Arabian Post Staff -Dubai
The proposed changes are aimed at strengthening governance, accountability and privacy protections across the financial free zone as banks, asset managers, insurers, fintech firms and professional services companies expand the use of automated tools. The consultation, announced on June 18, forms part of DIFC’s effort to keep its regulatory framework aligned with fast-moving AI deployment while preserving confidence in a jurisdiction built around cross-border finance, data flows and institutional trust.
The amendments focus on AI-enabled systems, certification requirements, data governance and the role of compliance officers overseeing autonomous and semi-autonomous technologies. They seek to clarify how firms should embed safety and accountability into systems that use personal data, particularly where automated tools influence decisions, risk assessments, client onboarding, profiling, fraud detection or operational monitoring.
DIFC said the draft regulations are designed to make existing requirements more practical and clearer for businesses while giving the Commissioner of Data Protection stronger tools to recognise accreditation and certification schemes. The changes would also refine the responsibilities of the Autonomous Systems Officer, a role created under the centre’s AI-related data protection framework to ensure organisations applying advanced technologies maintain proper oversight.
Jacques Visser, Chief Legal Officer at DIFC Authority, said the framework had to remain practical, clear and responsive as AI and data-driven systems become more common. He said the amendments were intended to support high standards of accountability and governance across the centre.
The proposal builds on Regulation 10 of the DIFC Data Protection Regulations, which was introduced in 2023 to address the processing of personal data through autonomous and semi-autonomous systems. That regime placed DIFC among the earliest financial jurisdictions in the region to frame AI governance through data protection law rather than a standalone technology statute. It also reflected a risk-and-outcomes-based approach, seeking to balance innovation with privacy, security, transparency and human oversight.
The latest consultation comes at a time when financial centres are adjusting rules for AI use in regulated and data-intensive sectors. Generative AI, machine-learning models and automated decision systems are increasingly being used to analyse client behaviour, detect suspicious transactions, process large volumes of financial information and improve customer service. Those gains have also raised concerns over explainability, bias, cyber security, model drift, consent, data minimisation and the use of personal information in training or fine-tuning systems.
DIFC’s move is significant because of the scale of the ecosystem it regulates. The centre ended 2025 with about 8,840 active registered firms after new registrations rose sharply during the year. Its innovation-focused community also expanded, with 1,677 AI and fintech organisations operating in the centre, supported by DIFC Innovation Hub and Dubai AI Campus. The expansion has increased the volume and complexity of personal and commercial data being handled within the jurisdiction.
The data protection regime is anchored in DIFC Data Protection Law No. 5 of 2020, which is modelled in part on global privacy principles and administered separately from federal data rules. Amendments enacted in 2025 introduced wider protections, including a private right of action allowing data subjects to seek compensation through DIFC Courts for breaches of their rights. The proposed regulatory update would add another layer by dealing more directly with how AI systems are developed, deployed and certified.
For firms operating in DIFC, the practical impact is likely to be felt in compliance documentation, vendor due diligence, internal governance and technology procurement. Organisations using third-party AI tools may need to show how they assess model risks, monitor outcomes, protect personal data, and maintain clear accountability between controllers, processors and technology providers. Firms developing in-house systems may face closer scrutiny over system design, testing, auditability and the handling of sensitive or high-risk data.
The certification element could prove especially important. Recognition of accredited certification bodies and schemes may give companies a clearer route to demonstrate compliance, while giving the regulator a more structured way to assess whether AI systems meet expected standards. That approach may also help multinational firms operating across several jurisdictions manage overlapping obligations under DIFC rules, the EU AI Act, the General Data Protection Regulation and other emerging privacy and AI frameworks.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
