DIFC Regulation 10 — AI & autonomous systems
Note: this explainer is informational and framework references are never a compliance guarantee — align your program with your legal counsel.
DIFC Regulation 10 was enacted by the Dubai International Financial Centre on 1 September 2023 as part of its amended Data Protection Regulations, with full enforcement from 1 January 2026. It is the first regulation in the MEASA region to govern the processing of personal data through autonomous and semi-autonomous systems — including artificial intelligence, generative, and machine-learning technology. Official text: DIFC — Regulation 10.
Who it applies to
Regulation 10 places accountability on the visible parties that authorise or benefit from a System's operation:
- A Deployer — the person under whose authority or for whose benefit the System operates — is treated as the controller.
- An Operator — the provider that runs or supervises the System on the Deployer's direction — is treated as the processor.
If your organisation runs AI tools that touch personal data in or from the DIFC, you are most likely a Deployer.
The core obligations
Regulation 10 requires Deployers and Operators to assess, document, and mitigate privacy risks before they process personal data through an autonomous system, and to make transparency a first-class part of the design — affected individuals must be told such systems are in use and given enough information to evaluate the associated risks.
That presupposes something more basic: knowing which AI systems your organisation actually uses, and being able to govern the data that flows into them.
How Shield maps to it
Shield gives you the operating layer those duties assume:
- Discovery surfaces every AI tool in real use, so your inventory of Systems is real, not assumed — see review discovered tools.
- Policies and enforcement modes govern what data may reach an AI tool — transform personal data, block secrets, warn on the rest — see enforcement modes.
- The audit log keeps a tamper-resistant, exportable record you can show when documenting risk decisions — see audit log and export.
Applying the DIFC Regulation 10 bundle from the preset library turns these into framework-labelled policies in minutes. Shield does not inspect file contents, so file-upload channels are governed by blanket controls rather than inspection.
Was this article helpful?
Related articles
Apply policy presets and bundles
Deploy compliance-ready policies from the preset library — EU AI Act, GDPR, DIFC, Korea AI Basic Act, US AI in Employment, and ISO 42001/NIST bundles.
Read articleISO/IEC 42001 — AI management system
ISO/IEC 42001 is the world's first AI management system standard. What an AIMS requires, who it is for, and how Shield contributes operational controls toward it.
Read articleNIST AI Risk Management Framework (AI RMF)
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework for managing AI risk. Its four functions — Govern, Map, Measure, Manage — and how Shield supports them.
Read articleEU AI Act Article 26 — Deployer obligations
Article 26 defines your duties when deploying high-risk AI — applicable from December 2027 under the Digital Omnibus. What paragraphs (1), (5), and (6) require and how Shield prepares you now.
Read articleStill stuck?
Send us the details — we answer within one business day.