UAE issues landmark Child Digital Safety Law: Federal Decree-Law No. 26 of 2025

In a significant move to protect children in the digital environment, the UAE has enacted Federal Decree-Law No. 26 of 2025 on Child Digital Safety. The Decree-Law introduces a comprehensive framework to safeguard minors from harmful content, privacy breaches, and digital exploitation, while ensuring alignment with international best practices, with compliance required by January 2027.

Broader policy context

The Decree-Law forms part of the UAE’s wider legislative and policy focus on child protection, complementing existing child-protection laws such as the Child Rights Law (Wadeema’s Law). It also follows the UAE’s heightened focus on responsible digital governance in recent years, following on from recent changes in the UAE’s media and digital laws as we discussed here: A comprehensive regulatory framework for media content violations: UAE Cabinet Decision No. 42 of 2025.

Scope and Application

The Decree-Law came into force on 1 January 2026 and comprises 20 articles. It applies to: (i) digital platforms and internet service providers (ISPs) operating in the UAE or directed to users in the UAE (including, but not limited to, websites, search engines, applications, messaging platforms, online gaming websites, social media platforms, live streaming services, podcasts, streaming/video-on-demand services, and e-commerce platforms) and (ii) children’s caregivers, who have defined duties relating to safe digital use.

A “child” is defined as an individual under 18 years of age.

Governance

The law introduces a series of obligations and technical measures aimed at creating a safer digital ecosystem for children. These include:

• Child Digital Safety Council: The Decree-Law establishes a Child Digital Safety Council, chaired by the Minister of Family, with functions including proposing relevant policies/legislation, national awareness initiatives, and monitoring emerging digital risks.
• Platform Classification System: A national system will classify digital platforms based on the risk and impact on children, with obligations and disclosure requirements tailored accordingly.
• Privacy and Data Protection: Digital platforms are prohibited from collecting, processing, publishing, or sharing personal data of children under 13 unless strict conditions are met, including verifiable parental consent, an easy withdrawal mechanism, and clear privacy disclosures. The Decree-Law also restricts using such data for commercial purposes and targeted electronic advertising to children. Certain education and health platforms may be exempted by Cabinet decision, subject to safeguards.
• Age Verification: Platforms must adopt effective and reasonable age-verification mechanisms, with the strength of the mechanism proportionate to the platform’s risk classification and the impact of its content on children.

Content Restrictions

Platforms must implement “enhanced child protection” measures, which include (among other requirements):

• privacy-by-default settings for children’s accounts;
• tools to enforce age restrictions and apply age ratings;
• blocking/filtering and controls to limit excessive interaction/participation;
• parental control tools (including usage-time limits and mandatory breaks);
• easy reporting channels and proactive detection/removal/reporting of harmful content, including child sexual exploitation material; and 
• prohibiting children’s access to online games involving gambling and betting (enforced via age-gating and blocking where relevant). 

Caregivers are required to take an active role in safeguarding children online, including monitoring their digital activities, using parental control tools, not creating accounts for children on platforms that are not age-appropriate, and avoiding harmful “sharenting” or any form of negative exploitation of children online (including in virtual worlds). Caregivers must also promptly report harmful content where it arises.

Implementation and Oversight

The Decree-Law mandates that all entities subject to its provisions adjust their practices within one year of its entry into force, with full compliance expected by January 2027 unless the deadline is extended by a Cabinet decision. 

Administrative penalties for non-compliance will be detailed in the implementing regulations and may include blocking, suspension, or fines. From an oversight perspective, the Telecommunications and Digital Government Regulatory Authority (TDRA) will issue relevant policies/standards and supervise ISP compliance, while other competent authorities will monitor platform obligations within their respective remits. 

Implications for Businesses

Digital platforms and ISPs operating in, or targeting users in, the UAE should consider:

• updating privacy notices and consent flows (particularly for users under 13);
• implementing proportionate age-verification and age-gating measures;
• deploying privacy-by-default settings and enhanced child protection controls (including parental controls and reporting tools);
• reviewing advertising practices to ensure compliance with restrictions on targeted electronic advertising to children; and
• preparing for platform classification and ongoing disclosure requirements.

Failure to comply may result in administrative penalties, including suspension or blocking of services.

Conclusion

Federal Decree-Law No. 26 of 2025 represents a landmark in the UAE’s digital governance framework, introducing clear and enforceable standards to protect children online. Businesses operating in the UAE’s digital space should act now to align with these requirements and avoid penalties.

For additional information or to discuss these regulations reach out to Alexandra Lester, Hesham Al Samra, or Ban Lahham.