AI Regulations in the
Middle East
From the UAE's CBUAE AI guidance to Saudi Arabia's Year of AI, Gulf governments are pairing AI investment with stricter oversight. Here's what's in force, what's coming, and how to prepare.
Why AI Regulations in the Middle East Matter
Governments across the GCC are investing heavily in artificial intelligence and pairing that investment with stricter oversight. Today, 15% of public cloud spending in the region goes toward AI, and regulators are responding with new laws on data privacy, ethics, and accountability.
Compliance isn't optional. Violations can lead to serious consequences:
Fines up to SAR 5M (Saudi PDPL) and proposed criminal penalties in Bahrain (3 years / BD 2,000)
Disqualification from public tenders and CBUAE supervisory findings for financial institutions
Delays in financing, product launches, and loss of market access
Staying ahead of local laws while aligning with global AI standards like ISO 42001, is now critical for any AI-driven organization operating in the region.
AI Regulations by Country
Each Gulf state is developing its own approach. The UAE and Qatar have issued sector-specific mandates for financial institutions, Saudi Arabia is building a national AI governance ecosystem, and Bahrain is closest to passing a dedicated AI law.
The UAE operates a multi-tiered AI governance structure led by the AI Office at the federal level, alongside the UAE Council for AI and Blockchain, TDRA, and Abu Dhabi's AI Authority (AIATC, established under Law No. 3 of 2024). Core mandatory legislation includes Federal Decree-Law No. 45/2021 on data protection (PDPL) and Federal Decree-Law No. 34/2021 on cybercrime. The non-binding UAE Charter for AI (June 2024) sets out 12 ethical principles including safety, transparency, and human oversight.
In January 2026, the UAE became the first country to appoint a National AI System as an advisory member of the Cabinet, providing real-time policy analysis and data-driven recommendations across federal entities.
CBUAE AI Guidance for Financial Institutions
Issued 11 February 2026 · Applies to all licensed financial institutions
The Central Bank of the UAE published a Guidance Note on the responsible adoption and use of AI/ML by all licensed financial institutions (LFIs), including banks, insurance providers, exchange houses, and payment service providers. Published in the official CBUAE Rulebook, it carries strong supervisory expectation despite using "should" language.
Dubai's DIFC and Abu Dhabi's ADGM also maintain their own data protection and technology governance frameworks, creating additional compliance layers for financial services firms operating in these free zones.
Saudi Arabia has designated 2026 as the "Year of Artificial Intelligence," with the Saudi Data and Artificial Intelligence Authority (SDAIA) leading national AI governance. SDAIA achieved ISO 42001 certification in July 2024, making it one of the first government agencies globally to do so.
The regulatory landscape combines the Personal Data Protection Law (PDPL, in force since September 2023, fines up to SAR 5M), SDAIA's AI Ethics Principles (updated 2025), Generative AI Guidelines (2024), and an AI Adoption Framework with four maturity levels (September 2024). All AI governance frameworks are currently non-legally binding, but SDAIA accreditation is increasingly required for government contracts.
A dedicated AI law is expected within the next two years. The Draft Global AI Hub Law (2025) proposes a framework for international data hosting with "Virtual Hubs" and "Private Hubs," signaling Saudi Arabia's ambition to become a regional AI hub.
Qatar's regulatory approach combines sector-specific mandates with broader principles. The Qatar Central Bank (QCB) issued mandatory AI guidelines for licensed financial institutions in September 2024, requiring a defined AI strategy, risk assessments, and prescribed disclosure about AI systems. In August 2025, the QCB expanded these into a wider FinTech and Digital Transformation Strategy.
Qatar's Ministry of Communications issued Principles and Guidelines for Ethical AI Development and Deployment (2025). A dedicated AI law is under consideration, with the Minister of Justice seeking recommendations as of September 2025. The Qatar Financial Markets Authority (QFMA) also released draft regulations for AI in capital markets (May 2025).
Bahrain is the furthest along in the GCC toward a comprehensive AI law. A 38-article AI Regulation Law was unanimously approved by the Shura Council in April 2024 and is under review by the Council of Representatives. If enacted, it would include criminal penalties of up to 3 years imprisonment and fines up to BD 2,000.
The General Policy for the Use of AI (Version 1.0, May 2025) is Bahrain's first comprehensive binding policy for government entities. The Central Bank of Bahrain has also issued notices on AI use in open banking, and the Economic Development Board maintains an AI Ethics Pledge for private sector participants.
