The UAE Governance Reset: How 2026’s Regulatory Cluster Is Forcing Boards to Prove Control Effectiveness

Key Takeaways

• A Governance Overhaul, Not a Routine Update: The creation of the Capital Market Authority and the introduction of a rewritten Commercial Companies Law have combined with recent governance reforms to fundamentally reshape the UAE’s corporate governance framework.
• Boards Must Demonstrate Control Effectiveness: The focus of governance is shifting from documenting risks and policies to providing evidence that controls, oversight mechanisms, and assurance processes are functioning as intended.
• Independence Requirements Raise the Bar: Companies seeking to maintain a combined Chairman and CEO structure must satisfy stringent independence requirements, including a board that is at least 75% independent and committees composed entirely of independent directors.
• Internal Controls Face Greater Scrutiny: New requirements around internal audit independence, COSO-aligned control frameworks, audit committee reporting, and potential external opinions on internal controls increase expectations for control assurance and documentation.
• Director Liability and Regulatory Intervention Risks Have Increased: Expanded statutory liability provisions and the authority’s ability to appoint independent directors to lapsed boards underscore the growing personal and governance consequences of ineffective oversight.

Deep Dive

The simultaneous arrival of a new capital-market authority, a rewritten companies law, and stricter governance and audit rules is transforming UAE corporate governance from a compliance exercise into a demonstrable system of control.

For much of the past decade, governance reform in the United Arab Emirates arrived in waves: a new code here, an amended article there, each important but rarely so concentrated that it demanded a fundamental re-examination of how boards organise themselves. That era has now closed. On 1 January 2026, the Securities and Commodities Authority ceased to exist, replaced by the Capital Market Authority under Federal Decree-Law No. 32 of 2025. On the same day, Federal Decree-Law No. 20 of 2025, a substantial rewrite of the Commercial Companies Law, also took effect.

These two instruments, layered atop the Governance Code amendments already in force since early 2024 and the board composition rules introduced by SCA Decision No. 24 of 2025, do not merely update the UAE’s corporate rulebook. They reset the standard of proof that boards must meet, shifting the centre of gravity from identifying governance risks to demonstrating that controls actually work.

The institutional architecture of that reset begins with the CMA itself. Established as a federal public authority with legal, financial, and administrative independence, the CMA inherits the full regulatory mandate of the former SCA while gaining expanded powers over securities markets, listed public joint-stock companies, central counterparties, and clearing and settlement.

All prior SCA decisions remain in force unless they conflict with the new decree-laws, meaning the governance obligations that boards have been absorbing since 2024 now sit under a regulator with a fresh mandate and, critically, a heightened expectation of enforcement coherence. For directors, the message is unambiguous: the governance framework they must navigate is no longer a patchwork of legacy instruments but a unified architecture designed to test control effectiveness.

That architecture is reinforced by the most significant amendments to the Commercial Companies Law in years. Federal Decree-Law No. 20 of 2025, effective from the same 1 January 2026 date, introduces multiple share classes, statutory drag-along and tag-along rights, and a mechanism for re-domiciliation without dissolution.

Yet the provisions most likely to concentrate boardroom attention are those that widen personal liability for directors. Breach of duty, conflicts of interest, and gross negligence now carry an explicit statutory basis for personal liability that goes beyond the general duties previously articulated. The law also empowers the competent authority to appoint independent directors for a term of up to one year when a board’s term has expired, a measure that signals a low tolerance for governance vacuums.

These changes mean that board composition and director conduct are no longer matters of private ordering alone; they are subject to a statutory backstop that can impose both personal consequence and external intervention. The most structurally demanding element of the reset, however, lies in the rules governing the separation of the chairman and chief executive roles. Under SCA Decision No. 24 of 2025, effective 26 August 2025, a combined Chairman and CEO is permitted only if a company satisfies a cumulative set of conditions that effectively mandate a super-majority independent board.

The requirements are:

• The articles of association must expressly allow the combination;
• A special shareholder resolution must be passed;
• At least 75% of the board must be independent;
• All permanent board committees (Audit, Nomination, Remuneration) must be composed entirely of independent directors;
• A fully independent Governance Committee must be established;
• The Vice Chairman must be independent and must chair meetings where the Chairman has a conflict of interest.

For many listed companies, meeting a 75% independence threshold will require a substantial re-composition of the board, and the obligation to populate every standing committee exclusively with independent directors leaves no room for executive influence in the very structures that oversee audit integrity, nominations, and pay.

