What is AI regulation in the Middle East?
AI regulation: countries and regions
As at June 2026, AI regulation in the Middle East is led far more by national strategy and state investment than by binding AI law. The Gulf states, especially the UAE and Saudi Arabia, set the pace with ambitious strategies, dedicated authorities and large public spending, supported by non-binding ethics principles and growing data protection regimes. Israel takes a deliberately sectoral, soft-law approach. Hard, AI-specific statutes remain rare across the region, so most legal force comes from data protection and sector rules.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
The Middle East does not yet have a single, binding AI law in the way the European Union has its AI Act. Instead, most governments in the region have published national AI strategies, created institutions to drive adoption, and issued non-binding ethics principles and guidelines. Data protection laws, many modelled on the EU GDPR, supply much of the actual legal force that touches AI today.
This is most visible in the Gulf. The United Arab Emirates and Saudi Arabia have built a strategy-and-investment-led model: set a national vision, create a powerful coordinating body, pour money into compute and talent, and govern through guidance and existing law rather than a dedicated AI statute. Israel, by contrast, has chosen a decentralised, sectoral approach driven by a 2023 policy document and existing regulators.
This hub page orients you to the regional picture and routes you to the individual country articles for detail. It summarises and links down rather than restating each country in full. Where strategy outpaces binding law, this page says so plainly.
Why it matters
For organisations deploying AI in the region, the practical compliance pressure today comes mostly from data protection law, cybersecurity rules and sector regulators, not from a standalone AI act. Understanding that distinction matters. Leaders who wait for an AI law may miss the obligations that already bite, such as consent requirements, restrictions on automated decision-making, and cross-border data transfer rules. The region is also a magnet for AI investment and infrastructure, which raises the stakes for getting governance right early and tracking how positions evolve.
How it works
The Gulf strategy-and-investment-led model
The UAE was the first country in the world to appoint a dedicated AI minister, naming Omar Sultan Al Olama as Minister of State for Artificial Intelligence in October 2017. Its National Strategy for Artificial Intelligence 2031, adopted by the UAE Cabinet, sets eight objectives and aims to make AI a major contributor to the national economy. Governance runs through the AI Office, the UAE Council for Artificial Intelligence and Blockchain, and, at emirate level, Abu Dhabi's Artificial Intelligence and Advanced Technology Council. The UAE has issued the non-binding UAE Charter for the Development and Use of Artificial Intelligence in June 2024, setting out twelve principles, alongside earlier AI ethics guidance from 2022. Binding force comes mainly from data protection and sector rules rather than an AI statute.
The investment dimension is large. Stargate UAE, announced on 22 May 2025 by G42, OpenAI, Oracle, NVIDIA, SoftBank Group and Cisco, is a 1-gigawatt AI compute cluster built by G42's Khazna Data Centers inside a newly established 5-gigawatt UAE-US AI Campus in Abu Dhabi, with NVIDIA supplying its Grace Blackwell GB300 systems and the first 200 megawatts expected to go live in 2026. This illustrates the model: govern lightly through strategy and guidance, while competing hard for infrastructure and talent.
Saudi Arabia and SDAIA
Saudi Arabia follows a similar model through the Saudi Data and Artificial Intelligence Authority (SDAIA), established by royal order in 2019. SDAIA runs the National Strategy for Data and AI, launched in 2020, and acts as both promoter and regulator through its subsidiary bodies, the National Data Management Office and the National Center for AI. It has issued AI Ethics Principles in 2023 and Generative AI Guidelines for Government in January 2024, both non-binding, and it administers the binding Personal Data Protection Law. The investment dimension is again prominent: HUMAIN, launched on 13 May 2025 and chaired by Crown Prince Mohammed bin Salman, is a wholly owned Public Investment Fund company anchoring a roughly 100 billion US dollar AI programme, and is also launching a venture fund and has built ALLaM, an Arabic large language model.
Israel's sectoral, soft-law approach
Israel has deliberately chosen not to enact a horizontal AI law. Its December 2023 policy document, "Responsible Innovation: Israel's Policy on Artificial Intelligence Regulation and Ethics", produced by the Ministry of Innovation, Science and Technology with the Ministry of Justice, favours a risk-based, sector-led approach aligned with OECD principles. Existing regulators are expected to apply existing law, supported by a planned AI policy coordination centre. The financial sector has moved furthest, with an inter-ministerial team reporting on AI in finance. Israel's privacy regime was significantly strengthened by Amendment 13 to the Protection of Privacy Law, which took effect in August 2025, and the Privacy Protection Authority has circulated draft guidance on applying privacy law to AI systems.
Data protection as the real legal backbone
Across the region, data protection laws supply most of the binding obligations relevant to AI. The UAE's Federal Decree-Law No. 45 of 2021 (the PDPL) and the UAE Data Office sit alongside separate, GDPR-style regimes in the DIFC and ADGM financial free zones, which are excluded from the federal law. Saudi Arabia's PDPL is fully enforced and overseen by SDAIA. Bahrain has had a standalone law since 2019, Qatar since 2017, and Oman's law became fully enforceable in February 2026; Kuwait does not yet have a comprehensive personal data law. The DIFC has gone furthest on AI specifically, with Regulation 10 on processing personal data through autonomous and semi-autonomous systems, enacted in September 2023.
