Most jurisdictions are regulating artificial intelligence the way you patch a building after it is built: a rule here, a guidance note there, a penalty bolted onto a statute that never imagined the technology. Dubai is trying the opposite. It wants to write AI into the foundations of a financial centre’s rulebook — and it is using data-protection law to do it.
On 21 April 2026, the Dubai International Financial Centre announced an aim to become the world’s first “AI-native financial centre,” embedding the technology across its legal and regulatory frameworks, its business environment, talent, infrastructure and even the physical fabric of the district (DIFC). The centre projects the programme will add about USD 3.5 billion (AED 12.9 billion) to the local economy and create some 25,000 jobs. Those are aspirational figures. The concrete move came two months later.
A rulebook change, not a manifesto
In June, DIFC opened a 30-day public consultation — Consultation Paper No. 3 of 2026 — on amendments to its Data Protection Regulations, with feedback due 18 July 2026 (DIFC, Gulf News). This is the part that matters. A vision statement is cheap. A change to the binding rulebook that every firm in the centre operates under is not.
The amendments refine Regulation 10, which governs the safe, ethical and privacy-by-design handling of personal data in automated systems, and add a new Regulation 11 that lets the Commissioner of Data Protection recognise external accreditation and certification schemes. They also clarify the role of the Autonomous Systems Officer — an accountable human function for organisations deploying AI that processes personal data.
“These amendments are intended to help provide that clarity, while supporting high standards of accountability and governance,” said Jacques Visser, Chief Legal Officer of the DIFC Authority (Gulf News).
Note what DIFC did not do. It did not draft a standalone AI Act. It extended the law it already had — data protection — to carry AI obligations. That is a deliberate choice, and it is the whole story.
Regulatory competition, not just regulation
The default frame for AI rules is restraint: the state drawing a line a company must not cross. The European Union’s AI Act is the archetype. It is statute, it is tiered by risk, and it is backed by penalties that can reach 6 to 7 percent of global turnover (Latham & Watkins). Compliance is a cost of admission, and the deterrent is the fine.
The Gulf is running a different play. The United Arab Emirates governs AI in finance largely through non-binding instruments. In February 2026 the Central Bank of the UAE issued a Guidance Note on the responsible adoption of AI, setting out expectations across governance and accountability, consumer protection, transparency and explainability, human oversight, and data management (CBUAE, Pinsent Masons). It is guidance, not a rule with teeth. Pinsent Masons notes generative-AI use among UAE financial institutions rose sharply over 2024–2025.
DIFC’s data-protection track is the harder edge of that approach: codified obligation, but routed through a rulebook a firm chooses when it sets up in the free zone, rather than a penalty-backed statute it cannot escape. The centre is not trying to deter AI. It is trying to attract the firms building it — by offering a place where the rules are clear, AI-specific and already written, instead of pending.
That is regulatory competition. A financial free zone is using the speed of its own rulebook as a product feature. Where the EU sells legal certainty through comprehensiveness and the threat of enforcement, DIFC is selling certainty through being early and being narrow.
The limits worth naming
Two cautions keep this honest.
First, the instrument is modest relative to the slogan. “AI-native financial centre” is a branding line; the binding change in front of regulators is an amendment to data-protection regulations, not a sweeping AI code. The obligations bite where AI touches personal data — automated decisions, profiling, the systems that need an Autonomous Systems Officer — and not much further. That is a real but bounded perimeter.
Second, soft-law-plus-rulebook is a bet that clarity attracts capital faster than penalties deter misuse. It works only if firms believe a recognised certification scheme under Regulation 11 will travel — that compliance inside the zone earns trust outside it. If global counterparties and home regulators treat a DIFC accreditation as marketing rather than assurance, the regulatory-competition pitch loses its edge.
Implications
The contest in AI finance regulation is no longer only about how strict the rules are. It is about who writes usable ones first.
The EU’s strength is universality: one law, one market, one penalty schedule. Its weakness is speed and the cost of ambiguity while guidance catches up to statute. DIFC’s wager is the inverse — give firms a small, clear, AI-specific rulebook now, and let the certainty pull deployment into the zone. The 18 July consultation deadline is the near-term tell. Watch whether the final text keeps the Regulation 11 certification machinery, because that is the part designed to make compliance portable, and portability is what turns a local rule into a competitive advantage.
For everyone else, the lesson is structural. AI obligations do not need a new statute to land. They can be threaded through the laws that already govern data, decisions and accountability — faster, and with less political friction, than a bespoke AI act. Dubai is testing whether bolting AI into the foundations beats bolting it on afterward. The buildings are not finished. But the blueprint is now public, and it is short on purpose.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.