While Brussels argues about the residual scope of its AI Liability Directive and Washington debates whether to pre-empt state AI laws, a much smaller jurisdiction has been quietly building one of the world's most concrete frameworks for AI accountability. The Dubai International Financial Centre (DIFC) — a 110-hectare common-law enclave inside a civil-law federation — is operationalising Regulation 10 of 2023, an amendment to its Data Protection Law that imposes specific obligations on operators of autonomous and semi-autonomous systems. Paired with the UAE's 2024 Charter for the Development and Use of Artificial Intelligence and a DIFC Courts bench actively positioning itself for AI commercial disputes, Dubai is making a deliberate play to become a regional forum for AI liability questions.
It is worth taking seriously. The architecture being assembled is, on early inspection, considerably more proportionate than the regimes being debated in larger jurisdictions — and that matters for any company shipping AI products into the Gulf, into emerging markets routed through Dubai, or into the cross-border financial services that the DIFC was built to serve.
What Regulation 10 actually does
DIFC's Data Protection Law (DIFC Law No. 5 of 2020) is already one of the GDPR-aligned regimes in the region. Regulation 10 of 2023 layers onto it a set of obligations that apply specifically when personal data is processed by what the regulation calls autonomous or semi-autonomous systems — essentially, AI and algorithmic decision-making tools. The headline requirements, as published by the DIFC Commissioner of Data Protection, include risk and impact assessments before deployment, demonstrable human oversight, restrictions on solely automated decisions with legal effect, and accountability obligations that travel with the system across the developer–deployer chain.
Crucially, the regulation does not invent a new strict-liability tort. It works through the existing data-protection architecture, with administrative enforcement by the Commissioner and private rights of action available in the DIFC Courts. That is a meaningfully lighter touch than the EU's now-shelved AI Liability Directive proposal, which would have introduced a rebuttable presumption of causation against operators of high-risk systems.
The Charter — soft law, but load-bearing
The UAE's 2024 Charter for the Development and Use of AI is, formally, a set of principles rather than binding law. It articulates twelve commitments around fairness, accountability, human oversight, privacy, transparency, and security. The Charter is not directly enforceable, but Emirati courts and regulators are likely to treat it the way English courts treat statutory codes of practice: as evidence of the standard of care that a reasonable developer or deployer was on notice to meet.
That matters for civil liability. In a negligence claim against the deployer of a credit-scoring or claims-triage model, the question of whether the operator behaved reasonably will be answered against the Charter's principles — even where no specific provision was breached.
The DIFC Courts and the allocation problem
The hardest open question in AI liability everywhere is not whether someone should pay when an autonomous system causes harm, but who — the model developer, the company that fine-tuned and deployed it, the integrator that wired it into a workflow, or the user who relied on its output. The Court of Justice of the EU has not yet had a clean AI liability case. US federal courts are processing AI claims through doctrines built for static products. The DIFC Courts, by contrast, sit on English common-law foundations and have signalled — through judicial speeches and recent procedural updates — that they are willing to apply familiar tort and contract doctrines to AI disputes flexibly.
That includes contractual allocation (likely the dominant mechanism in B2B AI deployments), negligence against deployers who fail to maintain human oversight, and a probable refusal to treat AI systems as autonomous legal persons. The last of these is the right call: granting legal personhood to algorithms would create a liability sink that benefits no one except careless developers.
What a proportionate regime looks like
From a pro-innovation perspective, three features of the Dubai approach stand out:
- Risk-tiering through existing law. Regulation 10 piggybacks on data-protection obligations rather than creating a parallel AI-specific liability regime. That avoids the regulatory duplication that companies operating across EU jurisdictions complain about.
- No reversed burden of proof. Claimants must still show fault and causation. This preserves the basic structure of common-law tort while leaving room for evidentiary rules to evolve as cases arise.
- Forum specialisation. The DIFC Courts' technology and construction division has the institutional capacity to develop AI doctrine carefully, rather than having it shaped by whichever case happens to reach a generalist appellate court first.
What to watch
The interesting friction will come at the boundary between DIFC common law and federal UAE civil law. The federal civil code's tort provisions are strict and largely codified, and a plaintiff who can choose forum may prefer them. Companies deploying AI into the UAE should be reviewing their dispute-resolution clauses now — DIFC arbitration or court jurisdiction clauses are likely to become standard for AI-heavy contracts.
The bigger story is that a small, agile jurisdiction is producing concrete answers to questions that larger regimes are still framing in principle. Whether the DIFC's approach ends up as a regional template or a quiet outlier will depend on the first contested AI judgment — which, on current trajectories, is likely within the next eighteen months.