Banking & Finance

UAE Federal Decree-Law No. 26 of 2025 on Child Digital Safety

By Noura Lawyers · UAE Law Update · Federal · 6 min read

Federal Decree-Law No. 26 of 2025 on Child Digital Safety is the UAE's first dedicated statute governing how children interact with the online world. It entered into force on 1 January 2026 and imposes concrete duties on internet service providers and digital platforms — from age verification and default privacy settings to restrictions on processing the data of children under 13 and limits on targeted advertising. Existing operators have a transitional window, with full compliance expected by January 2027.

Update note

Who should read this

General counsel and compliance leads at digital platforms, app publishers, online gaming, streaming and e-commerce businesses, and internet service providers that operate in or target users in the UAE — plus schools and any organisation handling children's personal data online.

Directly affected

digital platformsinternet service providersparentschild caregivers

Key facts

  • Instrument: Federal Decree-Law No. 26 of 2025 on Child Digital Safety.
  • Issued: 1 October 2025. In force: 1 January 2026.
  • Compliance window: existing digital platforms and ISPs are expected to reach full compliance by January 2027; operative detail is set by Cabinet implementing regulations.
  • Scope: internet service providers and digital platforms that operate in the UAE or are directed at users in the UAE — websites, search engines, apps, messaging and social media, online gaming, live-streaming, podcasts, video-on-demand and e-commerce platforms.
  • Under-13 data: collecting, processing, publishing or sharing the personal data of children under 13 is prohibited unless strict conditions (including verifiable parental consent) are met; educational and health platforms may be exempted by Cabinet resolution.
  • Platform controls: default privacy settings, age-verification and age-rating tools, content blocking and filtering, and regulation of targeted electronic advertising to children.
  • Governance: establishes the Child Digital Safety Council, chaired by the Minister of Family, as an advisory and coordinating body across federal and local entities and the private sector.
  • Standing: a new dedicated federal statute; it does not repeal existing law but operates alongside the UAE's data protection, cybercrime and child rights (Wadeema) frameworks.

Executive summary

Federal Decree-Law No. 26 of 2025 gives the UAE a standalone regime for children's safety online. It moves child protection from general principles scattered across data protection, cybercrime and child rights legislation into a single instrument with named obligations for the entities that build and operate digital services. The law reaches any platform or ISP that serves UAE users, regardless of where the operator is established, so the trigger is the audience rather than the place of incorporation. The centre of gravity is the under-13 age band, where the default position is a prohibition on processing personal data, and a set of design and operational controls that platforms must build into the product rather than bolt on later.

Key provisions

The most consequential rule is the restriction on children's data. Platforms may not collect, process, publish or share the personal data of a child under 13 unless narrow conditions are satisfied — chiefly verifiable parental consent, an easy withdrawal mechanism and clear privacy disclosures. The law also curbs the commercial use of that data and restricts targeted electronic advertising aimed at children. Educational and health platforms can be carved out by Cabinet resolution, subject to safeguards.

Alongside the data rules, the Decree-Law requires platforms to engineer safety into the service: default privacy settings for younger users, age-verification and age-assurance mechanisms, tools that enforce age restrictions, and blocking, filtering and age-rating for content. ISPs carry duties around access and the technical measures that support these controls. The statute defines the concepts it turns on — including harmful content and targeted electronic advertising — so that obligations attach to defined categories rather than open-ended judgement.

On governance, the law creates the Child Digital Safety Council, chaired by the Minister of Family, to coordinate federal and local authorities and the private sector, propose policy and legislation, run national awareness efforts and monitor emerging digital risks. Detailed thresholds and procedures are left to implementing regulations, so the enacted Arabic text and the Cabinet resolutions issued under it should be read together before finalising any compliance position.

Practical implications

For platform operators, the practical question is not whether the law applies — if you have UAE users, it does — but how much of your existing product already meets it. Age assurance is the hardest piece: many services rely on self-declared birth dates, which will not satisfy a verification standard aimed at a under-13 cut-off. Consent flows built for adults do not translate to verifiable parental consent, and advertising stacks that segment by behaviour need review where children may be in the audience.

For ISPs, the exposure sits in access controls and the technical cooperation the law contemplates. For schools and organisations that deploy third-party edtech, the law shifts diligence onto procurement: contracts should allocate responsibility for age assurance, data minimisation and the parental-consent record. Because the regime runs in parallel with the UAE's personal data protection law and the cybercrime framework, a single incident can trigger overlapping obligations, and a compliance programme built for one will not automatically cover the others.