Oman's National AI Policy entered into force on 9 April 2025, issued by the Ministry of Transport, Communications and IT (MTCIT). While non-legally binding to allow flexibility, the policy requires entities to apply governance standards, conduct regular assessments, maintain documentation, and submit compliance reports upon request. The National Program for AI and Advanced Digital Technologies (2024-2026) supports implementation.
AI Regulations Across the Gulf
Each Gulf country combines legally binding data protection laws with ethical AI frameworks, sector-specific guidance, and procurement requirements. The pace is accelerating: 2025-2026 saw major new guidance from central banks in the UAE and Qatar, a proposed AI law in Bahrain, and Saudi Arabia declaring its Year of AI.
| Country | Hard Law | Soft Law & Guidelines | Enforcement |
|---|---|---|---|
| UAE | PDPL 45/2021 (in force); DIFC Regulation 10; ADGM data protection framework | UAE Charter for AI (2024); CBUAE AI/ML Guidance (Feb 2026); AI Ethics Toolkit | Data Office audits; CBUAE supervisory examinations; public tender exclusions |
| Saudi Arabia | PDPL (in force since Sep 2023, fines up to SAR 5M); Draft AI Law expected | SDAIA Ethics Principles (2025); Generative AI Guidelines (2024); AI Adoption Framework (2024) | SDAIA accreditation required for government contracts; PDPL fines; "Year of AI 2026" programme |
| Qatar | Personal Data Privacy Law 13/2016; QCB AI Guidelines for banks (mandatory, Sep 2024) | MCIT Ethical AI Principles (2025); QFMA draft AI regulations for capital markets (2025) | QCB mandates AI strategy and risk assessments; regulator approval for cross-border transfers |
| Bahrain | PDPL 30/2018; 38-article AI Regulation Law (approved by Shura Council, Apr 2024, under review) | General Policy for AI Use (May 2025); EDB AI Ethics Pledge | CBB supervisory review; proposed criminal penalties up to 3 years / BD 2,000 |
| Oman | Data protection decrees; National AI Policy (in force since Apr 2025) | National Program for AI and Advanced Digital Technologies (2024-2026) | Compliance reports upon request; governance assessments required |
UAE
PDPL 45/2021 (in force); DIFC Regulation 10; ADGM data protection framework
UAE Charter for AI (2024); CBUAE AI/ML Guidance (Feb 2026); AI Ethics Toolkit
Data Office audits; CBUAE supervisory examinations; public tender exclusions
Saudi Arabia
PDPL (in force since Sep 2023, fines up to SAR 5M); Draft AI Law expected
SDAIA Ethics Principles (2025); Generative AI Guidelines (2024); AI Adoption Framework (2024)
SDAIA accreditation required for government contracts; PDPL fines; "Year of AI 2026" programme
Qatar
Personal Data Privacy Law 13/2016; QCB AI Guidelines for banks (mandatory, Sep 2024)
MCIT Ethical AI Principles (2025); QFMA draft AI regulations for capital markets (2025)
QCB mandates AI strategy and risk assessments; regulator approval for cross-border transfers
Bahrain
PDPL 30/2018; 38-article AI Regulation Law (approved by Shura Council, Apr 2024, under review)
General Policy for AI Use (May 2025); EDB AI Ethics Pledge
CBB supervisory review; proposed criminal penalties up to 3 years / BD 2,000
Oman
Data protection decrees; National AI Policy (in force since Apr 2025)
National Program for AI and Advanced Digital Technologies (2024-2026)
Compliance reports upon request; governance assessments required
Shared AI Governance Trends in the Gulf
Despite different regulatory timelines, several key principles are consistent across Gulf countries:
Privacy by design
Most data protection laws in the region are modeled on GDPR, requiring clear consent, transparency, and data minimization.
Ethics in public procurement
In the UAE, Saudi Arabia, and Bahrain, ethical AI practices are increasingly tied to supplier eligibility. Ethics self-assessments are often required for tender participation.
Compliance benchmark
Agencies like Emirates Health Services and Saudi Arabia's SDAIA are early adopters of ISO 42001. Certification is emerging as a trusted signal of organizational readiness for AI oversight.
AI Risk Categories in the Gulf
Understanding risk levels helps organizations prioritize compliance efforts based on the potential impact of their AI systems.
High-Risk AI
Systems used in healthcare, justice, public safety, or critical infrastructure.
These typically require:
- Human oversight and override mechanisms
- Bias detection and mitigation
- Ongoing performance monitoring
Medium-Risk AI
Includes systems for credit scoring, hiring, insurance, and personalized recommendations.
