The EU failed to reach agreement on AI Act amendments as the August 'high risk' AI deadline loomed, and Anthropic's Mythos sparked cyber security warnings after claims it can pinpoint and exploit as yet undiscovered, "zero-day", software vulnerabilities – our briefing on what it means for your business here. Our Tech Group Chair Jonathan Kewley spoke about Mythos and why boards must rapidly reshape to become match fit for AI  on CBNC's Squawk Box Europe live on 21 April.

April was another busy month – join us for this latest roundup of tech policy news from around the world.

Regulators moved to address specific applications like "anthropomorphic interaction" in China and "agentic AI" in the UAE and UK, and Dubai set out its ambition to become the world's first AI-native financial centre.

Elsewhere, cyber policy saw significant activity globally, but with a clear thread running through much of it: the growing role of AI in amplifying cyber threats. Singapore and the UK both issued guidance flagging that AI is accelerating vulnerability discovery and lowering the barriers to attack, a signal increasingly reflected in regulatory thinking worldwide. Beyond the AI-cyber nexus, Mozambique passed dedicated cybersecurity and cybercrime legislation, Vietnam ratified the UN Hanoi Convention, Nigeria warned of escalating threats to critical infrastructure, and Japan publishing a national cybersecurity workforce framework.

April also saw a steady flow of data protection developments, from EDPB opinions on Europrivacy certification criteria, to Kenya's draft sectoral guidance, Morocco's DataTika compliance programme, and China's simplified compliance rules for small-scale processors. The UK Court of Appeal also used a ruling to clarify that consent under data protection law must be assessed objectively, not by reference to a data subject's personal vulnerabilities.

Against this backdrop, we have published three new resources to help businesses and leaders understand what these developments mean in practice, and what to do next.

Our Artificial Intelligence in 2026: Our Top Ten Trends to Watch briefing examines the transition from aspirational governance to the operational reality of managing AI risk at scale—covering digital sovereignty, the enforcement phase of the EU AI Act, emerging US legislation, escalating privacy litigation and the growing liability gaps created by autonomous, agentic systems. Complementing this, What Mythos means for your business: action to take now provides boards and senior leaders with a practical checklist for responding to AI‑enabled cyber risk, at a moment when AI is dramatically amplifying both defensive capability and the sophistication of attackers. Finally, our refreshed Global Cybersecurity Handbook offers a comprehensive, jurisdiction‑by‑jurisdiction overview of cybersecurity and operational resilience regimes, reflecting sustained enforcement activity and an increasingly dense web of overlapping regulatory obligations.

THE REGIONS IN DETAIL

APAC (Excluding China)

Singapore

CSA releases guidance on cybersecurity threats posed by advanced AI models

On 15 April 2026, the Cyber Security Agency (CSA) of Singapore published an advisory addressing cybersecurity risks associated with advanced AI models. The CSA noted that these models are capable of examining complex codebases, identifying software vulnerabilities and supporting vulnerability management processes, capabilities that could be exploited by malicious actors to increase the speed and effectiveness of cyber-attacks. The CSA recommended immediate actions including patching critical vulnerabilities, enabling multi-factor authentication, securing development environments and strengthening cloud security settings. Over the longer term, organisations were advised to minimise attack surfaces, implement network segmentation, reinforce supply chain security and adopt AI-driven tools to detect vulnerabilities.

CSA issues guidance on defending websites against cyber-attacks

On 6 April 2026, the Cyber Security Agency (CSA) of Singapore released recommendations for protecting websites from cyber-attacks. The advice included updating software, changing default passwords, enabling two-factor authentication, validating user input, implementing reCAPTCHA, installing firewalls and monitoring services. For data security, the CSA recommended regular backups, encryption, application of the least-privilege principle and strict file permissions. In the event of an incident, organisations were advised to display a maintenance page, take the server offline, restore from backup, investigate, remove threats and reinforce security. Cyber-attacks were to be reported to SingCERT.

