The AI Law the UAE Doesn't Have (Yet)

There is no AI law in the UAE. There is one already in force, and most boards have not read it.

That sentence sounds like a contradiction. It is not. The UAE has not enacted a horizontal AI statute. There is no Emirati equivalent of the EU AI Act, no risk-tier framework, no conformity assessment regime, no notified bodies. What exists instead is a federal data protection law — Federal Decree-Law No. 45 of 2021, the PDPL — that was drafted before generative AI broke into boardrooms but contains a provision wide enough to govern most of what those boardrooms now deploy.

I have read the law. Most of the directors I work with in the Emirates have read summaries of it. This article is the read, not the summary — and the difference matters more than it should. The original Arabic text and the official English translation say something specific, and what they say has been in force since 2 January 2022.

I am not licensed to practise UAE law. This is a strategic position for board readers, not legal advice. The compliance work follows from getting the position right; the compliance work itself is what UAE-licensed counsel does.

There Is No UAE AI Law. There Is PDPL.

Three facts, taken together, change the picture.

First, there is no horizontal AI statute at the federal level. The UAE Strategy for Artificial Intelligence 2031 is a national vision, not a law. The 2024 UAE Charter for the Development and Use of Artificial Intelligence is twelve principles of ethical guidance, explicitly non-binding (background and full text covered in the IAPP Global AI Governance — UAE overview). Neither the Strategy nor the Charter creates obligations a court would enforce against a controller deploying a model.

Second, Article 18 of the PDPL — titled Automated Processing and the Data Subject's Rights — already governs the category of activity that AI systems mostly perform. The provision reads:

“The Data Subject shall have the right to object to and not to be subject to decisions issued in respect of automated processing that have legal consequences or seriously affect him, including profiling. Notwithstanding the provisions of clause (1) of this Article, automated processing shall be permissible if it is based on the Data Subject's consent or if it is necessary for the conclusion or performance of a contract between the Data Subject and the Controller, or if it is required by other legislation in force in the State.”

Read it carefully. Any system that issues a decision about a data subject — credit scoring, hiring, fraud flagging, insurance underwriting, content moderation, eligibility scoring, anomaly detection routed to enforcement — falls inside the perimeter the moment that decision has "legal consequences" or "seriously affects" the person. The text does not say "fully automated" the way GDPR Article 22 does. The threshold is the consequence, not the architecture.

Third, the operative detail of the PDPL — the Executive Regulations that would specify thresholds, timelines, fines, DPIA triggers, DPO appointment criteria, cross-border adequacy lists, and standard contractual clause templates — has not been published. Chambers Global Practice Guide, Data Protection & Privacy 2026 states the position bluntly: "the Implementing Regulations, intended to clarify key aspects of the law, have yet to be issued." The UAE Government Portal confirms the law's effective date and the UAE Data Office's role as the federal regulator. As of March 2026, the regulations have been pending for over fifty months.

The law's principles bind today. Only the operative detail awaits. That gap is where boards have been drifting.

“The provision was drafted before generative AI broke into boardrooms. It governs most of what those boardrooms now deploy.”

The Four-Year Empty Chair

A federal data law has been in force for fifty-plus months without operative regulations. That is unusual, and the implication runs the opposite direction from where most boards have settled.

Article 51 of the PDPL grants controllers a six-month transition window — but the clock runs from the issuance of the Executive Regulations, which has not happened. Boards reading that clause have concluded, reasonably on its face and incorrectly in substance, that the law is not yet operational. The body that will issue those regulations and enforce the law is the UAE Data Office, established under the PDPL itself as the federal regulator; its operational guidance is incomplete and its enforcement levers are partial in the absence of the Executive Regulations. The principles in Articles 5 through 7 (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity), the rights in Articles 13 through 19, and the cross-border transfer regime in Articles 22 and 23 are in force now. What is not in force is the schedule of fines, the adequacy list, the DPIA threshold matrix, and the formal DPO appointment criteria.

Six things the regulations were supposed to clarify and have not:

1. The fine schedule — penalty bands, aggravating factors, repeat-offender uplift.
2. The adequacy list — which jurisdictions outside the UAE are deemed to provide adequate protection for cross-border transfers under Article 22.
3. DPIA triggers — when a Data Protection Impact Assessment is mandatory rather than advisable.
4. DPO appointment thresholds — which controllers must appoint a Data Protection Officer under Article 11, and on what criteria (sectoral, volume, sensitivity).
5. Standard contractual clause templates for the cross-border transfer derogations under Article 23.
6. Notification timelines for personal data breaches under Article 9.

