People new to the UAE regulatory environment often expect a single authority and a single rulebook for AI. There is neither. A financial firm can find itself answerable to the CBUAE, the DFSA, and federal law at the same time, depending on where and how it operates. This is not disorganisation. It is the structure of the country, and once you understand why it exists, working through it becomes a mapping exercise rather than a source of anxiety.

Why the layering exists

The UAE runs financial free zones, the DIFC in Dubai and ADGM in Abu Dhabi, that operate their own legal and regulatory frameworks distinct from the federal onshore system. A firm inside the DIFC answers to the DFSA and the DIFC's data protection regime. A firm onshore answers to federal law and, if it is a licensed financial institution, to the CBUAE. ADGM is its own jurisdiction again. The free zones were designed to offer an independent, internationally aligned legal environment, and that independence is the whole point. The cost of it is that AI obligations are not uniform across the country.

Who covers what

The CBUAE supervises licensed financial institutions onshore and published its responsible AI guidance in February 2026, placing AI accountability at board level. The DFSA regulates DIFC firms and is folding AI into its existing technology-risk and outsourcing expectations, with the DIFC Commissioner of Data Protection actively enforcing data obligations. ADGM operates its own data protection framework and AI guidance, alongside Abu Dhabi's AI Authority. Federal law (the PDPL and the cybercrime decree) sets the baseline that applies regardless of free-zone status.

The trap for multi-jurisdictional firms

The firms that get caught are the ones operating across these boundaries without mapping which obligations apply to which entity and which system. A model used by the onshore entity and the DIFC entity may sit under two different regimes with different expectations. Assuming one approval covers both is how gaps form.

We built exactly this kind of inventory for a fast-growing UAE technology company that operated across more than one market, showing which AI systems sat where and which obligations applied to each. Before that work, leadership could not have told anyone how its systems mapped to the rules.

How to work through it

The practical answer is a single artefact: a mapping document. List every AI system, the entity that runs it, the jurisdictions that entity operates in, and the obligations each of those jurisdictions imposes. Maintain it as systems change. It is unglamorous, and it is the thing that lets you answer a regulator's question in any of the jurisdictions you touch without scrambling. Having multiple regulators is not a problem to solve once. It is a structure to manage continuously, and the firms that treat it that way stop finding it difficult.


The views and findings in this article are shared for general information only. They are high-level perspectives, not legal, financial, regulatory, or other professional advice, and should not be relied upon for any specific decision or circumstance. For guidance tailored to your situation, please consult a qualified adviser.