Korea

KCC introduces certification scheme for bulk text messaging providers

On 10 April 2026, the Korea Communications Commission (KCC) launched the Transmission Qualification Certification System, requiring businesses that send bulk text messages to implement measures to prevent illegal spam. The certification covered five areas and 16 criteria, including documentation, user management and systems designed to prevent misuse. Certified providers were required to comply with the standards and were subject to annual inspections, with non-compliance potentially resulting in the loss of certification. The revised enforcement decree was expected to take effect following government approval, and information sessions for businesses were planned.

Japan

NCO publishes Cybersecurity Human Resources Framework 2026

On 3 April 2026, the Cabinet Secretariat’s National Cyber Coordination Office (NCO) published the “Cybersecurity Human Resources Framework 2026”. The framework set out a structure for defining cybersecurity roles, tasks, knowledge and skills across Japan’s public and private sectors. It identified 13 distinct roles, each with specified responsibilities and four levels of proficiency, to support recruitment, training, education and career development. The framework was intended to be adaptable for organisations of different sizes and is aligned with domestic and international standards.

Japan’s Cabinet approves bill amending Act on the Protection of Personal Information

On 7 April 2026, Japan’s Cabinet approved a bill amending the Act on the Protection of Personal Information to better balance individual rights with data utility. While the Bill significantly relaxes consent requirements for specific purposes—such as AI development and statistical analysis—it simultaneously introduces stricter oversight in other areas. Consent is no longer mandatory where individual interests remain unharmed or when data use is essential for public health and safety. However, the bill offsets this flexibility by mandating notification for facial feature data, banning certain opt-out third-party disclosures, and imposing more stringent management obligations on data contractors. To ensure compliance, the legislation further enhances enforcement through corrective orders, penalty charges, and robust sanctions.

Vietnam

General Secretary and President to Lam ratifies Convention on Cybercrime

On 8 April 2026, Vietnam ratified the United Nations Convention on Cybercrime, known as the Hanoi Convention. The ratification underscored Vietnam’s commitment to international legal standards and strengthened its ability to tackle cybercrime. The Convention set out cybercrime offences, jurisdiction, investigative methods and international cooperation mechanisms. Ratification was expected to strengthen Vietnam’s legal framework, enhance cybersecurity capacity and support international collaboration.

India

India consults on draft amendments to the 2021 IT Rules

On 30 March 2026, India’s Ministry of Electronics and Information Technology (MeitY) began a public consultation on proposed amendments to the 2021 IT Rules, aimed at strengthening compliance and regulatory oversight of digital content. The proposed amendments clarified data retention requirements and intermediary responsibilities, extended certain provisions to non-publisher users and broadened the Inter-Departmental Committee’s authority.  Comments were requested by 14th April 2026.

Indonesia

Indonesia Issues Social Media Governance Guidelines for Banks

On 6 April 2026, the Indonesian Financial Services Authority (OJK) released new guidelines aimed at strengthening digital governance in banks’ use of social media. The guidelines addressed governance, risk management and compliance, including crisis communications measures such as stress testing. They also required transparency in partnerships with financial influencers and emphasised real-time monitoring of public sentiment.

China

Chinese authorities release Measures on the Administration of Cybersecurity Labels

On 2 April 2026, the Cyberspace Administration of China, together with the Ministry of Industry and Information Technology and the Ministry of Public Security, issued the Measures on the Administration of Cybersecurity Labels. The measures introduce a voluntary cybersecurity labeling system for designated internet-connected products, setting out requirements on testing, labeling, filing, and supervision, to enhance product cybersecurity transparency. The measures take effect on 1 July 2026.

Cyberspace Administration of China seek public comments on draft Provisions on Simplified Measures for Personal Information Protection by Small-Scale Personal Information Processors

On 3 April 2026, the Cyberspace Administration of China released the Provisions on Simplified Measures for Personal Information Protection by Small-Scale Personal Information Processors (Consultation Draft) for public comment. The draft applies to small-scale personal information processors in the PRC and introduces simplified compliance requirements to reduce compliance burdens while supporting innovation by small and micro-sized enterprises. Comments are requested by 3 May 2026.

