The excuse “we got hacked” no longer works. Under the new 2026 federal mandate, if your company loses millions to a deepfake CFO because you didn’t implement biometric liveness detection, the boardroom pays the price.
In 2024, when a Hong Kong multinational lost $25 million because an employee was tricked by a deepfake video call of their CFO, the world called it a tragedy. In 2026, the UAE legal system calls it negligence.
This week, the Ministry of Justice, in coordination with the UAE Cybersecurity Council, clarified the executive regulations of the new 2026 UAE deepfake laws (an amendment to the Federal Decree-Law on Cybercrimes). The update includes a provision that has sent shockwaves through DIFC and ADGM: Executive Personal Liability.
For the first time, CEOs and Board Directors can be held personally and financially liable if their organization falls victim to deepfake fraud due to a “failure to implement standard biometric defenses”.
The “Reasonable Defense” Standard
The core of the new regulation is the definition of “reasonable defense.”
In 2023, a password and an SMS code were considered secure. Today, they are legal liabilities. With the Central Bank of the UAE (CBUAE) officially mandating the phase-out of SMS and email OTPs by March 31, 2026, any company still relying on text-based authentication is now technically non-compliant.
“The law effectively says that if you are using 2020 security in 2026, you are complicit,” explains Dr. Ahmed Al-Ketbi, a cyber-law partner in Dubai. “If a hacker uses an AI voice clone to authorize a transfer, and your bank didn’t require biometric voice verification, the bank’s leadership can be fined for insufficient governance.”
The March 2026 Deadline: The End of OTPs
The immediate trigger for this legal shift is the CBUAE’s aggressive timeline. By the end of next month (March 2026), all financial institutions must eliminate SMS One-Time Passwords (OTPs) in favor of app-based biometric authentication.
This move addresses “SIM Swapping” and SS7 attacks, but it also creates a new standard of care.
“We are telling our corporate clients: ‘Turn off the SMS’,” says the Chief Risk Officer of a major UAE bank. “If a fraud occurs via SMS OTP after March 31, the liability shifts 100% to the bank, not the customer. The UAE deepfake laws 2026 have made the text message the most dangerous tool in finance.”
Biometrics: The “Liveness” Test
The only legal shield under the 2026 UAE deepfake laws is “Liveness Detection.”
Deepfakes have become terrifyingly convincing. However, AI struggles to replicate the micro-blood flow patterns in a human face (measured by remote photoplethysmography, rPPG) or the subtle breath pauses in a human voice.
New regulations require companies handling sensitive data to use “Active Liveness” checks, where the user is asked to blink, smile, or turn their head during the login process to prove they are human and not a looped video.
The Insurance Gap
Perhaps the most alarming detail for executives is the reaction of the insurance market.
Major cyber-insurers in the region have begun inserting “Deepfake Exclusions” into their 2026 policies. If a company loses funds to social engineering (like a deepfake video call) and did not have biometric multi-factor authentication (MFA) in place, the policy pays out zero.
This leaves the balance sheet exposed, further heightening the risk of shareholder lawsuits against the board.
What CEOs Must Do Today
To avoid the crosshairs of the 2026 UAE deepfake laws, legal experts advise three immediate steps:
- Audit the “C-Suite” Digital Footprint: Hackers train deepfakes using public YouTube videos of CEOs. Executives are now being advised to “watermark” their public audio to disrupt AI training models.
- Implement “Duress Words”: A low-tech solution where executives agree on a secret offline code word to verify urgent transfer requests.
- Deploy Biometric Access Control: Move physical office access to facial recognition to prevent “tailgating” by impostors.
The era of trusting your eyes and ears is over. In 2026, if you can’t cryptographically prove it’s you, you don’t exist.

