DIFC Regulation 10 — the operator's compliance checklist

Dubai International Financial Centre Regulation No. 10

In force. The data-protection regulation that already governs how DIFC entities use AI.

Updated May 2026

Definition

DIFC Regulation 10 is the Dubai International Financial Centre's data-protection regulation. It is in force and applies to every entity operating in the DIFC. For AI deployments it governs lawful basis, model + dataset inventory, human oversight, automated-decision rights, and audit trail — independently of the UAE federal PDPL (Decree-Law 45/2021), which applies in parallel.

Status: In force

Applies to: All DIFC entities

Regulator: DIFC Commissioner of Data Protection

Relation to PDPL: Operates in parallel — both apply, neither replaces the other.

What Reg 10 actually requires for AI use

Reg 10 is not specifically an AI regulation — it is a data-protection regulation. But every AI deployment in a DIFC entity processes personal data, makes automated decisions, or both, and that is where Reg 10 bites.

The operating obligations: lawful basis for processing; documented model + dataset inventory; human oversight for high-risk decisions; data-subject rights including a meaningful explanation of automated decisions; an audit trail durable enough to survive a Commissioner review.

A board-level question that we get repeatedly: "does using OpenAI / Anthropic / Microsoft Copilot put us out of scope?" No. The vendor is a processor; the DIFC entity is the controller. Reg 10 obligations stay with you.

The five gaps we see most often

1. No model + dataset inventory. The entity uses AI in 5 places, knows about 2 of them, has the data classification for none.

2. No documented lawful basis for training-data use. Vendor terms changed in 2025; the SOC 2 dossier from 2024 no longer covers the model actually in use.

3. No human-oversight design on automated decisions that affect customers or staff. The agent acts; nobody can show who reviews what.

4. No subject-access-request workflow for AI outputs. Reg 10 gives data subjects rights over their data; the workflow has to exist before the request lands.

5. No audit trail. Logs are at the application layer, not the AI layer — prompts, retrieval sources, and decisions don't survive to the next review.

DIFC AI-Native financial centre — what it changes

On 21 April 2026 the DIFC announced its strategy to become the world's first AI-Native financial centre (USD 3.5bn target, 25,000 jobs). This is a strategy, not new binding rules — but it is a clear signal that the entities the DIFC already regulates can expect more, not less, supervisory attention on their AI use.

Practical implication: an entity that is non-compliant on Reg 10 today is on a worsening trajectory. The cost of the catch-up audit increases as the supervisor's tolerance for "we hadn't gotten around to it" decreases.

FAQ

Is DIFC Reg 10 the same as PDPL?

No. PDPL is UAE Federal Decree-Law 45/2021. DIFC Reg 10 is the DIFC's own data-protection regulation. Both apply to entities operating in the DIFC; neither replaces the other.

Does Reg 10 apply if we only use third-party AI (no in-house model)?

Yes. The vendor is a data processor; you remain the data controller. Your Reg 10 obligations do not transfer.

What is the penalty for non-compliance?

Reg 10 provides for administrative fines determined by the DIFC Commissioner of Data Protection. The exposure is real; the deterrent has so far been mostly reputational, but the AI-Native strategy is changing the supervisory profile.

Need this work done?

Book a Strategic Audit — the regulatory wedge is real, and the timing matters.