Cyberspace Administration of China seek public comments on draft Measures for the Administration of Digital Virtual Human Information Services

On 3 April 2026, the Cyberspace Administration of China released the Measures for the Administration of Digital Virtual Human Information Services (Consultation Draft) for public comment. The draft applies to digital virtual human information service providers in the PRC and establishes regulatory requirements on personal information and likeness protection, content compliance, labeling, and data security. Comments are requested by 6 May 2026.

Chinese authorities issue Interim Measures on the Administration of Artificial Intelligence Anthropomorphic Interaction Services

On 10 April 2026, the Cyberspace Administration of China and four other authorities jointly issued the Interim Measures on the Administration of Artificial Intelligence Anthropomorphic Interaction Services. The measures apply to providers of AI-enabled anthropomorphic interaction services and set out requirements on content governance, algorithm and data management, user protection, and security assessment, with enhanced safeguards for minors and elderly users. Violations will be handled in accordance with applicable laws and administrative regulations. The Measures will take effect on 15 July 2026.

Africa

Kenya’s Office of the Data Protection Commissioner publishes draft data protection guidance

On 13 April 2026, Kenya’s Office of the Data Protection Commissioner (ODPC) published four draft guidance notes for public consultation aimed at supporting entities’ compliance with the Data Protection Act 2019. The draft guidance covered: (i) the transport sector, providing a practical interpretation of data protection obligations for transport operators; (ii) cross-border data transfers, setting out the legal, regulatory and operational requirements applicable when personal data is transferred outside Kenya; (iii) data protection policies, outlining the core elements of an organisational data protection policy and how processing practices should be communicated to stakeholders; and (iv) Data Protection Officers (DPOs), clarifying the appointment, roles, responsibilities and qualifications of DPOs. Stakeholders were invited to submit comments by 15 May 2026.

Morocco

Morocco’s National Commission for the Control of Personal Data Protection expands Data‑Tika compliance programme through sector agreements

On 14 April 2026, Morocco’s National Commission for the Control of Personal Data Protection (CNDP) announced that it had signed a series of cooperation agreements with professional federations to expand participation in its Data‑Tika compliance programme. The agreements were made with the National Tourism Confederation, the National Federation of the Hotel Industry, the National Federation of Travel Agencies of Morocco, the National Federation of Road Transport, and the National Federation of Tourist Transport. According to the CNDP, the Data‑Tika programme is intended to support controllers and processors in complying with Law No. 09‑08 on personal data protection by raising awareness of data protection obligations, promoting data governance best practices, facilitating sector‑specific engagement with the regulator, and strengthening customer trust. Under the agreements, the federations committed to encouraging member participation and cooperating on training and awareness‑raising initiatives, while the CNDP reiterated its approach of proactive regulatory support and progressive, sector‑tailored compliance.

Mozambique

Mozambique Assembly approves Cybersecurity Law and Cybercrime Law

On 16 April 2026, Mozambique’s Assembly of the Republic approved the Cybersecurity Law and the Cybercrime Law, as confirmed by the National Institute of Information and Communication Technologies (INTIC). The Cybersecurity Law creates a national legal framework aimed at protecting the State, public bodies and individuals through the security of information systems and critical infrastructure. It provides for measures to mitigate cyber risks, manage and coordinate responses to cyber incidents, and enhance the digital resilience of both public and private sector actors. The Cybercrime Law establishes the substantive and procedural criminal rules applicable to cyber‑related offences, including provisions on cybercrime investigations, the handling of electronic evidence and international cooperation in criminal proceedings. The law applies to all public and private natural and legal persons using electronic communications networks and information systems. INTIC has indicated that the enactment of these laws brings Mozambique into closer alignment with international cybersecurity and cybercrime standards and supports the creation of a secure, trustworthy digital environment to underpin the country’s digital economy.

