AI Regulations in the
Middle East
The UAE created a federal AI authority in June 2026, Saudi Arabia declared its Year of AI, and the Gulf's central banks are writing binding rules. Here is what is in force, what is coming, and how to prepare.
Why AI Regulations in the Middle East Matter
Governments across the GCC are investing heavily in artificial intelligence and pairing that investment with stricter oversight. Regulators are responding with new laws and supervisory expectations on data privacy, ethics, and accountability.
Compliance isn't optional. Violations can lead to serious consequences:
Penalties up to SAR 5M under the Saudi PDPL and proposed criminal penalties, including prison terms, under Bahrain’s draft AI law
Disqualification from public tenders and CBUAE supervisory findings for financial institutions
Delays in financing, product launches, and loss of market access
Staying ahead of local laws while aligning with global AI standards like ISO 42001, is now critical for any AI-driven organization operating in the region.
Jurisdictions compared, from the UAE to Egypt
Saudi PDPL violation decisions in a single year
Central banks with AI rulebook entries, Qatar and the UAE
Legally binding today: Qatar’s QCB guidelines
Where the Region Stands
The Gulf moved fast in 2026. These are the developments that change what your compliance program has to answer for.
Binding rules reach the free zones
DIFC Regulation 10 on autonomous systems is fully enforced, and a National AI System joins the UAE Cabinet as an advisory member.
CBUAE Guidance Note
AI/ML expectations for every UAE licensed financial institution, from board accountability to kill-switch capability.
The UAE gets a federal AI regulator
The Federal Authority for Artificial Intelligence and Data consolidates the AI Office, TDRA’s digital-government arm, and the Emirates Data Office.
Saudi text-and-data-mining exception
A new law permits reproduction of copyrighted works for AI development without the author’s permission.
No date yet: Bahrain's 38-article AI statute passed the Shura Council in April 2024, has faced pushback in the Council of Representatives, and was not enacted as of July 2026.
Binding rules reach the free zones
DIFC Regulation 10 on autonomous systems is fully enforced, and a National AI System joins the UAE Cabinet as an advisory member.
CBUAE Guidance Note
AI/ML expectations for every UAE licensed financial institution, from board accountability to kill-switch capability.
The UAE gets a federal AI regulator
The Federal Authority for Artificial Intelligence and Data consolidates the AI Office, TDRA’s digital-government arm, and the Emirates Data Office.
Saudi text-and-data-mining exception
A new law permits reproduction of copyrighted works for AI development without the author’s permission.
Bahrain's AI statute is still in parliament
Passed the Shura Council in April 2024, faced pushback in the Council of Representatives, and was not enacted as of July 2026.
AI Regulations by Country
Each jurisdiction takes its own path. The UAE and Qatar have issued binding sector rules for financial institutions, Saudi Arabia pairs a national governance ecosystem with real PDPL enforcement, Egypt is finalizing a dedicated law, and Bahrain's statute is still in parliament.
On 14 June 2026, the UAE announced the Federal Authority for Artificial Intelligence and Data, consolidating the federal AI Office, TDRA's digital-government arm, and the Emirates Data Office into a single body reporting to the Cabinet. It joins Abu Dhabi's AI Authority (AIATC, Law No. 3 of 2024) and the Regulatory Intelligence Office (2025), which embeds AI in the law-making process itself. Core binding legislation remains Federal Decree-Law No. 45/2021 on data protection (PDPL) and Federal Decree-Law No. 34/2021 on cybercrime; the UAE Charter for AI (June 2024) sets out 12 non-binding principles including safety, transparency, and human oversight.
Since January 2026, a National AI System sits as an advisory member of the Cabinet and the boards of federal entities, providing real-time policy analysis. There is still no horizontal AI statute: the UAE regulates AI through this layered structure rather than an EU-style act.
CBUAE AI Guidance for Financial Institutions
Issued February 2026 · Applies to all licensed financial institutions
The Central Bank of the UAE published a Guidance Note on the responsible adoption and use of AI/ML by all licensed financial institutions (LFIs), including banks, insurance providers, exchange houses, and payment service providers. Published in the official CBUAE Rulebook, it carries strong supervisory expectation despite using "should" language.
The free zones add binding layers of their own: DIFC's Regulation 10 on autonomous and semi-autonomous systems, administered by the DIFC Commissioner of Data Protection, has been in full enforcement since January 2026, one of the region's few AI-specific rules with teeth. ADGM maintains its own data protection and technology governance framework.
Saudi Arabia has designated 2026 as the "Year of Artificial Intelligence," with the Saudi Data and Artificial Intelligence Authority (SDAIA) leading national AI governance. SDAIA achieved ISO 42001 certification in July 2024, one of the first government agencies to do so.
