Embodied AI decoded #1: A global snapshot of the rules reshaping robotics and embodied AI
Introduction
AI is no longer confined to chatbots and software platforms. It now powers surgical assistants, warehouse co-workers, delivery drones and taxis that navigate city streets. As these systems move from the virtual to the physical world, the legal framework is shifting to meet them. Some jurisdictions are introducing comprehensive new statutes, while others are adapting existing rules. The result is an increasingly complex and fragmented regulatory landscape that shapes not only what embodied AI can do, but also how it must be designed, tested, documented and monitored over its lifecycle.
In this series of blog posts, we will be exploring the key legal considerations for companies developing and deploying embodied AI. In this first post, we outline some of the AI-specific laws applicable to embodied AI across several key jurisdictions.
The next post in this series will focus on product liability laws, including who bears the associated risks and how to manage them – so we won't cover those here.
What is embodied AI?
Embodied A is understood as AI that operates in a physical form – like robots, drones, autonomous vehicles and smart industrial machinery – as distinct from purely software-based AI such as chatbots or recommendation engines. These systems sense, move in, and interact with, the real world. This creates a distinct set of legal risks, including product safety obligations, real‑world incident and recall exposure, and heightened liability where physical harm or property damage is foreseeable.
Jurisdiction overview
The EU AI Act – the most comprehensive regime to date
The EU AI Act classifies AI systems by risk tiers, and various embodied AI applications will fall into the high-risk category – not because they are robotics per se, but because they are deployed in contexts where failure can have significant safety or fundamental rights implications. While the definition of what constitutes in-scope AI under the EU AI Act is very broad, whether the high-risk category is triggered depends on the function the system performs and the regulatory environment in which it operates.
For embodied AI, a high-risk classification can arise in two scenarios:
- Integration into regulated products: Where AI is embedded in products already subject to specific EU safety legislation (e.g. medical devices, machinery or vehicles), it is automatically drawn into the high-risk regime. In these cases, the EU AI Act effectively extends existing product safety rules to cover algorithmic decision-making, with compliance tied to established conformity assessment processes.
- Standalone high-risk use cases: Even outside product regulation, embodied AI will qualify as high-risk where it performs functions that can materially affect health, safety or fundamental rights. This is particularly relevant for systems that:
- make or inform decisions with real-world consequences (e.g. navigation, task execution or access control);
- operate in close proximity to or interaction with humans, especially where users may be vulnerable or unable to meaningfully supervise the system; or
- enable identification, tracking or behavioral inference in physical environments, raising acute privacy and surveillance concerns.
If an AI system falls into the high-risk category, this triggers extensive obligations, including ex ante conformity assessments, transparency obligations, and human oversight requirements.
Compliance deadlines are staggered and have recently been shifted as part of the European Commission’s Digital Omnibus on the EU AI Act. Under the updated schedule, key obligations for high-risk systems will apply from December 2027. As an exception, an even longer transition period applies until August 2028 where the high-risk AI system (i) is used as a safety component of a product, or the AI system is itself a product covered by certain EU harmonization legislation, and (ii) must undergo a third-party conformity assessment. While these shifted compliance deadlines grant AI manufacturers focusing on the EU market additional time, they are nevertheless required to assess whether their AI systems will fall under any of the high-risk categories and should closely follow the availability of standards, common specifications and highly anticipated guidelines clarifying specific aspects of the EU AI Act.
Even where an embodied AI system is not classified as high-risk, the EU AI Act may still apply – particularly through the rules on general-purpose AI models, which often form part of embodied AI stacks (e.g. perception, language or planning components). These rules, applicable since August 2025, impose obligations around documentation, transparency and (for advanced models) systemic risk mitigation.
Further, the EU AI Act includes transparency obligations for providers and users of AI systems interacting directly with natural persons or generating outputs, many of which take effect on 2 August 2026. As part of the European Commission’s Digital Omnibus, a grace period for providers of such AI systems placed on the market before 2 August 2026 has been introduced so that they have until 2 December 2026 to comply with certain transparency obligations relating to marking and detection.
Action: Map your embodied AI products against the EU risk tiers now and closely follow the publication of standards, specifications and guidelines – lead times for conformity assessment are significant.
US state laws – a patchwork with sharp edges
There is still no comprehensive federal AI statute. Instead, embodied AI is governed by sector-specific regulators (e.g. the Food and Drug Administration (FDA) for medical devices and the National Highway Traffic Safety Administration (NHTSA) for autonomous vehicles) layered over an accelerating wave of state legislation.
At the federal level, the current administration has taken a deregulatory approach, revoking earlier AI safety requirements and signaling an intent to preempt state AI laws – a December 2025 executive order, “Ensuring a National Policy Framework for Artificial Intelligence,” proposes to preempt state AI laws deemed inconsistent with federal policy, and the White House unveiled a national AI legislative framework in March 2026 – though no federal preemption has yet been enacted.
