The UAE has chosen a different path from the EU on AI regulation. Rather than a single horizontal AI statute, it operates a layered regime of federal data protection law, financial-free-zone-specific AI rules, sectoral regulators, and high-level ethical charters. For businesses building or deploying AI in the UAE, the practical effect is that compliance work requires mapping which regimes apply in which emirate or free zone. The same deployment can sit under different rules depending on whether it is onshore Dubai, in the DIFC financial free zone, in ADGM, or in Abu Dhabi onshore.
The most important compliance development for AI specifically arrived in late 2023 and reached full enforcement on 1 January 2026: DIFC's Regulation 10, the first AI-specific regulation in the wider Middle East, Africa, and South Asia (MEASA) region. Regulation 10 sits inside the DIFC Data Protection regime and imposes specific duties on entities that deploy autonomous or semi-autonomous systems processing personal data. Combined with the federal Personal Data Protection Law and the broader policy charters, this is what most UAE-facing AI compliance programmes need to address in 2026.
The UAE AI strategy and policy landscape
The UAE's institutional AI commitment dates to 2017, when it became the first country in the world to appoint a Minister of State for Artificial Intelligence (H.E. Omar Sultan Al Olama, currently Minister of State for AI, Digital Economy and Remote Work Applications). The UAE National Strategy for Artificial Intelligence 2031, originally launched in October 2017 and updated in 2023, sets the country's policy direction. It frames AI as both a productivity tool for government services and a strategic driver of economic diversification.
The strategy itself is policy guidance rather than enforceable law, but it shapes how UAE regulators interpret existing statutes and what new instruments they prioritise.
The UAE Charter for the Development and Use of AI (June 2024)
On 30 July 2024, the UAE AI Office published the UAE Charter for the Development and Use of Artificial Intelligence. The Charter is non-binding but functions as the country's authoritative ethical framework. It articulates 12 principles covering:
- Strengthening human-machine ties
- Safety
- Algorithmic bias mitigation
- Data privacy
- Transparency
- Human oversight
- Governance and accountability
- Technological excellence
- Human commitment
- Peaceful coexistence with AI
- Inclusive access
- Compliance with applicable laws and treaties
In September 2024, the UAE Cabinet supplemented the Charter with an International Policy on AI grounded in six principles (progress, collaboration, community, ethics, sustainability, safety), which positions the UAE's national AI objectives within an international cooperation frame. Both instruments are non-binding but inform sectoral rule-making and are commonly referenced in commercial contracts and procurement.
Key institutional bodies
Several entities shape AI policy and oversight in the UAE. Their roles overlap and the institutional map is best understood by jurisdiction.
The UAE AI Office (federal)
The UAE AI Office sits within the Ministry of State for AI, Digital Economy and Remote Work Applications and coordinates national AI policy, strategy, and the Charter. It does not issue binding fines under a horizontal AI statute (because there is no such statute), but it sets the policy context that other regulators reference.
The Artificial Intelligence and Advanced Technology Council (Abu Dhabi)
Abu Dhabi Law No. 3 of 2024, issued in January 2024, formally established the Artificial Intelligence and Advanced Technology Council (AIATC). The AIATC oversees AI and advanced technology projects, research, infrastructure, and investment within the Emirate of Abu Dhabi. It is the clearest example of an emirate-level AI council established by a binding legal instrument, and it sits at the centre of Abu Dhabi's positioning as an AI investment hub. The Mubadala-launched MGX investment company and the Mohamed bin Zayed University of Artificial Intelligence (MBZUAI) operate within this institutional context.
UAE Data Office (federal)
The UAE Data Office is the independent federal regulator responsible for overseeing the PDPL. It is the body that issues guidance, investigates breaches, and (where applicable) imposes administrative fines under the data protection regime. AI deployments that process personal data are subject to its supervision wherever the PDPL applies.