The binding layer is the Personal Data Protection Law (PDPL, in force since September 2023, fines up to SAR 5M), and it is enforced: SDAIA's committees issued 48 decisions confirming PDPL violations in the year to early 2026. Around it sit SDAIA's AI Ethics Principles (updated 2025), the Generative AI Guidelines (updated 2025), and the AI Adoption Framework with four maturity levels (September 2024). These AI frameworks are non-binding, but SDAIA accreditation increasingly carries weight in government procurement.
From 1 August 2026, a new copyright law permits reproduction of copyrighted works for AI development without the author's permission, one of the region's first text-and-data-mining exceptions. A dedicated AI law is expected to follow, and the Draft Global AI Hub Law (2025) proposes "Virtual," "Extended," and "Private" hubs for international data hosting.
Qatar holds a distinction most coverage misses: the Qatar Central Bank's AI guidelines (September 2024) are the region's only legally binding AI-specific rules at national level. Licensed financial institutions need a defined AI strategy, risk assessments, prescribed disclosure, and pre-approval before deploying high-risk AI systems.
Qatar's Ministry of Communications issued Principles and Guidelines for Ethical AI Development and Deployment (2025). A dedicated AI law is under consideration, and the Qatar Financial Markets Authority (QFMA) announced plans for draft AI regulations in capital markets (May 2025).
Bahrain is the furthest along in the GCC toward a standalone AI statute, but the road has been slow. A 38-article AI Regulation Law was unanimously approved by the Shura Council in April 2024; it has since faced pushback in the Council of Representatives, where the government proposed a regulatory sandbox instead, and had not been enacted as of July 2026. If passed, it would carry criminal penalties, with reported prison terms reaching 10 years for the most severe offenses.
The General Policy for the Use of AI (Version 1.0, May 2025) is Bahrain's first binding policy for government entities. The Central Bank of Bahrain regulates automated financial advice through its digital financial advice directives, and its supervisory reviews extend to AI use.
Egypt governs AI through its National AI Strategy (second edition, 2025 to 2030) under the National Council for Artificial Intelligence, whose mandate expanded to quantum and emerging technologies in January 2026, and the Ministry of Communications and Information Technology, alongside the Egyptian Charter for Responsible AI. The data layer is the Personal Data Protection Law (Law 151/2020), whose executive regulations arrived in November 2025 with full enforcement from late 2026.
A dedicated AI and data law is reported to be in the final stages of development. Egypt's strategy places particular weight on Arabic-language models and building regional AI capacity, which shapes how it approaches both regulation and procurement.
Oman's National AI Policy entered into force on 9 April 2025, issued by the Ministry of Transport, Communications and IT (MTCIT). While non-legally binding to allow flexibility, the policy requires entities to apply governance standards, conduct regular assessments, maintain documentation, and submit compliance reports upon request. The National Program for AI and Advanced Digital Technologies (2024-2026) supports implementation.
AI Regulations Across the Gulf
Every jurisdiction here combines binding data protection law with AI frameworks, sector guidance, and procurement requirements. The matrix separates what binds today from what is policy and what is still pending, because that difference decides your obligations.
| Country | Data protection | National AI framework | Financial-sector AI rules | Horizontal AI statute |
|---|---|---|---|---|
| UAE | PDPL 45/2021 · DIFC Reg 10 enforced | AI Charter · Federal Authority (Jun 2026) | CBUAE Guidance Note (Feb 2026) | None · layered regime |
| Saudi Arabia | PDPL · SAR 5M fines · 48 decisions | SDAIA Ethics · GenAI · Adoption Framework | — | AI law expected · TDM exception 1 Aug 2026 |
| Qatar | Data Privacy Law 13/2016 | MCIT Ethical AI Principles (2025) | QCB Guidelines · high-risk pre-approval | Under consideration |
| Bahrain | PDPL 30/2018 | General Policy for AI Use (May 2025) | CBB digital-advice directives | 38-article law in parliament |
| Egypt | PDPL 151/2020 · full enforcement late 2026 | Strategy 2.0 · Responsible AI Charter | — | Final stages of drafting |
| Oman | Data protection decrees | National AI Policy (Apr 2025) | — | None announced |
The central-bank wave
The Central Banks Moved First
While horizontal AI statutes are still drafts, the Gulf's financial supervisors already put their AI expectations in writing. If you run AI in a licensed financial institution, these are the documents your program will be examined against.
