Middle East Voice AI Regulations 2026: UAE, Saudi Arabia, Israel, and the GCC

Last updated on June 22, 2026

The Middle East is where Western voice-AI assumptions break. In the US a one-party recording is routine; across the Gulf, recording a call without every participant’s consent is a criminal offence punishable by jail, not a privacy fine. The “ship the data to our US cloud” reflex collides with hard data-localisation rules. The voiceprint feature you toggle on freely in Europe can require a regulator’s permit before processing in Oman or Egypt. And the EU’s “tell callers they are talking to AI” rule has only one black-letter equivalent in the whole region: a single Dubai free zone.

This guide maps the region for founders deploying voice agents: the UAE (three separate regimes in one country), Saudi Arabia (the largest and most actively enforced market), Israel (the most GDPR-aligned, with a recording twist), and the wider GCC plus Egypt and Jordan. It is the companion to the EU/EEA guide, the non-EU Europe guide, and the US founder’s guide.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Several penalty bands and effective dates below are drawn from law-firm summaries of laws published in Arabic; verify against official gazetted texts and local counsel before relying on exact figures, and note that several regimes only entered active enforcement in 2026.


How to read this guide: the four traps and the disclosure gap

There is no shared “floor” here the way the EU AI Act and GDPR cover Europe. Each country, and in the UAE each free zone, is its own regime. What unifies the region is a set of traps a US or EU founder underestimates:

  1. Recording is a crime, not a fine. Across the Gulf, recording without all-party consent triggers the penal or cybercrime code, with imprisonment and inadmissible recordings. Build an explicit consent gate into the call opening everywhere.
  2. Data localisation and transfer controls are real. Saudi Arabia restricts storing or transferring personal data abroad; the UAE mandates localisation for banking and health data; Oman and Egypt require regulator approval to transfer. The EU “standard contractual clauses and you are fine” reflex does not hold.
  3. A voiceprint is often a permit, not a checkbox. In Oman, Bahrain, Egypt, ADGM, and the Qatar free zone, processing biometric data needs advance regulator authorisation. The feature that powers voice authentication is a regulated activity to clear before launch.
  4. Deepfake consent and watermarking are becoming the norm. Saudi Arabia’s Deepfakes Guidelines already expect explicit consent for any cloned voice plus tamper-resistant watermarks.

The disclosure gap: no country here mandates an affirmative “you are speaking to an AI” disclosure in its general data law, except the DIFC free zone, whose Regulation 10 effectively requires it. The one other affirmative rule is sector-specific: Qatar’s central-bank AI Guideline expects financial firms to tell customers when they interact with an AI system. Everywhere else, transparency flows from general data-protection duties. And one functional requirement runs through the region: Arabic is not one language. Modern Standard Arabic, Gulf, Levantine, and Egyptian dialects, gender registers, and Sharia-compliance signalling in Islamic finance are operational necessities, not nice-to-haves.


The reference table

| Country | Data law + regulator | Recording consent | Voiceprint / biometric gate | Localisation / transfer |
|---|---|---|---|---|
| UAE (federal) | PDPL (Decree-Law 45/2021), UAE Data Office | All-party, criminal (Penal Code Art. 378 + Cybercrime Law) | Sensitive data; heightened rules pending regs | Banking and health localised; transfers need safeguards |
| UAE (DIFC) | DP Law No. 5/2020, Commissioner | All-party in practice | Special category; Regulation 10 AI duties | Adequacy or safeguards |
| UAE (ADGM) | DP Regulations 2021, Commissioner | All-party in practice | Special category, explicit consent | Adequacy or safeguards |
| Saudi Arabia | PDPL (M/19 2021), SDAIA / NDMO | All-party, criminal (Anti-Cyber Crime Law) | Sensitive; explicit consent + enhanced controls | Strong localisation; transfers need safeguards |
| Israel | PPL + Amendment 13, PPA | One-party (Wiretapping Law) | “Especially sensitive”; explicit consent | No hard localisation |
| Qatar | PDPPL 13/2016 + QFC regs | All-party, criminal (Penal Code Art. 333) | QFC sensitive; CDP prior permission | State permissive; QFC adequacy |
| Oman | PDPL (RD 6/2022), MTCIT | All-party, criminal | Sensitive; MTCIT permit required | Consent + adequate protection |
| Bahrain | PDPL 30/2018, PDPA | All-party, criminal | PDPA prior authorisation (Art. 15) | Cloud-friendly, no localisation |
| Kuwait | CITRA DPPR (telecom only) | All-party, criminal (Wiretap Law 9/2001) | Not specially named | Mostly liberalised since 2024 |
| Egypt | PDPL 151/2020, PDPC | Consent-based + telecom secrecy | Sensitive; PDPC licence | Adequacy + PDPC approval |
| Jordan | PDPL 24/2023, PDP Council | Consent-based + Penal Code Art. 384 | Sensitive (Art. 4) | No hard localisation |

United Arab Emirates

The UAE is three legal systems in one: the federal mainland, plus two financial free zones (DIFC and ADGM) with their own GDPR-grade laws. Which one applies depends on where your client is licensed, so jurisdiction selection is itself a compliance decision.

