ARTICLE
28 May 2026

Navigating The New Governance Landscape In DIFC And ADGM

Eptalex Law Firm LLP

Contributor

Eptalex is a Swiss Verein law firm with offices across the UAE, Lebanon, KSA, Türkiye, and Italy, offering cross-border legal and tax services through 120+ professionals licensed in 15 jurisdictions and speaking 12 languages, with a focus on innovation, client service, and quality assurance.
Rita Abou Samra and Aishwarya More examine the latest 2025 compliance reforms introduced by DIFC and ADGM, highlighting key amendments to the DIFC Data Protection Law and ADGM's new auditor registration framework. The analysis explores expanded individual rights, broader application of data protection regulations, and the practical steps businesses must take to ensure compliance with these new governance requirements.
United Arab Emirates Corporate/Commercial Law

The financial free zones of Dubai and Abu Dhabi have each long offered businesses a credible, internationally respected legal and regulatory framework to operate from. That dynamic has driven both the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) to continuously refine their governance standards, aligning them with the most rigorous international benchmarks, and signaling to global investors, regulators, and counterparties that operating in these jurisdictions carries real legal substance.

Two significant regulatory developments in 2025 have raised the compliance bar for businesses operating in or through the DIFC and the ADGM. The DIFC has amended its Data Protection Law, introducing a direct private right of action for data subjects and enhanced enforcement mechanisms (A). The ADGM has enacted a revised and comprehensive framework governing the registration and conduct of auditors (B).

Both sets of reforms carry immediate and practical implications for businesses operating in or through these jurisdictions. This article examines each in turn, setting out what has changed, why it matters, and what steps businesses should now be taking in response.

A. Amendments to the Data Protection Law in DIFC

On 8th July 2025, DIFC Law No. 1 of 2025 amended the Data Protection Law No. 5 of 2020. The amendment introduced the following changes:

1. Introduction of the private right of action

A new Article 64A was introduced, under which individuals have the right to bring legal claims directly before the DIFC Courts where their data protection rights are violated. Prior to this amendment, although Article 64 of the original Law permitted data subjects to apply to the DIFC Courts for compensation, that right was subject to a mandatory pre-condition: the data subject was first required to lodge a complaint with the DIFC Commissioner, and court access was further contingent on the Commissioner either declining to take enforcement action or having taken action with which the data subject disagreed. These claims can include both financial loss and non-financial harm, for example, emotional distress.

2. Clarification on the scope of the law

Article 6 now explicitly applies to entities incorporated in the DIFC, even if their data processing occurs outside the DIFC. The amended Article 6(3) also captures controllers and processors that are not incorporated in the DIFC, where they process personal data in the DIFC as part of stable arrangements, whether directly or indirectly through third parties located in the DIFC.

3. Changes to the application of the data disclosure rules to public authorities

Under the pre-amendment position, controllers and processors bore responsibility for ensuring that public authorities requesting personal data complied with data subject rights. The amendment removes that obligation. Controllers and processors are now required to verify that the request received is lawful, proportionate, and necessary before making any disclosure.

4. Introduction of higher financial penalties

The DIFC has increased administrative fines for non-compliance:

  1. Failure to conduct and submit an annual assessment – A fine of up to USD 25,000 (twenty-five thousand US dollars).
  2. Failure to carry out the required Data Protection Impact Assessment (DPIA) – A fine of up to USD 50,000 (fifty thousand US dollars).
  3. Failure to meet the obligations for handling data disclosure requests from public authorities – A fine of up to USD 50,000 (fifty thousand US dollars).

Relevance of this amendment to businesses

Businesses should reassess their data protection practices, taking into consideration the liability exposure under the amended DIFC Data Protection Law, given the introduction of the private right of action and the amended provisions relating to the territorial scope of the Law and data disclosure obligations. In practical terms, businesses should consider the following steps:

  1. Reviewing and updating data processing agreements to reflect the extended territorial scope and any consequential changes to processing arrangements.
  2. Auditing current Data Protection Impact Assessment (DPIA) coverage to confirm that all high-risk processing activities are captured.
  3. Reviewing and strengthening internal procedures for handling data disclosure requests received from public authorities to ensure compliance with the lawfulness, proportionality, and necessity test now required under Article 28.
  4. Assessing and quantifying litigation exposure arising from the new private right of action, including reviewing the categories of individuals whose data is processed and the potential for direct claims.

