DIFC Proposes Regulation 11 and AI-Data Rule Overhaul | TLY

AI Regulation Tracker  /  Public consultation

DIFC Proposes Regulation 11 and Tighter AI Rules in Data Protection Overhaul

Regulatory summary: The Dubai International Financial Centre published Consultation Paper No. 3 of 2026 on June 18, 2026, proposing amendments to its Data Protection Regulations: a refined Regulation 10 for autonomous systems, a new Regulation 11 letting the Commissioner recognize certification schemes, and clarified ASO duties. Comments close July 18, 2026.

The Gulf's first purpose-built AI-data regime moves to add a certification-recognition power and sharpen its autonomous-systems safety duties.

Primary source

DIFC Proposes Regulation 11 and Tighter AI Rules in Data Protection Overhaul regulation briefing
The Leveraged Years AI Regulation Tracker

Key takeaways

  • The DIFC Commissioner of Data Protection proposes to refine Regulation 10 (safe, ethical, privacy-by-design duties for autonomous systems), add a new Regulation 11 giving the Commissioner power to recognize accreditation and certification schemes, and clarify Autonomous Systems Officer certification requirements. Nothing is in force yet.
  • DIFC-registered financial and non-financial firms, general counsel and DIFC-based legal teams, Data Protection Officers, newly named Autonomous Systems Officers, fintech and AI compliance leads, and vendors offering AI governance certification
  • Status: Consultation open.
  • Read the full Consultation Paper No. 3 of 2026 and submit comments to the Commissioner of Data Protection by July 18, 2026.
DateJurisdictionRuleAffected professionalsStatus or effective date
2026-07-09United Arab EmiratesThe DIFC Commissioner of Data Protection proposes to refine Regulation 10 (safe, ethical, privacy-by-design duties for autonomous systems), add a new Regulation 11 giving the Commissioner power to recognize accreditation and certification schemes, and clarify Autonomous Systems Officer certification requirements. Nothing is in force yet.DIFC-registered financial and non-financial firms, general counsel and DIFC-based legal teams, Data Protection Officers, newly named Autonomous Systems Officers, fintech and AI compliance leads, and vendors offering AI governance certificationConsultation open; comment deadline July 18, 2026

Frequently Asked Questions

Is Consultation Paper No. 3 of 2026 now law in the DIFC?

No. It is a draft consultation published June 18, 2026, with comments open until July 18, 2026. Current DIFC Data Protection Law and Regulations remain in force unchanged until any amendment is finalized and enacted.

Does this apply to companies under UAE federal law or in the ADGM?

No. The DIFC is a separate financial free zone with its own data-protection regime. These proposed amendments apply to DIFC-registered entities, not to firms governed by UAE federal data protection law or by the Abu Dhabi Global Market.

What is the difference between the ASO and the DPO?

The Data Protection Officer oversees general data-protection compliance. The Autonomous Systems Officer is the DIFC's dedicated accountability role for autonomous and AI systems processing personal data. The consultation proposes to clarify the ASO's certification requirements and role.

What would a new Regulation 11 actually let the Commissioner do?

It would give the Commissioner formal power to recognize accreditation and certification frameworks tied to data protection governance. It creates the recognition mechanism; it does not yet publish a list of approved schemes.

What is the single most important next step?

Read the full Consultation Paper No. 3 of 2026 and submit comments to the DIFC Commissioner of Data Protection by July 18, 2026, focusing on the refined Regulation 10, the new Regulation 11, and ASO certification duties.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.