regulation10.ae
DIFC Reg 10 Accelerator

The Participant pathway, end to end.

The Reg 10 Accelerator is a Participant sandbox — not an ACB scheme. regulation10.ae produces the evidence stack the Accelerator Testing Team expects, with §1 and §2 covered line by line.

Participant pathway

Four steps from onboarding to Output Report

The Accelerator Framework treats the Participant as the testee and the Accelerator Testing Team (ATT) as the reviewer. There are four checkpoints between onboarding and the Output Report. regulation10.ae produces a deterministic artefact at every one of them.

  1. Step 01

    Eligibility and abstract

    We capture the Participant abstract — entity, system, purpose, processing categories — through the onboarding wizard and render it on the public AI System Register. That alone clears Accelerator §1 G1.2 and G1.5.

  2. Step 02

    Design dossier

    Modules 1.1 (risk classification), 1.1b (Article 5 prohibition screener), 1.2 (DPIA) and 1.3 (transparency notice EN+AR) generate the redactable design document set required by §1 G1.3 — citation-pinned, content-hashed, regenerable.

  3. Step 03

    Assessment-model declaration

    DPIA §1 names the lens — Open Loop, OECD AI Principles, EU AI Act Article 27, or ISO/IEC 42001 — and lets us cleanly express the Bespoke-criteria pathway under §1 G1.6.

  4. Step 04

    Output report

    Module 4.1 evidence pack plus Module 3.3 WORM audit trail compose the single signed Output Report the ATT and Commissioner expect under §1 G1.10. Re-runnable in under ten minutes if facts change mid-testing-window.

Coverage matrix

§1 Governance and §2 Substantive criteria — line by line

Mapping of the DIFC Reg 10 Accelerator Framework requirements to the regulation10.ae surface that satisfies them. Source of truth: the internal coverage-verification annex dated 12 May 2026, pinned to commit 44fe046.

§1 Governance procedures

9 of 11 substantive items met or exceeded; 2 N/A by design

Accelerator §1 governance coverage
RefRequirementregulation10.ae surfaceVerdict
G1.1NDA between Commissioner / Participant / ATT

Out of platform scope — transactional legal document.

N/A
G1.2Abstract — entity, system and purpose

Five-step onboarding wizard captures system name, tenant, purpose and processing categories; public AI System Register renders the descriptor.

Meets
G1.3Design document (redactable for IP / restricted law)

Modules 1.1 risk classification, 1.2 DPIA and 1.3 transparency notice plus the AI System Register entry compose a complete, redactable design dossier with citation pinning and content hashes.

Exceeds
G1.4Demonstration materials

Tenant dashboard with one-click DPIA and notice generation, reproducible ICP smoke run, sub-eight-minute walkthrough script.

Exceeds
G1.5Participant eligibility (DIFC / non-DIFC with DIFC ops / other with justification)

Multi-tenant from day one; the wizard supports all three categories with explicit eligibility capture.

Meets
G1.6Assessment-model declaration (Open Loop / OECD / Humane Intelligence / Bespoke)

DPIA authority block names OECD AI Principles, EU AI Act Art. 27, ISO/IEC 42001; Bespoke pathway captured via the authority extension.

Meets
G1.7Acceptance criteria — use case, testing criteria, bespoke criteria

Onboarding wizard, Module 1.1 risk-classification report and DPIA together compose the acceptance dossier; the evidence-pack manifest indexes them.

Meets
G1.8Accelerator testing period (long-form up to four weeks; sprint up to one day)

Full evidence pack regenerable in under ten minutes; sprint-format compatible.

Exceeds
G1.9Accelerator Testing Team qualification (CVs, NDAs, abbreviated ACB criteria)

ATT-side concern, not Participant-side — out of platform scope.

N/A
G1.10Output reporting and review (Report to Participant and Commissioner; permitted-third-party access)

Module 4.1 Evidence Pack ZIP plus Manifest.json plus Module 3.3 audit trail produce a single signed bundle with content-hash anchoring.

Exceeds
G1.11Auditability and monitoring (in-life monitoring to fill gaps, ad-hoc submissions)

Module 3.3 audit trail (CSV plus JSON, WORM-fed, UAE-North residency enforced at the schema level). Continuous drift monitoring (Module 3.1) is on the roadmap.

Meets MVP today; Module 3.1 drift monitoring is gated until first paid tenant.

Meets MVP
G1.12Enforcement / enforcement amnesty (3- and 6-month windows)

Out of platform scope — Commissioner-side process.

N/A

§2 Substantive evaluation (Q1–Q7)

All seven answer Yes; three exceed the floor

Accelerator §2 substantive Q1–Q7 coverage
RefRequirementregulation10.ae surfaceVerdict
Q1Evidence on request of system compliance with audit / certification requirements (Reg 10.2.2(c))

Module 4.1 evidence pack, Module 3.3 WORM audit trail (SHA-256 content hashes), ASO appointment letter and AI System Register entry — all automated, hash-verifiable, regenerable in under ten minutes.

Exceeds
Q2Algorithm for human intervention where processing may be unfair / discriminatory, plus risk and impact assessment (Reg 10.2.2(d))

Module 1.2 DPIA HITL section plus the ten-row risk taxonomy (biased output, unfair impact, loss of human review); Module 1.1 flags HRP; Module 1.1b screens prohibited Article 5 categories.

Quantitative bias metrics (Module 2.1, AIF360 / Fairlearn) are on the Sprint 3 contingency plan.

