Comparison tableUpdated June 2026

DIFC Regulation 10 vs PDPL vs ADGM DPR: UAE AI Governance Comparison Table

Dimension	PDPL	DIFC Regulation 10	ADGM DPR
Effective date	Full compliance Jan 2027	In force Jan 2026	In force 2021
Who it covers	All organisations processing UAE residents' personal data	DIFC-licensed entities using autonomous systems to process personal data	ADGM-registered entities processing personal data
Legitimate interest basis	No	No	Yes (GDPR-aligned)
Dedicated AI rule	No dedicated AI provision	Yes — Regulation 10 specifically governs autonomous systems	Automated decision provisions only
Pre-deployment risk assessment	No specific mandate	Yes — required for all High and Medium risk autonomous systems	Implied by DPIA requirements
Explainability required	Implied	Explicit — for all consequential decisions	Explicit
Fines	Up to AED 5 million	USD 25,000–50,000 per violation	Up to USD 28 million
Private right of action	No	Yes — data subjects can sue directly	Yes
Data residency	Yes for certain sensitive categories	Free zone boundary controls	Free zone boundary controls
Cross-border transfers	Adequacy or appropriate safeguards required	Adequacy assessment required for transfers outside DIFC	SCCs or adequacy list (tracks EU list)

Firms operating in multiple jurisdictions — such as a DIFC-licensed entity with mainland UAE clients — may be subject to two or more of these frameworks simultaneously. A single AI system with a data breach could trigger penalties under DIFC, PDPL, and ADGM concurrently. This table is current as of June 2026 and does not constitute legal advice.