Modulos Named in the Inaugural Gartner® Magic Quadrant™ for AI Governance PlatformsRead the

Press Release

AI Regulations in the
Middle East

The UAE created a federal AI authority in June 2026, Saudi Arabia declared its Year of AI, and the Gulf's central banks are writing binding rules. Here is what is in force, what is coming, and how to prepare.

Why AI Regulations in the Middle East Matter

Governments across the GCC are investing heavily in artificial intelligence and pairing that investment with stricter oversight. Regulators are responding with new laws and supervisory expectations on data privacy, ethics, and accountability.

Compliance isn't optional. Violations can lead to serious consequences:

Penalties up to SAR 5M under the Saudi PDPL and proposed criminal penalties, including prison terms, under Bahrain’s draft AI law

Disqualification from public tenders and CBUAE supervisory findings for financial institutions

Delays in financing, product launches, and loss of market access

Staying ahead of local laws while aligning with global AI standards like ISO 42001, is now critical for any AI-driven organization operating in the region.

6

Jurisdictions compared, from the UAE to Egypt

48

Saudi PDPL violation decisions in a single year

2

Central banks with AI rulebook entries, Qatar and the UAE

1

Legally binding today: Qatar’s QCB guidelines

Where the Region Stands

The Gulf moved fast in 2026. These are the developments that change what your compliance program has to answer for.

January 2026

Binding rules reach the free zones

DIFC Regulation 10 on autonomous systems is fully enforced, and a National AI System joins the UAE Cabinet as an advisory member.

February 2026

CBUAE Guidance Note

AI/ML expectations for every UAE licensed financial institution, from board accountability to kill-switch capability.

14 June 2026

The UAE gets a federal AI regulator

The Federal Authority for Artificial Intelligence and Data consolidates the AI Office, TDRA’s digital-government arm, and the Emirates Data Office.

1 August 2026

Saudi text-and-data-mining exception

A new law permits reproduction of copyrighted works for AI development without the author’s permission.

Pending

Bahrain's AI statute is still in parliament

Passed the Shura Council in April 2024, faced pushback in the Council of Representatives, and was not enacted as of July 2026.

AI Regulations by Country

Each jurisdiction takes its own path. The UAE and Qatar have issued binding sector rules for financial institutions, Saudi Arabia pairs a national governance ecosystem with real PDPL enforcement, Egypt is finalizing a dedicated law, and Bahrain's statute is still in parliament.

Binding AI-specific rulesPolicy-led frameworksHorizontal statute pending

On 14 June 2026, the UAE announced the Federal Authority for Artificial Intelligence and Data, consolidating the federal AI Office, TDRA's digital-government arm, and the Emirates Data Office into a single body reporting to the Cabinet. It joins Abu Dhabi's AI Authority (AIATC, Law No. 3 of 2024) and the Regulatory Intelligence Office (2025), which embeds AI in the law-making process itself. Core binding legislation remains Federal Decree-Law No. 45/2021 on data protection (PDPL) and Federal Decree-Law No. 34/2021 on cybercrime; the UAE Charter for AI (June 2024) sets out 12 non-binding principles including safety, transparency, and human oversight.

Since January 2026, a National AI System sits as an advisory member of the Cabinet and the boards of federal entities, providing real-time policy analysis. There is still no horizontal AI statute: the UAE regulates AI through this layered structure rather than an EU-style act.

CBUAE AI Guidance for Financial Institutions

Issued February 2026 · Applies to all licensed financial institutions

The Central Bank of the UAE published a Guidance Note on the responsible adoption and use of AI/ML by all licensed financial institutions (LFIs), including banks, insurance providers, exchange houses, and payment service providers. Published in the official CBUAE Rulebook, it carries strong supervisory expectation despite using "should" language.

Board-level accountability for all AI/ML systems and outcomes
Mandatory AI model inventory with name, purpose, and risk rating
Annual bias testing (or upon material model change)
Consumer opt-out rights for high-impact AI decisions
Right to human review of AI-generated decisions
Kill-switch capability: the ability to cease an AI system immediately
Third-party AI vendor due diligence requirements
Arabic and English disclosure requirements

The free zones add binding layers of their own: DIFC's Regulation 10 on autonomous and semi-autonomous systems, administered by the DIFC Commissioner of Data Protection, has been in full enforcement since January 2026, one of the region's few AI-specific rules with teeth. ADGM maintains its own data protection and technology governance framework.

Saudi Arabia has designated 2026 as the "Year of Artificial Intelligence," with the Saudi Data and Artificial Intelligence Authority (SDAIA) leading national AI governance. SDAIA achieved ISO 42001 certification in July 2024, one of the first government agencies to do so.

