UAE Creates Single AI Regulator to Unify Fragmented Digital Oversight

UAE consolidates fragmented AI oversight under single federal authority to clarify regulatory boundaries.

On 14 June 2026, Sheikh Mohammed bin Rashid Al Maktoum announced the creation of the Federal Authority for Artificial Intelligence and Data, a single national institution designed to consolidate the UAE’s fragmented oversight of AI policy, digital government operations, and data regulation under unified Cabinet-level authority. The move signals something deeper than administrative tidying. It reflects a deliberate commitment to building the institutional infrastructure a serious artificial intelligence economy requires.

The new Authority will serve as the federation’s centralised hub for managing data, artificial intelligence, and digital government. Led by the Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications, it absorbs three existing bodies: the UAE’s Artificial Intelligence Office, the Information and Digital Government Sector within the Telecommunications and Digital Government Regulatory Authority (TDRA), and the Emirates Data Office, which had been formally announced but never became fully operational in practice.

Additional reference context is available at https://www.morganlewis.com/pubs/2026/06/uae-establishes-federal-authority-for-artificial-intelligence-and-data.

This is not a simple merger of functioning institutions. The consolidation addresses a real problem that has persisted in the UAE’s regulatory landscape: fragmentation that left meaningful questions about jurisdictional boundaries and enforcement authority unresolved. Bringing these functions under one roof is an attempt to create clarity where ambiguity has previously complicated business operations and policy coherence.

The Authority’s mandate spans multiple dimensions. It will set unified national AI and data policy direction, propose legislation and strategies, ensure alignment between federal and local digital initiatives, establish standards and guidelines for data and AI management, drive compliance across federal entities, build national research and development capacity, and expand international AI partnerships. One boundary remains unclear from the announcement: the extent to which the Authority will oversee Internet of Things regulation. TDRA has historically been the primary federal body managing IoT deployment and data governance in connected device environments. The Authority absorbs TDRA’s digital government functions, but TDRA continues to exist as a telecom regulator. Whether IoT oversight will be split between the two bodies depending on whether the issue involves connectivity or data governance is not yet specified, and this will likely be one of the Authority’s first jurisdictional challenges.

For businesses operating on the UAE mainland, the most pressing practical question concerns the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, the PDPL). The law has been in force for several years, yet its Implementing Regulations remain unissued. Those regulations are essential for operationalising key concepts around legal basis for processing, data subjects’ rights, cross-border transfers, and breach notifications. Enforcement has remained elusive because no supervisory authority has been unambiguously designated for private sector oversight. Businesses have operated in prolonged regulatory uncertainty. The market expectation is that the Authority will finalise those regulations and bring meaningful PDPL enforcement within its mandate. Whether that happens quickly, or whether AI governance and digital government crowd out data protection enforcement in the Authority’s early phase, remains to be seen. As detailed in analysis published at www.morganlewis.com/pubs/2026/06/uae-establishes-federal-authority-for-artificial-intelligence-and-data, the Authority’s approach to enforcement in its first year will be closely watched by the business community. The structural conditions for progress are, for the first time, genuinely in place.

By contrast, the UAE’s own free zones offer a useful reference point. Both the DIFC Commissioner of Data Protection and the ADGM Commissioner of Data Protection operate independently within their respective jurisdictions and have developed active, increasingly sophisticated enforcement practices under their own data protection frameworks. They issue decisions, impose sanctions, and provide substantive regulatory guidance that has given the market clearer understanding of how privacy obligations are interpreted and applied in practice. The mainland PDPL draws on many of the same principles. For companies operating across the UAE with entities or processing activities spanning both free zone and onshore jurisdictions, regulatory coherence between these frameworks substantially reduces compliance complexity. The Authority building its enforcement posture with reference to the body of practice that DIFC and ADGM have already developed would be the most logical and constructive path forward.

This development sits within a much broader pattern. The UAE has been building one of the world’s most active AI ecosystems with deliberate intent and consistency. The UAE National AI Strategy sets an ambitious 2031 horizon for developing an integrated system employing AI in vital areas including education, government services, and community well-being, with an economic target of AED 335 billion (approximately $91 billion) in additional growth. Against that backdrop, the creation of the Authority reads less like administrative housekeeping and more like deliberate infrastructure investment for building the institutional architecture a serious AI economy requires.

The consolidation reflects the UAE’s consistent approach to technology governance: pairing ambition with pragmatism and recognising that regulatory design and commercial growth are not competing objectives. A regulator whose mandate explicitly spans policy, standards, compliance, and international partnership is structured to engage with the market rather than simply control it. Businesses operating in AI, data processing, and digital infrastructure in the UAE should monitor how the Authority establishes stakeholder engagement in its formative phase. The approach it takes early is likely to shape the tone of industry relationships for years ahead, and the question of how quickly it moves on PDPL enforcement will be the first real test of that intent.

Q&A

What three existing bodies did the Federal Authority for Artificial Intelligence and Data absorb?

The UAE's Artificial Intelligence Office, the Information and Digital Government Sector within the Telecommunications and Digital Government Regulatory Authority (TDRA), and the Emirates Data Office.

What is the primary practical concern for businesses operating on the UAE mainland?

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) has been in force for several years, but its Implementing Regulations remain unissued, leaving businesses in prolonged regulatory uncertainty about legal basis for processing, data subjects' rights, cross-border transfers, and breach notifications.

What is the UAE's economic target for AI development by 2031?

AED 335 billion (approximately $91 billion) in additional growth through an integrated system employing AI in vital areas including education, government services, and community well-being.

How do the DIFC and ADGM data protection commissioners provide a reference model for the new Authority?

Both operate independently within their respective jurisdictions and have developed active, sophisticated enforcement practices, issuing decisions, imposing sanctions, and providing substantive regulatory guidance that has given the market clearer understanding of how privacy obligations are interpreted and applied in practice.