ISO 42001
in the UAE
The world's first certifiable AI management system standard. It's also the clearest way a UAE organization can demonstrate that its AI is governed, documented and under control. Implementation, certification and PECB-accredited training, delivered in Dubai and across the Emirates.
ISO/IEC 42001:2023 is the international standard for an Artificial Intelligence Management System (AIMS). It is the first AI standard organizations can be certified against by an accredited certification body: the AI equivalent of what ISO 27001 does for information security.
In the UAE, AI is governed through a layered framework rather than a single AI statute: the National AI Strategy 2031, the UAE Charter for the Development and Use of Artificial Intelligence, the federal Personal Data Protection Law, free-zone rules such as DIFC Regulation 10, and emirate-level bodies such as Abu Dhabi's AIATC. In June 2026 the UAE announced a Federal Authority for Artificial Intelligence and Data to bring AI, data and digital government oversight under one body.
ISO 42001 gives UAE organizations a single, certifiable management system that sits underneath all of it: one that boards, regulators, procurement teams and enterprise customers recognize, and one that maps cleanly onto the EU AI Act and NIST AI RMF for organizations operating beyond the UAE.
Key Takeaways
What UAE Organizations
Need to Know.
- ISO 42001 is certifiable. Unlike a framework or a set of principles, an accredited certification body can audit your AI Management System and issue a certificate. That is the artifact procurement teams and boards ask for.
- The UAE governs AI in layers. National strategy, an ethical charter, data protection law, free-zone regulation and emirate-level councils each cover part of the picture. ISO 42001 provides the operating system that sits beneath them.
- DIFC Regulation 10 is binding and in force. It reached full enforcement on 1 January 2026 and places duties on DIFC entities deploying autonomous and semi-autonomous systems that process personal data.
- Oversight is consolidating. The Federal Authority for Artificial Intelligence and Data, announced in June 2026, unifies AI, data and digital government oversight under a single body reporting to Cabinet.
- If you hold ISO 27001, you are already part of the way there. Both standards share the Annex SL high-level structure, so the AIMS can be integrated into your existing management system rather than built from scratch.
- It travels. ISO 42001 maps onto the EU AI Act and the NIST AI Risk Management Framework, so one certified system serves UAE, European and US-facing obligations.
The UAE AI Governance Landscape
How AI Is Governed
in the UAE.
The UAE regulates AI through several instruments operating at different levels, rather than through one comprehensive AI act. Understanding which layer applies to you, and which carry legal force, is the starting point for any AI governance program. The picture below is current as of July 2026.
National AI Strategy 2031
The UAE's foundational AI policy document. The UAE became the first country in the world to appoint a Minister of State for Artificial Intelligence in 2017. The Strategy sets national direction and economic targets for AI adoption across government services, education, and priority sectors. It is guidance rather than enforceable law, but it shapes how regulators interpret existing statutes and which instruments they prioritize next.
UAE Charter for the Development and Use of Artificial Intelligence
Twelve ethical principles, covering safety, algorithmic bias mitigation, data privacy, transparency, human oversight, governance and accountability, technological excellence, and compliance with applicable laws. The Charter creates no penalties. Its practical function is to set the baseline expectations that procurement teams, regulators and public-sector adopters reference when approving or rejecting an AI deployment, which means it shows up in tenders and contracts even though it is not law.
Personal Data Protection Law
The UAE's federal data protection regime, modeled closely on the GDPR. It reaches most AI systems by virtue of the personal data they process. One practical caveat matters: its Implementing Regulations have not yet been issued, which has limited enforcement in practice. The market expectation is that the new Federal Authority will take ownership of finalizing them.
DIFC Regulation 10
Regulation 10 sits within the DIFC data protection regime and imposes specific duties on entities deploying autonomous and semi-autonomous systems that process personal data. It is regarded as the first AI-specific regulation in the wider Middle East, Africa and South Asia (MEASA) region.
Jurisdiction matters here: the DIFC and ADGM each operate their own data protection regime (DIFC under Law No. 5 of 2020, ADGM under its 2021 Regulations), and the federal PDPL does not apply inside either. Whether Regulation 10 applies to you depends on where your entity sits.
