ServicesGovern & AssureFinance & TransactionsTransform & DigitizeOperate & Scale
FrameworkAI Policy DevelopmentResponsible AIData Governance
RegulationsGCC regulationsRegulations & standardsResearch & benchmarks
Insights
About
Contact
Book a consultation
GCC regulation

DIFC Regulation 10 — AI and autonomous systems.

The region's first AI-specific regulation. If your DIFC entity operates or deploys systems that process personal data autonomously, Regulation 10 already applies to you.

DIFC

Data protection rules written for machines that decide.

Regulation 10 extends the DIFC Data Protection Law to the processing of personal data through autonomous and semi-autonomous systems — in practice, AI. It was the first regulation in the region to address AI directly, and it treats AI processing as a distinct activity with its own transparency, fairness and accountability duties rather than an afterthought to conventional processing.

Who is in scope

  • DIFC-registered entities operating AI systems that process personal data
  • Entities deploying third-party AI systems on personal data — buying doesn't transfer the duty
  • Providers whose systems process DIFC personal data on behalf of others
  • Groups using shared AI platforms that touch DIFC employee or client data
At a glance
IssuerDIFC Commissioner of Data Protection
InstrumentDIFC Data Protection Regulations, Reg. 10
In forceSeptember 2023
Applies inDubai International Financial Centre
Request a readiness review
Key obligations

What Regulation 10 expects of you.

Transparency & notice

People must be told, in clear terms, when AI processes their personal data and what it is used for — buried clauses don't qualify.

Fair & ethical processing

Systems are expected to be designed and operated to produce fair, non-discriminatory outcomes — an obligation on design, not just outputs.

Accountability of operators and deployers

Whether you built the system or bought it, responsibility for compliant processing sits with you and must be demonstrable.

Human oversight

Meaningful human involvement is expected where autonomous processing materially affects individuals.

Individual rights handling

Access, objection and explanation requests must work even when the processing happens inside a model.

Evidence on demand

The Commissioner can ask how your AI processing complies. The answer needs to exist before the question arrives.

How we help

From applicability to evidence.

Applicability assessment

Which of your systems fall under Regulation 10 — documented, defensible and reviewed against your actual data flows.

Gap analysis & control mapping

Each obligation mapped to an existing or missing control, integrated with your wider DIFC data protection programme.

Audit-ready evidence pack

Notices, records, oversight logs and impact assessments assembled the way a Commissioner's inquiry would ask for them.

Source & disclaimer

This page summarises DIFC Regulation 10 for general information — it is not legal advice. Always verify obligations against the current text of the DIFC Data Protection Regulations.

DIFC laws & regulations

Find out if Regulation 10 applies to your AI.

A scoping conversation tells you which systems are caught and how big the gap is.

Book a consultation