For DIFC, ADGM & GCC AI teams selling into Europe

If your AI features touch EU users, you’re already liable.

The EU AI Act applies extraterritorially. A UAE-licensed company that ships AI to EU customers is a “provider” or “deployer” under Article 2(1)(c) — and on the hook for fines up to €35M or 7% of global turnover from 2 August 2026. Regula audits your codebase locally in one command. Free, open-source, no consultants.

no account · no API key · runs on your machine · read the trust pack

Why this matters for UAE companies

Four facts about EU AI Act extraterritoriality that GCC general counsel are double-checking right now.

Extraterritorial by design

Article 2(1)(c) of Regulation (EU) 2024/1689 explicitly applies to providers and deployers established outside the EU when the output of the AI system is used in the Union. Where you incorporate is irrelevant.

Source: Regulation (EU) 2024/1689 Article 2(1)(c)

The provider carries the liability

If your DIFC or ADGM company places an AI system on the EU market — directly, through a reseller, or via an EU-based customer using your API — you are the provider. Compliance liability sits with you, not your distributor.

Source: Regulation (EU) 2024/1689 Article 3(3) and Article 16

Fines up to €35M or 7% of global turnover

Article 99 sets the maximum administrative fine at €35 million or 7% of worldwide annual turnover, whichever is higher. For a DIFC fintech with EU exposure, this is materially worse than DFSA and DPDP enforcement combined.

Source: Regulation (EU) 2024/1689 Article 99

Enforcement begins 2 August 2026

Annex III high-risk obligations apply from 2 August 2026. The proposed Digital Omnibus delay to 2 December 2027 is not yet law and is currently in trilogue. Plan for August.

Source: Regulation (EU) 2024/1689 Article 113; Council 13 March 2026 mandate

Sectors with the highest exposure in the UAE

Where DIFC, ADGM, Dubai Internet City, and Abu Dhabi Hub71-licensed companies most often hit EU AI Act high-risk categories.

Fintech & lendingCredit scoring, loan approval, KYC risk → Annex III Cat 5 (essential services)

InsurtechHealth/life insurance pricing, claim assessment → Annex III Cat 5

HR & recruitment SaaSCV screening, candidate ranking → Annex III Cat 4 (employment)

Health-techClinical decision support, diagnostic AI → Article 6(1) + MDR/IVDR

ProptechTenant screening, rental decisions → Annex III Cat 5

Smart city / mobilityADAS, traffic management, biometrics → Annex III Cat 1, 2, safety components

DIFC, ADGM, and the federal layer: who regulates AI in the UAE today?

The UAE does not yet have a federal AI Act. AI governance today sits across sectoral and free-zone regulators, plus the federal Data Office and the Council for AI and Blockchain. Most UAE AI teams encounter the three regulators below. None of them displace the EU AI Act when your product reaches EU users.

DIFC — Dubai International Financial CentreDIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) + Regulation 10 on processing personal data through autonomous and semi-autonomous systems. Dubai Financial Services Authority (DFSA) regulates AI deployed in regulated financial services. Personal data triggers DP law; financial use triggers DFSA rules.

ADGM — Abu Dhabi Global MarketADGM Data Protection Regulations 2021 (modelled on GDPR). Financial Services Regulatory Authority (FSRA) regulates AI in licensed financial activities. ADGM's Office of Data Protection issued AI-specific guidance on automated decision-making in 2023.

Federal — UAE Data Office + AI CouncilFederal Decree-Law No. 45 of 2021 (PDPL) governs personal data across the mainland. The UAE Council for AI and Blockchain and the Minister of State for AI coordinate national strategy. No federal AI Act has been enacted; sectoral regulators (Central Bank, DHA, MoHAP, TDRA) hold the levers.

The practical takeaway: regardless of which UAE regulator sits over your company, if your AI touches EU users, EU AI Act obligations apply on top of your local rules. Regula checks against the EU layer locally, in one command, with no data leaving your machine.

What it looks like

Real session against a one-file Python script that calls OpenAI to score a CV — the canonical Annex III Category 4 case.

$ pipx install regula-ai
Successfully installed regula-ai-1.7.0

$ cat demo.py
import openai
def classify_resume(resume_text):
    client = openai.OpenAI()
    reply = client.chat.completions.create(
        model='gpt-4',
        messages=[{'role':'user','content':f'Score this resume: {resume_text}'}])
    return reply.choices[0].message.content

$ regula quickstart

Regula Quickstart

  Created: ./regula-policy.yaml

  First scan complete (0.0s)
  Files scanned:      1
  BLOCK findings:     1

  Top findings:
    [BLOCK] [ 88] demo.py
          Annex III, Category 4
          Employment and workers management

$ regula classify --file demo.py
HIGH-RISK: Employment and workers management - Articles 9, 10, 11, 12, 13, 14, 15

$ # From pip install to a categorised, article-cited finding in under 10 seconds.

$ pipx install regula-ai && regula quickstart

How you verify Regula independently

Procurement teams in DIFC and ADGM ask the same questions. Here are the answers, all in one document.

✓ Trust Pack — every claim is paired with the exact shell command anyone can run to verify it. docs/TRUST.md
✓ Published precision & recall — 100% on the synthetic Annex III/Article 5 corpus, 0 false positives at the BLOCK tier on five mature OSS projects. Reproducible methodology. benchmark report
✓ SHA-256 tamper-evident audit log — verify the chain yourself with regula audit verify.
✓ Zero runtime dependencies — Regula's core only uses Python's standard library. The Software Bill of Materials is empty by design.
✓ Runs entirely on your machine — no SaaS, no API, no data leaves your environment. regula check is fully offline.
✓ Open source under MIT — read every line at github.com/kuzivaai/getregula.