Meets
Q3Algorithm for human intervention on law-enforcement access, plus risk assessment (Reg 10.2.2(e))

DPIA §1.2 cross-border block plus §3 risk row 'use of data spreads beyond first purpose'; HITL section captures the algorithm description; audit trail flags any law-enforcement-access event.

Meets
Q4Algorithm for human intervention on potential Regulation 9 non-compliance, plus risk assessment (Reg 10.2.2(f))

DPIA risk taxonomy explicitly lists data-subject-rights risks; §2.4 information-rights block; citation-required compliance agent enforces Reg 9 citations on every generated artefact.

Meets
Q5System designed for Ethical / Fair / Transparent / Secure / Accountable concepts (Reg 10.3.1)

DPIA §1 description, §3 risk, §4 mitigations and §5 FRIA overlay cover all five concepts; Module 1.3 transparency notice (EN + AR) addresses 'Transparent'; banned-token list and Article 5 screener address 'Ethical'; WORM plus SHA-256 hashing address 'Accountable'; citation pinning is also an Accountable control.

Exceeds
Q6Processing only for human-defined / approved purposes, and compliance with 10.3.1 plus audit / certification (Reg 10.3.2)

Onboarding wizard captures purpose; Module 1.1 verifies stated purpose against rules and citations; the Article 5 screener flags any subliminal / manipulation use case where the system defines its own purpose; the evidence pack carries audit-ready proof.

Meets
Q7ASO appointed with DPO-equivalent competencies (Articles 17 / 18 of DPL 2020; Reg 10.3.3(d))

ASO appointment-letter generator produces the actual signed-letter instrument mapped to DPL Articles 17 and 18 — not merely a written attestation.

Exceeds

Frame

No ACB accreditation needed to enter.

The ACB scheme and the Accelerator are different instruments

DIFC Reg 10.3.3 vs Accelerator Framework §1

The DIFC Reg 10 ACB Framework defines an Accredited Certification Body as an entity with the ability to certify a Certification Applicant's System for High Risk Processing. Part 1 of that framework is what an ACB applicant has to prove — Independence, Expertise, Written Undertakings, Established Procedures, Conflicts of Interest, and so on.

The Accelerator Framework is different. It is a sandbox for Participants — developers, deployers and operators — to test their own systems for privacy-by-design compliance. The Accelerator Testing Team is the reviewer, not an ACB. The framework explicitly lets Participants pick the assessment model (Open Loop / OECD / Humane Intelligence / Bespoke) and can be run as a bolt-on to UAE Reg Lab, UK ICO or EU AI Act Article 57 sandboxes.

Nowhere in the Accelerator Framework does a Participant need to be — or use — an ACB. ACB certification is what an entity does for commercial deployment under Reg 10.3.3. It is not what an entity does to enter the sandbox. The entire Part 1 of the ACB Framework (Independence, Expertise, Written Undertakings, Established Procedures, Transparency, Conflicts of Interest, Communications with the Commissioner, Certification Application Review, Certification Programme Requirements Review) is orthogonal to Accelerator participation.

The only place the ACB criteria intersect with the Accelerator is on the tester side, in abbreviated form, as part of ATT qualification. That is the Commissioner's selection problem, not the Participant's.

Bespoke-criteria readiness · v2.4 — 24 May 2026

Modules 2.1 (Bias) and 2.2 (Threat Model) shipped in v2.4.

Accelerator Framework §2 reserves the right of the Accelerator Testing Team or Commissioner to impose Bespoke criteria — for example quantitative bias metrics or STRIDE threat models. Modules 2.1 (Bias / Fairness) and 2.2 (Threat Model) shipped in v2.4 (24 May 2026), so the Bespoke pathway is met out of the box. Module 2.3 red-team report remains bundled into the Reg 10 Sprint engagement; Module 3.1 drift monitoring is provisioned on first Enterprise tenant signup.

Module 2.1 Bias / Fairness

Shipped · v2.4

5–6 working days

  • AIF360 + Fairlearn metric suite (demographic parity, equalised odds, disparate-impact ratio, predictive parity, calibration-by-group).
  • Citations: EU AI Act Annex III; DPL Article 9 sensitive data; OECD AI Principle 1.2.
  • Output: BiasReport-<SYSTEM_ID>.pdf + .md plus a new MODULE_2_1_BIAS_FAIRNESS audit row.

Module 2.2 Threat Model

Shipped · v2.4

4–5 working days

  • Deterministic TS engine mapping system facts to STRIDE rows (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation).
  • Citations: ISO/IEC 27001 A.5/A.8/A.12; NIST AI RMF Govern/Map/Measure; MITRE ATLAS prompt-injection IDs.
  • Output: ThreatModel-<SYSTEM_ID>.pdf plus a new MODULE_2_2_THREAT_MODEL audit row.

v2.4 decision rule: Modules 2.1 and 2.2 are now live in packages/module-engines as TS-only deterministic engines on plain arrays — no Python runner, no Fairlearn or pytm install — so a Bespoke criterion from the ATT triggers an existing artefact rather than a build. Module 2.3 (quarterly red-team) ships through the Reg 10 Sprint engagement; Module 3.1 (drift monitoring) is provisioned on first paid Enterprise tenant signup. The §2 floor is exceeded.

Ready to file?

Walk into your Accelerator Testing Team session with the §1 / §2 matrix in hand.

A 30-minute readiness call maps your system facts onto the matrix, flags any §2 row that needs a Bespoke-criteria contingency, and gives you a one-page submission summary.