DIFC starts 30-day AI data rules consultation, with new Regulation 11 underway

DIFC has opened a 30-day consultation on proposed amendments to its data protection regulations, putting fresh AI governance measures out for comment rather than into force. The consultation runs until July 18, and it is explicitly not an approved rule change inside Dubai’s financial centre, even though it can already influence how banks, fintechs, and other operators plan second-half 2026 AI deployments.

At the center of the proposal is Consultation Paper No. 3 of 2026, which targets amendments to DIFC’s Data Protection Regulations (not the primary Data Protection Law). It addresses AI-related processing of personal data, introduces changes involving accreditation and certification schemes, and clarifies duties for Autonomous Systems Officers, with DIFC describing the package as designed to “tighten governance” as reliance on autonomous and semi-autonomous systems grows.

For compliance leaders, the first reason this matters is structural. DIFC’s legal database lists the Data Protection Law and Data Protection Regulations as separate instruments, and this consultation paper targets the regulations specifically. That distinction is not academic. It frames what teams need to track day-to-day, and it signals that DIFC is iterating through its regulatory layer rather than rewriting the underlying statute. Stakeholders have until July 18, 2026 to file comments on the draft text, and DIFC will decide after that process whether to amend the regulations and in what final form.

Second, the proposal is designed around how AI actually gets built and used, including the “who owns accountability” question that often gets fuzzy in automated systems. DIFC says it will create a new Regulation 11 that would let the Commissioner formally recognize accreditation and certification schemes. Alongside that, DIFC records that the draft would clarify certification obligations and sharpen accountability around ASO roles. If you are a bank or an AI vendor operating in higher-risk scenarios where personal data is processed by autonomous or semi-autonomous systems, that ASO wording can change internal responsibility lines, which in turn can affect audits, governance reporting, and escalation paths.

Third, DIFC is positioning these amendments as part of a broader compliance route, not as a brand-new maze. The paper is anchored to existing Regulation 10, which already covers personal data processed through autonomous and semi-autonomous systems. DIFC describes Regulation 10 as a route to interoperability with the growing body of AI laws and policies that firms face across jurisdictions. In other words, DIFC is not starting from zero. It says Regulation 10 material sits alongside an advisory committee charter, accreditation and certification documents, and a list of approved accredited certification bodies, and the proposed amendments would build on that compliance structure.

DIFC’s AI governance pitch also has cross-border intent. In December 2025, DIFC said it had joined the Global CBPR system, and it pointed to Regulation 10 as a regional first on personal data processed through autonomous and semi-autonomous systems. Consultation Paper No. 3 of 2026 extends that track rather than opening a separate rulebook. DIFC also frames the agenda as strengthening expectations around safe, ethical and privacy-by-design development practices inside what it calls an “AI native jurisdiction.” That “AI native” language is not just marketing. DIFC said in April 2026 that it aims to become the world’s first AI native financial centre, embedding AI across regulation, infrastructure, and talent.

So what should executives and boards take away right now, before any final text is approved? First, certification and accreditation can alter procurement choices, audit scope, and deployment timelines, according to the consultation framing. When firms are buying or building AI systems that handle personal data at scale, the ability to follow a cleaner compliance route, and to know which assurance routes DIFC intends to accept, can become a practical differentiator. Second, the consultation period itself is a window for influence. Teams should evaluate whether their current certification approach, governance model, and ASO responsibilities align with the direction of the draft.

Finally, DIFC Authority Chief Legal Officer Jacques Visser said DIFC wants rules that remain “practical, clear and able to respond” as AI use expands. If you zoom out, this is a regulator trying to keep pace without lowering governance standards. And because DIFC’s innovation community already exceeds 1,670 innovation and tech firms, the compliance ripples are likely to spread quickly across the ecosystem. Until July 18, 2026, firms inside DIFC are responding to a proposal, not an approved set of rules. But that distinction matters, and it will matter more for compliance teams, procurement heads, and legal officers planning AI deployments for the second half of 2026.