DIFC Data Protection Consultation Puts AI Governance Into Dubai’s Finance Rulebook
DIFC is consulting on amendments to its Data Protection Regulations that would sharpen AI-system safety, certification and Autonomous Systems Officer rules for firms in the Dubai financial centre.
DIFC Opens An AI Data-Governance Consultation
Dubai International Financial Centre is consulting on amendments to its Data Protection Regulations, putting AI-system governance into the rulebook for firms operating from one of Dubai’s main financial free zones.
The consultation, announced in Dubai on 18 June 2026, proposes changes to the DIFC Data Protection Regulations.
DIFC says the amendments are intended to strengthen and streamline the framework by embedding safety requirements in systems that process personal data in an AI-native jurisdiction.
The proposal focuses on three operational areas: requirements for systems that process personal data, certification obligations, and the role of the Autonomous Systems Officer.
DIFC also wants to give the Commissioner new powers to recognise accreditation and certification schemes.
That makes the consultation a market-entry and compliance story, not only a legal update.
Banks, fintech firms, asset managers and technology providers in the centre would have to treat AI-related data controls as part of regulated operating practice if the amendments proceed.
Certification And The ASO Role Move Higher
Jacques Visser, Chief Legal Officer at DIFC Authority, said the framework needs to remain practical, clear and able to respond to the way AI and data-driven systems are being used.
He said the amendments are intended to support clarity, accountability and governance across DIFC.
DIFC had already updated the Data Protection Regulations in 2023 to add safeguards for advanced, AI-enabled systems that process personal data at large scale.
The new consultation builds on that earlier step by refining the regulatory regime rather than creating a separate AI law from scratch.
For regulated companies, the most concrete issue is responsibility.
The Autonomous Systems Officer role gives firms a named governance function around advanced systems, while certification rules create a path for the regulator to judge external accreditation schemes.
DIFC did not announce a final adoption date in the consultation material.
The immediate burden is therefore on firms to assess how existing AI, analytics and data-processing systems would map to the proposed safety and certification language.
Dubai’s Financial AI Push Gets A Compliance Layer
The consultation fits Dubai’s wider effort to make financial technology and AI adoption credible for institutions that handle sensitive customer and commercial data.
DIFC is not presenting AI only as a growth theme; it is asking how personal-data processing should be governed when automated systems become part of financial operations.
That distinction matters for the centre’s business positioning.
A financial free zone can attract AI-driven banking, fintech and asset-management activity only if firms understand who is accountable for data use, what certification counts, and how the Commissioner can recognise governance schemes.
The unresolved issue is procedural: DIFC has opened the consultation, but regulated firms still need final text before they can translate the proposed ASO, certification and accreditation changes into internal controls, vendor reviews and board-level governance.
