The regulatory landscape for artificial intelligence and autonomous systems in the DIFC is changing rapidly. With the introduction of DIFC Regulation 10, organisations that use autonomous or semi-autonomous systems to process personal data must reassess how their AI systems are designed, governed, and deployed.

Regulation 10 came into force on 1 September 2023, with a key compliance deadline of 1 January 2026. Organisations that delay preparation risk significant operational and compliance challenges.

In this article, we explain what Regulation 10 is, which systems must be certified, and how organisations can prepare for certification.

What Is DIFC Regulation 10?

DIFC Regulation 10 governs the processing of personal data through autonomous and semi-autonomous systems. It applies where systems:

• Process personal data for human-defined purposes, system-defined purposes, or both
• Generate outputs based on that processing
• Operate with limited or no human intervention

Unlike traditional data protection rules, Regulation 10 focuses on how decisions are made, not just on data collection or storage. It introduces accountability across the AI lifecycle and allocates responsibilities between:

• Providers – entities that develop or procure autonomous systems
• Operators – entities that operate systems on behalf of deployers
• Deployers – entities that benefit from and exercise authority over the system

This means Regulation 10 can apply even where organisations do not build AI themselves, but simply deploy third-party systems. This is an important difference from other regulatory regimes.

Automated Decision-Making vs Regulation 10

A common misconception is that Regulation 10 only applies to advanced or “self-learning” AI.

In reality, rule-based systems may also fall within scope if they autonomously process personal data and generate outcomes that affect individuals. For example, recruitment tools that automatically screen or disqualify candidates may trigger Regulation 10 obligations alongside other data protection provisions.

The key question is not whether a system uses machine learning, but whether it operates autonomously and processes personal data in a way that creates risk to individuals.

Which Autonomous Systems Must Be Certified?

Certification is mandatory where both of the following apply:

1. The system is autonomous or semi-autonomous
2. The system performs High-Risk Processing for commercial use

What Is High-Risk Processing?

High-risk processing includes scenarios such as:

• Use of new or untested technologies
• Large-scale processing of personal data
• Processing of special categories of personal data (e.g. health data, biometric data)
• Use of AI for employee monitoring or performance evaluation
• Automated decision-making with significant effects (e.g. employment decisions, credit scoring, insurance, fraud detection)
• Processing that creates material risks to data subjects’ rights

Where autonomous systems are used for high-risk processing, Regulation 10 certification is mandatory.

Core Regulation 10 Obligations

Regulation 10 introduces a set of detailed obligations for deployers and operators, including:

• Transparency and notification to users explaining:
  • The purpose of processing
  • How the system functions
  • The logic and principles underpinning outputs
• Evidence of system design and development standards, including applicable certifications
• Registers of processing activities specific to autonomous systems
• Mechanisms ensuring data subjects can exercise their rights under the DIFC Data Protection Law

These obligations go well beyond traditional privacy notices and require organisations to demonstrate meaningful accountability and explainability.

Preparing for Regulation 10 Certification

Certification under Regulation 10 is not a tick-box exercise. It is an evidence-driven assessment that requires organisations to demonstrate maturity across governance, risk, and technical controls.

Typical preparatory artefacts include:

• Company and system profiles
• AI DPIA and risk registers
• Transparency documentation (privacy notices, system explanations, autonomous systems registers)
• Data governance frameworks (inventories, quality controls, PETs)
• Bias and fairness assessments
• Security documentation (risk assessments, incident response and breach plans)
• Appointment of an Autonomous Systems Officer (ASO)
• Third-party due diligence and contractual safeguards
• Complaints, appeals, and dispute resolution procedures
• Lifecycle management documentation

Only accredited certification bodies can certify autonomous systems used for high-risk processing.

The Regulation 10 Certification Process

While certification bodies may differ in approach, the process typically includes:

• Initial Assessment

A high-level determination of whether certification is required.

• Gap Analysis

A detailed review of system operations against Regulation 10 requirements.

• Remediation and Documentation

Implementation of controls and preparation of evidence packs.

• Formal Audit

Independent assessment against Regulation 10 criteria.

• Certification Issuance

Granted upon successful completion of the audit.

Certification is not a one-off exercise. Organisations must also implement ongoing monitoring and renewal processes.

How White Label Consultancy Supports Regulation 10 Readiness

White Label Consultancy supports organisations across the full Regulation 10 journey, including:

• Regulation 10 applicability assessments
• AI impact assessments and DPIAs
• Certification readiness and gap remediation
• Autonomous Systems Officer governance frameworks
• Transparency and explainability documentation
• Alignment with global standards such as ISO 42001

Whether you develop AI, deploy third-party tools, or operate autonomous systems on behalf of others, early preparation is essential.

Final Thoughts

DIFC Regulation 10 represents a significant shift in how autonomous systems are regulated. Certification is mandatory for high-risk use cases and requires organisations to demonstrate robust governance, transparency, and accountability.

With the 2026 compliance deadline approaching, now is the time to assess your systems, identify gaps, and begin preparing for certification.

If you would like support assessing your Regulation 10 obligations or preparing for certification, White Label Consultancy can help.