DIFC Commissioner of Data Protection
The DIFC Commissioner of Data Protection administers the DIFC Data Protection Law and the Data Protection Regulations, including Regulation 10 on AI. The Commissioner publishes guidance, reviews high-risk processing notifications, certifies AI systems, and operates the Regulation 10 Accelerator sandbox programme.
ADGM Office of Data Protection
ADGM operates its own data protection regime under the ADGM Data Protection Regulations 2021. It does not have a direct AI-specific equivalent to DIFC's Regulation 10, but the existing privacy-by-design and impact-assessment requirements still apply to AI systems within ADGM.
Sectoral regulators
The Telecommunications and Digital Government Regulatory Authority (TDRA), Central Bank of the UAE (CBUAE), Securities and Commodities Authority (SCA), Insurance Authority (now consolidated under the Central Bank), and Department of Health (Abu Dhabi and Dubai) all touch AI within their domains. Federal Decree-Law No. 6 of 2025 on the Central Bank, effective 16 September 2025, broadens CBUAE licensing to include open finance, virtual-asset payments, and technology-enabled services, embedding cybersecurity into primary legislation in ways that reach AI systems used by regulated financial entities.
The Federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021)
The UAE Personal Data Protection Law (PDPL) is the cornerstone of onshore privacy regulation, in force since 2 January 2022. It applies to controllers and processors established in the UAE, and extraterritorially to entities outside the UAE that process personal data of individuals residing in the UAE. The PDPL is principles-based and broadly aligned with GDPR concepts.
Core obligations relevant to AI
- Lawful basis for processing: consent is the default. Specific exceptions exist for public interest, legal obligations, contract performance, vital interests, archiving and statistical research, employment and social security obligations, and other narrow grounds.
- Sensitive personal data: heightened protection for data revealing family background, ethnicity, political or religious beliefs, criminal record, biometric data, health, genetics, or sexual life.
- Data subject rights: access, rectification, erasure, objection, restriction, portability, and the right to be informed about decisions made by automated processing.
- Data protection impact assessments (DPIAs): mandatory for high-risk processing, which most consequential AI deployments will trigger.
- Breach notification: required to the UAE Data Office and to affected data subjects in defined circumstances.
- International transfers: permitted to jurisdictions with adequate protection, or under approved mechanisms such as UAE-approved Standard Contractual Clauses.
Exemptions
The PDPL does not apply universally onshore. Exemptions include government data, security and judicial data, personal health data (covered by sector-specific health laws), and banking and credit data (covered by sectoral financial regulation). Companies in DIFC and ADGM follow their own data protection regimes rather than the federal PDPL.
Penalties
Administrative fines under the PDPL framework can reach significant amounts, with practitioners citing exposure of up to AED 20 million for severe violations. The exact penalty calculation depends on the executive regulations and the Data Office's enforcement decisions.
DIFC Regulation 10: the most important AI-specific instrument in the UAE
On 7 September 2023, the DIFC enacted amendments to its Data Protection Regulations, with Regulation 10 introducing specific obligations for entities deploying or operating autonomous or semi-autonomous systems (including AI and generative machine learning tools) that process personal data. Regulation 10 has been in effect since 1 September 2023 with full enforcement from January 2026.
Scope and definitions
Regulation 10 uses the broad term "System" rather than "AI" to capture any machine-based system operating autonomously or semi-autonomously that processes personal data and generates output. The framing is deliberately interoperable with OECD AI Principles, EU concepts, and other international frameworks.
Liability is allocated to the entities that authorise or benefit from the System and its outputs, since traditional "controller" and "processor" definitions do not always map cleanly onto AI deployments. Deployers (analogous to controllers) carry the primary obligations; operators (analogous to processors) carry secondary obligations.
Core duties under Regulation 10
- Notice: a clear and explicit notice at initial use or access, describing the underlying technology, human-defined purposes and limits, and the privacy implications of using the System.
- Design principles: Systems must be ethical, fair, transparent, secure, and accountable. Algorithms must be designed to avoid bias and to support intervention where decisions might be unfair or discriminatory.