Nigeria

Nigeria’s Data Protection Commission issues advisory on escalating data security threats

On 16 April 2026, Nigeria’s Data Protection Commission (NDPC) issued a regulatory advisory warning highlighting growing risk to the nation’s data security landscape. The NDPC noted that coordinated cyber threat actors have recently targeted financial systems and other critical digital infrastructure, giving rise to heightened concerns around the safeguarding of personal and sensitive data. In response, the NDPC reminded Ministries, Departments and Agencies, alongside other data controllers and processors, of their statutory duties to reinforce technical and organisational safeguards. These include appointing certified Data Protection Officers, adopting and implementing privacy policies, carrying out Data Privacy Impact Assessments, and putting effective security frameworks in place. The NDPC also stressed the importance of vulnerability assessments, encryption measures, continuous monitoring and resilience planning, cautioning that inadequate protections could result in regulatory enforcement and legal exposure under the Act.

South Africa

South Africa's National Assembly publishes the Draft Capital Flow Management Regulations

On 17 April 2026, South Africa’s National Treasury published the Draft Capital Flow Management Regulations, 2026 for public comment, changing the country’s exchange control framework. The draft regulations are intended to replace the Exchange Control Regulations, 1961 and signal a shift from a pre‑approval model towards a risk‑based regime focused on reporting, surveillance of high‑risk and high‑impact cross‑border transactions, and the prevention of illicit financial flows. Key proposed changes include the express bringing of crypto assets within the exchange control framework, the introduction of “authorised crypto asset service providers” to facilitate regulated crypto‑related capital flows, expanded foreign and crypto asset declaration requirements, significantly increased penalties and new administrative sanctions for regulated entities, and a modernised exemptions framework with transitional arrangements. These proposals indicate a move towards clearer, more comprehensive and enforcement‑driven regulation of crypto assets. Comments are request by 18 May 2026, and the Regulations will take effect on the date of publication in the Gazette.

Europe

European Union

EU Policymakers Fall Short of Agreeing on AI Act Amendments During Trilogue Negotiations 

The European Commission, Parliament and Council failed to reach a political agreement during the trilogue on the EU AI Act Omnibus which closed on Tuesday 28 April 2026. The original AI Act deadlines remain legally in force, and a follow-up trilogue has been scheduled for mid-May 2026. A press conference scheduled for Wednesday 29 April to provide a debrief on the negotiations was cancelled.

European Commission Preliminarily Finds Meta in Breach of DSA over Under‑13 Access

On 29 April 2026, the European Commission published preliminary findings that Meta (Facebook and Instagram) is in breach of the Digital Services Act (DSA) for failing to effectively prevent children under 13 from accessing its services, criticising its reliance on self‑declared age checks and reporting tools, as well as deficiencies in its risk assessment. The findings, which draw heavily on the 2025 DSA Guidelines on the protection of minors, signal a broader enforcement approach under which platforms may be expected to reflect evidence of child access in their DSA risk assessments and to demonstrate that minimum age rules are actively enforced in practice, even where services are not designed for children.

European Commission Moves Toward Interim Antitrust Measures Against Meta Over WhatsApp AI Access

On 15 April 2026, it was announced that the European Commission sent Meta a Supplementary Statement of Objections in its antitrust investigation concerning WhatsApp. The Commission considers that Meta’s revised policy, reinstating access for third‑party AI assistants subject to fees, has effects equivalent to the original exclusion. According to the Commission, this practice risks foreclosing competition in the fast‑growing market for AI assistants. As a result, the Commission intends to impose interim measures requiring Meta to restore access to WhatsApp under the conditions that applied before October 2025. These measures would apply until a final decision is adopted. The investigation has now been extended to cover the entire EEA, including Italy.

European Commission proposes measures requiring Google to share search engine data under the Digital Markets Act

On 16 April 2026, the European Commission sent preliminary findings to Google setting out proposed measures to specify how the company should comply with its data‑sharing obligations as a designated gatekeeper under the Digital Markets Act. The Commission proposes that Google grant third‑party search services access to certain datasets generated by Google Search, including ranking, query, click and view data, on fair, reasonable and non‑discriminatory terms. The stated objective is to enable eligible third parties to improve and optimise their search services and to compete more effectively with Google Search. The proposed measures address the categories of third parties that may qualify as data beneficiaries (including certain AI systems with search functionalities), the scope of the data to be shared, the technical means and frequency of access, safeguards to ensure the anonymisation of personal data, parameters for setting prices, and governance processes for requesting and granting access. The Commission has opened a public consultation to gather feedback from interested parties before finalising the measures.