Action points

  1. Map whether your service is directed at UAE users and confirm which platform category or ISP definition you fall under.
  2. Audit how you determine user age today and design an age-assurance approach that can support the under-13 threshold.
  3. Build or upgrade verifiable parental-consent flows, with a straightforward withdrawal mechanism and clear child-facing privacy disclosures.
  4. Review targeted-advertising and data-monetisation practices for any segment that may include children, and switch on default privacy settings for younger accounts.
  5. Implement content blocking, filtering and age-rating tools, and document them as evidence of compliance.
  6. Track the Cabinet implementing regulations and align your timeline to the January 2027 compliance expectation.

Directly affected: digital platform operators, app publishers, online gaming and streaming services, e-commerce platforms, internet service providers, edtech providers and schools, and parents and caregivers.

Enforcement and transitional relevance

The Decree-Law is in force now, but the operative compliance date for existing operators runs to January 2027 as implementing regulations are issued. That window is for building and evidencing controls, not for deferring assessment — enforcement and penalty detail will sit in the Cabinet regulations and the enacted Arabic text, which prevail over any English summary. Businesses that scope their obligations early, and keep a documented record of age-assurance, consent and content controls, will be in the strongest position when supervision begins.

Sources and authorities

Federal Decree-Law No. 26 of 2025 on Child Digital Safety — UAE Legislation Portal.
https://uaelegislation.gov.ae/en/legislations/3912
Issued 1 October 2025 · In force 1 January 2026. A new dedicated federal statute; it does not repeal existing legislation but operates alongside the UAE's personal data protection, cybercrime and child rights (Wadeema) frameworks. Cross-checked against leading practitioner analyses. The enacted Arabic text prevails.

Verified against the UAE Legislation Portal and leading practitioner analyses ·
Instrument details
Federal Decree-Law No. 26 of 2025 on Child Digital Safety. Issued 1 October 2025; entered into force 1 January 2026; full compliance expected by January 2027. Applies to internet service providers and digital platforms operating in or directed at users in the UAE. Establishes the Child Digital Safety Council chaired by the Minister of Family, restricts processing of the personal data of children under 13, and mandates age verification, default privacy settings, content blocking and filtering, age rating and controls on targeted electronic advertising. Detailed thresholds and penalties are set by Cabinet implementing regulations. Full text on the UAE Legislation Portal: legislation 3912. The enacted Arabic text is authoritative.

Based on Federal Decree-Law No. 26 of 2025 on Child Digital Safety and cross-checked against leading practitioner analyses. General information only — it does not constitute legal advice, and the enacted Arabic text prevails. For advice on a specific matter, please contact us. Last updated: 2 July 2026.

Related guides

Need advice on banking & finance issues?

Brief our Banking & Finance team in three minutes — same business-day partner response.

Speak to our Banking & Finance team →

Frequently asked questions

When does UAE Federal Decree-Law No. 26 of 2025 on Child Digital Safety take effect?

The Decree-Law entered into force on 1 January 2026. Regulated entities have a transitional grace period, and existing digital platforms and internet service providers are expected to reach full compliance by January 2027. The enacted Arabic text prevails, and implementing regulations issued by the Cabinet set the operative detail.

What changed under the Child Digital Safety Law?

The Decree-Law introduces the UAE's first dedicated framework for child online safety. It restricts the collection and processing of personal data of children under 13 unless strict conditions are met, requires default privacy settings, age-verification and age-rating tools, and content blocking and filtering, regulates targeted electronic advertising to children, and establishes a Child Digital Safety Council chaired by the Minister of Family.

Who must comply with the Child Digital Safety Law?

It applies to internet service providers and a broad range of digital platforms operating in the UAE or directed at users in the UAE, including websites, search engines, apps, messaging and social media platforms, online gaming, live-streaming, podcasts, video-on-demand and e-commerce platforms. Children's caregivers also carry defined duties for safe digital use.

How can Noura Lawyers help?

We advise digital platforms, ISPs and content businesses on scoping their exposure under the Decree-Law, building age-verification and parental-consent flows, updating privacy notices and advertising practices, and preparing for enforcement. Brief us via the contact page for a same business-day partner response.