Federal mainland

Jurisdiction stack: the PDPL (Federal Decree-Law No. 45 of 2021), in force since 2 Jan 2022, regulated by the UAE Data Office. Personal data expressly includes a person’s voice and image. The catch: the PDPL’s Executive Regulations were still not published as of mid-2026, so the federal regime is on the books but lightly enforced, with the real action in the free zones and the criminal code.

Where it bites:

  • Recording is criminal and all-party. Penal Code Article 378 and the Cybercrime Law (Federal Decree-Law No. 34 of 2021, Article 44) criminalise recording or intercepting conversations without consent, with penalties of AED 150,000 to 500,000 and imprisonment. Get explicit, recorded consent at the top of every call.
  • Sector localisation. Banking data is subject to Central Bank localisation rules and health data to MOHAP localisation under the ICT Health Law, and the telecoms regulator (TDRA) adds data-classification and transfer restrictions in its own domain.

DIFC: the region’s only AI-specific rulebook

Jurisdiction stack: the DIFC Data Protection Law No. 5 of 2020, enforced by the Commissioner of Data Protection, with fines up to USD 100,000 per violation and (since July 2025 amendments) a direct right of action in the DIFC Courts.

Where it bites: DIFC Regulation 10 (enacted 1 Sept 2023) governs processing personal data through autonomous and semi-autonomous systems, which is to say AI, and is the closest thing in the region to a mandatory AI-disclosure rule. For voice agents it requires telling users at initial use that non-human automated processing is occurring, explaining the design principles and safeguards, and citing the external standards relied on. High-risk processing triggers DPIAs, certification, and Commissioner consultation. General certification guidance is landing in 2026.

ADGM

Jurisdiction stack: the Abu Dhabi Global Market Data Protection Regulations 2021, enforced by its own Commissioner. Biometric data used for identification is Special Category data requiring explicit consent, and the fine ceiling is high (reported up to around USD 28 million per offence).

The AI posture: the UAE has no standalone federal AI statute yet, but it is the regional AI leader: the National Strategy for AI 2031, the world’s first Minister of State for AI (2017), the non-binding UAE Charter for the Development and Use of AI (July 2024), and the Falcon model family (TII Abu Dhabi), including Falcon Arabic for in-jurisdiction, Arabic-native deployment. In November 2025 the UAE Cybersecurity Council issued public warnings on AI voice and appearance cloning, signalling regulatory direction.


Saudi Arabia

The largest market in the region and the most aggressively enforced, with the heaviest localisation rules.

Jurisdiction stack: the PDPL (Royal Decree M/19 of 2021, amended 2023), in force since 14 Sept 2023 with the compliance deadline passed (14 Sept 2024). Regulator: SDAIA, with the NDMO as its data arm. Unlike the UAE federal regime, Saudi Arabia’s framework is fully operational: the Implementing Regulations were published in September 2023, and the Data Transfer Regulations followed in 2024.

Where it bites:

  • Voiceprints are top-tier sensitive data. Voice recordings are explicitly personal data, and biometric voiceprints are sensitive data requiring explicit consent and enhanced controls; cross-border transfer relies on adequacy or approved safeguards plus a risk assessment.
  • Data localisation is the big trap. The PDPL and Transfer Regulations require sensitive personal data to stay in the Kingdom unless exempted, and restrict transfers abroad. The adequacy-country list SDAIA was meant to publish was still not out in 2026, so transfers lean on approved safeguards, explicit consent, and a mandatory risk assessment. The CST cloud framework keeps government data in-country.
  • Recording is criminal. Unauthorised recording is an offence under the Anti-Cyber Crime Law (2007): up to one year and SAR 500,000.
  • Enforcement is live. SDAIA’s committees issued 48 decisions in the first enforcement year (2025–2026), explicitly hitting marketing messages sent without prior consent. General violations draw fines up to SAR 5 million; unlawful disclosure of sensitive data with intent to harm reaches two years and SAR 3 million.