European Commission Publishes First Monitoring Results Under Revised Code of Conduct on Illegal Hate Speech Online

On 16 April 2026, the European Commission published the first results of the monitoring exercise carried out under the revised Code of Conduct on countering illegal hate speech online+. The assessment combines an independent monitoring exercise and self‑assessment reports submitted by signatory platforms. The monitoring focused on how quickly platforms respond to notifications of allegedly illegal hate speech, with results showing that platforms largely maintained their commitment to review most notifications within 24 hours and to provide feedback. The exercise took place between early November and mid‑December 2025, with several companies receiving relevant notices. However, the evaluation also revealed a high number of contested or erroneous cases, attributed in part to incorrect reporting channels. The Commission highlights that this monitoring exercise is a core commitment under the revised Code, which is integrated into the Digital Services Act framework.

European Commission awards €180 million sovereign cloud tender to four European providers

On 17 April 2026, the European Commission announced the award of a framework tender worth up to €180 million for the provision of sovereign cloud services to EU institutions, bodies, offices and agencies. The tender, launched in October 2025, is intended to enable Union entities to procure cloud services meeting defined sovereignty requirements over a period of up to six years. The selection was based on compliance with the Commission’s Cloud Sovereignty Framework, which sets out criteria relating to legal, strategic and operational control, environmental considerations, security, and supply chain transparency, as well as conformity with EU law.

EDPB Adopts Two Opinions on Europrivacy Certification Criteria Under the GDPR

The EDPB has adopted Opinions 14/2026 and 15/2026 concerning the Europrivacy certification criteria, following the Article 64 GDPR consistency mechanism. In Opinion 14/2026, the Board assessed the certification criteria for their approval as a European Data Protection Seal under Article 42(5) GDPR, concluding that the scheme covers core GDPR requirements, including lawfulness, data protection principles, data subject rights, risk management, and technical and organisational measures. In Opinion 15/2026, the EDPB examined a separate set of Europrivacy criteria intended to be used as an appropriate safeguard for international data transfers under Articles 42 and 46 GDPR. Together, the two opinions clarify the conditions under which Europrivacy may function both as a general GDPR certification scheme and as a transfer tool, subject to compliance with the Board’s recommendations and final approval steps at EU level.

United Kingdom

UK Government Mandates ICO Code of Practice on AI and Automated Decision‑Making

On 21 April 2026, the Secretary of State enacted regulations requiring the Information Commissioner’s Office (ICO) to develop a statutory code of practice on the use of AI and automated decision‑making under the UK GDPR and the Data Protection Act 2018. The regulations, which take effect on 12 May 2026, mandate guidance on good practice for AI‑enabled processing and automated decision‑making subject to Article 22 UK GDPR and equivalent provisions in the Data Protection Act, including specific requirements relating to children’s personal data. The measures signal increased regulatory focus on compliance expectations for high‑risk AI and automated decision‑making systems.

ICO publishes updated guidance on use of storage and access technologies

The Information Commissioner's Office (ICO) has published finalised guidance on Storage and Access Technologies (SATs), clarifying how PECR and the UK GDPR apply to cookies, tracking pixels, and device fingerprinting following updates from the Data (Use and Access) Act. This new guidance aims to provide regulatory certainty and practical examples for online service providers while sitting separately from ongoing reviews of online advertising regulations. Alongside the guidance, the ICO reported that its direct enforcement actions have led to 99% of the UK’s top 1,000 websites meeting cookie banner compliance standards, though the regulator will continue further interventions to ensure a transparent tracking ecosystem that grants users meaningful control over their data.