B. Introduction of the Companies Regulations (Auditors) Rules 2025 (A) in the ADGM

On 28th October 2025, the ADGM introduced the “Companies Regulations (Auditors) Rules 2025 (A)”, which is the operative framework governing auditors. These rules repealed the earlier “Companies Regulations (Auditors) Rules 2025”, which were enacted on 7th January 2025. The objective of the new rules is to strengthen audit quality, enhance regulatory oversight, and align the ADGM’s audit standards with international standards, so that there is greater clarity for auditors and the companies conducting business operations in the ADGM.

Important provisions under the Companies Regulations (Auditors) Rules 2025 (A):

1. Registration framework for auditors and audit principals

The rules mandate that all audit firms and individuals who sign audit reports be formally registered with the registration authority. The authority maintains an electronic public register which sets out the details of the registered auditors, including the details of any additional permits that they hold. This electronic register allows businesses to verify whether an auditor is properly authorized to act in the ADGM.

2. Requirements of holding additional permits for higher-risk audits

The rules have introduced a permit-based approach for specific types of audit work. A registered auditor may carry out standard audits in the ADGM, but an additional permit is required to carry out audits of public companies and financial institutions. These additional permits reflect the higher regulatory standards that apply to such audits and also ensure that the appointed auditors for these entities have appropriate experience.

3. Strong focus on professional conduct and compliance

Registered auditors and audit principals must adhere to the established standards of integrity, competence, and independence. The rules require auditors to maintain professional indemnity insurance, maintain appropriate records, and continue to meet the qualification and experience requirements throughout their registration. Auditors must also notify the Registrar of material changes, such as any change in ownership or senior personnel, or any disciplinary matters, thus ensuring transparency.

4. Greater emphasis on audit quality and record keeping

The rules state how the audit should be conducted and documented. Auditors must retain audit working papers and supporting documents for the prescribed periods and ensure that the audit reports meet the expected standards. The Registrar is empowered to review the audit documents and assess compliance; this places audit quality and consistency at the center of this regulatory framework.

5. Supervisory and enforcement powers

The registration authority has broad powers to monitor compliance and take action as needed. This includes the ability to impose conditions, suspend or withdraw registrations or permits, and take enforcement action where auditors have failed to meet regulatory or professional standards. The rules also provide procedural safeguards, including notice and appeal mechanisms. This ensures that the regulatory action follows a structured and transparent process.

Relevance of these rules to businesses

For companies operating in the ADGM, these rules provide greater clarity and certainty around the audit practices. Businesses should ensure that their appointed auditors are properly registered and hold any required additional permits, particularly if their company entails a higher risk, such as being a public company or a financial institution. Overall, the rules reinforce ADGM’s position as a jurisdiction that prioritizes transparency, accountability, and international best practices in corporate regulation. Companies should note that the 2025 (A) Rules do not appear to contain published transitional or grandfathering provisions specifically addressing the status of auditors registered under the January 2025 Rules. Businesses with incumbent auditors should therefore seek written confirmation from their appointed auditors that they hold the required registration under the 2025 (A) Rules and, where applicable, the appropriate additional permits for audits of public companies or financial institutions. Companies requiring further information on the registration process or applicable timelines should contact the ADGM Registration Authority directly.

Conclusion

The two 2025 regulatory developments discussed above represent a material shift in the compliance and governance environment for businesses operating in or through DIFC and ADGM. On the DIFC side, the combined effect of the new private right of action and the extended territorial scope means that data protection is no longer solely a regulatory risk; it is now also a litigation risk, actionable directly by affected individuals. The heightened penalties reinforce the need for businesses to maintain robust DPIA processes and internal procedures for handling public authority data requests. On the ADGM side, the introduction of a structured registration and permit framework for auditors raises the bar for audit quality and independence. Boards and management of ADGM companies should confirm that their appointed auditors hold the requisite registration and, where their entity is a public company or financial institution, the applicable additional permit. Both sets of reforms reflect the continuing trajectory of DIFC and ADGM towards international regulatory standards and demonstrate an expectation that businesses operating in these zones will keep pace accordingly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