Qatar Central Bank
AI Guidelines for licensed financial institutions
- Pre-approval before high-risk AI systems go live
- A defined AI strategy and documented risk assessments
- Prescribed disclosure about AI systems in use
Central Bank of the UAE
Guidance Note on AI/ML in the CBUAE Rulebook
- Board accountability and a complete AI model inventory
- Annual bias testing, opt-out rights, human review
- Kill-switch capability to cease AI use immediately
Central Bank of Bahrain
Directives on digital financial advice
- Written expectations for automated financial advice
- Supervisory reviews extend to AI and RPA use
Running AI in a bank or insurer? See how the same evidence serves financial supervisors everywhere
Shared AI Governance Trends in the Gulf
Despite different regulatory timelines, several key principles are consistent across Gulf countries:
Privacy by design
Most data protection laws in the region are modeled on GDPR, requiring clear consent, transparency, and data minimization.
Ethics in public procurement
In the UAE, Saudi Arabia, and Bahrain, ethical AI practices are increasingly tied to supplier eligibility. Ethics self-assessments and accreditations carry growing weight in tenders.
Compliance benchmark
Agencies like Emirates Health Services and Saudi Arabia's SDAIA are early adopters of ISO 42001. Certification is emerging as a trusted signal of organizational readiness for AI oversight.
How Gulf Rules Define AI Risk
The Gulf has no binding EU-style risk law. SDAIA's AI Ethics Principles sketch a four-tier classification, from unacceptable down to little risk, but as non-binding guidance. Where risk carries legal consequences, it is defined in sector rules and in data protection law. These are the definitions that exist.
CBUAE Guidance Note
UAE licensed financial institutions
Defines "high-impact decisions": any AI determination that materially affects a customer's access to financial products or services.
Triggers consumer opt-out rights, human review, and annual bias testing.
QCB AI Guidelines
Qatar licensed financial institutions
Classifies AI systems by risk and requires regulatory pre-approval before a high-risk system is deployed.
The strictest gate in the region: approval comes before go-live, not after.
PDPL regimes
UAE, Saudi Arabia, Qatar, Bahrain, Egypt
Data protection laws attach duties to the processing of personal data, whatever the AI system's risk label.
A "low-risk" chatbot handling customer data still carries full PDPL obligations.
Elsewhere the frameworks grade organizations, not systems: SDAIA's AI Adoption Framework measures maturity levels, and Oman's National AI Policy requires assessments without a classification scheme. If your AI also reaches EU persons, the EU AI Act's own categories apply on top; that law has no "medium risk" tier either.
Your AI Compliance Roadmap for the Middle East
Five steps from an unmapped AI estate to audit-ready, each tied to the Gulf rule that asks for it.
Document every AI system and use case, then risk-rate each one. The CBUAE expects a complete model inventory with name, purpose, and risk rating, and the PDPL layers of the UAE, Saudi Arabia, and Egypt attach duties wherever personal data flows.
In Modulos: a living AI registry with lifecycle stage and risk rating per system.

Use ISO/IEC 42001 as the governance backbone and extend existing ISO 27001 structures to the AI lifecycle. It is the standard the region’s own institutions reach for: SDAIA certified against it, and DIFC’s AI rules reference it for high-risk systems.
In Modulos: one control set mapped across ISO 42001 and the frameworks that reuse it.

The UAE AI Office publishes an AI Ethics Self-Assessment, Dubai runs the tiered Dubai AI Seal certification, and SDAIA offers a self-assessment against its Ethics Principles. All are voluntary today, and all carry growing weight in government procurement.
In Modulos: assessment workflows that keep the answers and the supporting evidence together.

The CBUAE expects bias testing at least annually or on material model change, and QCB-licensed institutions maintain documented risk assessments. Track drift, bias metrics, and data quality as ongoing evidence rather than an annual scramble.
In Modulos: risk and performance dashboards with history an examiner can walk through.

Qatar’s QCB reviews high-risk AI before it goes live, including training, validation, and testing results. Audit-ready evidence packages answer that today, and ISO/IEC 42001 certification differentiates in competitive tenders.
In Modulos: evidence packages traceable from each artifact back to the requirement that asked for it.

Trusted by 200+ organizations
Modulos customers include aDigital, SCSK, ETH, PwC, Berner Fachhochschule, Mobile Health, Serai, CertX, JobCloud, Xayn, Beyond Gravity, Armasuisse.

Regional Advisory
Modulos works with advisory partners across the region, including PwC Middle East, on AI governance programmes aligned to UAE and Saudi regulatory frameworks. See the partner ecosystem
Gartner Magic Quadrant
Named in the inaugural Magic Quadrant™ for AI Governance Platforms
Published by Gartner® on 16 June 2026. Read the full announcement.
