On 18 June 2026 the Dubai International Financial Centre (DIFC) published Consultation Paper No. 3 of 2026, opening a 30-day window for stakeholders to comment on proposed amendments to its Data Protection Regulations, with the deadline falling on 18 July 2026. The proposals target three interconnected areas: strengthening safety-by-design requirements under Regulation 10 for autonomous and semi-autonomous systems, clarifying and expanding the role of the Autonomous Systems Officer (ASO), and introducing a new Regulation 11 that would empower the Commissioner of Data Protection to recognise accreditation and certification schemes.
For every DIFC-registered entity that deploys, develops or procures AI-driven tools processing personal data, these AI-focused data protection amendments close a significant regulatory gap and signal a more prescriptive compliance posture ahead.
The DIFC Data Protection Law, DIFC Law No. 5 of 2020, governs the collection, handling and use of personal data within the free zone. It also confers rights and remedies on data subjects whose information is processed by DIFC-registered entities. Regulation 10, enacted in 2023, was a landmark addition addressing personal data processed through autonomous and semi-autonomous systems, including AI, generative AI and machine learning technologies.
Consultation Paper No. 3 of 2026 proposes targeted amendments to the existing regulations rather than a wholesale redraft. The DIFC Commissioner of Data Protection published the paper on 18 June 2026, inviting written responses from regulated entities, industry bodies, technology providers and the wider public. The consultation period runs for exactly 30 days, closing on 18 July 2026.
Industry observers expect the Commissioner to review all submissions and publish a response statement before issuing finalised amendments later in 2026. Entities that wish to shape the regulatory outcome should treat this DIFC data protection consultation as a strategic priority, not a routine notice-and-comment exercise.
The proposed amendments apply to every DIFC-registered controller and processor that deploys or operates autonomous or semi-autonomous systems processing personal data. This includes banks, asset managers, insurance undertakings, fintech platforms, professional services firms, legal-tech providers and any DIFC body as defined in the Founding Law.
DIFC entities face a convergence of regulatory, reputational and contractual pressures that make these amendments operationally significant.
The likely practical effect will be to raise the minimum standard for any organisation that operates AI systems within DIFC, regardless of the entity’s size or sector.
Regulation 10, formally titled “Personal Data Processed Through Autonomous and Semi-Autonomous Systems,” is the core regulatory provision governing High Risk Processing Activities in the DIFC. The proposed amendments introduce “Safety” as an additional principle within Regulation 10.3.1, alongside the existing requirements of fairness, transparency and accountability.
Under the proposed text, data controllers and processors must ensure that autonomous systems are designed and operated with safeguards aimed at identifying, preventing and mitigating potential harm. In practice, safety-by-design AI obligations would require DIFC entities to:
Early indications suggest these requirements are deliberately technology-neutral, applying equally to large language models, automated credit-scoring engines, biometric identification systems and algorithmic trading tools.
Regulation 10 already requires certain DIFC entities to appoint an Autonomous Systems Officer. The proposed amendments clarify and expand the ASO’s responsibilities, moving the role from a compliance checkbox towards a substantive governance function.
The Autonomous Systems Officer in the DIFC context must possess competencies, status and access sufficient to carry out the role effectively, as advised by the DIFC Commissioner. The proposed amendments reinforce this by specifying expected duties that include:
Organisations should note that the Autonomous Systems Officer role is distinct from the Data Protection Officer (DPO). An entity may appoint the same individual to both roles if that person possesses the requisite competencies, but the functions must not be conflated or diluted.
The most structurally novel proposal is the introduction of Regulation 11, which would grant the Commissioner authority to recognise accreditation and certification schemes for autonomous and semi-autonomous systems processing personal data.
Under the proposed framework, the Commissioner could formally endorse third-party certification bodies or industry-led accreditation programmes that meet criteria set by the DIFC. Entities that obtain certification through a recognised scheme may benefit from a streamlined compliance pathway, demonstrating adherence to safety-by-design, transparency and accountability requirements through independent validation rather than purely self-assessment.
The consultation paper does not specify which particular accreditation bodies or standards will be recognised. Industry observers expect the Commissioner to consider internationally established frameworks, potentially including ISO/IEC standards on AI management systems (such as ISO/IEC 42001) and data-protection certification mechanisms already operational under other regimes.
