The Participant pathway, end to end.
The Reg 10 Accelerator is a Participant sandbox — not an ACB scheme. regulation10.ae produces the evidence stack the Accelerator Testing Team expects, with §1 and §2 covered line by line.
Participant pathway
Four steps from onboarding to Output Report
The Accelerator Framework treats the Participant as the testee and the Accelerator Testing Team (ATT) as the reviewer. There are four checkpoints between onboarding and the Output Report. regulation10.ae produces a deterministic artefact at every one of them.
Step 01
Eligibility and abstract
We capture the Participant abstract — entity, system, purpose, processing categories — through the onboarding wizard and render it on the public AI System Register. That alone clears Accelerator §1 G1.2 and G1.5.
Step 02
Design dossier
Modules 1.1 (risk classification), 1.1b (Article 5 prohibition screener), 1.2 (DPIA) and 1.3 (transparency notice EN+AR) generate the redactable design document set required by §1 G1.3 — citation-pinned, content-hashed, regenerable.
Step 03
Assessment-model declaration
DPIA §1 names the lens — Open Loop, OECD AI Principles, EU AI Act Article 27, or ISO/IEC 42001 — and lets us cleanly express the Bespoke-criteria pathway under §1 G1.6.
Step 04
Output report
Module 4.1 evidence pack plus Module 3.3 WORM audit trail compose the single signed Output Report the ATT and Commissioner expect under §1 G1.10. Re-runnable in under ten minutes if facts change mid-testing-window.
Coverage matrix
§1 Governance and §2 Substantive criteria — line by line
Mapping of the DIFC Reg 10 Accelerator Framework requirements to the regulation10.ae surface that satisfies them. Source of truth: the internal coverage-verification annex dated 12 May 2026, pinned to commit 44fe046.
§1 Governance procedures
9 of 11 substantive items met or exceeded; 2 N/A by design
| Ref | Requirement | regulation10.ae surface | Verdict |
|---|---|---|---|
| G1.1 | NDA between Commissioner / Participant / ATT | Out of platform scope — transactional legal document. | N/A |
| G1.2 | Abstract — entity, system and purpose | Five-step onboarding wizard captures system name, tenant, purpose and processing categories; public AI System Register renders the descriptor. | Meets |
| G1.3 | Design document (redactable for IP / restricted law) | Modules 1.1 risk classification, 1.2 DPIA and 1.3 transparency notice plus the AI System Register entry compose a complete, redactable design dossier with citation pinning and content hashes. | Exceeds |
| G1.4 | Demonstration materials | Tenant dashboard with one-click DPIA and notice generation, reproducible ICP smoke run, sub-eight-minute walkthrough script. | Exceeds |
| G1.5 | Participant eligibility (DIFC / non-DIFC with DIFC ops / other with justification) | Multi-tenant from day one; the wizard supports all three categories with explicit eligibility capture. | Meets |
| G1.6 | Assessment-model declaration (Open Loop / OECD / Humane Intelligence / Bespoke) | DPIA authority block names OECD AI Principles, EU AI Act Art. 27, ISO/IEC 42001; Bespoke pathway captured via the authority extension. | Meets |
| G1.7 | Acceptance criteria — use case, testing criteria, bespoke criteria | Onboarding wizard, Module 1.1 risk-classification report and DPIA together compose the acceptance dossier; the evidence-pack manifest indexes them. | Meets |
| G1.8 | Accelerator testing period (long-form up to four weeks; sprint up to one day) | Full evidence pack regenerable in under ten minutes; sprint-format compatible. | Exceeds |
| G1.9 | Accelerator Testing Team qualification (CVs, NDAs, abbreviated ACB criteria) | ATT-side concern, not Participant-side — out of platform scope. | N/A |
| G1.10 | Output reporting and review (Report to Participant and Commissioner; permitted-third-party access) | Module 4.1 Evidence Pack ZIP plus Manifest.json plus Module 3.3 audit trail produce a single signed bundle with content-hash anchoring. | Exceeds |
| G1.11 | Auditability and monitoring (in-life monitoring to fill gaps, ad-hoc submissions) | Module 3.3 audit trail (CSV plus JSON, WORM-fed, UAE-North residency enforced at the schema level). Continuous drift monitoring (Module 3.1) is on the roadmap. Meets MVP today; Module 3.1 drift monitoring is gated until first paid tenant. | Meets MVP |
| G1.12 | Enforcement / enforcement amnesty (3- and 6-month windows) | Out of platform scope — Commissioner-side process. | N/A |
§2 Substantive evaluation (Q1–Q7)
All seven answer Yes; three exceed the floor
| Ref | Requirement | regulation10.ae surface | Verdict |
|---|---|---|---|
| Q1 | Evidence on request of system compliance with audit / certification requirements (Reg 10.2.2(c)) | Module 4.1 evidence pack, Module 3.3 WORM audit trail (SHA-256 content hashes), ASO appointment letter and AI System Register entry — all automated, hash-verifiable, regenerable in under ten minutes. | Exceeds |
| Q2 | Algorithm for human intervention where processing may be unfair / discriminatory, plus risk and impact assessment (Reg 10.2.2(d)) | Module 1.2 DPIA HITL section plus the ten-row risk taxonomy (biased output, unfair impact, loss of human review); Module 1.1 flags HRP; Module 1.1b screens prohibited Article 5 categories. Quantitative bias metrics (Module 2.1, AIF360 / Fairlearn) are on the Sprint 3 contingency plan. | Meets |
