UAE 2026 Compliance Update: E-Invoicing, Tax & Data Rules
The UAE's New 2026 Digital & Tax Rulebook: E-Invoicing, Tax Procedures and Data Protection Explained
2026 has brought one of the busiest regulatory years the UAE has seen since the introduction of VAT and Corporate Tax. Within a few months, businesses have had to absorb a new e-invoicing mandate, amended tax procedures rules, a landmark Child Digital Safety Law, and tighter scrutiny of cross-border data transfers under the Personal Data Protection Law (PDPL).
Each of these changes affects a different part of how a business operates - finance, legal, IT, and marketing - but they share one thing in common: real deadlines, real penalties, and very little room for a "we'll deal with it later" approach. This guide breaks down what changed, who is affected, and what UAE businesses should do before the next milestone hits.

At a Glance: Key 2026 - 2027 Compliance Deadlines
| Regulatory Change | Key Deadline |
|---|---|
| E-invoicing - ASP appointment (businesses with revenue ≥ AED 50 million) | 30 October 2026 |
| E-invoicing - mandatory go-live (revenue ≥ AED 50 million) | 1 January 2027 |
| Cabinet Decision No. 17 of 2026 - amended tax procedures (already in effect) | 1 April 2026 |
| Child Digital Safety Law - full enforcement | 1 January 2027 |
| PDPL - ongoing enforcement, fines already applicable | Now in effect |
1. The UAE's New E-Invoicing Mandate
What the E-Invoicing Mandate Requires
Under Ministerial Decisions No. 243 and No. 244 of 2025, the UAE is moving all in-scope businesses away from PDF and paper invoices toward structured, machine-readable e-invoices. Invoices must be issued in XML format, transmitted through a Ministry of Finance-Accredited Service Provider (ASP), and reported to the Federal Tax Authority through a Peppol-based five-corner network. A PDF tax invoice, however well formatted, will no longer count as a valid e-invoice once the mandate applies to your business.
Key Deadlines for 2026 and 2027
The rollout is phased by annual revenue:
- A voluntary pilot phase opens on 1 July 2026 for early adopters and a selected Taxpayer Working Group.
- Businesses with annual revenue of AED 50 million or more must appoint an Accredited Service Provider by 30 October 2026 (this deadline was extended from an original date of 31 July 2026) and go live by 1 January 2027.
- Businesses below the AED 50 million threshold must appoint an ASP by 31 March 2027 and go live by 1 July 2027.
- Government entities follow a later timeline, going live by 1 October 2027.
- B2C transactions remain outside the mandate for now.
Free zone companies, including Qualifying Free Zone Persons, are not exempt - the same phased timeline applies once a business crosses the relevant revenue threshold.
What Businesses Should Do Now
If your business is anywhere near the AED 50 million threshold, treat 30 October 2026 as the real deadline, not 1 January 2027 - selecting and onboarding an Accredited Service Provider, mapping ERP fields, and testing invoice flows typically takes several months, not weeks.
Key point. Non-compliance is not a one-time fine. Penalties can accrue monthly for failing to appoint an ASP or issue compliant e-invoices, and non-compliant invoices can jeopardise input VAT recovery and corporate tax deductions on the buyer's side too.
2. Tax Procedures Law Update - Cabinet Decision No. 17 of 2026
Extended Record Retention for Pending Refunds
Cabinet Decision No. 17 of 2026, issued on 23 March 2026 and effective from 1 April 2026, amended the Executive Regulation of the Tax Procedures Law (Federal Decree-Law No. 28 of 2022). The headline change for most businesses: if you have submitted a refund application that is still pending a decision from the Federal Tax Authority, you must now retain the related supporting records for an additional two years beyond the standard retention period, provided the claim was filed within the statutory window.
Other Changes Under Cabinet Decision No. 17 of 2026
- The FTA now has express authority to extend the seizure and retention period for documents or assets during an audit, with notification to the taxpayer where feasible.
- Voluntary disclosure rules were clarified: errors of AED 10,000 or less can generally be corrected in the next available tax return rather than requiring a separate filing.
- Refund terminology was updated to "credit balance refund procedures," aligning the regulation with how VAT and corporate tax credit positions actually work in practice.
- Rules on disclosing taxpayer information to other government entities were tightened, with a stronger emphasis on confidentiality.
What This Means for Your Business
If you have an open refund claim with the FTA, your document retention obligations just got longer - and if your business is later selected for a tax audit, having complete, accessible records for the extended period is now a legal requirement, not just good practice.
Key point. Businesses should revisit their document retention policies now, particularly for any refund applications filed in the past two to three years that are still pending an FTA decision.
3. The Child Digital Safety Law: What It Means for E-Commerce and App Businesses
Who the Child Digital Safety Law Applies To
Federal Decree-Law No. 26 of 2025 on Child Digital Safety came into force on 1 January 2026, with a one-year grace period before full enforcement. It applies broadly to digital platforms and internet service providers operating in the UAE, or targeting users in the UAE - including e-commerce platforms, apps, social media, gaming platforms, streaming services, and websites, regardless of where the operator is physically based.
