What is AI regulation in Bahrain?


Bahrain has no single, in-force AI statute. AI is governed through adjacent laws, chiefly the Personal Data Protection Law (Law No. 30 of 2018, effective 1 August 2019), plus soft-law strategy: the iGA's General Policy for the Use of Artificial Intelligence (2025), the GCC AI ethics manual, sector rules such as the Central Bank of Bahrain's sandbox, and a 38-article AI Regulation Law approved by the upper house in 2024 but not yet enacted.

What this means

Bahrain governs AI the way most jurisdictions did before bespoke AI rules arrived: through existing law plus policy. The binding legal anchor for anyone handling personal data is the Personal Data Protection Law (PDPL), Law No. 30 of 2018, which came into force on 1 August 2019 and was fleshed out by ten ministerial resolutions in March 2022. Because almost all AI systems process personal data, the PDPL is the rulebook that bites first.

Layered on top is a soft-law architecture. In 2025 the Information and eGovernment Authority (iGA) published the General Policy for the Use of Artificial Intelligence and adopted the GCC Guiding Manual on the Ethics of Artificial Intelligence Use. These set principles such as human oversight, transparency, fairness and accountability, but they bind government entities rather than creating new private-sector duties.

A dedicated, standalone AI law exists only as a draft. Bahrain's Shura Council (the upper house) unanimously approved a 38-article AI Regulation Law on 28 April 2024, but the government pushed back, and it has not been enacted. For now, AI regulation in Bahrain means data protection law, sector regulation and policy, not a single AI Act.

Why it matters

If you build, buy or deploy AI in Bahrain, your compliance obligations come mainly from data protection and sector rules, not from an AI-specific statute. That has practical consequences. The PDPL applies extraterritorially: it catches businesses outside Bahrain that process personal data using means located in the Kingdom, so a foreign company running models on Bahraini infrastructure is in scope. The PDPL carries criminal as well as administrative liability, with imprisonment of up to one year and fines from BD 1,000 to BD 20,000 for serious breaches. It also restricts cross-border transfers and requires prior authorisation for certain automated processing, which directly affects how AI training data and pipelines are arranged. Getting the data-protection layer right is therefore the single highest-value compliance task, and it is the layer most likely to be enforced today. The soft-law policy layer matters because it shapes public-sector procurement: government buyers increasingly expect transparency, human oversight and ethics commitments, so vendors who can evidence those will win work.

How it works

The model: adjacent law plus soft-law strategy

Bahrain regulates AI through a stack rather than a single instrument. At the base sits binding law that pre-dates AI but applies to it: the PDPL, the Cybercrime Law (Law No. 60 of 2014), the Electronic Communications and Transactions Law, and sector regulation such as the Central Bank of Bahrain's rulebook. Above that sits policy and ethics guidance that is binding on government but advisory in tone for the wider market. At the top, still pending, is the draft standalone AI Regulation Law. This is the same pattern seen across much of the Gulf and helps explain why understanding the difference between hard law and soft-law standards matters when you assess your obligations.

The Personal Data Protection Law (PDPL)

The PDPL is Law No. 30 of 2018, in force since 1 August 2019. It is modelled on European data-protection thinking but is not identical to it. Scope is broad: it covers individuals residing or working in Bahrain, businesses established in Bahrain, and entities outside Bahrain that process personal data by means available in the Kingdom (other than mere transit). Processing generally requires the data subject's written, explicit, specific and informed consent, subject to limited alternative bases such as contract performance and legal obligation. Sensitive personal data attracts stricter controls.

The supervisory body is the Personal Data Protection Authority. By Royal Decree No. 78 of 2019, the duties and powers of the Authority were assigned to the Ministry of Justice, Islamic Affairs and Waqf, so in practice the Ministry performs the regulator's role. Data subjects have rights to be informed, to access, to rectification, blocking and erasure, to object to direct marketing, and to lodge complaints. Larger or higher-risk controllers must appoint a Data Protection Guardian (Bahrain's term for a data protection officer).

Automated processing and automated decisions

Two PDPL provisions matter most for AI. First, Article 15 prohibits certain automated processing without the Ministry's prior written authorisation: automatic linkage of personal data files held by different controllers for different purposes, automatic processing of biometric data used to verify identity, and visual recording used for surveillance. Second, the PDPL gives data subjects a right against purely automated decisions: where a decision is based solely on automated processing to assess someone's work performance, financial standing, creditworthiness, reliability or conduct, the individual can require that the decision not be taken on a solely automated basis, and reconsideration is mandatory and free. This right does not apply where the decision is part of entering into or performing a contract and suitable safeguards exist. These two articles are the closest thing Bahrain currently has to AI-specific statutory duties.