Federal Authority for Artificial Intelligence and Data
A unified national body consolidating the UAE Artificial Intelligence Office, the Information and Digital Government Sector of the TDRA, and the Emirates Data Office into a single structure reporting directly to Cabinet, led by the Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications. Its mandate includes setting unified national AI and data policy, proposing legislation, and establishing standards and guidelines for AI and data management.
At emirate level, Abu Dhabi's Artificial Intelligence and Advanced Technology Council (AIATC), established by Law No. 3 of 2024, continues to regulate AI and advanced technology projects within the emirate.
What none of these instruments do is specify how an organization should actually govern an individual AI system: what to document, how to assess AI-specific risk, who signs off on deployment, and what evidence to retain. That is the role ISO/IEC 42001 plays: a certifiable management system that operationalizes the principles the UAE's framework sets out.
The Standard
What ISO 42001
Requires.
ISO/IEC 42001:2023 follows the Annex SL high-level structure common to ISO 27001, ISO 9001 and ISO 22301. If you have implemented a management system before, the shape will be familiar.
Clauses 4–10: the management system
- Clause 4: Context. Determine internal and external issues, interested parties, and the scope of the AIMS. Define your role: are you an AI provider, producer, user, or some combination?
- Clause 5: Leadership. AI policy, top-management commitment, and clearly assigned roles and responsibilities.
- Clause 6: Planning. AI risk assessment and treatment, AI system impact assessment, AI objectives, and the Statement of Applicability against the Annex A controls.
- Clause 7: Support. Resources, competence, awareness, communication and documented information.
- Clause 8: Operation. Operational planning and control for running the AIMS in practice.
- Clause 9: Performance evaluation. Monitoring, measurement, internal audit and management review.
- Clause 10: Improvement. Nonconformity, corrective action and continual improvement.
Annex A: the controls
Annex A sets out the controls an organization selects from, covering AI policy, internal organization, resources for AI systems, impact assessment, the AI system life cycle, data for AI systems, information for interested parties, use of AI systems, and third-party relationships. Annex B provides implementation guidance for each control. As with ISO 27001, you justify inclusion and exclusion in a Statement of Applicability.
Where to Start
Four Ways In,
One Management System.
Implementation & certification
Gap assessment, AIMS design, AI risk methodology, Statement of Applicability, internal audit, and certification-audit readiness. From wherever you are today to audit-ready.
Implementation & certification →ISO 42001 Lead Implementer training
PECB-accredited, face-to-face corporate training for the team who will build and run your AIMS. Delivered in Dubai, Abu Dhabi and across the UAE.
Lead Implementer training →ISO 42001 Lead Auditor training
For internal audit, risk and assurance teams who need to audit an AI Management System against ISO/IEC 42001, or to prepare the organization to be audited.
Lead Auditor training →Not sure yet
Most organizations don't yet know which of the above they need. A short call establishes your scope, your exposure, and whether certification is worth pursuing at all.
Book a consultation →How Certification Works
From Gap Assessment
to Certificate.
Typically three to twelve-plus months, depending on how many AI systems are in scope, overall complexity, and whether you already operate a certified management system. Organizations with ISO 27001 in place move considerably faster.
| Stage | Timing | What happens |
|---|---|---|
| Gap assessment & scoping | Month 1 | Which AI systems are in scope, what already exists, and what ISO/IEC 42001 requires that you don't yet have. This is also where we tell you honestly whether certification is worth pursuing. |
| Build the AIMS | Months 2–4 | AI policy and objectives, AI risk assessment and treatment, AI system impact assessment, Statement of Applicability, roles and responsibilities, and the documented information an auditor will ask for. |
| Operate and evidence | Months 4–6 | The management system has to run before it can be certified. Controls operate, records accumulate, and the system produces the evidence trail an auditor needs to see. |
| Internal audit & management review | Months 6–8 | Mandatory before certification. We run the internal audit, raise the findings an external auditor would raise, and close them while it still costs nothing to do so. |
| Certification audit: Stage 1 & Stage 2 | Months 7–9 | Conducted by one of our partnered, accredited certification bodies. To preserve impartiality, whoever implements your AIMS cannot certify it directly, but certification is included in the package: we coordinate the relationship end to end and sit alongside you through the audit. |
Who Delivers This
reconn, Led by
Shenoy Sandeep.
reconn is an AI-first cybersecurity firm based in Business Bay, Dubai, led by founder Shenoy Sandeep. It is the entity behind every engagement on this page: implementation, certification readiness and PECB-accredited training.
