In force. The data-protection regulation that already governs how DIFC entities use AI.
DIFC Regulation 10 is the Dubai International Financial Centre's data-protection regulation. It is in force and applies to every entity operating in the DIFC. For AI deployments it governs lawful basis, model + dataset inventory, human oversight, automated-decision rights, and audit trail — independently of the UAE federal PDPL (Decree-Law 45/2021), which applies in parallel.
Reg 10 is not specifically an AI regulation — it is a data-protection regulation. But every AI deployment in a DIFC entity processes personal data, makes automated decisions, or both, and that is where Reg 10 bites.
The operating obligations: lawful basis for processing; documented model + dataset inventory; human oversight for high-risk decisions; data-subject rights including a meaningful explanation of automated decisions; an audit trail durable enough to survive a Commissioner review.
A board-level question that we get repeatedly: "does using OpenAI / Anthropic / Microsoft Copilot put us out of scope?" No. The vendor is a processor; the DIFC entity is the controller. Reg 10 obligations stay with you.
1. No model + dataset inventory. The entity uses AI in 5 places, knows about 2 of them, has the data classification for none.
2. No documented lawful basis for training-data use. Vendor terms changed in 2025; the SOC 2 dossier from 2024 no longer covers the model actually in use.
3. No human-oversight design on automated decisions that affect customers or staff. The agent acts; nobody can show who reviews what.
4. No subject-access-request workflow for AI outputs. Reg 10 gives data subjects rights over their data; the workflow has to exist before the request lands.
5. No audit trail. Logs are at the application layer, not the AI layer — prompts, retrieval sources, and decisions don't survive to the next review.
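As an added illustration (not from the original page) of what an AI-layer audit record covering gaps 1, 3, 4 and 5 can look like, the following Python sketch writes one hash-chained record per automated decision, keyed to a model and dataset inventory, with a reviewer field for human oversight and a subject-access lookup. The inventory identifiers and sample entries are constructed for the example.

```python
"""Append-only AI-layer audit trail: one record per automated decision."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the hash chain


class AiAuditLog:
    """Hash-chained records so a later review can detect gaps or edits."""

    def __init__(self):
        self.records = []
        self._prev_hash = GENESIS

    def record(self, *, subject_id, model_id, dataset_ids, lawful_basis,
               prompt, retrieval_sources, decision, reviewer):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "subject_id": subject_id,            # key for subject-access requests
            "model_id": model_id,                # key into the model inventory
            "dataset_ids": list(dataset_ids),    # keys into the dataset inventory
            "lawful_basis": lawful_basis,        # documented basis for this use
            "prompt": prompt,                    # what the model was asked
            "retrieval_sources": list(retrieval_sources),  # what it was shown
            "decision": decision,                # what it produced
            "reviewer": reviewer,                # None means no human oversight
            "prev_hash": self._prev_hash,        # links to the previous record
        }
        entry["hash"] = self._digest(entry)
        self._prev_hash = entry["hash"]
        self.records.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_chain(self):
        """True only if every record is intact and the chain has no gaps."""
        prev = GENESIS
        for e in self.records:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def subject_access(self, subject_id):
        """Records a data subject can be given on request."""
        return [e for e in self.records if e["subject_id"] == subject_id]

    def unreviewed(self):
        """Decisions with no human reviewer recorded."""
        return [e for e in self.records if e["reviewer"] is None]
```

A tampered or deleted record breaks `verify_chain()`, and `unreviewed()` surfaces the decisions that lack the oversight gap 3 describes.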
On 21 April 2026 the DIFC announced its strategy to become the world's first AI-Native financial centre (USD 3.5bn target, 25,000 jobs). This is a strategy, not new binding rules — but it is a clear signal that the entities the DIFC already regulates can expect more, not less, supervisory attention on their AI use.
Practical implication: an entity that is non-compliant on Reg 10 today is on a worsening trajectory. The cost of the catch-up audit increases as the supervisor's tolerance for "we hadn't gotten around to it" decreases.
For DIFC and ADGM funds, family offices, and financial operations: assess AI use cases, document the workflows, then build the governed systems that survive an investor or regulator question.