Cross-border transfers, breach notification and penalties

Transfers of personal data outside Bahrain are restricted. They are permitted to countries the Authority lists as providing adequate protection, with the data subject's specific consent, or under a case-by-case authorisation; the relevant rules sit in Article 12 and the 2022 ministerial resolutions. The 2022 resolutions also introduced a breach-notification duty: controllers must notify the Authority within 72 hours of discovering a breach that is likely to affect data subjects' rights, and notify affected individuals where the risk is high. Penalties are layered: criminal liability of up to one year's imprisonment and fines of BD 1,000 to BD 20,000 for offences such as unlawful processing, unlawful cross-border transfer, or processing without notification; administrative penalties including daily fines and lump-sum fines; and a right for individuals to claim compensation.

The national AI policy and ethics layer

In 2025 the iGA published the General Policy for the Use of Artificial Intelligence (Version 1.0) and adopted the GCC Guiding Manual on the Ethics of Artificial Intelligence Use. The policy applies to government entities and is built on four pillars: legal compliance, AI use and adoption, public education and awareness, and local and international cooperation. It anchors AI use to existing law, naming the PDPL, the law on protection of state documents and information, and the Open Data Policy. It sets out guiding principles including human oversight, safety, fairness and non-discrimination, transparency and explainability, accountability, data accuracy, privacy, reliability, and innovation. The recurring theme is that AI assists human decision-making but that final decisions in matters affecting rights must remain under human control, which is conceptually close to a built-in AI impact assessment mindset for the public sector.

Digital government, cloud-first and the institutional map

Bahrain's AI push rests on a long digital-government programme. In 2017 it became, on its own account, the first country in the MENA region to adopt a Cloud First policy, directing government entities to prioritise cloud over on-premise infrastructure. Amazon Web Services announced its Middle East (Bahrain) Region on 30 July 2019; per AWS, the region "is the first AWS Region in the Middle East and consists of three Availability Zones". This cloud base is what makes large-scale public-sector AI feasible. The institutional landscape is multi-body: the iGA leads digital government and the national AI policy; the Ministry of Justice, Islamic Affairs and Waqf performs the data-protection regulator role; the Central Bank of Bahrain regulates financial-sector technology; and the National Cybersecurity Centre and Telecommunications Regulatory Authority cover their domains. There is no single dedicated AI regulator in force, although the draft AI law would create one.

The Central Bank of Bahrain sandbox

The Central Bank of Bahrain (CBB) launched a regulatory sandbox in 2017, the first of its kind in the region, letting licensees and start-ups test technology-based financial services in a controlled setting before full rollout. It is complemented by FinHub 973, a cross-border digital innovation platform. AI-driven financial products such as fraud detection, credit scoring and robo-advice are tested through this regime. The PDPL also expressly contemplates the CBB's role: the Authority must notify the CBB Governor before inspecting financial institutions under CBB supervision.

Examples

A fintech testing an AI credit-scoring model: a start-up applies to the CBB regulatory sandbox to trial an AI model that scores loan applicants. Because the model assesses creditworthiness on a solely automated basis, the PDPL's automated-decision right is engaged: applicants can demand a non-automated reconsideration unless the decision is part of contract formation with safeguards. The firm builds a human-review step and documents its lawful basis before going live.

A government body deploying a service chatbot: a ministry building an AI assistant must align with the iGA General Policy, which requires human oversight, transparency and compliance with the PDPL and the state-documents law. Where the service uses biometric identity verification, Article 15 requires prior written authorisation from the Ministry before that automated processing begins.

A multinational running models on Bahraini cloud infrastructure: a company headquartered abroad processes personal data using servers in Bahrain's AWS region. Even without a local office, it is caught by the PDPL because it processes data by means available in the Kingdom, so it must meet consent, transfer and notification duties.

Common misunderstandings

"Bahrain has passed an AI law." It has not. The 38-article AI Regulation Law was approved by the Shura Council on 28 April 2024 but the government pushed back and it has not been enacted. Treat it as pending, not in force.

"The PDPL only applies to Bahraini companies." Wrong. It reaches entities outside Bahrain that process personal data by means available in the Kingdom, which captures foreign firms using Bahraini infrastructure.

"Bahrain is just a copy of the UAE or Saudi approach." Each Gulf state differs. Bahrain leans on its data-protection law plus policy and a fintech sandbox, rather than a dedicated AI authority of the kind Saudi Arabia and Abu Dhabi have established.

"The national AI policy binds everyone." The iGA General Policy is aimed at government entities. Private firms should treat it as a strong steer and a procurement expectation, not a directly enforceable private duty.

"The PDPL bans automated decisions." It does not ban them. It gives individuals a right to require non-automated reconsideration in specific assessment contexts, subject to a contract exception.