A board that defers AI governance until these answers arrive will defer past every product cycle it has scheduled. The principles, meanwhile, were enforceable on day one. The widely cited AED 50,000–5,000,000 penalty range that circulates in compliance webinars is industry-reported commentary, not codified text — those numbers do not appear in the Decree-Law and will only have legal force once the Executive Regulations publish them. Treat them as orientation, not as the rulebook.

There is also a fact that should be stated and is rarely mentioned. As of April 2026, no significant public PDPL enforcement action has been published. That absence is not a green light. It is a function of the regulations gap — the UAE Data Office's enforcement levers are partial because the Executive Regulations that codify them are not yet issued. The principles bind today. The public enforcement record will follow the operative detail.

Three Regulatory Worlds in One Country

The UAE is a federation, and AI governance does not stop at the federal layer. A controller incorporated in the Dubai International Financial Centre operates under one regime. A controller in the Abu Dhabi Global Market operates under another. A controller on the federal mainland operates under PDPL. The three do not converge.

Federal mainland — PDPL. Principles binding, operative detail pending. Article 18 governs automated decisions. Cross-border transfers under Articles 22–23. No horizontal AI statute layered on top.

DIFC — the only AI-specific data regulation in the region. In September 2023, the DIFC Commissioner of Data Protection issued Regulation 10: Processing Personal Data through Autonomous and Semi-Autonomous Systems under DIFC Data Protection Law No. 5 of 2020. Regulation 10 took effect on 1 September 2023, with a grace period that has now closed; it is in full enforcement. It is the first instrument in the Middle East, North Africa and South Asia to regulate AI as AI rather than as a side-effect of data processing. It introduces the concept of an Autonomous Systems Officer — a designated accountable person for AI deployment, distinct from the DPO — and it builds toward a certification regime for high-impact systems.

ADGM — general principles, recently amended. The ADGM Data Protection Regulations 2021 follow GDPR-aligned principles but contain no AI-specific overlay. The September 2025 amendments tightened transparency and cross-border requirements but did not introduce an AI-specific layer.

The practical implication is rarely stated plainly, so I will state it. Where you incorporate determines which AI regime governs you. This is not a tax-residency point — it is an operational one. AI startups and AI-heavy financial services firms have been gravitating to DIFC partly because Regulation 10 provides a clear governance scaffold that the federal regime, in the absence of Executive Regulations, does not. The 3-Worlds framework — Federal, DIFC, ADGM — is the napkin sketch every UAE-deploying board should be able to draw before it commissions its first AI policy. If a director cannot name which world the company sits in, the AI governance work has not started. (For the broader Gulf and MENA regulatory landscape, see AI Governance in the Gulf States: A MENA Guide.)

“Where you incorporate determines which AI regime governs you. That is an operational question, not a tax one.”

The Sectoral Stack On Top

The 3-Worlds map is not the full picture. On top of all three regulatory worlds sits a sectoral stack that, for many UAE AI deployments, is more binding day-to-day than PDPL itself.

For banks and financial institutions, the Central Bank of the UAE (CBUAE) issues Model Management expectations and Consumer Protection rules that govern credit scoring, fraud detection, anti-money-laundering, and customer-facing decisioning. Its 2020 Consumer Protection Regulation (CPR) and the 2024 Open Finance Regulation each touch directly on AI deployment in regulated banking. For Islamic finance, the Higher Sharia Authority overlays Sharia-governance requirements on top of the same models.

For insurance, CBUAE — having absorbed the former Insurance Authority — applies market-conduct circulars that constrain underwriting and claims-handling AI. For listed entities, asset managers, and broker-dealers, the Securities and Commodities Authority (SCA) layers disclosure and conduct rules on algorithmic decisions. For health systems, the Dubai Health Authority (DHA) and the Department of Health Abu Dhabi (DoH) add clinical-decision and patient-data rules on top of PDPL, and the federal Ministry of Health and Prevention sets baseline standards across emirates.

The full picture is not one law. It is a stack. PDPL Article 18 sets the federal floor. DIFC Regulation 10 sets the only AI-specific scaffold in the region. ADGM mirrors GDPR principles. Sectoral regulators sit on top of all three. Boards that cannot draw the full stack are not yet governing AI in the Emirates; they are deploying it and hoping.

“The UAE's de facto AI regime is not one law but a stack.”

Article 18 Is Wider Than GDPR Article 22 — In Both Directions

The reflex move for legal teams encountering PDPL has been to map it onto the GDPR. The structure is similar, the vocabulary is similar, the rights catalogue is similar. The reflex produces a specific class of error. (For the strategic GDPR / EU AI Act picture this comparison hinges on, see The EU AI Act: A Strategic Guide for AI Leaders.)

