The Dubai International Financial Centre (DIFC) has initiated a 30-day consultation period to discuss proposed changes to its data protection regulations, particularly focusing on AI governance measures. This consultation signals an opportunity for industry stakeholders to provide feedback rather than an immediate enforcement of new rules.

### Overview of the Consultation Process

The consultation, labeled as Consultation Paper No. 3 of 2026, will remain open until July 18, allowing firms and other interested parties to submit their comments. It is important to note that this process does not equate to an approval of rule changes; rather, it seeks to refine the regulatory framework as it pertains to data protection.

The proposed amendments delve into issues related to AI and personal data processing, including suggestions for new accreditation and certification schemes, as well as clearer definitions of the responsibilities assigned to Autonomous Systems Officers (ASOs). The DIFC aims to establish a governance structure that accommodates the increasing reliance on automated systems by banks, fintech companies, and other enterprises operating within the financial hub.

### Key Proposals in the Consultation Paper

The updates proposed in Consultation Paper No. 3 primarily target the existing Data Protection Regulations, which are distinguished from the overarching Data Protection Law within DIFC’s legal framework. A new Regulation 11 is proposed, enabling the Commissioner to formally acknowledge accreditation and certification schemes, thereby enhancing industry compliance.

Moreover, the draft aims to streamline the certification obligations while clarifying the roles of ASOs, thereby improving accountability in the processing of personal data through autonomous technologies. According to Jacques Visser, Chief Legal Officer at DIFC Authority, the goal is to enact rules that are “practical, clear, and responsive” as AI technology continues to evolve.

### Strengthening Existing Regulations

Currently, Regulation 10 governs the processing of personal data via autonomous systems, serving as a means to align with a growing array of global AI-related regulations. Proposed amendments will build upon this framework by enhancing its interoperability with existing rules, advisory committee charters, and approved certification bodies.

These revisions are part of a broader commitment by DIFC to ensure responsible governance amid the rapid rise of AI technologies. By further clarifying expectations regarding safe and ethical practices in personal data management, the Centre aims to reinforce its identity as an AI-native jurisdiction, fostering innovation while maintaining high standards.

### Implications for DIFC Firms

For banks, asset managers, insurers, and other firms in the DIFC, this consultation is critically important as it could directly influence procurement strategies, audit processes, and project timelines. The wording associated with ASO roles is particularly significant, as it delineates operational accountability in sensitive contexts where AI systems handle personal data.

The recognition of certification schemes by the Commissioner will provide essential clarity for firms regarding which compliance pathways DIFC intends to recognize, thereby impacting operational decisions. With over 1,670 innovation and tech firms already established in DIFC, these proposed changes aim to bolster an environment conducive to cutting-edge advancements in AI and associated regulations.

### Conclusion and Next Steps

As DIFC expresses its ambition to position itself as the world’s first AI-native financial center, the proposed data protection amendments are part of a vital strategy to ensure that regulatory frameworks keep pace with technological advancements while sustaining robust data protection measures. Stakeholders have until July 18 to voice their opinions, after which DIFC will decide on potential amendments based on the feedback received. This consultation reflects the Centre’s ongoing efforts to align its regulations with industry innovations while upholding high standards for data governance and accountability.