Risks and boundaries

The biggest source of uncertainty is the standalone AI law. The draft, unanimously approved by the Shura Council on 28 April 2024 and described by the Library of Congress as "comprising seven chapters and a total of 38 articles", would create an AI oversight unit, licensing, civil liability and administrative and criminal penalties. Per the Library of Congress, sanctions under the draft "include imprisonment for up to three years and fines ranging from BHD 1,000 (approx. USD$2,660) to BHD 20,000 (approx. USD$53,200), depending on the severity of the offense." But in late 2024 the government formally pushed back: per The Daily Tribune, the government said current laws already address the aims and that "Bahrain could adopt a forward-looking stance by introducing a 'Regulatory Sandbox,' allowing safe testing of AI technologies in controlled settings." It also criticised the draft's narrow reach: again per The Daily Tribune, "Unlike the Personal Data Protection Law, which applies to anyone using infrastructure in Bahrain regardless of location, the proposed bill would only apply to entities based in the Kingdom. Officials warned this restriction could leave international AI activities unregulated." As of 2026 the bill remains under review in the Council of Representatives and has not been enacted, formally rejected or finally voted on. Lexology, in "GCC: Navigating AI Regulations: the Current Landscape," states plainly that "The status of this draft law is currently unclear." Do not plan around its specific provisions yet.

What Bahrain's framework is not: it is not a comprehensive, risk-tiered AI Act on the EU model, and the iGA policy is not a private-sector statute. Claims in vendor materials that Bahrain has an in-force standalone AI law, or that breach notification is universally 72 hours regardless of risk, should be checked against the primary text; the 72-hour duty applies to breaches likely to affect data subjects' rights. Where you see speculative or forward-looking phrasing ("will likely be enacted"), treat it as opinion.

What to do next

Start with the PDPL, because it is the binding layer that applies now. Map your AI data flows, confirm your lawful basis (usually explicit written consent), and check whether any processing triggers Article 15 prior authorisation (biometric identity verification, surveillance recording, or cross-controller data linkage). Build a human-review path for any solely automated decision that assesses performance, creditworthiness, reliability or conduct.

Lock down cross-border transfers: confirm whether destination countries are on the Authority's adequacy list, or rely on specific consent or case-by-case authorisation. Put a 72-hour breach-notification process in place and appoint a Data Protection Guardian if your processing is large-scale or sensitive.

If you sell to government, align voluntarily with the iGA General Policy and the GCC ethics manual: document human oversight, transparency and accountability, because these are becoming procurement expectations. If you are in financial services, engage the CBB sandbox early. Finally, monitor the draft AI Regulation Law's progress through the Council of Representatives; if it is enacted, expect licensing and an oversight unit, and revisit your governance then. The trigger to act on the new law is its publication in the Official Gazette, not its committee stages.

FAQs

Does Bahrain have a dedicated AI law?

Not in force. A 38-article AI Regulation Law was unanimously approved by the Shura Council on 28 April 2024, but the government pushed back and it remains under review in the Council of Representatives. AI is currently governed through the PDPL, sector rules and policy.

When did Bahrain's Personal Data Protection Law take effect?

The PDPL, Law No. 30 of 2018, was promulgated on 12 July 2018 and came into force on 1 August 2019. Ten ministerial resolutions supplementing it took effect in March 2022.

Who enforces data protection in Bahrain?

The Personal Data Protection Authority. By Royal Decree No. 78 of 2019 its duties and powers were assigned to the Ministry of Justice, Islamic Affairs and Waqf, which performs the regulator role in practice.

Does the PDPL apply to companies outside Bahrain?

Yes. It applies to entities outside Bahrain that process personal data by means available in the Kingdom, unless the processing is solely to pass data through Bahrain. Foreign firms using Bahraini infrastructure are caught.

What does the PDPL say about automated decisions?

Where a decision is based solely on automated processing to assess someone's work, financial standing, creditworthiness, reliability or conduct, the person can require a non-automated reconsideration, which is mandatory and free, subject to a contract exception. Article 15 also requires prior authorisation for certain automated processing.

What are the penalties under the PDPL?

Serious breaches can attract imprisonment of up to one year and fines of BD 1,000 to BD 20,000, plus administrative daily and lump-sum fines and a right for individuals to claim compensation.

How is Bahrain's approach different from the UAE, Saudi Arabia and Qatar?

Bahrain relies on its data-protection law plus the iGA policy and the CBB fintech sandbox, and has no dedicated AI authority in force. Saudi Arabia has SDAIA and the UAE has dedicated AI bodies including Abu Dhabi's AI council; Qatar has issued sector AI guidance for financial firms.

Can I test AI financial products in Bahrain?

Yes, through the Central Bank of Bahrain's regulatory sandbox, launched in 2017, and the FinHub 973 platform, which let licensees and start-ups trial technology-based financial services under supervision.