Every AIMS we build is implemented by a team with hardcore cybersecurity backgrounds, both offensive and defensive, and a proven track record delivering ISO/IEC 42001 in practice, not a certificate earned once and never applied. The same team delivers the training below, so the people teaching the standard are the same people implementing it.
- Hands-on offensive and defensive AI security experience, not GRC theory alone
- Proven ISO/IEC 42001 implementation track record across live AI systems
- PECB-accredited Lead Implementer and Lead Auditor training, delivered in-house
- Led by Shenoy Sandeep, PECB Certified Trainer and founder of reconn
Frequently Asked Questions
Questions,
Answered.
Is ISO 42001 mandatory in the UAE?
No. ISO/IEC 42001 is a voluntary international standard. In practice, it has become the way UAE organizations demonstrate AI governance to boards, regulators, procurement teams and enterprise customers, because it is the only AI management standard you can be independently certified against.
How is AI regulated in the UAE?
Through a layered framework rather than a single AI act: the National AI Strategy 2031, the UAE Charter for the Development and Use of Artificial Intelligence (2024, non-binding, twelve ethical principles), the federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), free-zone rules such as DIFC Regulation 10, emirate-level bodies such as Abu Dhabi's AIATC, and sector-specific regulation. In June 2026 the UAE announced a Federal Authority for Artificial Intelligence and Data consolidating national oversight.
What is DIFC Regulation 10, and does it apply to us?
Regulation 10 sits within the DIFC data protection regime and places duties on entities deploying autonomous and semi-autonomous systems that process personal data. It reached full enforcement on 1 January 2026 and is regarded as the first AI-specific regulation in the MEASA region. It applies to DIFC entities; mainland organizations fall under the federal PDPL instead.
How long does ISO 42001 certification take?
Typically three to twelve-plus months from gap assessment to certification audit, depending on the number of AI systems in scope, overall complexity, the maturity of your existing management systems, and whether ISO 27001 is already in place.
Can ISO 42001 be integrated with ISO 27001?
Yes, and it usually should be. Both follow the Annex SL high-level structure, so context, leadership, planning, support, operation, performance evaluation and improvement can run as one integrated management system with a shared risk process, internal audit program and management review.
Who can certify our AI Management System?
An independent, accredited certification body, not a consultant or trainer. To preserve impartiality, the organization that implements your AIMS cannot also certify it. Certification is included in our package: we've partnered with multiple reputable, accredited certification bodies, so we coordinate that relationship for you rather than leaving you to source an auditor on your own.
What's the difference between ISO 42001 and the EU AI Act?
The EU AI Act is legislation; ISO 42001 is a certifiable management standard. They are complementary: the Act tells you what obligations apply to your AI systems, while ISO 42001 gives you the management system to meet them and evidence that you did. For UAE organizations selling into Europe, the two are usually run together.
Do you deliver on-site in the UAE?
Yes. Implementation engagements and face-to-face training are delivered on-site in Dubai, Abu Dhabi and across the Emirates.
Book a Consultation
Start With an
Honest Answer.
A thirty-minute call. We establish which AI systems you actually have in scope, where your exposure sits across the UAE's regulatory framework, and whether ISO 42001 certification is worth pursuing for your organization, including when the answer is that it isn't.
No sales deck. You'll speak to the person who would do the work.
- Based in Business Bay, Dubai, and on-site across the UAE
- Implementation, certification readiness and PECB-accredited training
- Direct access to the practitioners doing the work, not a coordinator
We reply within one business day. Your details are never shared.