When a UAE board asks "which AI rules apply to us?", the honest answer is: it depends on where you are incorporated, what you do, and whom you serve. That answer frustrates people, so here is the longer version — the same map we draw in board sessions, layer by layer.
Layer one: the federal baseline
The Personal Data Protection Law — Federal Decree-Law No. 45 of 2021 — applies across onshore UAE. It is not an AI law, but AI systems are intensive personal-data processors: training data, inference inputs and outputs are all processing. Lawful basis, purpose limitation, cross-border transfer conditions and automated decision-making rights all bite. At the time of writing, executive regulations adding operational detail are still awaited, which is a reason to build adaptable controls, not a reason to wait.
Layer two: the financial supervisor
If you are a CBUAE-licensed institution, your AI and machine-learning models sit under supervisory expectations set out in the joint Guidelines for Financial Institutions Adopting Enabling Technologies and the central bank's model management standards. The expectations are recognisably prudential: a complete model inventory, board-level accountability, independent validation, explainable outcomes and fair treatment of customers affected by model-driven decisions. Supervisors increasingly test against these in reviews — institutions discovering this mid-review have a harder quarter than institutions that mapped it in advance.
Layer three: the financial free zones
The DIFC and ADGM each run their own data protection regimes and their own financial regulators. Two things stand out. First, DIFC Regulation 10 — in force since September 2023 — was the region's first AI-specific regulation, governing autonomous and semi-autonomous systems that process personal data. If your DIFC entity deploys AI on personal data, it applies whether you built the system or bought it. Second, the DFSA and ADGM's FSRA both co-issued the Enabling Technologies Guidelines, so financial firms in the free zones face technology-governance expectations that run alongside the data protection duties on the very same systems. One control set should answer both; two parallel paper exercises is the common and expensive mistake.
A single credit model in a DIFC bank can sit under CBUAE-style model expectations, DFSA systems-and-controls rules, and Regulation 10 — simultaneously.
Layer four: Brussels, whether you like it or not
The EU AI Act applies extraterritorially: if the output of your AI system is used in the EU, or you place systems on the EU market, you are in scope. For GCC institutions with EU clients, subsidiaries or distribution, this is not theoretical. The Act's obligations have been arriving in phases since 2025, and the main wave of high-risk system obligations applies from August 2026 — weeks away as this is written. High-risk classification, conformity assessment and technical documentation take months, not weeks, to do properly.
What a board should actually do with this map
- Demand an AI inventory first. You cannot determine which regimes apply to systems you have not listed. Most organisations are surprised by their own inventory — vendor-embedded AI especially.
- Ask for a regime-per-system view, not a regulation-per-department view. The overlaps are where both the cost savings and the gaps live.
- Treat the EU AI Act question as a market-access question, not a compliance question. If EU business matters to strategy, August 2026 is a strategy date.
- Resist the separate-programme instinct. One governance framework, mapped to many regimes, is cheaper and stronger than five parallel ones.
Key takeaways
- Four UAE layers — PDPL, CBUAE, free-zone data protection, free-zone financial regulation — plus the EU AI Act for EU-facing business.
- DIFC Regulation 10 has applied to AI processing personal data since September 2023; it is the region's first AI-specific regulation.
- High-risk EU AI Act obligations land in August 2026 — readiness work takes months.
- One control framework mapped to many regimes beats parallel compliance programmes every time.