AI Regulation Tracker / Regulator
UAE creates a federal AI and data authority reporting to the Cabinet
The UAE has consolidated artificial intelligence and data governance under one national regulator that reports to the Cabinet. Firms running AI or data operations in the country now face a single federal supervisor and should expect implementing rules under the Personal Data Protection Law.
The United Arab Emirates has folded its artificial intelligence and data oversight into a federal regulator. In mid-June 2026, the UAE announced the Federal Authority for Artificial Intelligence and Data, a national body that reports directly to the Cabinet and takes on AI policy, data governance, and digital-government functions that were previously divided among separate offices.
For firms operating in the UAE, the practical change is structural. Where compliance teams once had to track which office held which mandate, there is now one federal address for AI and data supervision.
What the authority is
The authority was created by a federal decree and sits directly under the Cabinet. According to the government announcement, it brings together functions from the country's AI Office, the information and digital-government sector, and its data-governance work into one institution. The stated aim is a unified national approach to data, artificial intelligence, and digital government rather than a patchwork of overlapping bodies.
The consolidation matters because it signals where authority now rests. When binding AI standards and data rules are issued, they are expected to come from this single body, and enforcement is expected to run through it as well.
The structural point is easy to underrate. A regulator that reports straight to the Cabinet, rather than sitting inside a line ministry, tends to carry cross-government reach. That positioning suggests the authority is meant to set standards other federal entities follow, not merely advise them. For a compliance officer, the near-term task is less about reading new rules, which do not yet exist in final form, and more about correctly identifying who now owns the questions they will need answered.
The Personal Data Protection Law connection
The most immediate consequence concerns data. The UAE Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, has been on the books for years, but its implementing regulations have not been issued. Those regulations are the part that operationalizes the law: the legal basis for processing, data-subject rights, cross-border transfer conditions, and breach-notification duties.
As the law firm Morgan Lewis noted in its analysis, the market expects the new authority to finalize and enforce these regulations. Until they appear, much of the PDPL remains framework rather than day-to-day obligation. Firms that process personal data in the UAE should treat the authority's creation as a signal that the operational rules are coming, and prepare their processing records, consent practices, and transfer arrangements accordingly.
There is precedent to draw on. The DIFC and the Abu Dhabi Global Market free zones have each developed mature data-protection practice over several years, and Morgan Lewis suggested the new authority is likely to look to that existing body of work when it sets its own enforcement approach. That gives firms a useful reference point: the shape of the coming federal rules is unlikely to be alien to anyone already familiar with the free-zone regimes or with comparable international standards.
What it does not do yet
It is worth being precise about limits. The authority has been established, but a detailed public mandate and a full set of binding AI standards have not yet been published. The reporting line to the Cabinet and the consolidation of existing bodies are confirmed. The specific rules that will bind a given bank, insurer, or clinic are still anticipated rather than in force. Firms should plan for those rules without assuming their exact content.
The cross-border angle
For US firms with Gulf operations, the reform is a simplification. Rather than engaging several UAE bodies, they get one federal regulator for AI and data questions. This federal layer sits alongside, not instead of, existing sector rules. The UAE Central Bank has issued its own responsible-AI expectations for financial institutions, and the Dubai International Financial Centre operates its own data-protection regime within the DIFC free zone. Firms in regulated sectors will need to reconcile the new federal authority's requirements with those sector and free-zone regimes as the picture fills in.
The direction of travel is consistent with a broader pattern across major jurisdictions: consolidating AI and data oversight into a clearly identified national regulator, then issuing binding rules through it. Firms that identify their regulator early and align their data governance to the anticipated PDPL implementing rules will be better positioned than those that wait for the first enforcement notice.
Frequently Asked Questions
What exactly did the UAE change?
It created the Federal Authority for Artificial Intelligence and Data, a single national regulator that reports to the Cabinet and consolidates AI, data, and digital-government oversight that was previously spread across several bodies.
Who does this affect?
Any firm that processes personal data or deploys AI systems in the UAE, including banks, insurers, healthcare providers, professional-services firms, and US companies with Gulf operations.
Does this mean the UAE data protection law is now fully enforceable?
Not on its own. The Personal Data Protection Law has been in force since 2021, but its implementing regulations, which set concrete obligations, have not been issued. The new authority is expected to finalize and enforce them.
Does it replace the UAE Central Bank or DIFC rules?
No. It adds a federal AI and data layer. Sector regulators such as the UAE Central Bank and the DIFC's data-protection regime continue to apply, and firms must reconcile both.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.