AI Governance · June 2026
The GCC Has Built a Governance Blueprint for AI in Healthcare
While the world debates how to regulate AI in healthcare, the UAE has already built a layered, enforceable framework — and every healthcare investor and operator in the GCC needs to understand it.
The Scale of What’s Coming
AI adoption in GCC healthcare is accelerating faster than most investors and operators realise. The UAE’s AI healthcare market alone is projected to reach US $137.9 million by 2030, and the country has set an ambitious target to become a global AI leader by 2031.
Across the region, governments are not just welcoming AI — they are actively mandating it. Robotic pharmacies, AI-powered diagnostics, clinical large language models, and metaverse-enabled consultations are no longer concepts. They are operational realities in hospitals across the UAE and Saudi Arabia today.
But with rapid adoption comes regulatory complexity. And in the GCC, that complexity is already codified into law.
A Four-Layer Regulatory Architecture
Unlike many global markets where AI governance remains at the guideline or voluntary framework stage, the UAE has constructed a mandatory, enforceable, four-layer compliance structure for AI in healthcare. Every investor, developer, and operator entering the GCC healthcare market must navigate all four layers simultaneously.
Layer 1 — Federal Laws: The Non-Negotiable Foundation
At the federal level, three key instruments form the compliance baseline:
- Federal Decree-Law No. 38 (2024) on Medical Products — establishes approval and oversight requirements for software as a medical device (SaMD). If your AI solution touches clinical decision-making, it is a medical device under UAE law.
- Federal Law No. 2 (2019) on ICT in Health — requires health data to remain confidential and mandates a 25-year data retention period. This has significant implications for how AI systems are architected, audited, and decommissioned.
- Personal Data Protection Law No. 45 (2021) — classifies health data as sensitive personal data, with the Cybercrimes Law (No. 34, 2021) imposing severe penalties for breaches.
These are not aspirational standards. They are enforceable legal obligations with real consequences for non-compliance.
Layer 2 — Abu Dhabi DOH: The Region’s First AI Framework
In 2018, Abu Dhabi’s Department of Health issued the first AI governance framework in the GCC — years ahead of most global regulators. The framework applies to healthcare providers, insurers, researchers, and pharmaceutical manufacturers operating in the emirate.
Key requirements include:
- Establishment of formal AI governance structures within organisations
- Regular AI audits with continuous improvement cycles based on accuracy feedback
- Clear guidance to patients on how AI is used in their care
- Adherence to principles of transparency, safety, privacy, ethics, and accountability
The DOH retains enforcement authority and can sanction violations — making this framework operationally significant, not merely advisory. In 2025, Abu Dhabi also introduced an updated Responsible AI Standard with enhanced technical and data-privacy requirements.
Layer 3 — Dubai DHA: The Highest Compliance Standard
The Dubai Health Authority issued its AI policy in 2021, building on the DOH framework but going considerably further in several critical areas.
The DHA policy requires that all AI solutions deployed in Dubai’s healthcare system must be:
- Bias-free — systems must be actively tested and demonstrated to be free of algorithmic bias
- Explainable — AI outcomes must be capable of being explained clearly to clinicians, patients, and regulators
- Designed for graceful degradation — systems must fail safely, with clinical processes able to continue without AI in the event of system failure
The DHA policy also mandates interoperability compliance with Malaffi (Abu Dhabi’s health information exchange) and NABIDH (Dubai’s equivalent platform) — meaning AI systems must integrate into the region’s existing health data infrastructure, not operate in isolation.
Layer 4 — Free Zone Rules: An Additional Obligation
For healthcare investors and operators with entities in Dubai’s financial free zones — the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) — a fourth compliance layer applies. Both free zones maintain their own data protection frameworks that stack on top of federal and emirate-level requirements.
This is a frequently overlooked compliance obligation. Investors who structure their GCC healthcare entities through free zones must ensure their AI governance programmes address all four layers simultaneously.
Six Principles That Run Through Every Layer
Across all four regulatory layers, six core principles are consistently required. These are not aspirational values — they are operational requirements that must be demonstrably implemented:
- Transparency — Clear documentation of how AI systems work and how they inform decisions
- Privacy — Robust data protection aligned with PDPL and emirate-level requirements
- Accountability — Defined governance structures with clear ownership of AI outcomes
- Bias-Free Design — Systematic testing and remediation of algorithmic bias
- Explainability — AI decisions must be interpretable to clinicians, patients and regulators
- Safe Failure — Systems must degrade gracefully so clinical care is never interrupted
What This Means for Healthcare Investors and Operators
The implications of this regulatory architecture are significant and often underestimated at the project planning stage:
AI governance cannot be retrofitted. The structural requirements — governance committees, audit cycles, data retention architectures, interoperability compliance — must be designed into healthcare AI projects from the beginning. Attempting to implement them post-deployment is exponentially more complex and expensive.
Compliance is a competitive advantage. Investors and operators who build AI governance into their projects from day one will move through regulatory approvals faster, face fewer authority delays, and earn greater institutional trust from health system partners. Those who treat governance as an afterthought will encounter delays that erode their investment thesis.
The framework will expand. Abu Dhabi’s 2025 Responsible AI Standard update signals that these frameworks are living documents. Investors need governance structures flexible enough to adapt as requirements evolve — not point-in-time compliance programmes.
The Alcura Advisory Perspective
At Alcura Advisory, AI governance is not a separate workstream — it is embedded into how we structure healthcare projects across the GCC from the outset.
Our approach integrates regulatory compliance, governance framework development, and operational readiness into a single programme — ensuring that AI adoption in our clients’ projects is not only technically sound but legally defensible, institutionally trusted, and built to last.
The GCC has built a governance blueprint for AI in healthcare. The question is whether your project is built to meet it.
About Alcura Advisory
Alcura Advisory is a specialist healthcare governance, compliance, and transformation advisory firm serving healthcare investors, developers, and operators across the GCC. Our philosophy — Enable. Empower. Exit Responsibly. — means we build lasting capability in the organisations we work with, not dependency on external support.
📩 [email protected]
🌐 www.Alcura-Advisory.com



Excellent thread