The United Arab Emirates has introduced a new federal law aimed at protecting children in the digital environment by imposing comprehensive safety obligations on digital platforms, internet service providers and custodians of minors. Federal Decree-Law No. 26 of 2025 on Child Digital Safety (the “Child Safety Law”) came into force on January 1 2026 and creates a risk-based regulatory framework to reduce children’s exposure to harmful online content, strengthen privacy protections and require age-based safeguards. Businesses have a transitional period of one year to align with the law before full enforcement from January 2027.
The Child Safety Law applies broadly to digital platforms and service providers operating within the UAE or targeting users in the UAE. Platforms covered include websites, social media, streaming services, gaming platforms, online marketplaces, smart applications and other entities that provide digital content or services. The law’s extraterritorial reach means foreign companies with users in the Emirates may also be subject to its provisions.
A key element of the framework is a risk classification system to be set by Cabinet decision that will determine the obligations platforms must meet. Age-based access controls will vary according to platform type, user demographics and content risk, with platforms that pose greater potential harm to children expected to adopt more rigorous age verification systems and safeguards. Platforms must implement age verification mechanisms proportionate to these risks and appropriate to the services they offer.
Under the Child Safety Law children under 18 are defined as “children” for regulatory purposes and platforms must adopt measures to prevent access to inappropriate material. Platforms are prohibited from permitting children to access online commercial games involving gambling, betting or similar high-risk activities, and must deploy technical and administrative controls to enforce these restrictions, including age verification and blocking tools.
The law introduces strict controls on children’s personal data. Platforms cannot collect, process, publish or share personal data of children under 13 unless they obtain explicit, documented, verifiable parental consent. Platforms must clearly communicate privacy practices and are barred from using children’s data for behavioural profiling, targeted advertising or other commercial purposes unless Cabinet-approved exemptions, such as for educational or health-related services with strong safeguards, are in place.
Content moderation obligations require platforms to implement blocking and filtering systems, content classification and advertising controls to reduce children’s exposure to harmful or age-inappropriate content. Platforms must also offer custodians (parents or legal guardians) tools to manage children’s digital use, including supervision features, account controls and usage limits designed to help fulfil caregiver responsibilities under the law.
Internet service providers licensed in the UAE must adopt complementary safeguards such as network-level content filtering, parental control tools and reporting measures for harmful content, including child sexual abuse material. Both platforms and service providers are subject to mandatory reporting obligations and must cooperate with the Telecommunications and Digital Government Regulatory Authority, which will oversee compliance and enforcement efforts.
The law establishes a governance structure including a national Child Digital Safety Council, chaired by the Minister of Family, to guide policy, coordinate efforts and advise on standards for online child protection. Non-compliance may lead to administrative actions including blocking, suspension or closure of digital services, with specific penalties and enforcement mechanisms to be defined in future regulations.
With the Child Safety Law now in effect and implementing regulations forthcoming, businesses operating in or targeting the UAE should begin assessing existing age verification, content moderation and privacy controls, and prepare for differentiated compliance obligations tied to platform risk classifications.