What is AI regulation in Oman?

Oman does not yet have a stand-alone AI Act. Instead, AI is governed through a mix of soft-law policy and hard-law data protection rules. The main binding instrument is the Personal Data Protection Law, supported by executive regulations, while the Ministry of Transport, Communications and Information Technology uses a 2025 AI policy and a national AI programme to steer safe, ethical, human-centred adoption. In practice, the key issues are personal data, permits, notices, security, transfers and governance.

What this means

Oman's approach is quieter than a headline AI Act. The country is building AI governance through ministry policy, a Cabinet-backed national programme, and the wider digital economy agenda. That makes the framework emerging, but not empty.

For most private organisations, the real compliance anchor is data protection. If an AI system trains on, profiles, scores, recommends, or automates activity using identifiable people, the Personal Data Protection Law and its regulations can apply, especially where the system touches sensitive or child data.

The AI policy still matters because it shows where the state wants AI to go: sector adoption, local capability, privacy-aware governance, and trust. So the practical question in Oman is usually not "Is there an AI Act?" but "Which data, governance, transfer and consent duties does this AI use case trigger?"

Why it matters

If you buy, build or deploy AI in Oman, assuming "no AI Act" means "no rules" can be costly. A system may need a ministry permit before it handles health, biometric or other specially protected data; it may need written notice, a data protection officer, a breach plan, and checks on overseas hosting. The law also contains fines, and the ministry has practical reporting and complaint channels. For boards, founders, vendors and governance leads, Oman is therefore a jurisdiction where AI risk management starts with data mapping, role allocation, and ministry-facing compliance, not only with ethics statements.

How it works

No dedicated AI Act

As of June 2026, official Omani sources show policy and programme rather than a stand-alone AI Act. The Ministry of Transport, Communications and Information Technology published the General Policy for the Safe and Ethical Use of Artificial Intelligence Systems on 1 April 2025, after a public consultation that explicitly sought views on legislative, regulatory and technical frameworks for AI. The Cabinet approved the National Program for Artificial Intelligence and Advanced Digital Technologies on 19 September 2024. That programme builds on the 2022 executive AI programme and frames AI governance as human-centred, ethical, fair and safe, with privacy and algorithm governance as core themes.

Data protection is the main hard law

Royal Decree 6/2022 issued the Personal Data Protection Law. The decree says the law takes effect one year after publication in the Official Gazette, so the regime became live in February 2023. For AI tools, this is the main binding layer whenever personal data is collected, used, analysed, disclosed, transferred or otherwise processed by an AI system. The law gives people rights to withdraw consent, correct or update data, obtain a copy, transfer it to another controller, seek deletion where retention is no longer needed, and complain to the ministry. The controller is expected to handle personal data transparently and to be able to evidence explicit consent.

Public sector and ministry-led governance

The Personal Data Protection Law is not Oman's only governance layer. The same ministry leads the AI policy and the wider National Digital Economy Program. That programme has a three-level governance structure: oversight by the Financial and Economic Committee of the Council of Ministers, a Technical Committee for the Digital Economy, and executive teams for individual programmes. At the same time, the Personal Data Protection Law contains important carve-outs, including some state and public-body processing carried out under legal powers. That is why government AI projects should also be read against the separate Personal Data Protection Policy for Units of the State Administrative Apparatus, which treats state data handling as a governed activity even while the statute has exemptions.

Sensitive data and child data

The law uses stronger controls for especially intrusive data. Processing data about health, genetics, biometrics, ethnic origin, sex life, political or religious opinions, beliefs, criminal convictions or security measures requires ministry authorisation under the law and regulations. The executive regulations operationalise that authorisation through a permit process. The applicant must give detailed information about the purpose, categories of data, processors, disclosure recipients, storage and transfer locations, protection systems and breach precautions. A permit can run for up to five years, and it can be suspended or revoked. Child data also has extra safeguards, centred on explicit guardian consent, minimality, clarity and disclosure limits.

Day-to-day duties for organisations

Oman's rules are operational, not only aspirational. Controllers must set procedures to identify risks, control transfers and implement technical and organisational safeguards. Before processing begins, they must give the data subject written information that covers the controller and processor, the contact details of the data protection officer, the purpose and source of the data, a description of the processing, how disclosure may happen, and the person's rights. The regulations also require visible data protection policies, records of processing activities, retention controls, confidentiality measures, and appointment of a data protection officer with defined tasks. If requested by the ministry, controllers and processors may also need an external audit by an accredited and independent auditor.