These typically require:
- Transparency for users
- Periodic audits
- Documented risk assessments
Low-Risk AI
Covers tools like spam filters or internal chat assistants. While regulatory obligations are minimal, general compliance with PDPL and ethics principles still applies.
Your AI Compliance Roadmap for the Middle East
Modulos helps organizations meet regional requirements faster by guiding you through a clear, five-step compliance path tailored to Gulf regulations.
Map Your AI Portfolio
Document all AI systems and use cases. Tag each one against obligations from the UAE PDPL, Saudi PDPL, SDAIA Principles, and local AI charters.
Build an AI Management System (AIMS)
Use ISO 42001 as the foundation for governance. Extend your existing ISO 27001 or risk frameworks to include the full AI lifecycle.
Complete Required Ethics Assessments
Prepare and submit forms like the MOAI AI Seal (UAE) and SDAIA Self-Assessment (Saudi Arabia) for high-risk use cases, often required before tenders or go-lives.
Establish Ongoing Monitoring
Set up dashboards to track model drift, bias metrics, and data quality over time. Continuous monitoring is increasingly expected by Gulf regulators.
Prepare for Audits and Certifications
Generate audit-ready documentation and evidence packages. ISO 42001 certification can differentiate your organization in competitive tenders.
Trusted by 200+ organizations
FAQ about Middle East AI Regulations
The UAE combines federal data protection (PDPL, Decree-Law 45/2021), the UAE Charter for AI (2024, non-binding), and sector-specific guidance. For financial institutions, the CBUAE published a Guidance Note on AI/ML in February 2026 covering governance, bias testing, transparency, and human oversight. Dubai's DIFC and Abu Dhabi's ADGM maintain separate data protection frameworks.
The CBUAE Guidance Note (February 2026) applies to all licensed financial institutions. Key requirements include board-level accountability for AI outcomes, a complete AI model inventory, annual bias testing, consumer opt-out rights on high-impact decisions, the right to human review, kill-switch capability for all AI systems, and third-party vendor due diligence. While framed as guidance, it is published in the official Rulebook and carries strong supervisory expectation.
Saudi Arabia's AI governance is led by SDAIA (Saudi Data and AI Authority), which issues non-binding AI Ethics Principles, Generative AI Guidelines, and an AI Adoption Framework. The PDPL (in force since September 2023) provides mandatory data protection with fines up to SAR 5M. SDAIA accreditation is increasingly required for government contracts. Saudi Arabia designated 2026 as the "Year of AI" and a dedicated AI law is expected within the next two years.
Not yet mandated, but it is rapidly becoming the governance baseline. SDAIA achieved ISO 42001 certification in July 2024, and Emirates Health Services uses it as their AI governance standard. Regulators across the Gulf increasingly reference ISO 42001, and certification provides a competitive advantage in government tenders.
It can. If your AI system processes data from EU residents or your services are offered to EU customers, the EU AI Act applies regardless of infrastructure location. Many Gulf organizations are aligning with both regional and EU requirements to serve international markets.
Bahrain. A 38-article AI Regulation Law was unanimously approved by the Shura Council in April 2024 and is under review by the Council of Representatives. If enacted, it would include criminal penalties of up to 3 years imprisonment and fines up to BD 2,000, making it the most stringent proposed AI legislation in the GCC.
PDPL (Personal Data Protection Law) focuses on data privacy, consent, and handling, similar to GDPR. AI-specific frameworks (like SDAIA Ethics Principles, CBUAE AI Guidance, or Qatar's QCB guidelines) address broader concerns: algorithmic fairness, model explainability, human oversight, bias testing, and AI governance. Both may apply to your AI systems simultaneously.
High-risk typically includes AI used in healthcare decisions, financial services (credit scoring, insurance, loan applications), criminal justice, critical infrastructure, or systems that significantly affect individuals' rights. The CBUAE guidance specifically defines "high-impact decisions" as any AI determination that materially affects a customer's access to financial products or services.
Start documenting your AI systems and their risk levels now. Regulators generally look favorably on organizations that demonstrate good-faith compliance efforts. Penalties vary: Saudi PDPL fines reach SAR 5M, Bahrain's proposed AI law includes criminal penalties, and the CBUAE can raise non-compliance during supervisory examinations. The regulatory environment is tightening, not loosening.
Ready to Simplify AI Compliance in the Gulf?
Modulos gives you the structure, automation, and documentation tools to meet AI regulations across the Middle East, with less overhead and more confidence. Book a demo to see how Modulos helps you stay ahead of CBUAE guidance, PDPL, SDAIA frameworks, and ISO 42001.