Why regulation10.ae exists
A specific kind of problem
In late 2023 the Dubai International Financial Centre issued Regulation 10 — the operating rulebook for how regulated entities in the DIFC must govern the AI systems they deploy. It is not a guidance note. It is enforceable, supervised, and time-bound. By the time it lands in full force, every firm in the centre that procures, integrates, or operates an AI system is expected to be able to answer the same set of questions: who owns it, what does it decide, what could go wrong, who is accountable when it does, and how would we prove any of that to the Commissioner on demand.
That sounds like an obvious compliance ask. In practice it is the same scope of work that GDPR Article 35 demanded for personal-data processing, layered onto the kind of model-risk discipline that banking regulators have spent fifteen years building for credit-scoring systems, layered again onto the procurement-and-vendor controls that ISO 42001 is just starting to formalise globally. There is no off-the-shelf playbook because no single regulator has shipped one. The DIFC has shipped Reg 10, the DPL 2020, and a series of guidance notes, and it expects firms to translate those into operating reality on their own.
What we found when we looked
We spent the first quarter of the build cycle on three things in parallel. First, reading every word the DIFC has published on Reg 10, the DPL 2020, and the Commissioner's guidance — including the consent guidance, the assessor accreditation regulations, and the cross-border transfer regime. Second, talking to the people inside DIFC firms whose names will end up on the appointed-officer letters — heads of compliance, DPOs, CISOs, general counsel, and the first cohort of newly minted ASOs (Appointed Senior Officers). Third, looking at what already exists in the market — the EU AI Act conformity toolkits, the NIST AI RMF playbooks, the big-four advisory decks, the ISO 42001 readiness assessments.
The honest finding was that none of those, on their own, would survive a Commissioner inspection in the DIFC. Most are jurisdiction-agnostic frameworks dressed as products. They give you a taxonomy and a maturity curve and a 60-page report. They do not give you an AI System Register that maps to Reg 10's specific definition of an "AI system in scope". They do not give you an ASO appointment letter that the Commissioner will accept. They do not generate a DPIA that cites the DPL 2020's six lawful bases by article. And they do not give the firm's compliance team a defensible record of what was decided, by whom, and why — which is the single thing the supervisor will ask for first.
What we built instead
regulation10.ae is the platform. It is a productised end-to-end Reg 10 readiness system, hosted in the UAE North region, designed around the actual artefacts a firm needs to hold in evidence: a structured AI System Register, per-system DPIAs, an ASO governance binder, a vendor and processor inventory, an incident and breach log keyed to Article 41 of the DPL, and a cross-border transfer ledger that maps DIFC SCCs to the systems that need them. It is opinionated about the workflow because the rule itself is opinionated about the outcome.
This site — regulation10.ae — is the front door. The signed-in product at app.regulation10.ae is where the platform actually runs. It exists for one reason: there is a window of about eighteen months during which DIFC entities, their non-DIFC parents with DIFC operations, and global firms with EU AI Act or OECD-aligned obligations need to stand up real, supervisable AI governance. We would rather they did it on something built for the regime than on a spreadsheet copied between MBAs at quarter-end.
What you should expect here
This blog will be small. We will write when we have something specific to say — a published Commissioner guidance note worth reading, a build decision that affects how the platform behaves, a Reg 10 interpretation we have stress-tested with counsel, an ICP archetype that maps to a meaningful share of the market. We will not write think-pieces about AI in general. There are enough of those.
If you are a DIFC entity in scope of Reg 10, a non-DIFC firm with DIFC-supervised operations, or a global firm aligning to the EU AI Act or NIST AI RMF and looking for a defensible base, the rest of this site is for you. The contact form goes to a human. We reply within one UAE business day.