Blog

AI Implementation

AI Compliance in the UAE: What Infrastructure Firms Actually Need to Know

A fact-checked guide to AI compliance for UAE infrastructure firms: what actually governs AI use in energy, construction, transport, and utilities, and why the widely repeated "UAE AI Act 2026" does not exist.

Abu Dhabi skyline skyscrapers by the water in daytime, representing UAE government and regulatory institutions
Photo by Nick Fewings on Unsplash Source

Search for "UAE AI Act 2026" and you will find several articles describing a comprehensive national law: four risk tiers, mandatory algorithm audits, fines ranging from AED 500,000 to AED 10 million, and a September 2026 enforcement deadline. It reads like a real regulation, and it has been repeated across enough websites that it looks authoritative. It is not real. As of mid-2026, the UAE has not passed a standalone federal AI law of that kind, a point confirmed by multiple international law firms tracking AI regulation across the region, including Latham & Watkins in its review of the UAE's AI regulatory landscape.

That matters for infrastructure firms specifically, because construction, energy, utilities, and transport companies tend to hold the kind of data (critical asset locations, utility networks, government contract details) that draws regulatory attention first. Getting the compliance picture wrong, either by ignoring it or by chasing a fictional law, wastes time a compliance team does not have. This guide sets out what actually governs AI use in the UAE today, what is binding versus voluntary, and what an infrastructure firm should be doing about it before its next AI rollout.

There Is No Single "UAE AI Act", Yet

Unlike the European Union, which passed the EU AI Act as one horizontal law, the UAE regulates AI through a layered combination of federal data protection law, non-binding ethical guidance, free zone rules, and sector or emirate-specific policy. Latham & Watkins describes this as a multi-tiered governance structure: the AI Office sets federal strategic direction, the Telecommunications and Digital Government Regulatory Authority (TDRA) oversees ICT policy, Abu Dhabi's Artificial Intelligence and Advanced Technology Council (AIATC), established by law in January 2024, adds an emirate-level layer, and free zones such as the DIFC and ADGM run independent legal frameworks for the businesses registered inside them.

For an infrastructure firm, the practical effect is that "AI compliance" is not one checklist. It is a set of obligations that depends on where the company is registered (mainland versus a free zone), which sector it serves (energy, transport, and finance each have their own guidance), and what kind of data its AI tools touch. Treating compliance as a single document to sign off on is the most common mistake infrastructure firms make when a vendor first asks about "AI governance."

The UAE Charter for the Development and Use of Artificial Intelligence

The closest thing the UAE has to a national AI ethics standard is the UAE Charter for the Development and Use of Artificial Intelligence, issued in June 2024. It sets out twelve guiding principles, including strengthening the human-AI relationship, safety, algorithmic fairness, data privacy, transparency, human oversight, governance and accountability, and compliance with existing laws and treaties.

The charter is voluntary, not enforceable law. No fines attach to it directly. But it functions as the reference point regulators, government clients, and larger partners increasingly expect infrastructure firms to be able to speak to, particularly on government-adjacent projects such as smart city contracts, utility networks, or transport infrastructure, where the client itself is bound by the same national strategy. An infrastructure firm that can point to how its AI use aligns with these twelve principles, even informally, is in a materially stronger position during a tender or partner due diligence review than one that has never considered them.

PDPL Article 18: The Binding Rule Already in Force

The one part of this picture that is unambiguously binding law is the UAE's Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), in force since 2 January 2022. Article 18 gives data subjects the right to object to automated decision-making that has legal consequences or seriously affects them, unless specific exceptions such as consent or contractual necessity apply.

This provision was written before generative AI reached the mainstream, but it is broad enough to cover a large share of what infrastructure firms now deploy: automated safety flagging on a construction site that could affect a contractor's standing, AI-driven credit or vendor scoring, or automated scheduling decisions that affect a worker's pay. Any infrastructure firm using AI to make or heavily influence a decision that affects a person, whether an employee, subcontractor, or member of the public, needs a documented process for how that person could contest the outcome. That single requirement is worth building into a vendor contract before signing, not after.

DIFC Regulation 10: A Preview of Stricter Rules to Come

Infrastructure firms operating through the Dubai International Financial Centre, or that expect mainland rules to eventually mirror free zone practice, should look closely at DIFC Regulation 10, which governs the processing of personal data through autonomous and semi-autonomous systems. Enacted as part of the DIFC's updated Data Protection Regulations on 1 September 2023, it requires a Data Protection Impact Assessment (DPIA) for AI systems given their novel risk profile, and establishes an Accreditation and Certification Framework, an Advisory Committee, and Approved Accredited Certification Bodies to verify compliance. Full enforcement, including certification requirements, is being phased in through 2026.

Very few infrastructure firms are DIFC-registered entities themselves, but the regulation is worth reading anyway. It is the clearest signal available of the direction UAE AI governance is heading: mandatory impact assessments before deployment, a named internal role accountable for autonomous systems (the DIFC calls this an Autonomous Systems Officer), and third-party certification rather than self-declaration. An infrastructure firm that builds a lightweight version of this now, a short written risk assessment before any AI system goes live, and one person accountable for it, will not be caught flat-footed if similar requirements extend to the mainland.