Article 18 is arguably stricter than GDPR Article 22 in some respects, and the practitioner consensus has not converged. The threshold for engagement, on a textual reading, is "legal consequences or seriously affects" — the GDPR's "solely automated" qualifier is absent. The aggressive reading is that a human-in-the-loop architecture that would shelter a controller under Article 22 does not automatically shelter a controller under Article 18; what matters is the consequence to the data subject, not the routing of the decision. The conservative reading is that Article 18(1)'s heading — Automated Processing and the Data Subject's Rights — limits the provision to decisions issued by automated systems rather than decisions assisted by them. Until the Executive Regulations or a published UAE Data Office position resolves it, both readings are defensible. The contract-based permission ground in Article 18(2) is also drafted more broadly than GDPR's, and the PDPL contains no equivalent of GDPR's explicit "right to obtain human intervention, to express their point of view, and to contest the decision" enumerated in Article 22(3). The right to object exists; the procedural scaffolding for exercising it is left to the Executive Regulations.

Article 18 is looser than GDPR Article 22 in other respects. PDPL has no separate, free-standing DPIA mandate; impact assessment obligations are embedded in the controller's general accountability duties under Article 7 rather than itemised in their own article. The transparency catalogue in Article 13 is leaner than GDPR Article 13–14. Specific categories of data are protected, but the enumeration is shorter.

The counterintuitive result is the part boards most often miss. The looser law is harder to comply with, not easier. When the consent specification is less prescribed, the burden of demonstrating that consent was informed and specific shifts to the controller's evidentiary record. When the right to explanation is not codified, but Article 18(1) still grants the right to object, the controller has to design an objection mechanism without the GDPR's procedural template to copy. Boards that import their GDPR playbooks tend to under-comply on consent specificity and over-comply on explainability — solving the wrong problem with the wrong instrument.

Reading Article 18 against Article 22 line by line, rather than in summary, is the work. It takes a long afternoon. It is the cheapest governance investment a UAE-deploying board can make.

What to Do Before the Regulations Drop

The Executive Regulations may publish in 2026. They may publish in 2027. The leadership question is not when they arrive — it is what posture the board holds in the interval. Five moves, in order.

1. Inventory AI systems against the Article 18 trigger. Not against an EU risk-tier taxonomy. Against the specific question Article 18 asks: does this system produce decisions with legal consequences or that seriously affect a data subject? The inventory is shorter than people expect and the answers are clearer than people expect. The exercise also surfaces the systems that are not in scope, which is where most current spending is misallocated.

2. Treat DIFC Regulation 10 as the practical governance benchmark, even if you sit on the mainland. The DIFC framework — Autonomous Systems Officer, system register, impact assessment, certification pathway — is the most concrete AI governance scaffold the UAE has produced. My forecast — and it is a forecast, not a fact — is that it will inform the federal Executive Regulations when they arrive. Boards that adopt it now buy optionality at low cost.

3. Document cross-border training-data flows under Article 22–23 assumptions. Most large models are trained or fine-tuned on data that crosses borders. The Executive Regulations have not published an adequacy list, so controllers cannot rely on one. Document the legal ground for each flow now — consent, contractual necessity, derogation — and keep the documentation auditable.

4. Appoint a DPO or ASO-equivalent now. Do not wait for the Executive Regulations to set the threshold. Article 11 already prescribes DPO duties; Regulation 10 already prescribes ASO duties in DIFC. The cost of appointing early is small. The cost of being non-appointed when the threshold publishes and the six-month transition clock starts running is operational, not just legal.

5. Align with the 2024 UAE AI Charter. It is non-binding. It is also the most explicit signal the federal authorities have given about what they consider ethical AI deployment, and it is the document the Executive Regulations will reference when they reach AI-specific obligations. Treat its twelve principles as the ethical floor, not the ceiling.

The posture I recommend to boards is not defensive. It is the posture of a director who has read the law, drawn the three-worlds map, walked the Article 18 inventory, and decided where the company sits before the regulators decide for it. That is leadership in a regulatory vacuum. Compliance follows. It does not lead.

There is no AI law in the UAE. There is one already in force. The boards that read it govern. The ones that wait for the press release will be governed.

Frequently Asked Questions

Does the UAE have an AI law?

