The code, issued jointly by Oman's Ministry of Transport, Communications and Information Technology and the newly established Oman AI Authority, comes into force in stages from Q3 2026. Existing deployments have a 180-day compliance window. The structure, a four-tier risk classification, mandatory audit logging, independent third-party assessment, and public disclosure obligations, maps closely onto the EU AI Act's logic, even if the two frameworks differ in scope and penalty scale.
For the EU's financial services sector, the significance is threefold: the code applies to any AI system making decisions affecting residents regardless of where the system is hosted; financial credit sits explicitly in the high-risk tier; and the independent-audit requirement carries real teeth. Any European bank or fintech with deployments touching that jurisdiction must now treat this as a compliance event, not a monitoring item.
Risk Tiers and What They Require
The Oman code defines four risk tiers. The structure will be immediately recognisable to EU compliance teams:
- Prohibited systems: certain forms of remote biometric identification in public spaces, and any AI used for social scoring of citizens.
- High-risk systems: healthcare diagnostic tools, financial credit decisioning, public-employment screening, and AI used in law enforcement decision support.
- Limited-risk systems: mandatory disclosure obligations only.
- Minimal-risk systems: largely unregulated.
The high-risk tier is where European financial institutions will concentrate their attention. Operators must maintain a structured data-quality assessment, a model card published in a public registry, an immutable audit log of model versions and material configuration changes, and an annual independent assessment by an accredited auditor. The Authority will publish enforcement actions, including the names of breaching organisations, in a quarterly bulletin.
Professor Luc Rocher at the Oxford Internet Institute, who has studied risk-classification frameworks across multiple jurisdictions, has noted that the credibility of any tiered AI code ultimately rests on how the high-risk boundary is drawn and whether the audit function is genuinely independent. On both counts, the Oman code makes substantive commitments that several European member states have yet to match in their own national AI Act implementation plans.
How the Penalties Work
The code sets a maximum single-breach fine equivalent to approximately EUR 240,000, with cumulative caps of roughly EUR 925,000 per organisation per year. Those figures are modest compared with the EU AI Act's upper bounds of EUR 30 million or 6% of global turnover for prohibited-system violations. However, penalty scale relative to market size is the more relevant metric, and on that measure the Oman code is proportionately serious.
Fines are calibrated to the size of the offending entity. Aggravating factors include repeat behaviour, deliberate concealment, and the criticality of the affected system. For a European bank operating in a multi-jurisdiction deployment, repeat-behaviour provisions are particularly relevant: a pattern of non-compliance across markets strengthens regulators' hands in any jurisdiction where the firm holds a licence.
The European Banking Authority has consistently argued, most recently in its February 2024 report on AI in retail banking, that meaningful financial penalties are a necessary condition for effective AI governance. The Oman code meets that test in a way that purely principles-based frameworks do not.
The Disclosure Obligation: A Lesson for European Vendors
The most operationally demanding element of the code for international vendors is the language-specific disclosure obligation. Every high-risk system must publish a model card in formal Modern Standard Arabic, covering intended use, data sources, known limitations, performance metrics, and any human-oversight arrangements. English-only documentation is explicitly insufficient.
This requirement has a direct parallel with the EU AI Act's transparency obligations, which have already forced global AI vendors to invest in proper European-language technical documentation. The pattern is consistent: regulators with serious disclosure frameworks force vendors to localise documentation in ways that meaningfully improve local-market accountability. The downstream effect on digital literacy and informed procurement is substantial.
For European vendors currently operating on English-only model cards, the Oman requirement is a preview of what language-specific disclosure looks like in practice. Vendors that have already invested in multilingual technical documentation for EU markets are structurally better positioned than those that have not.
