What’s Ahead for Digital and Data Regulation Across MENA

6 min 33 sec

As the region’s digital economy continues to expand, 2026 is set to be a year of implementation and active supervision. Sandbox pilots will transition to market rules, consent-centric privacy regimes will be tested in sensitive sectors, and content governance frameworks will enter routine enforcement. Below, we outline the most relevent regulatory changes expected to shape corporate strategy, compliance programmes, and dispute exposure in the year ahead, drawing on confirmed instruments with 2026 effective dates, rules adopted in 2025 that will be operationalised over the next 12 months, and late-stage initiatives likely to mature into binding practice.

Dubai: Unified contractor regulation—digital registers, platform compliance and enforcement

Dubai’s Law No. (7) of 2025 Regulating Contractors’ Activities enters into force on 8 January 2026, replacing a fragmented mix of municipal orders with a single, Emirate wide regime that applies across mainland and free zones, including the DIFC. Key features include a mandatory Contractors’ Register, a centralised electronic platform integrated with ‘Invest in Dubai’, a harmonised classification system, and mandatory Professional Competency Certificates for technical staff. Penalties range from AED 1,000 to AED 100,000 (doubling for repeats), alongside suspension, downgrades, and deregistration, with a one-year transition to 8 January 2027 for incumbents. Stakeholders span project owners (barred from engaging unregistered contractors), main and subcontractors, and engineering professionals. Practically, businesses should allocate Q1Q3 2026 to documentation and data readiness: inventory projects and roles, digitise records for platform filings, enhance HR credentialing, and prepare grievance pathways. Disputes risk will centre on deregistration challenges, classification downgrades, and owner–contractor liability for engaging unregistered entities; firms should maintain contemporaneous evidence of compliance and escalation logs to preserve their position if sanctioned.

ADGM: Public interest conditions for sensitive data—insurance and safeguarding under enhanced accountability

ADGM’s Data Protection Regulations (Substantial Public Interest Conditions) Rules 2025, adopted on 9 September 2025, will shape 2026 operations by clarifying when special category data may be processed without consent for insurance purposes and to safeguard children and at-risk adults. The Rules define ‘insurance contract’ and ‘insurance purpose’, authorise processing necessary for underwriting, claims, and legal obligations, and establish a safeguarding basis where consent is not feasible or would prejudice protection. The tradeoff is strict necessity, proportionality, documentation, and technical–organisational safeguards. Impacted stakeholders include ADGM licensed insurers, brokers, TPAs, education providers handling safeguarding issues, and healthcare adjacent services. Expect supervisory focus in 2026 on records of processing, DPIAs evidencing public interest reliance, and independent testing of access controls. Disputes exposure lies in challenges to ‘necessity’ assessments and scope creep beyond the stated purpose; contemporaneous decision logs and retention discipline will be decisive if reviewed or litigated.

UAE media and digital advertising: licensing, age ratings and the influencer permit model—enforcement in focus

The federal media framework under Decree Law No. (55) of 2023—with Executive Regulations effective 31 October 2024—sets baseline content standards, licensing obligations, and penalty bands up to AED 1 million for the most serious violations. In parallel, the UAE Media Council’s mandatory Advertiser Permit for content creators, announced 30 July 2025 with a three-month grace period, has become established practice. In 2026, expect routine auditing of permit display, disclosures of material benefit, and enforcement of prohibitions around misleading claims and culturally sensitive content. Stakeholders include media operators, platforms, brands, agencies, and influencers (resident and visiting). Operationally, align campaign calendars with permit renewals, implement automated disclosures, and build preclearance workflows for regulated sectors. Disputes risk includes takedowns, fines, and licence suspension for noncompliance; contractual indemnities and evidence trails (briefs, approvals, disclaimers) mitigate allocation disputes between brands and creator agencies.

