The UAE has now put a clear “child digital safety” governance framework into law, and it’s one that will materially affect how schools select, govern, and use digital platforms with children.
Federal Decree-Law No. (26) of 2025 Regarding Child Digital Safety enters into force 1 January 2026, with a one-year regularisation window for those in scope.
While the law’s direct obligations sit primarily with digital platforms and internet service providers, the practical reality for schools is simple: if your students use digital platforms, your school will be expected to show that you have taken reasonable steps to protect children from harmful content, inappropriate features, privacy risks, and exploitative design, and that you can evidence your decisions.
Below is a school-focused interpretation: what’s in the law, what changes in day-to-day operations, and what schools in the UAE should be doing now.
What the law is trying to achieve (in plain English)
The objectives are explicit: protect children from digital risks and harmful content, raise awareness of rights and obligations, and establish a governance framework with defined roles and coordination across authorities.
This is not just about “blocking bad websites”. It’s a broader view of safety that includes:
- platform design, defaults, and controls (privacy settings, parental controls, time limits),
- behavioural risks (excessive engagement mechanics, harmful interactions),
- advertising and profiling, and
- privacy and data protection, especially for younger children.
Who is in scope (and why schools still need to act)
The law applies to:
- digital platforms operating in the UAE or directed at users in the UAE, across websites, apps, messaging, games, social media, streaming, e-commerce, etc.
- internet service providers
- and it also sets obligations for child caregivers (parents/guardians).
Schools are not named as the primary regulated entity in the same way as platforms/ISPs, but schools operate in the middle:
- you choose platforms,
- you deploy accounts,
- you approve age groups / year groups,
- you manage safeguarding reporting routes,
- you set expectations with parents,
- and you’re typically the organisation asked to evidence “what controls were in place” when something goes wrong.
So, for schools, the compliance pattern is: govern what you use, understand platform controls, tighten privacy/consent, and build evidence.
The biggest operational shifts for schools
1) A risk-based platform classification system is coming (and it will drive expectations)
The law establishes a Cabinet-led digital platform classification system based on risk assessment, including criteria, age-category restrictions, age verification expectations, required protection controls, disclosure requirements, and compliance verification mechanisms.
Impact on schools
- Expect increased scrutiny of which platforms are used by which ages, and whether schools can justify it.
- Your current “we use it because it’s popular” stance won’t stack up as an argument.
What to do now
- Build (or update) your school app register: tool name, purpose, age group, features, vendor controls, and your mitigations.
2) Stronger child privacy rules for under-13s — with explicit limits on profiling and targeted ads
Digital platforms are prohibited from collecting/processing/publishing/sharing personal data of children under 13 unless conditions are met, including explicit, documented, verifiable parental consent, easy withdrawal, clear privacy disclosure, restricted access, and no commercial use / targeted advertising / tracking beyond the authorised purpose.
There is also a future Cabinet resolution to define what personal data can be collected and how parental consent is verified.
Notably, the law indicates that platforms used for educational or health purposes may be exempted, but this depends on a Cabinet Resolution and requires measures to protect safety and privacy.
Impact on schools
- If your school deploys platforms to under-13s, you need to understand whether:
- the platform obtains verifiable parental consent (or expects the school to),
- the platform uses data for commercial purposes,
- the platform enables targeted advertising or profiling,
- the privacy policy is child-understandable and caregiver-understandable,
- and whether the product claims “education exemption” without clear legal basis.
What to do now
- For every platform used by under-13s:
- confirm advertising is disabled (or not present),
- confirm profiling/behavioural tracking is not used for marketing,
- confirm the consent model and evidence it,
- update your parent communications so consent is informed and withdrawable.
3) Age verification is no longer optional “best practice”
Digital platforms must adopt effective and reasonable age-verification mechanisms, aligned to platform risk classification.
Impact on schools
- Schools should stop pretending that “students will be honest about their age” is a control.
- If pupils can access higher-risk platforms via school devices, unmanaged accounts, or BYOD, you have a gap.
What to do now
- Review your device/BYOD posture:
- which year groups have access to app stores,
- whether browser access is restricted,
- whether accounts are provisioned centrally (SSO) with age-based policies,
- what controls exist offsite (home use still affects school safeguarding).
4) Parental controls and time/usage restrictions are explicitly part of the safety model
The law defines “enhanced child protection controls” and parental control tools, including age restrictions, content controls, reporting channels, the ability to manage child accounts, and in places even time limits and rest/disconnection periods.
Impact on schools
- This will influence expectations on:
- what schools recommend to parents,
- what controls exist on school-provided devices,
- and whether schools enable or disable high-risk features in platforms.
What to do now
- Consider the access controls and restrictions you apply to devices provided to children if you have 1:1 technology programme,
What schools in the UAE should be doing now (practical prep plan)
1) Treat this as a safeguarding + technology programme, not an IT policy tweak
Make it owned jointly by academic, safeguarding, technology, and privacy leaders, because the law sits across risk, content, privacy, and reporting.
2) Create (or refresh) your school platform register and age-map it
For each platform used with students, record:
- age groups and intended use,
- key features (messaging, media upload, open search, content sharing),
- privacy settings defaults,
- advertising/profiling status,
- reporting and moderation features,
- age verification approach,
- vendor assurances and contracts (what they commit to).
3) Tighten your under-13 consent model
- make parental consent explicit and evidenced where required,
- update privacy notices and parent comms so they are clear and practical.
4) Watch for Executive / Cabinet resolutions
Several key mechanics (classification, consent verification details, exemptions for education platforms, penalties) rely on implementing decisions and standards. You don’t need to wait to act, but you do need a plan to incorporate those details quickly when published.
Where 9ine fits
If you want to make Child Digital Safety readiness a manageable programme rather than a last-minute policy scramble, the winning pattern is the following modules from the 9ine platform:
- Application Library – centralise and govern what platforms are used, by age group, with feature-level notes and controls.
- Vendor Management – assess platform providers for child safety controls, privacy posture, advertising/profiling risk, and evidence of their commitments.
- 9ine Academy – train staff on privacy, cybersecurity and AI
Your call to action today should be to book a meeting with one of our team so we can show you how the tools we have developed over many years enable you, in a quick, efficient and cost effective way, to meet the obligations of current, and the near-future Child Digital Safety legal requirements.