Sector and Emirate Rules That Matter Specifically for Infrastructure

Beyond the federal baseline, several sector and emirate-level rules apply more directly to infrastructure companies than the general AI conversation suggests. Financial regulators have issued guidelines for financial institutions adopting enabling technologies, requiring governance frameworks, model reliability monitoring, and clear disclosure and redress mechanisms, a template that utility and energy regulators are widely expected to adapt for AI-driven billing, forecasting, and grid management systems. Dubai's 2023 autonomous vehicle law is directly relevant to transport and logistics infrastructure, requiring RTA licensing, safety standard approval, and clear operator liability for any AI-driven vehicle or system operating on public roads.

Abu Dhabi's AIATC, meanwhile, gives infrastructure firms working on federal capital projects a specific emirate-level body to track, separate from Dubai's TDRA-anchored approach. Firms that operate across both emirates, which is common in construction and utilities, need to track both sets of expectations rather than assuming a single national standard applies everywhere. This layered structure is precisely why our guide to AI infrastructure readiness treats governance as one of four foundational requirements rather than a footnote: a firm cannot separate "are we ready to deploy AI" from "do we know which rules apply to us," because the two questions have the same answer.

A Practical Compliance Checklist for Infrastructure Firms

Before an AI system goes live on a project site, in a control room, or inside a back-office process, an infrastructure firm should be able to answer yes to the following:

  • We know whether our entity is mainland, DIFC, or ADGM registered, and which data protection regime that puts us under.
  • We have identified every AI use case where a system makes or heavily influences a decision affecting a person, and documented how that person could contest it, in line with PDPL Article 18.
  • We have written a short risk or impact assessment for any AI system handling personal, operational, or asset data, even if no law strictly requires it yet.
  • One named person is accountable for AI governance internally, not a committee that meets quarterly.
  • We have checked whether our specific sector, energy, transport, utilities, or construction, has issued its own AI or automation guidance beyond the federal baseline.
  • We have reviewed data residency and storage terms with every AI vendor, given how much infrastructure data (asset locations, utility networks, government contract terms) is sensitive by default.

Building Compliance Into the Rollout, Not Bolting It On After

The mistake that costs infrastructure firms the most time is not ignorance of the rules; it is treating compliance as a final step before launch rather than part of the design of the AI use case itself. A predictive maintenance tool designed without first asking who can contest a false alert, or a scheduling system rolled out without a documented data flow, ends up needing to be re-engineered after the fact, which is slower and more expensive than building the governance conversation in from day one.

This is also where change management and vendor selection intersect with compliance. Our guide to implementing AI safely and securely covers the operational side of this same problem: rolling out AI tools without creating new data, compliance, or trust problems in the process. And because so much of the national conversation around infrastructure and AI is shaped by government-level policy, understanding what the UAE AI Strategy 2031 actually means for infrastructure firms helps explain why regulators and larger clients increasingly expect infrastructure vendors to have governance answers ready, not improvised.

Bringing It Together

The honest answer to "what compliance rules apply to AI in UAE infrastructure" is less dramatic than a single named act with fixed fines, but more useful in practice. PDPL Article 18 is binding today and applies to any automated decision affecting a person. The UAE AI Charter, while voluntary, sets the ethical bar regulators and clients expect. DIFC Regulation 10 previews where mainland rules are likely heading, with impact assessments and named accountability becoming the norm rather than the exception. And sector or emirate-specific rules, from Dubai's autonomous vehicle law to Abu Dhabi's AIATC, mean infrastructure firms working across multiple emirates or sectors need more than one reference point.

None of this requires a large legal department to get right. It requires one person accountable for the answers, a short written assessment before each AI system goes live, and a habit of checking sector-specific guidance rather than assuming a single national law covers everything. Infrastructure firms that build that habit now will be far better positioned than competitors relying on secondhand summaries of a law that does not exist.

Research sources used

FAQ

Common questions.

Is there a "UAE AI Act" that infrastructure firms need to comply with?

No. Despite several websites describing a comprehensive "UAE AI Act 2026" with specific fines and risk tiers, no such standalone federal law exists as of mid-2026. AI use in the UAE is governed instead by a combination of the binding PDPL, the voluntary UAE AI Charter, free zone regulations such as DIFC Regulation 10, and sector or emirate-specific guidance.

What is the one AI compliance rule that is definitely binding today?

Article 18 of the PDPL (Federal Decree-Law No. 45 of 2021), in force since January 2022, gives individuals the right to object to automated decisions that have legal consequences or seriously affect them. Any infrastructure firm using AI to make or heavily influence a decision affecting a person needs a documented way for that person to contest it.

Do infrastructure firms outside the DIFC or ADGM need to worry about DIFC Regulation 10?

Not directly, since it only binds DIFC-registered entities. But it is the clearest indicator of where UAE AI governance is heading nationally: impact assessments before deployment and named internal accountability. Building a lightweight version of these practices now is a low-cost way to stay ahead of future mainland requirements.

Does the UAE AI Charter carry any legal penalties?

No, the charter is a voluntary ethical framework, not enforceable legislation. However, government clients and larger partners increasingly expect infrastructure firms bidding on public or government-adjacent projects to be able to demonstrate alignment with its principles during tenders and due diligence.

Which UAE authority regulates AI for infrastructure and construction firms specifically?

There is no single regulator. Firms need to track the federal AI Office and TDRA for national policy, Abu Dhabi's AIATC if working on federal capital projects, and any sector-specific guidance relevant to their work, such as transport rules for autonomous vehicles or emerging utility and energy sector guidance.