DIFC Regulation 10: AI Transparency Requirements

Full enforcement since January 2026. If your business is registered in DIFC and uses AI, here are the compliance obligations your business now faces.

DIFC Regulation 10 on Automated Processing and Profiling was introduced in September 2023 as a supplement to DIFC Data Protection Law No. 5 of 2020. After a transition period of approximately 2.5 years, it entered full enforcement in January 2026. As of June 2026, DIFC-based businesses that deploy AI systems face multiple mandatory transparency notice obligations, a DPIA requirement, and fines of up to USD 50,000 for non-compliance. This guide covers what the regulation requires, what it doesn't, and why on-premise deployment simplifies your DPIA.

What this means for your business

  • Transparency notice requirement 1: Disclose whether the AI system can define its own processing purposes beyond the purposes you have defined
  • Transparency notice requirement 2: Disclose the AI system's outputs and how those outputs are used by your business
  • Transparency notice requirement 3: Disclose the design principles underpinning the system, including built-in safeguards
  • Conduct a DPIA before deploying high-risk AI: mandatory under DIFC DPL as amended July 2025 (maximum fine of USD 50,000 under Article 20 for non-compliance)
  • Maintain records of how the AI system was assessed and how all transparency and documentation obligations are fulfilled

How on-premise AI addresses these obligations

The DPIA for an on-premise LLM is materially shorter than for a cloud deployment. When the model runs inside your DIFC office network, the risk inventory shrinks: no cross-border transfer section, no sub-processor disclosure for the AI vendor, no dependency on a vendor's data handling practices. The DPIA still needs to address the system's outputs, safeguards, and purpose — but the surface area is smaller. SGON.AI ships a DPIA template alongside every deployment.

Frequently Asked Questions

When did DIFC Regulation 10 come into force?
DIFC Regulation 10 on Automated Processing was introduced on September 1, 2023, with a transition period ending in January 2026. Since January 2026 the regulation has been in full enforcement. DIFC-based businesses that have not yet assessed their AI systems against the regulation's transparency notice requirements and DPIA obligation are already non-compliant.

What are the fines for non-compliance with DIFC Regulation 10?
Under DIFC Amendment Law No. 1 of 2025 (effective July 15, 2025), two distinct fines apply to data protection failures. Failure to conduct a mandatory DPIA under Article 20 carries a maximum fine of USD 50,000 (increased from the previous ceiling of USD 20,000). A separate fine of USD 25,000 applies under Article 19 for failure to complete the mandatory annual DPO necessity assessment, which is a different obligation. These are two separate penalties for two distinct obligations, not a single graduated range. Sources: Baker McKenzie, Clyde & Co, and DLA Piper.

Does DIFC Regulation 10 apply to every AI system or only high-risk ones?
The three transparency notice requirements apply to AI systems that process personal data under DIFC Data Protection Law, which includes most AI tools used in a DIFC-based business. The mandatory DPIA applies to 'high-risk' AI, which includes systems processing sensitive data or making decisions about individuals. The regulation does not require registration or certification of AI systems, and the 'Autonomous Systems Officer' requirement cited in some secondary sources has not been verified in the regulation's text.

Our DIFC law firm uses an AI document assistant. Does Regulation 10 apply?
Yes, almost certainly. An AI system that retrieves and summarises client documents, answers queries about case files, or assists with contract review processes personal data (client identities, legal matter details) and produces outputs that influence professional decisions. This puts it squarely within the scope of Regulation 10's transparency requirements. An on-premise deployment, where the model runs on hardware inside your network, keeps your data within the DIFC perimeter and simplifies the DPIA significantly.