Transfers, breaches and enforcement

Breach reporting and international transfers are two of the biggest practical issues for AI deployments. The regulations require notification to the competent department within 72 hours where a breach threatens data subject rights, and serious or high-risk breaches must also be reported to the affected person within 72 hours. Transfers outside Oman are allowed, but not casually. In principle, the controller must obtain explicit consent, ensure the foreign recipient offers a level of protection no lower than Oman's, and carry out a documented transfer-risk assessment. The ministry can warn, order correction or deletion, stop processing or transfers, suspend or cancel permits, and impose administrative penalties. The law also provides criminal fines, including especially high fines for unlawful cross-border transfer breaches.

Examples

If a hospital or health insurer deploys an AI triage, imaging or fraud system, the first question is whether the tool uses health, biometric, genetic or child data. If yes, the permit process should be treated as an early gate, not a later formality. The organisation will need to identify the processor, storage location, transfer route, data protection officer, security controls and breach reporting path before real deployment.

If a retailer, platform or telecoms operator uses AI for personalised advertising or promotional messaging, the model is only part of the compliance picture. In Oman, written consent is required before sending advertising, marketing or commercial materials based on personal data, and there must be a way to stop those messages without charge. The privacy notice and processing register should match what the AI system actually does.

If a ministry or other government unit pilots a chatbot, analytics engine or generative assistant, it should not assume that a public-body carve-out removes all governance work. The statutory exclusions need to be mapped carefully, but the state administrative apparatus also has a separate personal data protection policy and sits inside the national digital economy and AI governance framework. Secure data sharing, minimal collection, role clarity and oversight still matter.

Common misunderstandings

Misunderstanding: Oman has no AI law, so AI is unregulated. Correction: Oman has no stand-alone AI Act, but AI use can still be governed by data protection law, executive regulations, ministry policy and programme governance.

Misunderstanding: Only technology companies need to care. Correction: Any organisation that uses AI with personal data can be caught, including banks, hospitals, retailers, telecoms operators, public bodies and buyers of vendor tools.

Misunderstanding: Consent is the whole story. Correction: Oman also uses permits, notices, security controls, records, breach reporting, transfer checks, complaints and enforcement.

Misunderstanding: Government AI is outside the picture. Correction: Some public-body processing has statutory carve-outs, but government units also sit under separate policy and programme governance.

Misunderstanding: Overseas cloud hosting is a routine technical choice. Correction: Cross-border transfer rules can trigger explicit consent, adequacy checks and a documented assessment of transfer risk.

Risks and boundaries

Oman's framework is still emerging. The AI policy is a strategic policy document, not a comprehensive AI code. Official material points to ministry-led governance, permits, reporting channels and programme delivery, but it does not yet show a single horizontal AI statute or a large body of public enforcement decisions on AI-specific cases.

Some boundaries are fact-specific. The Personal Data Protection Law has exemptions, especially around state functions, national security, household use and some research. That makes public-private projects, outsourced government services and cross-border cloud arrangements worth mapping carefully at the design stage. Sector-specific rules, public procurement terms and cybersecurity requirements may also add duties that are not visible from the AI policy alone.

What to do next

Start with an inventory of AI use cases and the data each one touches. Separate personal, sensitive, child and anonymised data. Decide who is controller, processor, public authority, vendor and sub-processor. Check whether any special-category permit is needed, whether a data protection officer has the right mandate, and whether notices, consent language and marketing practices match the actual processing. Build a breach playbook that can meet the 72-hour clock, and test all overseas hosting or model-provider arrangements against Oman's transfer rules. If you sell into government, map the public-sector policy layer as well as the statute.

FAQs

Does Oman have a stand-alone AI law?

Not at the time of writing. Oman has a 2025 AI policy and a national AI programme, while the main binding law for many AI uses is the Personal Data Protection Law and its executive regulations.

Who is the main authority to watch?

The Ministry of Transport, Communications and Information Technology is the central published authority in this framework, including for AI policy, national programme delivery and personal data protection administration.

When does the Personal Data Protection Law matter for AI?

When the AI system processes personal data. That includes collecting, analysing, profiling, disclosing, storing, transferring or otherwise handling data that identifies a person directly or indirectly.

Do I need a permit to use AI on sensitive data?

Often, yes. Specially protected categories such as health, biometric and genetic data, and certain other sensitive data, require ministry authorisation under the law and executive regulations.

Do breaches have to be reported quickly?

Yes. If a personal data breach threatens data subject rights, the competent department must be notified within 72 hours, and serious or high-risk breaches must also be notified to affected individuals within 72 hours.

Can AI providers host Omani personal data outside Oman?

Possibly, but only with care. The regulations expect explicit consent in principle, adequate protection at the foreign recipient, and a documented assessment of transfer risk, with narrow exceptions.

Are government AI projects completely outside the regime?

No. The Personal Data Protection Law contains carve-outs for some state processing carried out under legal powers, but Oman also has a separate personal data protection policy for the state administrative apparatus and a ministry-led AI governance programme.
