UAE AI Governance Profile

This profile maps UAE data protection and AI governance requirements to AEEF controls, enabling organizations deploying AI products in the United Arab Emirates to align their AEEF implementation with UAE legal and regulatory obligations. The UAE has a multi-layered regulatory landscape with federal legislation, free zone-specific regulations, and a national AI strategy.

Assessment date: February 22, 2026

Status Note (Assessment-Based Profile): This document is a framework-maintained implementation profile based on publicly available sources and framework interpretation as of February 24, 2026. It is not legal advice and does not imply regulator endorsement, approval, or recognition.

Applicability

This profile applies when:

  • AI systems process personal data of individuals in the UAE
  • The organization is established in the UAE mainland, ADGM, DIFC, or other free zones
  • AI products are offered to UAE-based customers or data subjects
  • AI systems interact with UAE government services or infrastructure

Annex Precedence and Interaction

This profile is a national annex-style overlay on top of AEEF core controls. Where federal UAE, ADGM, or DIFC obligations diverge, organizations MUST follow the applicable jurisdiction-specific obligation for the operating entity and data flow in scope. Sector-specific obligations remain additive.

UAE Regulatory Landscape

Federal Data Protection Law (Federal Decree-Law No. 45 of 2021)

UAE's comprehensive data protection legislation governing personal data processing across the UAE (excluding free zones with their own frameworks). Effective January 2022.

Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021

ADGM's standalone data protection framework, closely aligned with GDPR, applicable to entities operating within ADGM.

Dubai International Financial Centre (DIFC) Data Protection Law (DIFC Law No. 5 of 2020)

DIFC's data protection law, closely aligned with GDPR, applicable to entities within DIFC.

UAE National AI Strategy 2031

UAE's strategic framework for AI development and governance, emphasizing responsible AI, sector-specific AI adoption, and public-private collaboration.

UAE Overlay Control Set

| Control ID | Regulatory Reference | Control Title | AEEF Mapping | Priority |
|---|---|---|---|---|
| UAE-01 | Federal DPL Art. 2-5 | Data Processing Scope | Pillar 2 Data Classification | High |
| UAE-02 | Federal DPL Art. 6-12 | Lawful Processing and Consent | PRD-STD-014 | High |
| UAE-03 | Federal DPL Art. 22 | Cross-Border Data Transfer | PRD-STD-014 REQ-014-09/10/11 | High |
| UAE-04 | Federal DPL Art. 13-17 | Data Subject Rights | PRD-STD-014 REQ-014-15/22 | High |
| UAE-05 | Federal DPL Art. 28-30 | Data Breach Notification | Pillar 2 Incident Response | High |
| UAE-06 | ADGM DPR 2021 | ADGM-Specific Data Protection | PRD-STD-014 | Medium |
| UAE-07 | DIFC Law No. 5/2020 | DIFC-Specific Data Protection | PRD-STD-014 | Medium |
| UAE-08 | National AI Strategy | Responsible AI Alignment | PRD-STD-010, PRD-STD-015 | Medium |
| UAE-09 | Federal DPL Art. 7, 10 | Sensitive Data Processing for AI | PRD-STD-014, PRD-STD-011 | High |
| UAE-10 | Federal DPL Art. 20 | Automated Decision-Making | PRD-STD-014 REQ-014-22/23 | High |

UAE-01: Data Processing Scope and Classification

The Federal DPL applies to processing personal data of individuals in the UAE (with free zone carve-outs). Personal data includes any data that identifies or can identify an individual.

Organizations MUST identify whether their AI products are subject to federal DPL, ADGM regulations, DIFC law, or multiple frameworks simultaneously. AEEF data classification MUST be mapped to UAE data categories. AI features processing data of UAE residents MUST be tagged for jurisdictional tracking.

UAE-02: Lawful Processing and Consent

Federal DPL requires a lawful basis for processing. Consent must be clear, specific, and informed. Processing of children's data requires guardian consent.

AI features MUST document the lawful basis for processing UAE personal data. Consent for AI-specific processing MUST be separately obtained when consent is the legal basis. AI features processing data of minors (under 18 in UAE) MUST implement guardian consent verification.

UAE-03: Cross-Border Data Transfer

Cross-border transfers require adequate protection in the receiving jurisdiction or approved safeguards. The UAE Data Office maintains guidance on adequacy.