The binding layer is the Personal Data Protection Law (PDPL, in force since September 2023, fines up to SAR 5M), and it is enforced: SDAIA's committees issued 48 decisions confirming PDPL violations in the year to early 2026. Around it sit SDAIA's AI Ethics Principles (updated 2025), the Generative AI Guidelines (updated 2025), and the AI Adoption Framework with four maturity levels (September 2024). These AI frameworks are non-binding, but SDAIA accreditation increasingly carries weight in government procurement.

From 1 August 2026, a new copyright law permits reproduction of copyrighted works for AI development without the author's permission, one of the region's first text-and-data-mining exceptions. A dedicated AI law is expected to follow, and the Draft Global AI Hub Law (2025) proposes "Virtual," "Extended," and "Private" hubs for international data hosting.

Qatar holds a distinction most coverage misses: the Qatar Central Bank's AI guidelines (September 2024) are the region's only legally binding AI-specific rules at national level. Licensed financial institutions need a defined AI strategy, risk assessments, prescribed disclosure, and pre-approval before deploying high-risk AI systems.

Qatar's Ministry of Communications issued Principles and Guidelines for Ethical AI Development and Deployment (2025). A dedicated AI law is under consideration, and the Qatar Financial Markets Authority (QFMA) announced plans for draft AI regulations in capital markets (May 2025).

Bahrain is the furthest along in the GCC toward a standalone AI statute, but the road has been slow. A 38-article AI Regulation Law was unanimously approved by the Shura Council in April 2024; it has since faced pushback in the Council of Representatives, where the government proposed a regulatory sandbox instead, and had not been enacted as of July 2026. If passed, it would carry criminal penalties, with reported prison terms reaching 10 years for the most severe offenses.

The General Policy for the Use of AI (Version 1.0, May 2025) is Bahrain's first binding policy for government entities. The Central Bank of Bahrain regulates automated financial advice through its digital financial advice directives, and its supervisory reviews extend to AI use.

Egypt governs AI through its National AI Strategy (second edition, 2025 to 2030) under the National Council for Artificial Intelligence, whose mandate expanded to quantum and emerging technologies in January 2026, and the Ministry of Communications and Information Technology, alongside the Egyptian Charter for Responsible AI. The data layer is the Personal Data Protection Law (Law 151/2020), whose executive regulations arrived in November 2025 with full enforcement from late 2026.

A dedicated AI and data law is reported to be in the final stages of development. Egypt's strategy places particular weight on Arabic-language models and building regional AI capacity, which shapes how it approaches both regulation and procurement.

Oman's National AI Policy entered into force on 9 April 2025, issued by the Ministry of Transport, Communications and IT (MTCIT). While non-legally binding to allow flexibility, the policy requires entities to apply governance standards, conduct regular assessments, maintain documentation, and submit compliance reports upon request. The National Program for AI and Advanced Digital Technologies (2024-2026) supports implementation.

AI Regulations Across the Gulf

Every jurisdiction here combines binding data protection law with AI frameworks, sector guidance, and procurement requirements. The matrix separates what binds today from what is policy and what is still pending, because that difference decides your obligations.

CountryData protectionNational AI frameworkFinancial-sector AI rulesHorizontal AI statute
UAEPDPL 45/2021 · DIFC Reg 10 enforcedAI Charter · Federal Authority (Jun 2026)CBUAE Guidance Note (Feb 2026)None · layered regime
Saudi ArabiaPDPL · SAR 5M fines · 48 decisionsSDAIA Ethics · GenAI · Adoption FrameworkAI law expected · TDM exception 1 Aug 2026
QatarData Privacy Law 13/2016MCIT Ethical AI Principles (2025)QCB Guidelines · high-risk pre-approvalUnder consideration
BahrainPDPL 30/2018General Policy for AI Use (May 2025)CBB digital-advice directives38-article law in parliament
EgyptPDPL 151/2020 · full enforcement late 2026Strategy 2.0 · Responsible AI CharterFinal stages of drafting
OmanData protection decreesNational AI Policy (Apr 2025)None announced
Binding, in forceSupervisory guidancePolicy, non-bindingDraft or expected

The central-bank wave

The Central Banks Moved First

While horizontal AI statutes are still drafts, the Gulf's financial supervisors already put their AI expectations in writing. If you run AI in a licensed financial institution, these are the documents your program will be examined against.

