The Digital Security Law for Children Enacted in the United Arab Emirates

In a significant advancement aimed at protecting children in the digital environment, the United Arab Emirates (UAE) has enacted Federal Decree-Law No. 26 of 2025 on child digital safety. This new legislation, which came into effect on January 1, 2026, establishes a comprehensive framework to protect minors from harmful content, privacy violations, and digital exploitation, while adhering to international best practices. Affected entities must comply with these provisions by January 2027.

An Integrated Approach to Child Protection

This decree-law is part of the broader UAE policy on child protection, complementing existing laws such as the Child Rights Law, known as the Wadeema Law. It also reflects the emphasis placed in recent years on responsible digital governance in the country, as evidenced by recent adjustments to media and digital laws.

Scope of Application

Comprising 20 articles, the Decree-Law applies to several stakeholders:

• Digital platforms and Internet Service Providers (ISPs) operating in the UAE or targeting users located in the country, including websites, search engines, applications, messaging platforms, online games, social networks, streaming services, podcasts, and e-commerce platforms.
• Individuals responsible for the care of children, designated as having specific obligations to ensure safe digital usage.

The law defines a "child" as any person under the age of 18.

Governance Measures and Obligations

To build a safer digital ecosystem for children, several key measures have been introduced:

• Child Digital Safety Council: The decree-law establishes a Child Digital Safety Council, chaired by the Minister of Family. This council is responsible for proposing policies and legislation, launching national awareness initiatives, and monitoring emerging digital risks.

• National Platform Classification System: A system will be implemented to classify digital platforms based on risks and their impact on children. Specific obligations and transparency requirements will be tailored to these classifications.

• Data Protection and Privacy: Digital platforms may only collect, process, or share personal data of children under 13 under strict conditions, including verifiable parental consent, easy withdrawal options, and clear privacy disclosures. The use of this data for commercial or targeted advertising purposes will also be restricted. Certain exemptions may apply, particularly for educational or health platforms, subject to specific safeguards.

• Age Verification: Platforms must implement age verification mechanisms, tailored to the level of risk associated with their content.

Content Restrictions

Digital platforms are required to implement enhanced child protection measures, including:

• Privacy settings enabled by default for children's accounts;
• Tools to enforce age restrictions and content classification systems;
• Filtering and blocking mechanisms, as well as controls to limit excessive online interactions or participation;
• Parental control tools, including usage time limits and mandatory breaks;
• Easily accessible reporting channels, as well as proactive systems to detect, remove, and report harmful content, including child sexual exploitation material;
• Prohibition of access for children to online games involving betting or gambling, through blocking mechanisms and age restrictions.

Individuals responsible for the care of children also have important responsibilities, such as monitoring minors' digital activities, using parental control tools, avoiding the creation of age-inappropriate accounts for children, and refraining from any negative digital exploitation, including in virtual environments. They must also promptly report any harmful content.

Implementation and Sanctions

Affected entities have one year from the enactment of the decree-law to adjust their practices, until January 2027, unless an extension is decided by the Cabinet. Administrative sanctions for non-compliance will be specified in the implementing regulations and may include fines, suspensions, or service blocks.

Compliance oversight will fall to several competent authorities. The Telecommunications and Digital Government Regulatory Authority (TDRA) will be responsible for developing the necessary policies and standards to regulate Internet Service Providers.

Implications for Businesses

Digital businesses operating in the UAE or targeting users in the country are encouraged to prepare for these new provisions. This includes:

• Updating privacy notices and consent flows for users under 13;
• Implementing age verification mechanisms and default privacy settings;
• Reviewing advertising practices to comply with restrictions on targeted advertising aimed at children.

Failure to comply may expose businesses to administrative sanctions.

Conclusion

Federal Decree-Law No. 26 of 2025 marks a turning point in the digital governance of the United Arab Emirates, establishing clear and enforceable standards to protect children online. Affected businesses must act promptly to comply with these requirements and avoid penalties.

Read the source