AI inference using providers outside the UAE MUST have documented transfer mechanisms. Organizations MUST assess adequacy status and apply appropriate safeguards. AI data flows involving UAE personal data MUST be inventoried with transfer mechanisms documented.

UAE-04: Data Subject Rights

Data subjects have rights to: access, rectification, erasure, restriction, portability, and objection.

AI products MUST fulfill data subject rights for UAE individuals per PRD-STD-014 timelines. Access requests MUST disclose AI processing activities.

UAE-05: Data Breach Notification

Data breaches must be reported to the UAE Data Office and affected individuals per implementing regulation timelines.

AI-related data breaches MUST trigger UAE-specific notification procedures. Cross-tenant data leakage in multi-tenant AI products MUST be assessed against breach notification thresholds. Incident Response procedures MUST include UAE regulatory notification workflows.

UAE-06: ADGM-Specific Data Protection

ADGM's regulations are closely aligned with GDPR and include additional provisions for financial services data.

AI products serving ADGM-regulated entities MUST comply with ADGM DPR requirements including: Commissioner notification, DPIA obligations for high-risk processing, DPO appointment for systematic large-scale monitoring, and ADGM-specific breach notification (72 hours to Commissioner).

UAE-07: DIFC-Specific Data Protection

DIFC Data Protection Law includes AI-specific provisions and requires DPIAs for high-risk processing.

AI products serving DIFC-regulated entities MUST comply with DIFC requirements including: Commissioner registration, DPIA for automated profiling and systematic monitoring, DPO appointment requirements, and DIFC-specific cross-border transfer adequacy assessment.

UAE-08: Responsible AI Alignment

UAE National AI Strategy 2031 promotes responsible AI development with emphasis on ethical AI, transparency, and sector-specific AI adoption in healthcare, education, energy, transportation, and government.

Organizations deploying AI products in UAE government or regulated sectors SHOULD align with UAE responsible AI principles including: transparency in AI decision-making, human oversight for high-impact decisions, fairness and non-discrimination, and privacy-preserving AI techniques.

UAE-09: Sensitive Data Processing for AI

Federal DPL defines sensitive data including: health, genetic, biometric, financial, religious, racial/ethnic origin, political opinions, criminal records, and children's data.

AI features processing sensitive data of UAE individuals MUST implement enhanced controls including: explicit consent for AI processing of sensitive categories, DPIA before launch, restricted access controls for model training with sensitive data, and enhanced audit logging.

UAE-10: Automated Decision-Making

Federal DPL and free zone regulations address automated decision-making that produces legal or significant effects.

AI features making automated decisions affecting UAE individuals MUST provide transparency about AI involvement. Data subjects MUST have access to human review. Organizations MUST document the logic, significance, and consequences per PRD-STD-014 REQ-014-22/23.

Free Zone Compliance Matrix

| Jurisdiction | Framework | DPIA Required | DPO Required | Breach Notification | Cross-Border Transfer |
|---|---|---|---|---|---|
| UAE Federal | DPL 2021 | Recommended | Above threshold | UAE Data Office + data subjects | Adequacy or safeguards |
| ADGM | DPR 2021 | High-risk processing | Systematic monitoring | 72 hours to Commissioner | Adequacy assessment |
| DIFC | Law No. 5/2020 | Automated profiling | Systematic monitoring | 72 hours to Commissioner | Adequacy or binding rules |

UAE AI Governance Audit Readiness Checklist

  • Jurisdictional applicability determined (Federal, ADGM, DIFC, or multiple)
  • Data classification mapped to UAE personal and sensitive data categories
  • Lawful processing basis documented for each AI feature
  • Consent mechanisms implemented (including guardian consent for minors)
  • Cross-border transfer safeguards documented
  • Data subject rights fulfillment workflow operational
  • Breach notification procedures include UAE-specific workflows
  • ADGM/DIFC-specific requirements addressed (if applicable)
  • UAE responsible AI principles alignment documented
  • Automated decision-making transparency and human review available
  • AI data flow inventory includes UAE-origin data

Coverage Limitations

  • This profile provides implementation mapping guidance and evidence patterns; it is not a legal determination of compliance.
  • UAE sector-specific requirements (including telecom and certain public-sector obligations) may require additional overlays beyond this profile.
  • Adoption of this profile does not imply recognition in other GCC or Middle East jurisdictions.