Examples
A bank operating in the DIFC and deploying an AI credit-scoring tool falls under DIFC Regulation 10, which requires that affected individuals are informed that autonomous systems are being used and given enough information to evaluate the associated risks and decide whether to object or withdraw consent. For higher-risk commercial uses, the regulation also contemplates audit, certification and the appointment of an autonomous systems officer.
A government entity in Saudi Arabia adopting a generative AI tool is expected to follow SDAIA's Generative AI Guidelines for Government, issued in January 2024, and to comply with the binding PDPL, including notifying SDAIA of a personal data breach within 72 hours.
A financial institution in Qatar must follow the Qatar Central Bank's Artificial Intelligence Guideline, issued on 4 September 2024, under which an entity must receive official QCB approval before launching a new AI system as a provider and must maintain a register of AI systems disclosed to the QCB annually, alongside governance structures, risk assessments and human oversight.
Common misunderstandings
"The Gulf has comprehensive AI laws." Mostly false. The Gulf leads with strategy, investment and non-binding ethics principles; binding obligations come from data protection, cybersecurity and sector rules.
"There is no regulation, so anything goes." False. Data protection laws, including restrictions on automated decision-making and cross-border transfers, already apply across most of the region.
"Israel has an AI Act." False. Israel deliberately relies on existing law and sector regulators, guided by its December 2023 policy.
"One regional framework covers the whole Middle East." False. Each country, and each financial free zone such as the DIFC and ADGM, has its own regime and its own regulator.
"Data protection laws are not enforced." Increasingly false. SDAIA enforces Saudi Arabia's PDPL and has responded promptly to complaints, and Israel's Privacy Protection Authority has expanded enforcement powers and issued sanctions.
Risks and boundaries
This hub is a regional overview, not legal advice, and positions are forming quickly. Where binding AI law is limited, organisations should not assume freedom from regulation; the practical risk lies in data protection, cybersecurity and sector compliance. Enforcement maturity varies widely between jurisdictions and free zones, and some regimes are newer or less tested than others. This page is fast-dating: the position is stated as at June 2026 and several frameworks are expected to change, particularly in finance and in the operationalisation of the DIFC's AI regulation.
What to do next
Map which jurisdiction and which free zone each AI deployment touches, because the rules and regulators differ. Treat data protection compliance as the immediate priority, including consent, automated decision-making and cross-border data transfers. Adopt the relevant national AI ethics principles voluntarily, as procurement teams and sector regulators increasingly reference them. Watch for binding developments, especially in financial services where central banks are moving first. For the detail behind each jurisdiction, read the individual country articles linked from this hub.
The benchmarks that would change this advice: the enactment of a binding, horizontal AI statute in any Gulf state or Israel; the start of active enforcement under the DIFC's Regulation 10; or the issuance of long-awaited executive regulations giving the UAE federal PDPL full practical effect.
Explore individual entries: AI regulation in Armenia, AI regulation in Azerbaijan, AI regulation in Bahrain, AI regulation in Iran, AI regulation in Iraq, AI regulation in Israel, AI regulation in Jordan, AI regulation in Kuwait, AI regulation in Lebanon, AI regulation in Oman, AI regulation in Qatar, AI regulation in Saudi Arabia, AI regulation in Syria, AI regulation in the United Arab Emirates, AI regulation in Yemen.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does the Middle East have a binding AI law like the EU AI Act?
Not as a region. As at June 2026, no Gulf state or Israel has a comprehensive horizontal AI statute; governance relies on national strategy, non-binding ethics principles and data protection law.
Which country leads on AI in the region?
The UAE and Saudi Arabia are the clear leaders, both pursuing a strategy-and-investment-led model with dedicated authorities, large public investment and active ethics guidance.
Who was the world's first AI minister?
The UAE's Omar Sultan Al Olama, appointed Minister of State for Artificial Intelligence in October 2017.
What does SDAIA do?
SDAIA is Saudi Arabia's Data and Artificial Intelligence Authority, established in 2019. It runs the national data and AI strategy, issues AI ethics and generative AI guidance, and enforces the Personal Data Protection Law.
Are AI ethics principles in the Gulf legally binding?
Generally no. The UAE Charter and SDAIA's principles are non-binding, though they influence procurement and sector rules and sit alongside binding data protection law.
What is Israel's approach?
A decentralised, sector-led, risk-based approach set out in its December 2023 policy, relying on existing regulators rather than a new AI law, with privacy law strengthened by Amendment 13 in August 2025.
Does data protection law apply to AI?
Yes. Data protection laws across the region restrict automated decision-making and regulate consent and cross-border data transfers, all of which are central to AI deployment.
Which Middle East countries have data protection laws?
The UAE, Saudi Arabia, Bahrain, Qatar and Oman have standalone laws, with the DIFC and ADGM operating their own regimes; Kuwait does not yet have a comprehensive personal data law.