Key Obligations for Digital Platforms
In-scope platforms must:
- implement age-verification mechanisms proportionate to the platform's risk classification
- apply default privacy settings and content filtering appropriate for children
- obtain explicit, documented, and verifiable parental consent before collecting, processing, or sharing personal data of children under 13
- avoid using children's data for targeted advertising or commercial profiling
- prohibit children from accessing or participating in online commercial gaming involving bets or wagers
These obligations sit alongside - and must be read together with - the UAE's Personal Data Protection Law, since a platform's data-handling practices for children touch both regimes at once.
Compliance Timeline
In-scope businesses have until 1 January 2027 to reach full compliance, unless the Cabinet extends the deadline. Detailed platform classification rules and penalties are expected through further Cabinet decisions, so businesses should expect additional implementing regulations during the transition period.
Key point. If your e-commerce platform, app, or website could reasonably be accessed by users under 18 in the UAE, this law likely applies to you - even if your business is based outside the UAE.
4. PDPL Cross-Border Data Transfers: What Companies Get Wrong
When Cross-Border Data Transfers Are Restricted
Federal Decree-Law No. 45 of 2021 (the PDPL) restricts transferring personal data of individuals in the UAE outside the country unless one of the recognised legal bases applies: the destination country has been assessed as offering an adequate level of protection, appropriate contractual safeguards are in place (such as standard contractual clauses), or the individual has given explicit, informed consent to the transfer.
This matters directly for UAE companies that route HR data, customer records, or CRM data to a global headquarters, a regional office, or a cloud provider located outside the UAE - a routine practice that many groups have not yet formally reviewed against PDPL requirements.
Penalties for Non-Compliance
Administrative fines under the PDPL can reach AED 5,000,000 per violation, and criminal liability can apply in cases of intentional unlawful processing or disclosure. Separately, DIFC and ADGM-licensed entities are subject to their own data protection regimes, which do not automatically align with the federal PDPL - a transfer that is compliant under one regime is not necessarily compliant under another.
Practical Steps for UAE Companies
- Map where personal data is collected, stored, and transferred to, including intra-group transfers to a parent company or regional hub
- Identify the legal basis relied on for each cross-border transfer
- Put contractual safeguards in place for transfers to jurisdictions without a recognised adequacy status
- Maintain a documented record of processing activities, ready to produce on request
Key point. Sending customer or employee data to your own headquarters abroad is still a cross-border transfer under the PDPL. Corporate group structure does not create an automatic exemption.
2026 Compliance Checklist for UAE Businesses
- Step 1. Confirm your annual revenue against the AED 50 million e-invoicing threshold and identify your phase
- Step 2. If in Phase 1, begin the Accredited Service Provider selection process well before 30 October 2026
- Step 3. Review any pending FTA refund applications and confirm your extended record retention obligations
- Step 4. Assess whether your website, app, or platform falls within the scope of the Child Digital Safety Law
- Step 5. Map all cross-border personal data flows, including transfers to your own group entities abroad
- Step 6. Update internal data retention, consent, and vendor agreements to reflect the 2026 regulatory changes
At QLegal, we help businesses work through this checklist in practice - not just in theory - by reviewing actual contracts, data flows, and documentation against the current legal requirements.
How QLegal Consultants Helps with 2026 Compliance
QLegal Consultants is a UAE-based legal and business consultancy supporting companies across commercial law, corporate structuring, and regulatory compliance. As regulatory change accelerates across tax, data protection, and digital platform obligations, we help businesses translate new legal requirements into practical action.
Our compliance support includes:
- reviewing your business against the e-invoicing phased timeline and readiness requirements
- advising on tax record retention and audit-readiness under the updated Tax Procedures Law
- assessing whether your digital platform falls within the scope of the Child Digital Safety Law
- reviewing cross-border data transfer practices against PDPL requirements
- supporting business setup and structuring decisions that account for current and upcoming compliance obligations
- general legal advisory support for businesses navigating multiple overlapping regulatory changes
If your business is also managing overdue payments alongside these compliance changes, our related guide on unpaid invoices and debt recovery in the UAE may also be useful.
Key point. If you are unsure which of these 2026 changes apply to your business, or where to start, contact QLegal today for a confidential consultation.
Contact QLegal: 2026 Compliance Advice for UAE Businesses
QLegal Consultants provides practical legal support for businesses navigating tax, data protection, and digital compliance changes across the UAE, including Dubai, Abu Dhabi, Sharjah, and the Northern Emirates.
To discuss how these changes affect your business, contact our team via WhatsApp, email, or through our website at qlegal.ae. We typically respond within one business day.

Contact QLegal Consultants today for tailored UAE legal support. Discuss Your 2026 Compliance Requirements via WhatsApp.
Call / WhatsApp: +971 56 991 6077
Email: info@qlegal.ae
Location: Dubai, United Arab Emirates
** Disclaimer: This article is for general informational purposes only and does not constitute legal advice. You should seek advice from a qualified UAE legal professional before taking action.**