UAE Consolidates AI Oversight; New Federal Authority Takes Control of Data Operations

UAE Consolidates AI Oversight; New Federal Authority Takes Control of Data Operations

Unified regulator consolidates fragmented AI and data functions to clarify enforcement responsibility.

Federal Authority for Artificial Intelligence and Data: UAE Consolidates AI and Data Oversight Under One Roof

Three existing institutional functions, some of them operating without full operational status, will now be absorbed into a single federal body. On 14 June 2026, Sheikh Mohammed bin Rashid Al Maktoum announced the creation of the Federal Authority for Artificial Intelligence and Data, a unified institution consolidating oversight of AI policy, digital government operations, and data regulation under one structure reporting directly to the Cabinet. The move addresses a substantive problem that has persisted in practice: jurisdictional confusion and enforcement gaps that left regulatory responsibility unclear across multiple agencies.

The Authority will be led by the Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications. It absorbs three existing functions: the UAE’s Artificial Intelligence Office, the Information and Digital Government Sector that previously operated within the Telecommunications and Digital Government Regulatory Authority (TDRA), and the Emirates Data Office, which had been formally announced but never achieved full operational status. This is not a simple administrative merger.

The Authority’s mandate is broad. It spans setting unified national AI and data policy, proposing legislation and strategies, ensuring coordination between federal and local digital initiatives, establishing standards and guidelines for data and AI management, driving compliance across federal entities, building national research and development capacity, and expanding international AI partnerships.

One area remains ambiguous in the announcement: the extent of the Authority’s responsibility for Internet of Things regulation. TDRA has historically been the primary federal body managing IoT deployment and data governance in connected device environments. The Authority absorbs TDRA’s digital government functions, but TDRA continues to exist as a telecom regulator. Whether IoT oversight will be split between the two bodies depending on whether issues involve connectivity or data governance is not yet clear, and this will likely become one of the Authority’s first jurisdictional challenges.

For businesses operating on the UAE mainland, the most pressing operational question concerns enforcement of the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, the PDPL). The law has been in force for several years, but the Implementing Regulations necessary to operationalise key concepts around legal basis for processing, data subjects’ rights, cross-border transfers, and breach notifications have not been issued. No supervisory authority has been unambiguously designated for private sector oversight. Businesses have operated in prolonged regulatory uncertainty as a result. The market expectation is that the Authority will take ownership of finalising these regulations and bring meaningful PDPL enforcement within its mandate. Whether this happens quickly, or whether AI governance and digital government priorities crowd out data protection enforcement in the Authority’s early phase, remains to be seen. The structural conditions for progress are now in place for the first time.

Meanwhile, the Authority may benefit from examining what has already been built within the UAE’s own free zones. Both the DIFC Commissioner of Data Protection and the ADGM Commissioner of Data Protection operate independently within their respective jurisdictions and have developed active, increasingly sophisticated enforcement practices under their own data protection frameworks, issuing decisions, imposing sanctions, and providing substantive regulatory guidance. The mainland PDPL draws on many of the same principles. For companies operating across the UAE with entities or processing activities spanning both free zone and onshore jurisdictions, regulatory coherence between these frameworks substantially reduces compliance complexity. Building the Authority’s enforcement posture with reference to the body of practice that DIFC and ADGM have already developed would be the most logical path forward.

This consolidation sits within a broader pattern of deliberate ecosystem building. The UAE National AI Strategy sets an ambitious target of 2031 for developing an integrated system employing AI in vital areas including education, government services, and community well-being, with an economic target of AED 335 billion (around $91 billion) in additional growth. Against this backdrop, the Authority’s creation reads less as administrative housekeeping and more as deliberate infrastructure investment, constructing the institutional architecture that a serious AI economy requires. More information on UAE AI and data governance frameworks is available at https://www.morganlewis.com/pubs/2026/06/uae-establishes-federal-authority-for-artificial-intelligence-and-data.

The consolidation reflects the UAE’s consistent approach to technology governance: pairing ambition with pragmatism and recognising that regulatory design and commercial growth are not competing objectives. A regulator whose mandate explicitly spans policy, standards, compliance, and international partnership is structured to engage with the market rather than simply control it. Businesses operating in AI, data processing, and digital infrastructure in the UAE should monitor how the Authority structures its stakeholder engagement in its formative phase. The approach it takes early is likely to shape industry relations for years ahead, and the first jurisdictional decisions, particularly around IoT and PDPL enforcement, will signal how much of that ambition translates into operational reality.

Q&A

What three existing institutional functions does the Federal Authority absorb?

The UAE Artificial Intelligence Office, the Information and Digital Government Sector (previously within TDRA), and the Emirates Data Office (which had been announced but never achieved full operational status).

What is the primary operational bottleneck the Authority must address for private sector compliance?

The Implementing Regulations for the UAE Personal Data Protection Law (PDPL) have not been issued despite the law being in force for several years, leaving businesses in regulatory uncertainty. The Authority must finalize these regulations and establish clear supervisory authority for private sector oversight.

What jurisdictional ambiguity remains unresolved in the Authority's mandate?

The extent of responsibility for Internet of Things regulation is unclear. TDRA continues as the primary telecom regulator, but the Authority absorbs TDRA's digital government functions. Whether IoT oversight will be split based on connectivity versus data governance issues has not been determined.

What economic target underpins the Authority's creation within the broader UAE AI strategy?

The UAE National AI Strategy targets AED 335 billion (approximately $91 billion) in additional economic growth by 2031 through integrated AI deployment in education, government services, and community well-being.