The Governance Committee, a new mandatory body under these conditions, adds a further layer of structural separation. The practical effect is that the combined role, while still legally possible, becomes an option only for boards that have already embedded independence to a degree that few UAE public joint-stock companies currently exhibit.

The governance reset extends deep into the control environment. Amendments to the Governance Code, effective 16 January 2024 under SCA Decision No. 2/R.M of 2024, require a formal separation of the compliance officer and internal audit functions, ending the practice of combining them in a single individual.

Boards must adopt an internal control framework aligned with international standards, with the COSO framework explicitly referenced as a benchmark. The audit committee, in turn, must produce an annual report on its activities, and its chair is required to attend the annual general meeting to answer shareholder questions.

Perhaps most tellingly, the external auditor may now issue a separate opinion on the effectiveness of internal controls, a provision that transforms the control environment from a private board concern into a matter of public assurance.

These changes are reinforced by tighter definitions of related parties and more demanding disclosure timelines. The amended Governance Code expands the definition of “Related Parties” to include parent companies and major shareholders holding 5% or more of share capital or voting rights, widening the net of transactions that require independent scrutiny.

Companies must also publish an Integrated Report within three months of the financial year-end or at least ten days before the AGM, whichever is earlier, compressing the timeline for producing a holistic account of financial and non-financial performance.

Audit committees, the frontline of control assurance, face their own mandatory standards. For UAE mainland public joint-stock companies under the CMA Governance Code, the audit committee must comprise at least three members, a majority of whom are independent, including at least one financial expert; the chair cannot be the board chair, and the committee must convene at least four times a year.

Parallel requirements apply in the Dubai International Financial Centre and Abu Dhabi Global Market, where the DFSA and FSRA rulebooks similarly mandate independent audit committees with prescribed composition and meeting frequencies. The convergence of these standards across onshore and offshore jurisdictions within the UAE removes any ambiguity about the baseline: audit committees are expected to be active, professionally equipped, and structurally insulated from executive influence.

What makes this cluster of instruments more than a routine regulatory update is the way it operationalizes a global shift that GRC Report has identified as the defining theme of 2026: the move from identifying risk to proving control effectiveness. For years, governance codes asked boards to acknowledge risks and maintain a framework of policies. The new UAE regime asks boards to demonstrate, through independent committee composition, separated control functions, external assurance, and public reporting, that those frameworks actually work. The question is no longer “Do you have a risk register?” but “Can you show that your controls prevented or detected a material breakdown, and if not, why not?”

This shift carries immediate practical implications. Boards will need to reassess their independence calculations, not merely against the one-third independence threshold of the past, but against the 75% standard if they wish to retain a combined chair and CEO. Nomination committees will have to source and vet independent directors with the specialized skills to populate audit, remuneration, and governance committees simultaneously, a supply challenge in a market where qualified independent directors are in high demand.

Internal audit functions, long accustomed to reporting administratively to the CEO, will need to demonstrate functional reporting lines to the audit committee that satisfy the new separation requirements. And the external auditor’s potential opinion on internal controls introduces a level of scrutiny that will force many firms to upgrade their control documentation, testing, and remediation processes well before the audit cycle begins.

The liability dimension adds urgency. With the Commercial Companies Law now explicitly linking director liability to breach of duty, conflicts of interest, and gross negligence, and with the Governance Code requiring boards to adopt internal-control frameworks aligned with global standards, and the external auditor now able to issue a separate opinion on internal controls, the paper trail matters.

Directors who cannot show that they exercised reasonable oversight, relied on competent advice, and acted on control deficiencies may find that the legal protections they once assumed are thinner than they believed. The competent authority’s power to appoint independent directors to a lapsed board further signals that governance gaps will not be left to fester; the regulator has the tools to intervene and stabilize.

The UAE’s governance reset is likely to accelerate three trends. First, board composition will become a strategic priority rather than an annual compliance exercise, with companies competing for a limited pool of independent directors who meet the financial literacy and industry expertise requirements. Second, the internal audit and compliance functions will gain stature and budget as their structural separation and external visibility make them central to the control assurance narrative. Third, the integrated reporting requirement will push companies to connect governance, strategy, and sustainability data in ways that go beyond boilerplate disclosure, because the compressed timeline and the AGM presentation by the audit committee chair create a direct line of accountability to shareholders.

The 2026 regulatory cluster does not merely add new rules; it rewires the expectations that underpin UAE corporate governance. For boards, the task is no longer to document a governance framework but to prove, with evidence, that the framework produces effective control. That is a higher bar, and it is now the law.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.