The AI posture: SDAIA has published AI Ethics Principles (2023), Generative AI Guidelines (2024, separate public and government editions), and Deepfakes Guidelines (2024). The Deepfakes Guidelines are the regional benchmark for voice cloning: they expect visible tamper-resistant watermarks, embedded digital watermarks, explicit consent before using anyone’s voice or likeness with auditable records, and consent-management to remove a likeness from training data. Finance adds SAMA’s strong-authentication mandates.


Israel

The most GDPR-aligned and AI-aware privacy regime in the region, with one counter-intuitive twist on recording.

Jurisdiction stack: the Protection of Privacy Law (1981), overhauled by Amendment 13, in force since 14 Aug 2025, enforced by the Privacy Protection Authority. Amendment 13 broadened “personal data,” created a category of “information of especially high sensitivity” covering biometric and genetic data, and mandated data protection officers. The Privacy Protection Authority has separately issued guidance on how the law applies to AI systems.

Where it bites:

  • Recording is one-party, the regional outlier. A participant may record a call they are part of without notifying the other party; the crime is recording a conversation you are not party to (the Wiretapping Law). This is more permissive than the Gulf, but Amendment 13’s consent and disclosure duties still apply, and a voiceprint is “especially sensitive” data needing explicit consent.
  • Penalties scale with turnover. Amendment 13 introduced fines reaching millions of shekels, capped at 5% of annual turnover for large entities.
  • Deepfakes. No dedicated statute yet, but regulators state that using a person’s face or voiceprint in a deepfake without explicit consent violates privacy law; Israel also has a standalone Biometric Database Law.

The AI posture: Israel’s “Responsible Innovation” policy (Dec 2023) is risk-based, sectoral, and non-binding, favouring soft regulation and international alignment over a horizontal AI act.


Qatar, Oman, and Egypt

  • Qatar. A dual regime: the state PDPPL (Law No. 13 of 2016), the first comprehensive GCC data law, regulated by the National Data Privacy Office within the NCSA, plus the stricter QFC Data Protection Regulations 2021 in the financial free zone. Recording is criminal under Penal Code Article 333 (up to two years and/or a fine). The QFC treats biometric data as sensitive and the state law requires prior CDP permission for special-nature data. Enforcement is now active: the QFC imposed a USD 150,000 fine in October 2024.
  • Oman. The PDPL (Royal Decree No. 6/2022) became fully enforceable on 5 Feb 2026, regulated by the MTCIT with Executive Regulations in place. Biometric data is sensitive under Article 5 and processing requires an MTCIT permit (a 45-day review where silence means rejection), a hard gate for voice authentication. Unlawful cross-border transfer carries the region’s steepest band, OMR 100,000 to 500,000, with 72-hour breach notification.
  • Egypt. The PDPL (Law No. 151 of 2020) sat dormant for years until its Executive Regulations issued in November 2025, with hard enforcement beginning 1 Nov 2026. Regulator: the PDPC. The new regime makes licences mandatory for processing sensitive data, cross-border transfers, and electronic direct marketing, the core of outbound voice. Biometric data is sensitive and needs explicit consent, and on some readings a PDPC licence; treat voiceprints conservatively.

Bahrain, Kuwait, and Jordan

  • Bahrain. The PDPL (Law No. 30 of 2018), regulated by the PDPA. Recording is all-party and criminal. Biometric processing needs PDPA prior authorisation under Article 15. Bahrain is cloud-friendly with no localisation mandate and a Data Embassy Law, and a draft criminal deepfake bill appeared in November 2025. Penalties run up to BD 20,000 (individuals) or BD 40,000 (corporates) under the PDPL.
  • Kuwait. The regional outlier with no comprehensive data law: a patchwork led by the CITRA Data Privacy Protection Regulation, originally issued in 2021 and narrowed by Decision 26/2024 to bind only CITRA-licensed telecom and ISP operators. Recording without consent is criminal under the Wiretap Law (Law 9/2001), up to two years. Voiceprints are not specially named, so treat them as ordinary personal data, conservatively.
  • Jordan. The PDPL (Law No. 24 of 2023), in force since March 2024 and now past its grace period, regulated by the Personal Data Protection Council within MoDEE. Biometric data is sensitive (Article 4). Penalties run JOD 1,000 to 10,000, with continuing-violation fines capped at 3% of prior-year revenue, plus malicious AI impersonation caught by the Cybercrime Law (No. 17 of 2023).

