The legislative reform phase in the UAE now appears largely complete, with regulators increasingly focused on implementation, supervisory engagement and accountability rather than further rulemaking. As a result, the key question for the market is no longer what the regulatory framework requires in principle, but how these developments are reshaping governance standards, operational models and risk management in practice.
New Insurance Law
Federal Decree-Law No. (48) of 2023 (the new Insurance Law), in force since 30 November 2023, codified the transfer of insurance supervision to the Central Bank of the UAE (CBUAE) and established a consolidated regime for onshore insurers and insurance-related professions. While much of its structure mirrors the previous framework, several provisions signal enhanced supervisory oversight reflecting a more active, not reactive, regulatory approach.
In an expansion of the CBUAE’s supervisory and enforcement toolkit, the regulator now holds broad powers to inspect insurers’ financial soundness and compliance and oversee “Key Employees” such as the CEO. A wide range of sanctions is at its disposal, including financial penalties and restrictions on entering into new insurance contracts. These powers extend to Insurance Related Professionals, which expressly include claims handlers for the first time. The framework also provides the CBUAE with the authority to mandate compulsory insurance and the power to set Emiratisation targets for the insurance sector.
At the same time, a degree of flexibility has been introduced into the licensing framework by permitting non-admitted insurance where coverage is unavailable locally, subject to controls determined by the CBUAE’s Board. The replacement of the former Insurance Dispute Settlement Committee with the Banking and Insurance Dispute Resolution Unit (BIDRU) represents a deliberate recalibration of the dispute framework.
Taken together, the changes introduced by the new Insurance Law combine strengthened enforcement authority, dispute reform and regulatory adaptability. Its systemic importance lies not only in its text, but in how supervisory engagement evolves under its framework.
Brokers’ regulation
Effective 15 February 2025, the Insurance Brokers’ Regulation (the “Regulation”) introduced a structural shift in the regulation of brokerage activity.
The prohibition on brokers collecting premiums or claims payments removes a long-standing intermediary function: premiums must now flow directly between insureds and insurers, and commission must be paid by insurers within defined timelines. Whilst enhancing transparency in premium handling, the changes reallocate credit exposure to insurers and affect broker liquidity.
The Regulation also formalises governance expectations through the three lines of defence model. Brokers must implement structured compliance oversight and documented risk management. This represents a shift from relationship-led brokerage models toward more formalised compliance frameworks. For larger international brokers, alignment may be incremental, while for smaller or locally established firms, the organisational impact may be more significant.
Outsourcing rules have tightened, requiring prior CBUAE non-objection for material activities and prohibiting outsourcing outside the UAE. Detailed risk assessments and contractual safeguards must accompany non-objection requests. The policy intent is clear: greater supervisory visibility and localisation of key control functions. While proportionality is recognised, supervisory discretion and rising compliance demands may affect market structure over time.
New Federal Law, Executive Regulations, DIFC & DFSA Rulebook
The Federal Decree-Law No. (10) of 2025 on Anti Money Laundering (AML), Counter Terrorism Financing (CTF) and Counter Proliferation Financing (CPF) (the new AML/CTF/CPF Law), effective February 2025; its Executive Regulations (Cabinet Resolution No. (134) of 2025), in force since 14 October 2025; and amendments to the Dubai Financial Services Authority (DFSA) AML Rulebook, effective March 2026, confirm cross-jurisdictional alignment, including within the DIFC.
Together, these measures fundamentally strengthen the existing framework, enhance supervisory authority and increase governance accountability for regulated entities. The new regime aligns the UAE with Financial Action Task Force (FATF) standards and reinforces its post–grey list compliance commitments.
The new AML/CTF/CPF Law incorporates proliferation financing as a third offence alongside money laundering and terrorist financing, widening the AML regulatory perimeter. The Executive Regulations operationalise the legislative changes. Firms must maintain clearly articulated risk appetites and governance expectations for risk identification, risk assessment (enterprise and customer) and risk mitigation. These must be incorporated into policies, procedures and controls approved by senior management and proportionate to the nature and scale of the business. Enhanced customer due diligence requirements set out in the DFSA Rulebook amendments must be incorporated into firms’ AML compliance frameworks.
The Federal reforms also broaden the definition of predicate offences to include direct and indirect tax evasion, including conduct occurring outside the UAE where dual criminality applies. The definition of “proceeds” now extends to indirect and derivative benefits from criminal property, and liability may arise where a person “knew or should have known” of the illicit origin of funds based on factual circumstances.
Crucially, the reforms increase personal liability exposure for managers. Where money laundering, terrorist financing, proliferation financing or related offences are committed by or on behalf of a legal entity, both the entity and the individuals responsible for its management may incur criminal liability where the offence occurred with their knowledge or as a result of a breach of their duties. Documented and defensible risk assessments are likely to be key in mitigating personal liability exposure.
Financial free zones, jurisdictional alignment and expanding accountability
Federal Decree-Law No. (6) of 2025 Regarding the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business reinforces the CBUAE’s supervisory authority across regulated financial and insurance activities. Its introduction has prompted discussion not about substance, but about territorial application within the UAE’s regulatory structure, particularly the interaction between the federal licensing framework and the financial free zones.
For insurance groups operating across mainland and financial free zone entities, questions of operational alignment may affect licensing expectations, governance standards and supervisory engagement.
In parallel, developments within financial free zones reinforce a broader shift toward stronger governance and individual accountability. In the DIFC, the DFSA’s thematic reviews and the Feedback Statement on Consultation Paper 165 signal expanded individual accountability, including more granular fit and proper assessments and oversight of individuals holding functions across multiple entities. The ADGM has similarly intensified supervisory focus on AML/CTF/CPF governance and senior management oversight, with regulators increasingly expecting governance frameworks to demonstrate clear reporting lines, documented oversight and defensible accountability structures.
Stronger governance is also evidenced in the data protection sphere. Enforcement of Regulation 10 of the DIFC Data Protection Regulations began on 1 January 2026. It strengthens transparency, governance and accountability in the use of AI systems processing personal data as part of activities carried out by an organisation in the DIFC or otherwise subject to DIFC data protection law. Requirements have been introduced for organisations that develop, deploy or operate artificial intelligence systems, either autonomous or semi-autonomous, which may cover underwriting, fraud detection, onboarding, customer analytics and claims assessment.
Specifically, Regulation 10 establishes a governance framework requiring firms to provide clear notice where AI is used and to maintain an internal register documenting the purpose, providers and personal data processed by such systems. Additional safeguards apply to high-risk processing, including automated decision-making with significant effects on individuals. In such cases, certification from a DIFC-accredited body may be required and firms must appoint an Autonomous Systems Officer to oversee compliance.
Conclusion
The new Insurance Law, the Brokers’ Regulation and the reinforced AML/CTF/CPF Federal framework collectively signal a structural shift in the UAE insurance regulatory landscape. The reform phase is giving way to supervisory implementation and governance accountability. Enforcement powers have expanded, intermediary mechanics have been restructured, and financial crime exposure has widened. Across mainland and financial free zone jurisdictions, supervisory expectations are converging.
For insurers, reinsurers and intermediaries, the emphasis is now on demonstrable control effectiveness, consistent risk assessment and active board and senior management oversight. The market’s next phase should be defined by execution rather than further legislative change.
Mr Johnson John is CEO of Callidus while Ms Jo Marshall is Associate Director.