Saudi Arabia—autonomous vehicles: from pilots to codified standards and data rules

Saudi Arabia’s layered AV enablement will be consolidated in 2026. The Transport General Authority’s regulatory sandbox has run 12 month robotaxi pilots with live tracking and safety officers, aimed at commercialisation pathways. Road standards are now codified in Saudi Highway Code Volume 801 on autonomous vehicle requirements, while SASO’s draft Technical Regulations for Autonomous Vehicles completed public consultation in June 2025 and are expected to finalise into product conformity obligations and SABER certification. In parallel, the Communications, Space and Technology Commission has relaxed some localisation features in IoT and tracking rules, enabling global platforms with regional overlays, while preserving local connectivity requirements. Stakeholders include OEMs, AV operators, telecoms, mapping and geospatial providers, and mobility platforms. In practice, 2026 programmes should plan for dual compliance workstreams: vehicle level conformity (SASO, SABER; cybersecurity) and service level authorisations (TGA sandbox, geofencing, real time monitoring). Data governance is pivotal: map data flows to reconcile CST rules with public sector hosting expectations. Disputes risk clusters around incident attribution, product defects, and sandbox permit conditions; contracts should clarify liability allocation, telemetry access, and regulatory notification protocols.

AI governance and liability: contracted risk management amid tightening regional and global expectations

Across MENA, AI deployment will be governed in 2026 primarily by general private law, data protection regimes, and sector rules, augmented by contractual controls. In Saudi Arabia, AI licensing terms must address PDPL constraints on consent, purpose limitation, cross border transfers, and role allocation; alignment with SDAIA AI Principles and relevant outsourcing rules is increasingly expected, especially in regulated sectors. Contracts should specify training data rights, model update controls, auditability, accuracy thresholds, and bias remediation, with exit rights and model escrow to avoid locking. As courts and regulators worldwide test AI liability via negligence, misrepresentation, and product defect theories, GCC authorities are beginning to apply existing laws to AI misuse, signaling growing enforcement appetite. For 2026 transactions and deployments, anticipate diligence queries on dataset provenance, automated decision making, and transparency obligations—particularly where EU facing products must meet AI Act transparency and copyright training disclosures that begin phasing in. Disputes exposure covers output harms, IP claims over training and outputs, and data protection violations; calibrated indemnities, verification rights, and incident playbooks mitigate downside.

Copyright and AI generated content: human authorship and training data transparency

MENA copyright statutes remain anchored in human authorship, with no express recognition of machine authorship. For 2026, businesses commercialising AI assisted outputs should document human input and creative control to preserve protectability and licensing strategies. Internationally, the EU AI Act’s transparency requirements for general purpose models and the EU’s text and data mining optout regime signal a compliance vector that will affect regional actors placing AI systems into EU markets or partnering with EU providers. Expect counterparties to contract for dataset summaries, optout honouring, and provenance governance. Dispute risk arises from misattribution, weak registration footing where human contribution is thin, and training data claims; internal policies on dataset curation and recordkeeping are now a baseline expectation for cross border operations.

UAE dispute infrastructure for digital processes: remote mediation and PDPL aligned data handling

The UAE’s mediation framework recognises remote mediation with enforceable settlements and imposes PDPL driven consent and confidentiality obligations. In 2026, technology enabled dispute resolution will continue to expand, but with closer scrutiny of data handling terms, platform security, and cross border processing. Stakeholders include mediation centres, family practices, and platform vendors. Practical priorities are PDPL compliant notices, encryption, access logs, and clear consent trails for AI assisted tools. Disputes risk will turn on privacy breaches and enforceability challenges where process documentation is weak; embedding data handling clauses into mediation agreements is critical.

What to prioritise in 2026

For boards and general counsel, three crosscutting priorities are paramount. First, digitise compliance readiness where regimes hinge on platforms and registers, and maintain audit ready records to defend sanctions or classification decisions. Dubai’s contractor system is the model here. Second, rebuild AI and data contracts to reflect regulator expectations: clear role allocation, dataset provenance, model update control, audit rights, and exit mechanics—expect counterparty and insurer scrutiny. Third, operationalise media and content governance as a continuous control, not a campaign by campaign sprint, with permits, disclosures, age ratings, and sector approvals aligned to quarterly calendars. These steps will not only lower penalty and dispute risk but also unlock faster approvals, procurement eligibility, and counterparties’ trust in a region where digital growth is now regulated growth.