NCSC Publishes Updated Guidance on Cross‑Domain Architecture

On 21 April 2026, the National Cyber Security Centre (NCSC) announced the publication of new guidance on cross‑domain architecture to support organisations operating systems with different levels of trust. The guidance responds to increasingly capable and persistent cyber threats, including risks to critical national infrastructure, and notes that developments in AI may further accelerate vulnerability discovery and exploitation. It sets out an updated end‑to‑end architectural approach based on zones of trust, trust boundaries and control points, and largely replaces the NCSC’s earlier cross‑domain security principles for new architectures, while existing principles will continue to be used for assurance in the medium term.

Ofcom Launches Online Safety Act Investigations

On 21 April 2026, Ofcom announced the launch of investigations under the Online Safety Act. The regulator cited evidence indicating the presence of child sexual abuse material (CSAM) on various platforms and raised concerns that teen‑focused chat services may lack adequate safeguards to mitigate children's exposure to grooming and other illegal activity. Ofcom is assessing whether the providers have failed to carry out appropriate risk assessments and implement effective mitigation measures. Alongside these investigations, Ofcom highlighted the impact of its enforcement work on file‑sharing services, signalling a more assertive approach to early enforcement under the Online Safety Act.

Ofcom Seeks Stakeholder Input on Transparency Reporting under the Online Safety Act

On 15 April 2026, Ofcom published a stakeholder engagement notice outlining its next steps on transparency reporting under the Online Safety Act 2023. Building on its Final Transparency Guidance issued in July 2025, the regulator confirmed that it is developing formal transparency notices that will require service providers to disclose information about their online safety systems and processes. Ofcom is seeking views from civil society groups, researchers and the wider public on the scope of information to be covered, which may include content moderation practices, risk assessment frameworks and the handling of illegal and harmful content. Stakeholder feedback will inform the design of the notices, with draft transparency notices expected to be issued to providers of categorised services following publication of the Register of Categorised Services, anticipated in summer 2026. Responses are invited by 30 April 2026.

FCA Announces Second Cohort for AI Live Testing Initiative

On 21 April 2026, the Financial Conduct Authority (FCA) announced the second cohort of its AI Live Testing initiative, selecting eight firms – including Barclays, Experian, Lloyds Banking Group (Scottish Widows) and UBS – to test a range of AI applications in live environments. The cohort will explore use cases such as anti‑money laundering detection, credit scoring insights and investment support, including the deployment of agentic AI and neurosymbolic models. Working in partnership with technical specialist Advai, the FCA will support participating firms in developing approaches to risk management and live monitoring, with testing scheduled to conclude by the end of 2026. The FCA has also committed to publishing a Good and Poor Practice report later in 2026 and a final evaluation report in early 2027, aimed at informing the safe and responsible adoption of AI across UK financial markets.

Court of Appeal Clarifies Objective Test for Data Protection Consent

On 21 April 2026, in RTM v Bonne Terre Ltd [2026] EWCA Civ 488, the Court of Appeal allowed an appeal and clarified that consent under UK data protection law must be assessed using an objective test, rather than by reference to a data subject’s subjective state of mind. The Court held that the relevant question is whether a data subject’s identifiable communications or clear affirmative actions amount to a freely given, specific, informed and unambiguous indication of consent. It rejected the High Court’s focus on personal vulnerabilities, such as gambling addiction, and confirmed that data controllers are not required to establish an individual’s internal decision‑making capacity. The Court also found that the High Court’s reliance on a “subjective consent” analysis was procedurally unfair, as it had not been advanced by the respondent, and concluded that consent had been validly given on the facts when assessed objectively.

UK Department for Science, Innovation & Technology (DSIT) Warns Businesses of Rising Cyber Risks from Frontier AI Models

On 15 April 2026, the DSIT published an open letter warning businesses of increasing cybersecurity risks posed by frontier AI models. Drawing on testing by the AI Security Institute (AISI), DSIT highlighted that newer models are significantly more capable of supporting cyber‑offensive activity, lowering barriers to cybercrime and accelerating the speed and scale of attacks, with AI cyber capabilities now assessed as doubling every four months. The letter cautions that organisations of all sizes and sectors are potential targets and calls on businesses to strengthen cyber resilience, including by treating cybersecurity as a board‑level issue, adopting Cyber Essentials, and using National Cyber Security Centre (NCSC) tools and services such as the Early Warning Service.

