Multi-authority complexity in a single country — and DIFC Regulation 10 is already in force.
The Dubai International Financial Centre's Regulation No. 10 of 2024 (Regulation of Autonomous and Semi-Autonomous Systems) is already in force and establishes binding obligations for entities operating within the DIFC. It is one of the most specific pieces of AI regulation globally, with requirements that go beyond principles to prescribe concrete governance mechanisms.
The Abu Dhabi Global Market has taken a distinctive approach to AI governance by establishing a digital sandbox environment for controlled agentic AI experimentation in financial services. This allows institutions to test and iterate on AI governance frameworks in a supervised environment before full production deployment.
The ADGM framework complements DIFC Regulation 10 but operates under a separate regulatory authority with its own expectations, reporting requirements, and oversight mechanisms. For financial institutions operating across both free zones, this creates a dual-compliance obligation within a single country.
ADGM's approach reflects a deliberate balance between fostering innovation and managing risk — providing a structured pathway for institutions to deploy increasingly autonomous AI systems while maintaining regulatory confidence in the governance frameworks surrounding them.
The UAE's federal Personal Data Protection Law (PDPL), effective since 2022, applies to personal data processing across the country, including automated decision-making. While the DIFC and ADGM operate under their own data protection regimes, the federal PDPL establishes baseline obligations that apply to operations outside these free zones.
For financial institutions with operations spanning onshore UAE, DIFC, and ADGM, the interaction between the federal PDPL and the free zone-specific regulations creates a layered data protection landscape that must be navigated carefully, particularly where AI systems process personal data across jurisdictional boundaries within the UAE.
The UAE's national AI Strategy 2031 positions the country as a global leader in artificial intelligence across government services, economic sectors, and society. For financial institutions, the strategy signals continued investment in AI-friendly infrastructure and regulatory frameworks, but also creates multi-authority complexity:
This multi-authority landscape means that a single financial institution operating across the UAE may be subject to requirements from three or more regulatory bodies simultaneously, each with different expectations for AI governance.
For institutions expanding from Singapore to Dubai or Abu Dhabi, the additional complexity of navigating DIFC, ADGM, and federal requirements within a single country adds another dimension to the governance challenge. An institution already building for MAS AIRG compliance must layer UAE-specific requirements on top of an already complex governance architecture.
Corvair's unified governance architecture is designed precisely for this scenario: building once to the most demanding standard, then mapping outputs to each regulatory authority's expectations. The alternative — building separate compliance programmes for MAS, DIFC, ADGM, and federal UAE requirements — is neither efficient nor sustainable.
Understand the multi-authority landscape and build a governance architecture that satisfies DIFC, ADGM, and federal requirements.