UAE Creates Single Regulator for AI and Data Protection, Reshaping Privacy Rules for Milli
New federal body consolidates AI and data oversight, leaving data protection enforcement timeline uncertain.
On June 14, 2026, Sheikh Mohammed bin Rashid Al Maktoum announced the creation of the Federal Authority for Artificial Intelligence and Data, a single federal body that will govern how personal data and AI systems are regulated across the UAE. For residents and businesses alike, the change is immediate in its implications, even if the full consequences will take time to unfold.
The new Authority merges three previously separate institutions: the UAE’s Artificial Intelligence Office, the digital government functions of the Telecommunications and Digital Government Regulatory Authority (TDRA), and the Emirates Data Office, which had been formally announced but never fully launched. It will report directly to the Cabinet and be led by the Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications.
The most pressing public concern is data protection. The UAE Personal Data Protection Law (PDPL) has been in force since 2021, yet its implementing regulations remain unpublished. Those regulations would clarify how companies must handle personal data, obtain consent, manage cross-border transfers, and report breaches. Without them, residents have had limited practical recourse, and businesses have faced genuine uncertainty about their obligations. The Authority’s creation opens the possibility that these long-delayed rules will finally be issued and enforced.
Whether the new body prioritizes data protection enforcement or channels its early energy toward AI governance and digital government initiatives remains to be seen. That question matters directly to citizens whose personal data sits in corporate systems with no clear enforcement mechanism behind it.
The consolidation also leaves an unresolved question about Internet of Things devices and connected systems. TDRA retains its role as a telecom regulator and is not absorbed into the Authority. The announcement does not clarify whether IoT oversight will be divided between the two bodies based on whether an issue involves connectivity or data. That jurisdictional ambiguity will need an early answer, given how deeply connected devices are woven into daily life.
Meanwhile, the Authority’s mandate is broad. It spans setting national AI and data policy, proposing legislation, aligning federal and local digital initiatives, establishing standards, driving compliance across government entities, building research and development capacity, and expanding international AI partnerships. This positions the regulator as a market-shaping body, not simply an enforcement agency.
The UAE National AI Strategy targets 2031 for deploying integrated AI systems across education, government services, and community well-being, with an economic growth target of approximately AED 335 billion (around $91 billion) in additional value. The Authority sits at the center of that ambition.
One practical path toward regulatory coherence already exists within the UAE’s own borders. The DIFC Commissioner of Data Protection and the ADGM Commissioner of Data Protection have each built active enforcement practices within their respective free zone jurisdictions, issuing decisions, imposing sanctions, and providing regulatory guidance. Companies operating across both free zone and onshore jurisdictions currently face compliance complexity when those approaches diverge. If the Authority builds its enforcement posture with reference to the body of practice already established in the free zones, it could reduce that burden for multizone operators and give residents a clearer picture of their rights.
The consolidation signals that the UAE views regulatory design and commercial growth as complementary rather than competing objectives. How the Authority engages with the public and with industry in its formative phase will set the tone of that relationship for years. The more immediate question is whether residents will finally see the data protection rules that have been promised to them since 2021.
More information on the UAE’s regulatory framework is available at https://www.morganlewis.com/pubs/2026/06/uae-establishes-federal-authority-for-artificial-intelligence-and-data.
Q&A
What is the Federal Authority for Artificial Intelligence and Data and when was it created?
On June 14, 2026, Sheikh Mohammed bin Rashid Al Maktoum announced the creation of the Federal Authority for Artificial Intelligence and Data, a single federal body that will govern how personal data and AI systems are regulated across the UAE. It merges the UAE's Artificial Intelligence Office, the digital government functions of the Telecommunications and Digital Government Regulatory Authority (TDRA), and the Emirates Data Office.
Why is data protection a pressing public concern in the UAE?
The UAE Personal Data Protection Law has been in force since 2021, but its implementing regulations remain unpublished. Without these regulations, residents have had limited practical recourse and businesses have faced uncertainty about their obligations. The new Authority's creation opens the possibility that these long-delayed rules will finally be issued and enforced.
What unresolved question does the consolidation leave regarding Internet of Things devices?
The announcement does not clarify whether IoT oversight will be divided between the new Authority and the retained TDRA based on whether an issue involves connectivity or data. This jurisdictional ambiguity will need an early answer given how deeply connected devices are woven into daily life.
What economic targets does the UAE National AI Strategy set for the new Authority?
The UAE National AI Strategy targets 2031 for deploying integrated AI systems across education, government services, and community well-being, with an economic growth target of approximately AED 335 billion (around $91 billion) in additional value.