment. Devices on the market today span from invasive brain implants, to wearables that read and interpret the electrical activity of the brain. Some are certified as medical devices, while others are marketed as lifestyle products, and others still focus solely on data analytics and services.

These technologies offer exciting potential to enhance health, cognition, and quality of life, but they also raise complex risks, including intrusions on data privacy, unintended cognitive effects, and the erosion of mental autonomy and agency. As the market grows and the capabilities advance, so too does the urgency of establishing clear and cohesive governance frameworks that ensure neurotechnology is developed and used in ways that are ethical, equitable, and respectful of fundamental rights.

The challenges of governing neurotechnology in the EU

Governing neurotechnology in the EU is inherently complex. In line with the EU’s broader approach to emerging technologies, neurotechnology is not governed by a single dedicated framework but rather by a patchwork of cross-cutting regulations that address different sectoral aspects, such as data privacy, product safety, clinical validation, marketing, and consumer protection. Adding to this complexity, neurotechnology is a highly convergent field with diverse applications across multiple domains—healthcare, consumer products, employment, digital services, and beyond—each falling under distinct policy areas.

To help navigate this fragmented landscape, CFG has developed an interactive map that provides a clear and accessible overview of the regulatory environment as it currently applies to all types of neurotechnologies.

The tool distils and visualises key governance frameworks, highlighting their relevance for neurotech. The map focuses on the EU (on the right side of the map), covering each of the major frameworks that apply to neurotechnology. It also includes selected Member States, key international agreements, and examples from other jurisdictions that have already taken more concrete or specific steps to govern neurotechnology (on the left side of the map).

For each law, recommendation, or policy instrument, the map includes extracts of key provisions along with a concise analysis of its main strengths and potential gaps. This work builds on existing legal scholarship—citing sources where appropriate—and has been reviewed by leading legal experts in the field.

Aims of this interactive map

This interactive map is intended to inform ongoing research into the governance challenges surrounding neurotechnology, as well as serve as a starting point for identifying opportunities for international cooperation. It is designed as a living, dynamic tool that will be regularly updated to reflect changes in the regulatory landscape, emerging scholarship, and user feedback—which we actively welcome and encourage. While we have aimed to provide as comprehensive and accessible an overview as possible, some trade-offs were necessary, and it is entirely possible that important elements may have been missed. To give us feedback on this tool, please contact: neurotechnology@cfg.eu.

DISCLAIMER: Please note that this tool is not designed for regulatory compliance, though it can serve as a starting point for stakeholders exploring this space.

At a glance

The EU has a diverse regulatory toolkit to address neurotechnology, from privacy and data protection to safety and AI-related risks. However, the landscape remains fragmented and largely indirect, with almost no neuro-specific rules. The AI Act is the first (outside the Medical Devices Regulation) to explicitly reference neurotechnology, noting the potential of brain-machine interfaces to be used for manipulative techniques (Recital 29). Most protections rely on the interpretation of tech-neutral frameworks applied to specific neurotech use cases.

Non-binding elements such as recitals, declarations, and advisory opinions also play an important role, frequently reinforcing values like privacy, freedom, and individual integrity. While not directly enforceable, they strongly influence judicial interpretation, meaning that infringements on these principles are likely to be viewed unfavourably by courts even when regulations are ambiguous.

Differences in definitions across frameworks require close attention. Neural data sits at the intersection of several frameworks: under GDPR its classification may be debated, while under the AI Act it would almost certainly be treated as biometric data, triggering the highest protections. Persistent gaps remain however, especially for consumer neurotech, where current laws struggle with issues like the blurred line between wellness tools and medical devices.

Recently there has been a surge of horizontal data and cybersecurity regulations—eight in this mapping were adopted since 2022, compared to just two before then— reflecting political concern over connected digital products. However, enforcement practices^[2] are still in their infancy, and several laws are not yet in force. Adding to the uncertainty, the EU faces political pressure^[3] from across the Atlantic to scale back its digital regulatory agenda, raising questions about future enforcement—and even the survival—of some of these frameworks.

Globally, neurotechnology governance is uneven. Latin America is leading on neuro-specific rules: Chile has enshrined neurorights in its constitution, while Mexico and Brazil are pursuing similar bills. In the United States, several states—such as California, Colorado, and soon Minnesota—have explicitly included neural data in their privacy laws,. At the U.S. federal level, a bill was recently introduced,  – the MIND Act[4], – that would direct the Federal Trade Commission to investigate legislation to protect neural data. China^[5], India^[6], and African nations^[7] regulate neurotech only  through broader digital or health laws.^[a][b][c]

This uneven picture positions the EU as a global leader in overall neurotech governance, thanks to its comprehensive, tech-neutral frameworks, while countries in the Americas such as Chile and the USA  are leading the way on neuro-specific legislation and first-of-their-kind constitutional reforms.

Methodology

Phase 1: Identifying Relevant Regulations

We began by compiling a list of potentially relevant regulations. Our previous collaboration^[8] with the Institute of Neuroethics as well as the OECD Neurotechnology Toolkit provided an initial foundation. We also did a literature review of existing broad regulatory analyses relevant to neurotechnology, such as the Legal Analysis by TechEthos^[9] on neurotechnology.

Building on this, we conducted a broader scan of recent and upcoming EU legislation, identifying additional governance frameworks with possible relevance to neurotechnology, such as the General Product Safety Regulation, the European Health Data Space, and the Cyber Resilience Act.

Phase 2: Detailed analysis & review

Each regulation was reviewed article by article to assess its possible implications for neurotechnology. This process involved cross-disciplinary validation between CFG colleagues. Articles of potential interest were systematically reviewed and checked against analysis in existing scholarly literature, and any uncertain cases discussed and resolved collaboratively.

Phase 3: Standardisation and visualisation

Analysis for each framework was developed, including: (1) Introduction, (2) Key takeaways for neurotechnology, (3) Selected Relevant Articles (max 10), (4) Conclusions and analysis.

For the European Union, we further clustered governance frameworks according to the following categories: Civil society, Structural / fundamental, Data governance, Cybersecurity, Health, Consumer protection.

Frameworks appear per category in order according to when they were adopted.

Each framework is colour-coded according to whether it is legally-binding (orange) or not (green). The findings were visualised using Mindomo.com.

Phase 4: Review

We circulated the draft product to our network of legal and academic experts for review. We thank in particular Dr Marietje Botes (University of Texas), and Halid Kayhan (KU Leuven Center for IT & IP Law) for their detailed comments and input. As the tool is a living product, we invite further feedback from any knowledgeable parties: neurotechnology@cfg.eu.

Endnotes