- Mandatory DPIA: required for any AI System processing personal data, addressing risks specific to autonomous decision-making.
- High Risk Processing: where the AI System engages in High Risk Processing Activities, the deployer must satisfy additional requirements including audit and certification, human-defined or human-approved processing purposes, and the appointment of an Autonomous Systems Officer (ASO), a role analogous to a Data Protection Officer but specific to AI System oversight.
- Certification: AI Systems engaging in High Risk Processing must be certified under a scheme established by the DIFC Commissioner of Data Protection. Accreditation bodies approved by DIFC issue certifications.
- Notification to the Commissioner: required prior to deployment of many AI applications, particularly where High Risk Processing is involved.
The Regulation 10 Accelerator
DIFC has launched a Regulation 10 Accelerator programme, a sandbox where AI Systems can be tested against privacy-by-design principles and Regulation 10 requirements in a supervised environment. This is one of the more practical compliance support mechanisms available to AI developers in the region.
Other recent federal decrees relevant to AI
Federal Decree-Law No. 26 of 2025 on Child Digital Safety
Effective from 1 January 2026 with a one-year transition period (full compliance by 1 January 2027), the Child Digital Safety Law imposes strict obligations on digital platforms regarding users under 18. Mandatory age verification, active content filters, and parental controls are required. Behavioural profiling of children for marketing purposes is strictly prohibited, and penalties for violations involving minors are notably higher than general PDPL exposure. AI systems used in services likely to be accessed by minors must be designed against these obligations from the outset.
Federal Decree-Law No. 6 of 2025 (Central Bank Law)
Effective 16 September 2025, this consolidates regulation of banks, finance companies, payment service providers, insurers, and critical service providers under the CBUAE. It broadens licensing to include open finance, virtual-asset payments, and technology-enabled services. AI-driven financial services may now require Central Bank licensing depending on the activity, regardless of how the product is branded.
Federal Decree-Law No. 34 of 2021 (Cybercrimes Law)
The Cybercrimes Law remains relevant to AI use in the UAE, particularly for AI-generated misinformation, deepfakes, and impersonation. It imposes criminal liability for the misuse of online technologies and applies regardless of whether AI is involved in the underlying conduct.
Federal Decree-Law No. 25 of 2018 (Project of Future Nature)
This earlier law gives the Cabinet authority to grant interim licences and to establish licensing regimes for innovative projects (including AI-related ones) where no existing legislation governs the activity. It is one of the legal hooks that enables regulatory sandboxes and pilot programmes.
A practitioner's compliance plan for AI in the UAE
Step 1: Map jurisdictions for each AI deployment
For every AI system, identify which jurisdiction governs it: onshore UAE (PDPL and federal sectoral law), DIFC (DIFC DPL and Regulation 10), ADGM (ADGM Data Protection Regulations), or Abu Dhabi onshore (federal law plus AIATC oversight where applicable). The same product offered to customers in two of these jurisdictions is subject to two different legal regimes simultaneously.
Step 2: Conduct DPIAs and risk assessments before deployment
DPIAs are mandatory under both PDPL and DIFC Regulation 10 for high-risk processing. For onshore deployments, document lawful basis, sensitive data handling, and international transfer mechanisms. For DIFC deployments, additionally address Regulation 10's bias, transparency, fairness, and accountability principles, and identify whether the activity constitutes High Risk Processing under the DIFC framework.
Step 3: Build governance roles
Appoint a Data Protection Officer where required by PDPL. For DIFC AI deployments engaging in High Risk Processing, additionally appoint an Autonomous Systems Officer (ASO) per Regulation 10. For Abu Dhabi government-linked or critical infrastructure AI projects, expect AIATC engagement. Document role allocations, escalation paths, and reporting lines.
Step 4: Address consent, notice, and transparency
Deploy clear consent flows aligned with PDPL standards (proven, specific, free, informed, unambiguous). For DIFC AI deployments, layer on Regulation 10's specific notice obligations at initial use or access. For services accessed by minors, integrate the Child Digital Safety Law's age verification and parental control requirements.