Legal teams and compliance officers should treat the consultation window as a catalyst for immediate internal action. The following checklist maps responsibilities by function and provides template language where relevant.
| Role | Immediate Actions | Suggested Evidence |
|---|---|---|
| General Counsel / Head of Legal | Review consultation paper; coordinate DPIA refresh; draft consultation response; assess ASO appointment requirement | Marked-up consultation paper; DPIA register; ASO appointment letter or board minute |
| Chief Technology Officer / Head of Engineering | Conduct safety-by-design audit; verify logging and monitoring; initiate adversarial testing | System inventory with risk ratings; monitoring dashboard screenshots; red-team report |
| Head of HR / COO | Designate or recruit ASO; update job descriptions; schedule training | ASO terms of reference; training attendance records; organisational chart showing reporting line |
| Head of Procurement | Issue updated vendor questionnaires; review AI-vendor SLAs; request certification evidence | Completed questionnaires; updated contract clauses; vendor certification documents |
The proposed Regulation 11 marks a shift from purely prescriptive regulation towards a model that blends mandatory requirements with market-driven assurance. If enacted, the Commissioner of Data Protection would have the authority to recognise specific accreditation and certification schemes, effectively creating an approved list of third-party validators.
Accreditation schemes for AI-focused data protection typically operate on a three-tier model: the standard-setting body defines criteria, an accreditation body assesses certifiers, and the certifiers audit individual organisations. Early indications suggest the DIFC Commissioner may recognise internationally established frameworks rather than building a bespoke scheme from scratch. Relevant international standards that could inform recognition decisions include:
Organisations that already hold ISO 27001 or ISO 42001 certification are likely well positioned to pursue DIFC-recognised accreditation once the Commissioner publishes recognition criteria. For entities without existing certification, the consultation period is an opportunity to begin scoping the effort and engaging with prospective certification bodies.
Responses to Consultation Paper No. 3 of 2026 should be submitted through the channels specified on the DIFC Commissioner of Data Protection’s consultation page. The DIFC typically accepts written submissions in English, with no prescribed length or template, though structured, concise responses receive the most engagement from the regulator.
When preparing a submission, legal teams should consider including the following elements:
The table below summarises the key obligations under the proposed amendments, segmented by entity type, alongside the most pressing next step for each category before the AI-focused data protection amendments close on 18 July 2026.
| Entity Type | Key Obligations (Proposed Amendments) | Immediate Next Step (by 18 July 2026) |
|---|---|---|
| DIFC-registered data controllers, banks, financial services, insurers | Safety-by-design for all AI processing; appoint ASO where required; prepare for accreditation framework once recognised by Commissioner | Conduct DPIA and safety-by-design gap analysis; prepare consultation comments; designate ASO or document why appointment is not required |
| Technology vendors and AI deployers | Provide evidence of safety-by-design to clients; explain vendor accreditation, certification or testing results; support client DPIAs | Produce vendor security and safety dossier; update contracts and SLAs to reflect proposed obligations; offer to support client DPIA processes |
| SMEs, startups and non-AI-native businesses | Follow scaled, risk-based expectations; document mitigations proportionate to processing risks; engage legal counsel | Conduct rapid risk triage; prepare proportionate DPIA; submit any practical concerns through the consultation response |
The DIFC’s AI-focused data protection amendments close for consultation on 18 July 2026, and the window for influence is narrowing. Organisations that act now, by conducting gap analyses, designating an ASO, refreshing DPIAs and submitting a structured consultation response, will be materially better prepared when the final amendments take effect. For tailored compliance guidance, DPIA reviews or assistance drafting a consultation response, DIFC-registered entities can connect with experienced data-protection practitioners through the Global Law Experts lawyer directory.
posted 10 minutes ago
posted 10 minutes ago
posted 10 minutes ago
posted 57 minutes ago
posted 1 hour ago
posted 1 hour ago
posted 1 hour ago
posted 1 hour ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
No results available
Find the right Advisory Expert for your business
Sign up for the latest advisor briefings and news within Global Advisory Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Advisory Experts is dedicated to providing exceptional advisory services to clients around the world. With a vast network of highly skilled and experienced advisors, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message