How is AI in healthcare being regulated in the UAE?

Monday 11 May 2026

Shantanu Mukherjee
Founder, Ronin Legal, Dubai
shantanu@roninlegalconsulting.com

Varun Alase
Associate, Ronin Legal, Bengaluru East, Karnataka, India
varun@roninlegalconsulting.com

A growing field

For regulators, hospital groups, clinicians, and healthtech founders alike, artificial intelligence (AI) in healthcare has shifted from a niche compliance issue to a central regulatory concern.

This shift is particularly pronounced in the United Arab Emirates (UAE). The country has committed to global AI leadership by 2031,[1] while simultaneously operating one of the most tightly regulated healthcare environments in the region. As a result, the healthcare sector has become a real-world testing ground for translating high-level AI policy ambitions into concrete, enforceable legal obligations.

Market momentum only adds to the urgency. Recent research[2] projects that the UAE’s AI-in-healthcare market will reach approximately US$137.9m by 2030, driven by public-private partnerships, hospital digitisation initiatives, and a growing ecosystem of healthtech startups.

Against this backdrop, understanding how AI systems are classified, regulated, and governed under UAE law is essential for any organisation developing, deploying, or relying on AI-enabled healthcare solutions in the country.

Regulatory foundation

The UAE's approach to healthcare AI regulation operates through jurisdictional layers, with the federal regulations setting overarching principles while individual emirates develop their own detailed frameworks. The broad structure is as follows.

Federal Level:

  • Ministry of Health and Prevention (MOHAP);
  • Emirates Health Services Establishment.

Emirate Level:

  • Dubai Health Authority (DHA):
    • Dubai Healthcare City Authority;
    • Dubai Biotechnology and Research Park;
    • Dubai Academic Health Corporation (Dubai Health);
  • Abu Dhabi Department of Health (DOH):
    • Abu Dhabi Health Services Company (SEHA).

Regulatory framework

The MOHAP governs the regulation of Software as a Medical Device (SaMD) through registration guidelines that align closely with European Union Medical Device Rules and Food and Drug Administration (FDA) standards.

Medical devices, explicitly defined to include software, must undergo a classification-based registration process that determines the stringency of approval requirements. Higher-risk devices require more extensive documentation of safety, efficacy, and compliance with international standards such as ISO 13485 and ISO 14971.

The primary legislation governing SaMD is Federal Decree-Law No (38) of 2024 concerning Medical Products, the Pharmacy Profession, and Pharmaceutical Establishments. This comprehensive law, which became effective from 2 January 2025, establishes a centralised system for the approval, circulation, and oversight of medical products, including medical software.

Federal Law No (2) of 2019[3] Concerning the Use of Information and Communication Technology in Health Fields establishes foundational data protection requirements, mandating that health data remain confidential, valid, credible, and available to authorised parties.

This law applies across all UAE jurisdictions, including free zones, creating a unified baseline for health information management. Importantly, it mandates data retention (medical records must be kept for a minimum of 25 years) and local storage and processing of health data (unless the data falls under any of the exceptions mentioned in Ministerial Decision No (51) of 2021).

The Personal Data Protection Law (Federal Decree-Law No (45) of 2021)[4] provides comprehensive regulations for processing personal data, with health data explicitly classified as sensitive personal data requiring stricter protection measures.

The cybersecurity dimension receives particular attention through Federal Decree-Law No (34) of 2021 on Countering Rumours and Cybercrimes,[5] which establishes severe penalties for health data breaches. Unauthorised use or dissemination of medical records triggers imprisonment of at least six months and fines ranging from AED 20,000 to AED 100,000, with penalties doubling for health-related violations.

Apart from these federal regulations, free zones in the UAE may have their own laws that apply within their zones. For example, the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) have Data Protection Law No 5 of 2020 and Data Protection Regulations 2021 respectively. Accordingly, entities operating in DIFC or ADGM must comply with both the free zone’s data protection rules and federal health-sector obligations under Federal Law No 2 of 2019.

DHA and DOH policies

Though characterised as policies, the AI frameworks established by Abu Dhabi's Department of Health (DOH) and Dubai Health Authority (DHA) effectively function as binding regulations that apply to healthcare sector stakeholders and establish clear compliance pathways.