For embodied AI specifically, the NHTSA's Automated Vehicle (AV) Framework is the most significant federal development: the agency is proposing rulemakings to amend Federal Motor Vehicle Safety Standards written for human-driven vehicles, addressing vehicles with automated driving systems and no manual controls, and has granted an exemption permitting a robotaxi manufacturer to operate AVs without certain manual controls on public roads.
At state level, the landscape continues to shift. For example, Texas' Responsible AI Governance Act (TRAIGA) took effect on 1 January 2026; California's SB 53 (Transparency in Frontier AI Act) applies to large frontier model developers; Colorado repealed its first-in-the-nation 2024 AI Act and replaced it in May 2026 with an automated decision-making transparency regime applying from January 2027; and New York's RAISE Act takes effect in January 2027. California has also enacted numerous narrower AI laws (training-data transparency, AI content disclosure, healthcare communications), and new California Consumer Privacy Act regulations impose pre-use notice, opt-out and access obligations on businesses using automated decision-making technology for significant decisions about consumers.
Action: Don't assume US deployment is unregulated – conduct a state-by-state assessment for each deployment jurisdiction, and monitor the federal preemption push, which may reshape (but has not yet displaced) state obligations.
Asia-Pacific (APAC) – fast-moving and fragmented
China does not currently have an omnibus AI law. A national standard framework for embodied AI was adopted in February 2026 (but not made public), the press release for which states that the National Technical Committee on Cybersecurity of Standardization Administration of China (TC260) is working on specific industry standards to address safety, ethics and data security. Hangzhou city is also known to be developing a tiered classification system for embodied AI products and services applicable to the many companies operating in this important tech center in China.
In contrast, Vietnam and South Korea have introduced omnibus AI laws that follow the EU approach of risk-tiered obligations, both of which came into force earlier this year. Embodied AI applications in healthcare or critical infrastructure will likely fall under the “high-impact/ risk” regimes of these laws, subject to enhanced requirements including human oversight, ongoing risk assessment and transparency obligations, among other things. Vietnam additionally requires a conformity evaluation of high-risk systems, with results to be registered in the National AI Database. Requirements for non-high-impact/ risks AI systems are more relaxed, for which compliance with transparency and assessment measures remains voluntary. South Korea requires global tech companies providing high-impact AI services to appoint a domestic representative in Korea. Vietnam’s law requires providers of high-risk AI to maintain a local commercial presence.
Action: Map your embodied AI products against each target jurisdiction's requirements before deployment, given there is no single APAC standard. Local presence or registration obligations can apply even to foreign providers.
The UK – leaning on existing laws
The UK has not yet enacted a single AI statute. Instead, it relies on existing regulators – such as those responsible for data protection, healthcare, and financial services – to apply and adapt current legal frameworks to AI within their sectors (see our previous blog post). For embodied AI developers and deployers, this means obligations are scattered across multiple regimes: product safety and liability, data protection, workplace health and safety, medical device regulation, and sector-specific licensing requirements, among others.
The practical effect is not necessarily lighter regulation – it is just harder to map. There is no single checklist or conformity assessment equivalent to the EU AI Act's risk-tiered framework. Instead, companies must conduct a cross-cutting compliance analysis tailored to their specific use case, deployment environment, and sector. One notable exception is the Automated Vehicles Act 2024, which introduced a bespoke liability and safety framework for self-driving vehicles – a topic we will explore in detail later in this series.
The UK government has signaled that it may legislate if voluntary and regulator-led approaches prove insufficient, but for now the emphasis remains on flexibility and proportionality.
Action: Audit your compliance position across the full spectrum of applicable UK laws – the absence of a single AI act does not mean the absence of binding rules.
| Jurisdiction | Key AI-specific regulation relevant to embodied AI* | Status |
|---|---|---|
| EU | EU AI Act (Regulation (EU) 2024/1689), as recently amended by the EU Digital Omnibus | In force; phased application; high‑risk timelines shifted to December 2027 / August 2028; in force for general-purpose AI models; various transparency obligations take effect on 2 August 2026 and 2 December 2026 (as explained above) |
| US | Sector-specific (FDA, NHTSA, etc.) and State laws | Various |
| UK | No single law regulating AI. Sector-regulator model, and general laws where applicable | Ongoing |
| China | No unified AI act; Layered framework: municipal-level embodied AI robot regulation; national standards for humanoid robot and embodied AI | In force |
| Vietnam | Law on AI | In force |
| South Korea | Framework Act on the Development of Artificial Intelligence and Creation of a Trust Base (AI Basic Act) | In force |
*Other general laws may also be applicable (including data security and privacy laws).
Takeaways
The regulatory picture for embodied AI is complex, fast-moving, and varies significantly across jurisdictions. For companies operating across borders, these overlapping regimes demand a coordinated compliance strategy – and frameworks designed for software-only AI will not necessarily translate cleanly to systems that operate in the physical world.
Freshfields' cross-practice, cross-border AI team advises on the full spectrum of issues covered in this series. If you would like to discuss how these developments affect your business, please get in touch.