Gartner, Magic Quadrant for AI Governance Platforms, Lauren Kornutick, Sumit Agarwal, Priya Sundararaman, Nader Henein, Brandon Medford, 16 June 2026. GARTNER is a registered trademark and service mark, and MAGIC QUADRANT is a registered trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
FAQ about Middle East AI Regulations
The UAE combines federal data protection (PDPL, Decree-Law 45/2021), the UAE Charter for AI (2024, non-binding), and sector-specific guidance. In June 2026 the UAE announced the Federal Authority for Artificial Intelligence and Data as a single Cabinet-level regulator. For financial institutions, the CBUAE published a Guidance Note on AI/ML in February 2026 covering governance, bias testing, transparency, and human oversight. DIFC and ADGM maintain separate frameworks, and DIFC Regulation 10 on autonomous systems has been in full enforcement since January 2026.
The Federal Authority for Artificial Intelligence and Data, announced on 14 June 2026, consolidates the federal AI Office, the digital-government arm of TDRA, and the Emirates Data Office into one body reporting to the Cabinet. Sector regulators keep their mandates: the CBUAE for financial institutions, AIATC in Abu Dhabi, and the free-zone authorities in DIFC and ADGM.
The CBUAE Guidance Note (February 2026) applies to all licensed financial institutions. Key requirements include board-level accountability for AI outcomes, a complete AI model inventory, annual bias testing, consumer opt-out rights on high-impact decisions, the right to human review, kill-switch capability, and third-party vendor due diligence. While framed as guidance, it is published in the official Rulebook and carries strong supervisory expectation.
Saudi Arabia’s AI governance is led by SDAIA, which issues non-binding AI Ethics Principles, Generative AI Guidelines, and an AI Adoption Framework. The PDPL (in force since September 2023) provides mandatory data protection with penalties up to SAR 5M, and SDAIA’s committees issued 48 decisions confirming violations in 2025 alone. From 1 August 2026, a new copyright law permits reproduction of copyrighted works for AI development, one of the region’s first text-and-data-mining exceptions. Saudi Arabia designated 2026 as the Year of AI and a dedicated AI law is expected to follow.
Not yet mandated, but it is rapidly becoming the governance baseline. SDAIA achieved ISO 42001 certification in July 2024, and Emirates Health Services uses it as their AI governance standard. Regulators across the Gulf increasingly reference ISO 42001, and certification provides a competitive advantage in government tenders.
It can. The EU AI Act applies when your system’s output is used in the EU or your AI-powered products and services are offered to EU customers, regardless of where the system is hosted. Many Gulf organizations are aligning with both regional and EU requirements to serve international markets.
Bahrain, on paper: a 38-article AI Regulation Law was unanimously approved by the Shura Council in April 2024, with criminal penalties including multi-year prison terms for the most severe offenses. It has since faced pushback in the Council of Representatives and had not been enacted as of July 2026. Meanwhile Qatar already has the region’s only binding national AI-specific rules, through the central bank’s guidelines for licensed financial institutions.
PDPL (Personal Data Protection Law) focuses on data privacy, consent, and handling, similar to GDPR. AI-specific frameworks (like SDAIA Ethics Principles, CBUAE AI Guidance, or Qatar’s QCB guidelines) address broader concerns: algorithmic fairness, model explainability, human oversight, bias testing, and AI governance. Both may apply to your AI systems simultaneously.
High-risk typically includes AI used in healthcare decisions, financial services (credit scoring, insurance, loan applications), criminal justice, critical infrastructure, or systems that significantly affect individuals’ rights. The CBUAE guidance specifically defines "high-impact decisions" as any AI determination that materially affects a customer’s access to financial products or services, and Qatar’s QCB requires pre-approval before high-risk AI systems are deployed.
Start documenting your AI systems and their risk levels now. Regulators generally look favorably on organizations that demonstrate good-faith compliance efforts. Penalties vary: Saudi PDPL penalties reach SAR 5M and are being imposed, Bahrain’s proposed AI law includes criminal penalties, and the CBUAE can raise non-compliance during supervisory examinations. The regulatory environment is tightening, not loosening.
Yes. Modulos is available as SaaS, private cloud, or VPC deployment, so organizations subject to data-residency or localization expectations can run the platform inside their own environment and region. Deployment options are described in detail on the Modulos deployment page.
Ready to Simplify AI Compliance in the Gulf?
Modulos gives you the structure, automation, and documentation tools to meet AI regulations across the Middle East, with less overhead and more confidence. Book a demo to see how Modulos helps you stay ahead of CBUAE guidance, PDPL, SDAIA frameworks, and ISO 42001.