Step 5: Plan for certification and ongoing monitoring
Where DIFC Regulation 10 applies and the System engages in High Risk Processing, plan for certification under the DIFC Commissioner's scheme. Beyond DIFC, build continuous monitoring for bias, performance drift, and security incidents. Document incident response procedures including breach notification timelines under PDPL.
Compliance FAQ
Does the UAE have a comprehensive AI law equivalent to the EU AI Act?
No. The UAE has chosen a layered regulatory model rather than a single horizontal AI statute. The closest AI-specific instrument is DIFC Regulation 10, which applies only within the DIFC financial free zone. Onshore AI compliance is principally governed by the PDPL, sectoral regulators, the Cybercrimes Law, and policy guidance from the AI Charter and the International Policy on AI.
If my company operates onshore in Dubai, does DIFC Regulation 10 apply to me?
No. DIFC is a separate financial free zone with its own legal framework. Regulation 10 applies to entities established in DIFC. Onshore Dubai entities are governed by the PDPL and federal sectoral law. However, if you process personal data of DIFC residents or contract with DIFC entities, your obligations may be affected by the DIFC regime through your counterparty relationships.
What is an Autonomous Systems Officer (ASO) and when do I need one?
The ASO is a role created by DIFC Regulation 10 for entities deploying AI Systems engaged in High Risk Processing of personal data within DIFC. The role is analogous to a Data Protection Officer but specific to AI System oversight, monitoring compliance, and cooperating with the DIFC Commissioner. It is not required for non-high-risk AI use within DIFC, and it is not required by the federal PDPL for onshore deployments.
What does the UAE AI Charter actually require me to do?
As a non-binding instrument, the Charter does not impose direct legal obligations or fines. In practice, however, it shapes regulator expectations, government procurement decisions, and commercial contract requirements. Documenting alignment with the Charter's 12 principles is increasingly common in vendor due diligence and government tenders, and serves as evidence of good-faith governance under sector-specific reviews.
How do UAE rules interact with EU AI Act obligations?
If your UAE-based AI system has outputs used in the EU, the EU AI Act applies, under its extraterritorial reach, in addition to UAE rules. The two regimes are not duplicative. EU obligations include Article 5 prohibitions (in force since February 2025), Article 50 transparency for synthetic content (from August 2026), and high-risk system obligations (currently under Digital Omnibus negotiation). UAE compliance does not satisfy EU obligations and vice versa. A unified governance programme anchored on NIST AI RMF or ISO/IEC 42001 simplifies the multi-jurisdictional posture.
What are the most likely upcoming regulatory developments?
Practitioners expect continued sectoral rule-making rather than a single horizontal AI statute. Areas to watch include CBUAE guidance on AI in licensed financial services, DIFC certification scheme expansions, sector-specific rules for AI in healthcare and government services, and possible federal-level guidance building on the AI Charter principles.
The bottom line
The UAE's AI compliance picture is more developed than commonly described. DIFC Regulation 10 has been the leading AI-specific regulation in the MEASA region since 2023 and reached full enforcement in January 2026. The PDPL anchors federal data protection in ways that capture most personal-data-processing AI uses. Abu Dhabi has a binding emirate-level AI council. The Charter and International Policy on AI shape regulator expectations even where they do not impose direct obligations. For businesses operating in or selling into the UAE, the durable compliance posture is a single governance programme that maps the same AI deployment against PDPL, Regulation 10 (where applicable), sectoral rules, and emerging federal decrees, anchored on internationally recognised frameworks. Treat the layered structure as the steady state. Adjust as new sectoral guidance arrives, but do not wait for a horizontal AI Act that the UAE has explicitly chosen not to draft.
Last updated: April 2026. This article is educational content and is not legal advice. UAE AI compliance depends on jurisdiction (onshore, DIFC, ADGM, Abu Dhabi), sector, and specific deployment characteristics. Consult qualified counsel before making compliance decisions.