Americas

The United States of America

NIST Revises Foundational Cybersecurity Guidance for IoT Product Manufacturers

On April 20, 2026, the National Institute of Standards and Technology (NIST) issued a revised version of Foundational Cybersecurity Activities for IoT Product Manufacturers. The publication describes recommended cybersecurity activities for manufacturers developing Internet of Things (IoT) products, covering both pre‑market and post‑market phases of the product lifecycle. Revision 1 expands discussion of IoT product scope and clarifies recommended approaches to customer communications, maintenance, support, and product end‑of‑life. The guidance outlines nine foundational activities intended to help manufacturers improve the securability of IoT products by providing appropriate technical and non‑technical cybersecurity capabilities and related information to customers.

California Legislature Proposes Study on AI’s Workforce Impact

On April 19, 2026, the California State Assembly advanced Assembly Bill 2545, which would establish the California Artificial Intelligence Worker Impact Data Assessment Project within the Employment Development Department. The initiative is designed to research the effects of artificial intelligence on California’s labor force, analyze job displacement trends across industries, and develop policy recommendations to support workers affected by AI-driven automation. The bill responds to concerns about job losses and potential tax revenue impacts, while also highlighting opportunities for workforce adaptation in sectors less susceptible to automation.

Middle East

UAE

CBUAE updates guidance for technology firms after regulation shift

 On 14 April 2026, the Central Bank of the UAE (CBUAE) issued clarifying guidance for technology firms following recent changes to the country’s financial regulatory framework. The guidance, published as a new FAQ, addresses uncertainty arising from Federal Decree‑Law No. 6 of 2025, which expanded the scope of regulation for banking and insurance activities and reflected a shift toward technology‑neutral oversight. CBUAE confirmed that the law does not create new regulated activities for standalone technology providers and that firms offering purely technical services to licensed financial institutions do not require authorisation unless they themselves conduct licensed financial activities. The clarification is intended to support regulatory certainty, consumer protection and innovation, particularly as financial services increasingly rely on digital, decentralised and Web3‑enabled delivery models.

G42, R/GA launch 'Alpha.G42.ai' interface

G42 and R/GA have launched Alpha.G42.ai, a interface that replaces traditional websites with an AI‑driven, conversational digital experience. Powered by integrated large language models, the platform dynamically generates and curates content in real time based on user intent, offering personalised, adaptive interactions and signalling a shift toward an “agentic web.”

Dubai

DIFC announces plans to become the world’s first AI Native financial centre

On 21 April 2026, the Dubai International Financial Centre (DIFC) announced plans to become the world’s first AI‑native financial centre, embedding artificial intelligence at the core of its legal, regulatory and operational framework. Rather than deploying AI on a pilot basis, DIFC intends to integrate it across regulation, business operations, talent development, ecosystem infrastructure and the district’s physical environment. The initiative builds on DIFC’s five‑year AI strategy launched in 2023, including data governance measures and the incorporation of AI into its Data Protection Law. DIFC also plans to establish ethics and governance frameworks addressing both human and AI‑driven activity. The move aims to position DIFC as a global benchmark for responsible AI adoption in financial services, supporting innovation, competitiveness and long‑term economic growth.

VARA Issues Detailed Guidance on Virtual Asset Issuance

On 9 April 2026, Dubai’s Virtual Assets Regulatory Authority (VARA) issued detailed guidance on the Virtual Asset Issuance Rulebook, providing interpretative clarity on the regulation of virtual asset issuances in the emirate. The guidance outlines how virtual assets should be classified, created, disclosed and distributed within a regulated framework and applies broadly to entities issuing virtual assets “in the course of a business”. It introduces a tiered classification system that determines applicable licensing, disclosure and compliance requirements, with stricter obligations for asset‑referenced and fiat‑linked virtual assets. A central focus is placed on pre‑issuance and issuance‑stage obligations, including mandatory whitepapers and risk disclosure statements that meet prescribed standards of transparency, completeness and accessibility. Overall, the guidance reflects VARA’s intent to embed regulatory oversight at the point of issuance to strengthen market integrity and investor protection in Dubai’s virtual asset ecosystem.