DOH policy

  • Published in 2018, the DOH's Policy on Use of Artificial Intelligence in the Healthcare Sector became the region's first emirate-level AI governance framework.[6] The policy's scope extends to DOH licensed healthcare providers, pharmaceutical manufacturers, healthcare insurers, licensed healthcare researchers, and ‘every national and locally based international end-user that utilises Abu Dhabi based population or patient clinical and non-clinical data in AI endeavours’.
  • The policy establishes six guiding principles: transparency, user assistance, safety and security, privacy, ethics, and accountability. These principles translate into concrete operational requirements. Healthcare entities must establish clear governance structures for AI use, conduct regular audits of AI functionality with reporting obligations to DOH, and provide clear guidelines on access to and sharing of any patient information to protect confidentiality and ownership of such information.
  • The DOH policy also requires continuous improvement cycles based on accuracy feedback from end-users, with feedback directed to the Drug and Medical Products Regulation Department, DOH, and the manufacturing company. Regular technology audits by providers using relevant methodologies ensure ongoing compliance.
  • The policy requires compliance with its terms and the DOH explicitly retains authority to impose sanctions for policy breaches. The DOH monitors compliance through a dual mechanism: proactive audits and inspections, and reactive reporting from end-users obligated to report incidents, deficiencies, or issues affecting patient safety.

DHA policy

  • Launched in August 2021, the DHA's Policy for Use of Artificial Intelligence in the Healthcare in the Emirate of Dubai[7] applies to all AI applications used by healthcare facilities and professionals, pharmaceutical manufacturers, health insurers, public health centres, and researchers within the DHA’s jurisdiction.
  • The DHA policy has similar core principles: ethics, accountability, transparency, safety and security, and privacy, but operationalises them with greater specificity. All AI solutions must be free of bias and benefit society, conforming with international, UAE federal, and Dubai laws regarding human values, patient autonomy, rights, and acceptable ethics.
  • The DHA policy delves deeper into accountability and transparency requirements than the DOH policy, however. On accountability, it mentions that outcomes of the AI solution in healthcare must be agreed between designer, researcher, developer, operators, and end users. Furthermore, it mandates sufficient transparency in AI systems, obligating developers to build systems whose failures can be diagnosed and controlled, as well as a slew of other disclosure requirements. Users must also have rights to obtain clear and meaningful explanations of the AI system's role in healthcare, the data being used, etc. This aligns with international standards in the EU AI Act, which similarly requires explainability and higher controls for high-risk systems.
  • All stakeholders are required to comply with the policy’s terms. Enforcement mechanisms operate through the DHA Health Regulation Sector, which monitors compliance with the policy and has the power to impose sanctions for policy breaches.

Regulatory environment

While both policies share foundational AI governance principles, the DHA distinguishes itself through more granular treatment of critical areas. That said, Abu Dhabi is also keeping up with the times by introducing standards like its Responsible AI Standard[8] (2025), which introduces updated technical and data privacy conditions for healthcare AI, as well as fleshed-out transparency and explainability requirements.

A particularly distinctive requirement of both policies is ‘graceful degradation’ mechanisms – automatic alerts integrated with the ability to cease operation gradually in the event of hardware or software malfunction.

More importantly, the DOH and DHA policies both expressly clarify that they are not standalone documents but are embedded within the UAE’s broader regulatory ecosystem. Both require compliance with all applicable federal and emirate laws relating to healthcare, data protection, and digital infrastructure.

This includes the requirements for health information exchange interoperability (Malaffi in Abu Dhabi and NABIDH in Dubai). Both regulators also link compliance to national cybersecurity and information security standards, recognising that AI safety depends as much on secure infrastructure as on sound algorithms.

Conclusion

Globally, healthcare AI is increasingly regulated as both a medical technology and a high‑risk digital system, with regimes like the EU AI Act and the United States FDA guidance layering AI‑specific obligations on top of traditional medical device and safety rules.

The UAE is following a similar trajectory, using federal health, data protection, and cybersecurity laws, together with emirate‑level AI policies, to create a coherent framework that enables AI deployment while mitigating its risks.

For anyone building, procuring, or deploying AI in UAE healthcare, this means treating governance as a design requirement: embedding transparency, explainability, security, and human oversight into the lifecycle of each system to avoid regulatory friction, safeguard patients, and preserve long‑term market access. Fail a single element and one risks market exclusion, enforcement action, and reputational damage.

Notes

[1] See https://staticcdn.mbzuai.ac.ae/mbzuaiwpprd01/2022/07/UAE-National-Strategy-for-Artificial-Intelligence-2031.pdf.

[2] See UAE AI in Healthcare Market Size & Outlook, 2026-2033 available at: www.grandviewresearch.com/horizon/outlook/ai-in-healthcare-market/uae.

[3] See https://uaelegislation.gov.ae/en/legislations/1209/download.

[4] See Federal Decree by Law Concerning the Protection of Personal Data at https://uaelegislation.gov.ae/en/legislations/1972.

[5] See https://uaelegislation.gov.ae/en/legislations/1526/download.

[6] DOH, ‘Policy on Use of Artificial Intelligence (AI) in the Healthcare Sector of the Emirate of Abu Dhabi’ (30 April 2018).

[7] See https://services.dha.gov.ae/sheryan/wps/portal/home/circular-details?circularRefNo=CIR-2021-00000141&isPublicCircular=1&fromHome=true.

[8] DOH, ‘Responsible Artificial Intelligence (AI) Standard’ (2025).