No. As of May 2026, the UAE has no horizontal AI statute. The 2024 UAE Charter for the Development and Use of AI is twelve principles of ethical guidance, explicitly non-binding. The UAE Strategy for AI 2031 is a national vision, not law. What governs AI in the UAE is Federal Decree-Law 45/2021 (PDPL) — specifically Article 18, which restricts automated decisions with legal or significant effects on data subjects — plus DIFC Regulation 10 inside the Dubai International Financial Centre, plus sectoral regulators (CBUAE, SCA, DHA, DoH). Anyone citing a federal "UAE AI Act 2026" is conflating these instruments with the EU AI Act.

What is PDPL Article 18 and how does it apply to AI?

Article 18 of Federal Decree-Law 45/2021 grants data subjects the right to object to and not be subject to decisions issued by automated processing that have legal consequences or seriously affect them, unless the decision rests on consent, contract necessity, or other legislation in force. For AI deployments, the trigger is the consequence to the data subject — not whether the system is fully automated. Credit scoring, hiring algorithms, fraud flagging, insurance underwriting, eligibility scoring and content moderation routed to enforcement all fall inside the perimeter the moment they affect a person significantly. Article 18 has been in force since 2 January 2022.

What is the difference between DIFC Regulation 10 and federal PDPL?

They govern different territories under different instruments. The federal PDPL (FDL 45/2021) applies to controllers on the UAE mainland and contains no AI-specific provisions beyond Article 18's automated-decisions clause. DIFC Regulation 10, issued under DIFC Data Protection Law No. 5 of 2020 and in force since 1 September 2023, is the first AI-specific data protection instrument in MENA. It introduces the Autonomous Systems Officer mandate (distinct from the DPO), requires impact assessments for autonomous and semi-autonomous systems, and is building toward a certification regime for high-impact systems. Where you incorporate determines which regime governs you — DIFC firms operate under both DIFC DPL and Regulation 10; mainland firms operate under federal PDPL.

When will the UAE PDPL Executive Regulations be published?

Unknown. As of May 2026, the Executive Regulations have been pending for over fifty months since the PDPL took effect on 2 January 2022. The UAE Data Office has not published a target date. Article 51 grants controllers a six-month transition window — but the clock runs from issuance of the regulations, which has not happened. Boards waiting for the regulations to start governing are deferring past every product cycle they have scheduled. The principles in Articles 5–7, the rights in Articles 13–19, and the cross-border regime in Articles 22–23 bind today; only the operative detail (fine schedule, adequacy list, DPIA triggers, DPO thresholds, SCC templates) awaits.

Does GDPR apply to companies in the UAE?

Indirectly, yes — through extraterritorial reach. GDPR applies to any controller anywhere that processes personal data of EU residents in connection with offering goods or services to them or monitoring their behaviour in the EU. A UAE-incorporated company with EU customers, EU-resident users of its app, or models trained on EU personal data is subject to GDPR alongside PDPL. The two regimes overlap but diverge: PDPL Article 18 is wider on text than GDPR Article 22 in some respects (no "solely automated" qualifier), looser in others (no standalone DPIA mandate). Boards copying GDPR playbooks tend to under-comply on consent specificity and over-comply on explainability. See the GDPR AI compliance guide for the full Article 22 deep dive.

What is an Autonomous Systems Officer under DIFC Regulation 10?

The Autonomous Systems Officer (ASO) is a designated accountable person for AI deployment within DIFC, distinct from the Data Protection Officer. Where the DPO covers personal data processing generally, the ASO is responsible specifically for autonomous and semi-autonomous systems — risk assessment, system register, impact assessment, incident reporting and the certification pathway as it develops. The ASO mandate is in full enforcement since the grace period closed in January 2026. There is no federal equivalent under PDPL. UAE-mainland boards considering AI governance scaffolds increasingly adopt ASO-equivalent roles voluntarily, on the working assumption that DIFC Regulation 10 will inform the federal Executive Regulations when they arrive.

How this was sourced: Chambers Global Practice Guide, Data Protection & Privacy 2026 — UAE Trends and Developments; UAE Government Portal — Data Protection Laws (Federal Decree-Law No. 45 of 2021); KPMG English translation of FDL 45/2021 (used to verify Article 18 text); DIFC Commissioner of Data Protection — Regulation 10 of 2023; IAPP Global AI Governance — UAE (regulatory landscape and AI Charter coverage). Post-publication verification (May 2, 2026): Latham & Watkins on the UAE regulatory landscape; CBUAE Rulebook — AI/ML Guidance Note (Feb 23 2026, non-binding); Pinsent Masons coverage of the CBUAE guidance; Mayer Brown on DIFC Regulation 10. Every URL was reachable on the date of publication or last update; readers who hit a 4xx/5xx are encouraged to flag it.

This is a strategic position, not legal advice. The author is not licensed to practise UAE law. Confirm specifics with UAE-licensed counsel before action.