Dubai launches ‘Amer’ cybersecurity reporting service to combat online fraud

On 2 April 2026, Dubai’s General Directorate of Identity and Foreigners Affairs (GDRFA) launched a new cybersecurity incident reporting service through the Amer Contact Centre to help combat rising online fraud. The initiative enables residents to report suspected cyber incidents and suspicious digital activities, including fake accounts misusing official names, websites impersonating government entities, and fraudulent or misleading online transactions. Authorities urged the public to remain vigilant when receiving suspicious messages or engaging with unfamiliar websites and emphasised the importance of prompt reporting in preventing cybercrime. The service forms part of Dubai’s broader efforts to strengthen digital safety and protect the community, with GDRFA reaffirming that safeguarding users’ digital security remains a top priority and calling for public cooperation in addressing cyber threats.

Saudi Arabia

SDAIA opens public consultation on Responsible AI Policy

On 3 April 2026, the Saudi Data & Artificial Intelligence Authority (SDAIA) opened a public consultation on its draft Responsible Artificial Intelligence Policy, setting out a national framework for the development, deployment and use of AI systems in Saudi Arabia. The draft policy aims to balance AI innovation with responsible use by mitigating risks, enhancing preparedness for high‑impact harms, and clarifying roles and responsibilities across the AI lifecycle. It introduces seven ethical principles and a risk‑based classification system, ranging from prohibited critical‑risk systems to low‑risk uses. SDAIA would oversee a national registry for higher‑risk AI systems and impose enhanced governance, safety assessments and human‑oversight obligations on high‑risk deployments.

Key Dates on the Horizon

May 2026

• 3 May 2026
  Deadline for stakeholders to submit public comments to the Cyberspace Administration of China on the draft Provisions on Simplified Measures for Personal Information Protection by Small‑Scale Personal Information Processors. Consultation
• 6 May 2026
  Deadline for stakeholders to submit public comments to the Cyberspace Administration of China on the draft Measures for the Administration of Digital Virtual Human Information Services. Consultation
• 12 May 2026
  UK regulations requiring the ICO to develop a statutory code of practice on the use of AI and automated decision‑making under the UK GDPR and Data Protection Act 2018 take effect. The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulation 2026
• 15 May 2026
  Deadline for stakeholders to submit comments regarding the draft guidance notes on compliance with the Data Protection Act 2019 published by Kenya's Office of the Data Protection Commissioner (ODPC). Guidance Notes
• 18 May 2026
  Deadline for stakeholders to submit comments on South Africa's Draft Capital Flow Management Regulations. Consultation
• Mid‑May 2026 
  WhatsApp must comply with DSA VLOP obligations.  Designation

June 2026

• 1 June 2026
  Singapore–Japan Mutual Recognition of IoT Cybersecurity Labels Enters into Force.  MoC Link

July 2026

• 1 July 2026 
  DRC New Authorization Rules for Key Digital Services enforced. Article Link
• 1 July 2026
  China's Measures on the Administration of Cybersecurity Labels take effect. Article Link
• 15 July 2026
  China's Interim Measures on the Administration of Artificial Intelligence Anthropomorphic Interaction Services take effect. Article Link

August 2026

• 2 August 2026    
  • Providers of GPAI models that have been placed on the market / put into service before this date need to be compliant with the EU AI Act by this date.* EU AI Act
  • Transparency requirements for certain AI systems under Article 50 of the EU AI Act expected to enter into force, following the development of guidelines and a voluntary code of practice.* EU AI Act

January 2027

• 1 January 2027

 China’s mandatory standard on information erasure in electronic products takes effect. 

 More info

* Both these dates would be delayed/changed if proposals in the EU Digital Omnibus on AI are adopted.

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.