| Q3 | Algorithm for human intervention on law-enforcement access, plus risk assessment (Reg 10.2.2(e)) | DPIA §1.2 cross-border block plus §3 risk row 'use of data spreads beyond first purpose'; HITL section captures the algorithm description; audit trail flags any law-enforcement-access event. | Meets |
| Q4 | Algorithm for human intervention on potential Regulation 9 non-compliance, plus risk assessment (Reg 10.2.2(f)) | DPIA risk taxonomy explicitly lists data-subject-rights risks; §2.4 information-rights block; citation-required compliance agent enforces Reg 9 citations on every generated artefact. | Meets |
| Q5 | System designed for Ethical / Fair / Transparent / Secure / Accountable concepts (Reg 10.3.1) | DPIA §1 description, §3 risk, §4 mitigations and §5 FRIA overlay cover all five concepts; Module 1.3 transparency notice (EN + AR) addresses 'Transparent'; banned-token list and Article 5 screener address 'Ethical'; WORM plus SHA-256 hashing address 'Accountable'; citation pinning is also an Accountable control. | Exceeds |
| Q6 | Processing only for human-defined / approved purposes, and compliance with 10.3.1 plus audit / certification (Reg 10.3.2) | Onboarding wizard captures purpose; Module 1.1 verifies stated purpose against rules and citations; the Article 5 screener flags any subliminal / manipulation use case where the system defines its own purpose; the evidence pack carries audit-ready proof. | Meets |
| Q7 | ASO appointed with DPO-equivalent competencies (Articles 17 / 18 of DPL 2020; Reg 10.3.3(d)) | ASO appointment-letter generator produces the actual signed-letter instrument mapped to DPL Articles 17 and 18 — not merely a written attestation. | Exceeds |
Frame
No ACB accreditation needed to enter.
The ACB scheme and the Accelerator are different instruments
DIFC Reg 10.3.3 vs Accelerator Framework §1
The DIFC Reg 10 ACB Framework defines an Accredited Certification Body as an entity with the ability to certify a Certification Applicant's System for High Risk Processing. Part 1 of that framework is what an ACB applicant has to prove — Independence, Expertise, Written Undertakings, Established Procedures, Conflicts of Interest, and so on.
The Accelerator Framework is different. It is a sandbox for Participants — developers, deployers and operators — to test their own systems for privacy-by-design compliance. The Accelerator Testing Team is the reviewer, not an ACB. The framework explicitly lets Participants pick the assessment model (Open Loop / OECD / Humane Intelligence / Bespoke) and can be run as a bolt-on to UAE Reg Lab, UK ICO or EU AI Act Article 57 sandboxes.
Nowhere in the Accelerator Framework does a Participant need to be — or use — an ACB. ACB certification is what an entity does for commercial deployment under Reg 10.3.3. It is not what an entity does to enter the sandbox. The entire Part 1 of the ACB Framework (Independence, Expertise, Written Undertakings, Established Procedures, Transparency, Conflicts of Interest, Communications with the Commissioner, Certification Application Review, Certification Programme Requirements Review) is orthogonal to Accelerator participation.
The only place the ACB criteria intersect with the Accelerator is on the tester side, in abbreviated form, as part of ATT qualification. That is the Commissioner's selection problem, not the Participant's.
Bespoke-criteria readiness · v2.4 — 24 May 2026
Modules 2.1 (Bias) and 2.2 (Threat Model) shipped in v2.4.
Accelerator Framework §2 reserves the right of the Accelerator Testing Team or Commissioner to impose Bespoke criteria — for example quantitative bias metrics or STRIDE threat models. Modules 2.1 (Bias / Fairness) and 2.2 (Threat Model) shipped in v2.4 (24 May 2026), so the Bespoke pathway is met out of the box. Module 2.3 red-team report remains bundled into the Reg 10 Sprint engagement; Module 3.1 drift monitoring is provisioned on first Enterprise tenant signup.
Module 2.1 Bias / Fairness
Shipped · v2.45–6 working days
- AIF360 + Fairlearn metric suite (demographic parity, equalised odds, disparate-impact ratio, predictive parity, calibration-by-group).
- Citations: EU AI Act Annex III; DPL Article 9 sensitive data; OECD AI Principle 1.2.
- Output: BiasReport-<SYSTEM_ID>.pdf + .md plus a new MODULE_2_1_BIAS_FAIRNESS audit row.
Module 2.2 Threat Model
Shipped · v2.44–5 working days
- Deterministic TS engine mapping system facts to STRIDE rows (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation).
- Citations: ISO/IEC 27001 A.5/A.8/A.12; NIST AI RMF Govern/Map/Measure; MITRE ATLAS prompt-injection IDs.
- Output: ThreatModel-<SYSTEM_ID>.pdf plus a new MODULE_2_2_THREAT_MODEL audit row.
v2.4 decision rule: Modules 2.1 and 2.2 are now live in packages/module-engines as TS-only deterministic engines on plain arrays — no Python runner, no Fairlearn or pytm install — so a Bespoke criterion from the ATT triggers an existing artefact rather than a build. Module 2.3 (quarterly red-team) ships through the Reg 10 Sprint engagement; Module 3.1 (drift monitoring) is provisioned on first paid Enterprise tenant signup. The §2 floor is exceeded.
Ready to file?
Walk into your Accelerator Testing Team session with the §1 / §2 matrix in hand.
A 30-minute readiness call maps your system facts onto the matrix, flags any §2 row that needs a Bespoke-criteria contingency, and gives you a one-page submission summary.