Sector overlays: where the sector regulator outranks the data law

In a regulated sector, the general data law is the floor and the sector regulator sets the binding ceiling: pre-approval gates, data localisation, mandatory authentication, and retention duties the PDPLs alone do not impose.

Saudi Arabia: SAMA pre-approval and in-Kingdom data

For financial voice agents, SAMA is stricter than the PDPL. Material outsourcing needs SAMA’s written no-objection before you contract (submitted 15 to 30 business days ahead), cloud hosting is in-Kingdom in principle with offshore needing explicit approval (Cyber Security Framework §3.4.3), customer authentication must meet multi-factor standards, and records are kept a minimum of 10 years. Separately, a voice agent that interconnects with the Saudi phone network needs a CST virtual-voice-services permit or a licensed operator; unlicensed telecom provision is fined up to SAR 25 million. A health triage agent is regulated medical-device software under the SFDA.

UAE: the strictest health-data wall in the region

The UAE ICT Health Law (Federal Law No. 2 of 2019) is the hardest sector rule in this guide. Article 13 sets an absolute default ban on storing, processing, or transferring UAE health data outside the country, and “health information” expressly includes audio and recorded data, so a health voice agent’s call recordings and transcripts cannot legally leave the UAE; retention runs 25 years. The federal PDPL’s transfer mechanisms do not help, because the PDPL carves health data out. In finance, the Central Bank requires consumer and payment data to be stored in the UAE, requires its non-objection before material outsourcing, and under Federal Decree-Law No. 6 of 2025 can fine up to AED 1 billion. Voice over IP must run through a TDRA-licensed operator.

Israel and Qatar

Israel’s Bank of Israel directives govern IT and cyber risk (Directive 364) and e-banking authentication (Directive 367), where remote account opening needs prior Banking Supervision approval, a direct hook for a voice or video onboarding agent. Qatar’s central bank requires pre-approval for material cloud arrangements and, through its AI Guideline (Sept 2024), expects financial firms to disclose AI interaction, obtain consent, and keep human oversight.

| Obligation | The stricter sector rule (vs the general data law) |
|---|---|
| Health-data localisation | UAE Federal Law 2/2019 (absolute offshore ban, 25-yr retention) |
| Financial-data localisation | UAE Central Bank (consumer and payment data in-UAE); Saudi SAMA cloud (in-Kingdom) |
| Regulator pre-approval of outsourcing or cloud | Saudi SAMA, UAE Central Bank, Qatar QCB, Bank of Israel |
| Customer authentication | Saudi SAMA (MFA); Israel Directive 367 (prior approval for remote onboarding) |
| Record retention | Saudi SAMA (10 years); UAE consumer data (5 years); UAE health data (25 years) |
| AI-specific disclosure | DIFC Regulation 10; Qatar QCB AI Guideline (finance) |

In the UAE, health-call audio is not allowed to leave the country

The “ship it to our US or EU cloud” architecture is unlawful for UAE health data. Federal Law No. 2 of 2019, Article 13 bans storing or transferring health data outside the UAE without health-authority approval, “health information” includes call recordings and transcripts, and the retention period is 25 years. The federal PDPL cannot rescue you, because it carves health data out. A health voice agent serving the UAE needs in-country storage by design, not as a configuration option.


Compliance Framework for the Middle East

1. Pick the jurisdiction before the architecture

In the UAE especially, federal, DIFC, and ADGM impose different duties. Decide where your client is licensed first, because DIFC Regulation 10 (AI disclosure, DPIAs) and ADGM’s explicit-consent biometric rule do not apply to a mainland deployment, and vice versa.

In the Gulf, an unconsented recording is a crime with inadmissible evidence. Open every call with an explicit, recorded all-party consent step. Israel is the lone one-party exception, but its consent and disclosure duties still apply.

3. Clear the voiceprint permit before launch

In Oman, Bahrain, Egypt, ADGM, and the Qatar free zone, biometric processing needs advance regulator authorisation. Treat voice authentication as a permit-gated feature with lead time, not a configuration toggle.

4. Map data residency before you store anything

Saudi Arabia and the UAE (banking, health) restrict where personal data can live, and Saudi Arabia’s adequacy list is unpublished. Default to in-region storage for sensitive data, and budget for a transfer risk assessment and explicit consent where transfer is unavoidable.

Saudi Arabia’s Deepfakes Guidelines (explicit consent, tamper-resistant watermarks, auditable consent records) are the regional bar for any cloned voice. Build consent-of-likeness and provenance marking now if your product clones voices.

