The proposals, published under Consultation Paper No. 3 of 2026, are aimed at reinforcing the framework for autonomous and semi-autonomous systems, clarifying certification obligations and defining the responsibilities of Autonomous Systems Officers. Stakeholders have until 18 July 2026 to submit comments before the amendments move towards the next stage of the legislative process.
The changes would strengthen Regulation 10, the AI-focused provision introduced in 2023 to govern personal data processed through autonomous and semi-autonomous systems. They would also add a new Regulation 11, giving the Commissioner of Data Protection powers to recognise accreditation and certification schemes. The move reflects the growing use of AI in financial services, compliance, client onboarding, credit assessment, fraud monitoring, wealth management and automated customer interaction.
DIFC’s proposal seeks to embed stronger safety standards into systems handling personal data, with emphasis on privacy-by-design, transparency, accountability and human oversight. The amendments are expected to require firms to demonstrate that automated systems operate within defined human-approved purposes, particularly where high-risk processing is involved.
Jacques Visser, chief legal officer at DIFC Authority, said the framework must remain practical, clear and responsive as AI and data-driven systems evolve. The proposed changes, he said, are intended to support high standards of accountability and governance across the centre.
The consultation comes as DIFC’s corporate base expands sharply. The centre had 8,844 active registered companies at the end of 2025, up 28 per cent year on year, and a financial services-related workforce of about 50,200. That scale has increased the importance of clear rules for data governance, particularly as firms deploy machine-learning tools across regulated and non-regulated operations.
Regulation 10 already requires organisations using autonomous or semi-autonomous systems to consider risks to privacy, fairness, security and lawful processing. The proposed amendments would sharpen that regime by making certification and accreditation routes clearer, reducing uncertainty for firms seeking to prove compliance.
Autonomous Systems Officers are expected to play a central role in the amended framework. Their function is broadly aligned with senior governance responsibilities, including oversight of system risks, data protection impact assessments, accountability measures and internal reporting to management. The amendments would give firms clearer guidance on when the role is required and how it fits into wider compliance structures.
The proposed certification framework is also significant for companies using AI in high-risk activities. These may include automated decisions affecting access to financial services, profiling, staff monitoring, processing of sensitive personal data, fraud detection and systems that generate material outcomes for individuals. Firms may need to show that algorithms can trigger human intervention where there is a risk of unfair, discriminatory or biased results.
The consultation also places DIFC within a broader shift among financial centres seeking to regulate AI without slowing adoption. The European Union’s AI Act, the United Kingdom’s principles-based approach, Singapore’s model governance framework and emerging guidance from financial regulators have all pushed firms towards stronger internal controls over automated systems. DIFC’s approach appears designed to remain interoperable with these frameworks while reflecting its own common-law regulatory environment.
For financial institutions, the amendments could lead to more formal documentation of AI use cases, clearer registers of systems, evidence of risk assessments, vendor due diligence and stronger board-level oversight. Technology providers offering AI tools to DIFC-based firms may also face greater scrutiny over model design, explainability, security controls and data handling arrangements.
The changes are likely to affect banks, asset managers, insurers, fintech companies, family offices, professional services firms and digital platforms operating from the centre. Smaller firms may face higher compliance costs if they rely on third-party AI tools but lack mature governance structures. Larger institutions, already subject to internal model-risk controls and regulatory reviews, may find the amendments easier to absorb but will still need to map systems against DIFC-specific obligations.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