September 2024Binding

Qatar Central Bank

AI Guidelines for licensed financial institutions

  • Pre-approval before high-risk AI systems go live
  • A defined AI strategy and documented risk assessments
  • Prescribed disclosure about AI systems in use
February 2026Supervisory guidance

Central Bank of the UAE

Guidance Note on AI/ML in the CBUAE Rulebook

  • Board accountability and a complete AI model inventory
  • Annual bias testing, opt-out rights, human review
  • Kill-switch capability to cease AI use immediately
2019 · ongoingDirectives

Central Bank of Bahrain

Directives on digital financial advice

  • Written expectations for automated financial advice
  • Supervisory reviews extend to AI and RPA use

Running AI in a bank or insurer? See how the same evidence serves financial supervisors everywhere

Shared AI Governance Trends in the Gulf

Despite different regulatory timelines, several key principles are consistent across Gulf countries:

Privacy by design

Most data protection laws in the region are modeled on GDPR, requiring clear consent, transparency, and data minimization.

Ethics in public procurement

In the UAE, Saudi Arabia, and Bahrain, ethical AI practices are increasingly tied to supplier eligibility. Ethics self-assessments and accreditations carry growing weight in tenders.

Compliance benchmark

Agencies like Emirates Health Services and Saudi Arabia's SDAIA are early adopters of ISO 42001. Certification is emerging as a trusted signal of organizational readiness for AI oversight.

How Gulf Rules Define AI Risk

The Gulf has no binding EU-style risk law. SDAIA's AI Ethics Principles sketch a four-tier classification, from unacceptable down to little risk, but as non-binding guidance. Where risk carries legal consequences, it is defined in sector rules and in data protection law. These are the definitions that exist.

CBUAE Guidance Note

UAE licensed financial institutions

Defines "high-impact decisions": any AI determination that materially affects a customer's access to financial products or services.

Triggers consumer opt-out rights, human review, and annual bias testing.

QCB AI Guidelines

Qatar licensed financial institutions

Classifies AI systems by risk and requires regulatory pre-approval before a high-risk system is deployed.

The strictest gate in the region: approval comes before go-live, not after.

PDPL regimes

UAE, Saudi Arabia, Qatar, Bahrain, Egypt

Data protection laws attach duties to the processing of personal data, whatever the AI system's risk label.

A "low-risk" chatbot handling customer data still carries full PDPL obligations.

Elsewhere the frameworks grade organizations, not systems: SDAIA's AI Adoption Framework measures maturity levels, and Oman's National AI Policy requires assessments without a classification scheme. If your AI also reaches EU persons, the EU AI Act's own categories apply on top; that law has no "medium risk" tier either.

Your AI Compliance Roadmap for the Middle East

Five steps from an unmapped AI estate to audit-ready, each tied to the Gulf rule that asks for it.

Document every AI system and use case, then risk-rate each one. The CBUAE expects a complete model inventory with name, purpose, and risk rating, and the PDPL layers of the UAE, Saudi Arabia, and Egypt attach duties wherever personal data flows.

CBUAE model inventoryUAE & Saudi PDPL

In Modulos: a living AI registry with lifecycle stage and risk rating per system.

AI inventory with lifecycle stages in the Modulos platform

Trusted by 200+ organizations

Modulos customers include aDigital, SCSK, ETH, PwC, Berner Fachhochschule, Mobile Health, Serai, CertX, JobCloud, Xayn, Beyond Gravity, Armasuisse.

aDigital
SCSK
ETH
PwC
Berner Fachhochschule
Mobile Health
Serai
CertX

Regional Advisory

PwC

Modulos works with advisory partners across the region, including PwC Middle East, on AI governance programmes aligned to UAE and Saudi regulatory frameworks. See the partner ecosystem

Gartner Magic Quadrant

Named in the inaugural Magic Quadrant™ for AI Governance Platforms

Published by Gartner® on 16 June 2026. Read the full announcement.

Gartner, Magic Quadrant for AI Governance Platforms, Lauren Kornutick, Sumit Agarwal, Priya Sundararaman, Nader Henein, Brandon Medford, 16 June 2026. GARTNER is a registered trademark and service mark, and MAGIC QUADRANT is a registered trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

FAQ about Middle East AI Regulations

The UAE combines federal data protection (PDPL, Decree-Law 45/2021), the UAE Charter for AI (2024, non-binding), and sector-specific guidance. In June 2026 the UAE announced the Federal Authority for Artificial Intelligence and Data as a single Cabinet-level regulator. For financial institutions, the CBUAE published a Guidance Note on AI/ML in February 2026 covering governance, bias testing, transparency, and human oversight. DIFC and ADGM maintain separate frameworks, and DIFC Regulation 10 on autonomous systems has been in full enforcement since January 2026.

Ready to Simplify AI Compliance in the Gulf?

Modulos gives you the structure, automation, and documentation tools to meet AI regulations across the Middle East, with less overhead and more confidence. Book a demo to see how Modulos helps you stay ahead of CBUAE guidance, PDPL, SDAIA frameworks, and ISO 42001.