6. Engineer for Arabic, not “Arabic”

Dialect coverage (Gulf, Levantine, Egyptian), gender registers, and Sharia-compliance signalling in finance are functional requirements. Regulators increasingly expect Arabic-native, in-jurisdiction models for government, finance, and telecom work.


Regulatory Horizon (Next 12 Months)

| Development | Status | Practical preparation |
|---|---|---|
| UAE PDPL Executive Regulations | Still unpublished mid-2026 | Watch for biometric and transfer detail; the criminal recording rule already binds |
| DIFC Regulation 10 certification | General guidance landing 2026 | Prepare AI-processing notices and DPIAs for DIFC deployments |
| Oman PDPL enforcement | Live since 5 Feb 2026 | Secure the MTCIT biometric permit before any voice-auth launch |
| Egypt PDPL enforcement | Hard enforcement from 1 Nov 2026 | Obtain PDPC licences for marketing and sensitive-data processing |
| Saudi adequacy list | Still unpublished | Default to in-Kingdom storage; use safeguards plus consent for transfers |
| Bahrain deepfake bill | Draft, Nov 2025 | Prepare voice-clone consent and labelling if it passes |

Conclusion

The Middle East does not reward the US or EU compliance playbook. The recording rule that is a fine in Europe is a criminal offence across the Gulf. The data that flows freely under EU adequacy may be forbidden to leave Saudi Arabia. The voiceprint feature that needs only a lawful basis in London needs a regulator’s permit in Muscat. And the one affirmative AI-disclosure rule in the region lives inside a single Dubai free zone.

The two markets that justify real engineering effort are Saudi Arabia (largest, most enforced, localisation-heavy, with the region’s clearest deepfake bar) and the UAE (the commercial hub, where jurisdiction selection across federal, DIFC, and ADGM is the first compliance decision you make). Israel is the most GDPR-familiar entry point, with a one-party recording rule that is the regional exception. Get the criminal consent gate, the voiceprint permit, and data residency right, build for real Arabic, and the region becomes navigable rather than hostile.


Frequently Asked Questions

Is it legal to record calls in the Gulf without consent?

No. Across the UAE, Saudi Arabia, Qatar, Bahrain, Oman, and Kuwait, recording a conversation without all parties’ consent is a criminal offence under the penal or cybercrime code, with imprisonment and inadmissible recordings, not merely a privacy fine. Build an explicit, recorded all-party consent step into the start of every call. Israel is the regional exception, with one-party consent.

Do I need a permit to run voice authentication in the Middle East?

Often, yes. In Oman (an MTCIT permit), Bahrain (PDPA authorisation under Article 15), Egypt (a PDPC licence), ADGM, and the Qatar financial free zone, processing biometric data such as a voiceprint requires advance regulator authorisation. Treat voice authentication as a permit-gated feature with lead time, not a configuration toggle.

Which Middle East country requires telling callers they are talking to AI?

Only the DIFC free zone in Dubai, via Regulation 10, which requires telling users at initial use that non-human automated processing is occurring. No other jurisdiction in the region mandates an affirmative AI-disclosure as black-letter law; elsewhere transparency flows from general data-protection duties. If you serve EU residents, the EU AI Act Article 50 disclosure also reaches you extraterritorially.

Can I store Middle East caller data in my US or EU cloud?

Not always. Saudi Arabia restricts sensitive personal data to in-Kingdom storage and has not published an adequacy list, and the UAE mandates localisation for banking and health data. Oman and Egypt require regulator approval for cross-border transfers. Default to in-region storage for sensitive data and run a transfer risk assessment where moving it abroad is unavoidable.

What are the rules on AI voice cloning in Saudi Arabia?

Saudi Arabia’s SDAIA Deepfakes Guidelines (2024) set the regional bar: explicit consent before using anyone’s voice or likeness with auditable records, visible tamper-resistant watermarks plus embedded digital watermarks, and consent-management to remove a likeness from training data. They are advisory but backed by the PDPL and the Anti-Cyber Crime Law.

Which Middle East market should a voice-AI founder prioritise?

Saudi Arabia and the UAE. Saudi Arabia is the largest and most actively enforced market (48 SDAIA enforcement decisions in its first enforcement year) with strict localisation and the clearest deepfake rules. The UAE is the commercial hub, where choosing among the federal, DIFC, and ADGM regimes is the first compliance decision. Israel is the most GDPR-familiar entry point, with the regional one-party recording exception.