The Oman AI Authority: Independence by Design
The Oman AI Authority launches with a year-one budget equivalent to approximately USD 18 million, allocated across enforcement, audit, and accreditor-accreditation activities. Its director is appointed by the Council of Ministers, but the body reports through Parliament for audit purposes. That separation of executive appointment from parliamentary oversight is an unusual structural choice, and a deliberate one: it mirrors, loosely, the independence architecture of the UK's Information Commissioner's Office, which reports to Parliament rather than to a sponsoring department.
The Authority's first formal tasks include accrediting independent auditors, publishing detailed sector codes for healthcare and financial services, and establishing a public register of all high-risk AI systems operating under the code. The financial-services sector code is scheduled for Q4 2026. European banks and fintechs with any exposure to that market should begin engaging with the draft process now, not after publication.
Industry Concerns: Familiar Arguments, Familiar Risks
Industry reaction has followed a pattern that European policymakers will recognise from the EU AI Act consultation process. Larger established operators have broadly welcomed regulatory clarity; smaller operators and global hyperscalers have raised proportionality objections. The specific concerns raised during the Oman consultation include:
- The cost of mandatory annual independent assessment for smaller operators.
- The breadth of the high-risk tier, particularly its inclusion of certain HR-screening tools.
- The language-specific disclosure obligation, given the limited supply of qualified technical translators.
- Cross-border audit recognition with adjacent jurisdictions.
- The accreditation timeline for independent auditors, which remains undefined.
The Authority has signalled that draft sector-specific guidance on each of these concerns will be issued by Q1 2027. Whether that guidance materially softens the headline requirements is an open question.
The HR-screening concern is directly relevant to European financial services. Under the EU AI Act, employment-related AI systems, including candidate filtering and performance monitoring tools, fall within the high-risk category. European firms that have already worked through their EU AI Act compliance obligations on HR tools will find the Oman framework's logic familiar, even if the specific boundary conditions differ.
What This Means for European Vendors and Compliance Teams
The practical consequences for European AI vendors and financial-services compliance teams are concrete:
- Any high-risk system deployed in that jurisdiction requires a locally appropriate model card, an in-country compliance contact, and a documented relationship with an accredited independent auditor.
- Financial credit systems are unambiguously in the high-risk tier: there is no carve-out for automated decisioning tools that merely assist rather than replace human judgement.
- The 180-day compliance window for existing deployments is short. Firms that have not already begun a deployment audit should start immediately.
- Vendors whose international strategy depended on lightweight regulatory environments should treat the Oman code as a signal of where the global compliance floor is moving, not as an isolated local requirement.
Vera Jourova, European Commission Vice-President for Values and Transparency, has argued publicly that binding AI codes with independent enforcement are the only credible basis for international AI governance convergence. The Oman code, whatever its geographic scope, is a data point in favour of that argument. Marco Cuturi, research director at Google DeepMind Paris and a frequent participant in EU AI policy discussions, has similarly noted that the credibility of any AI governance framework depends on enforcement infrastructure, not on the elegance of its risk taxonomy.
Cross-Border Implications and the Path to Convergence
The most strategically significant question is how a binding national AI code in one jurisdiction interacts with neighbouring frameworks and, by extension, with the EU's own implementation machinery. The EU AI Act is the global reference text. The Oman code is, explicitly, modelled on it. That creates a genuine opportunity for convergence around shared definitions, mutual audit recognition, and aligned prohibited-system lists.
The most plausible near-term scenario is partial convergence. Several non-EU jurisdictions are expected to align key definitions with EU AI Act categories, particularly on prohibited systems and disclosure obligations, while preserving their own sector-specific approaches. The UK's AI Safety Institute is watching these developments closely. A world in which the EU AI Act's four-tier logic becomes the de facto global template is good for European vendors, because it means their EU compliance investment scales internationally.
The biggest single risk in any new enforcement regime is capacity at the new authority. An under-resourced regulator produces paper compliance rather than genuine accountability. The biggest single opportunity is for accredited audit firms and technical documentation specialists: the demand for independent AI auditors is about to increase materially, and European firms with existing EU AI Act audit capability are well placed to serve that demand internationally.