Middle East Regulatory Policy Brief

This week's Middle East RegWatch covers five developments across sanctions enforcement, cybersecurity, and global health regulation — a week dominated by OFAC action against Iranian petroleum networks.

OFAC reached a $275 million settlement with Adani Enterprises Limited resolving 32 apparent violations involving liquefied petroleum gas shipments linked to Iran processed through US financial institutions. OFAC separately designated Amin Exchange and 19 associated vessels under Executive Order 13902 for Iranian petroleum and petrochemical shipments — requiring US persons to block and report all property interests. The SDN List was further expanded under Executive Order 13224 adding individuals, entities, and vessels supporting Hamas — requiring immediate screening updates across all compliance and sanctions systems.

In the UAE, a critical cybersecurity vulnerability was identified in the Drupal Date iCal module — CVE-2026-8495 — allowing anonymous unauthorised access to sensitive data. Organisations must update to Drupal version 4.0.15 or later immediately. The UAE Cyber Security Council recommends circulating the advisory to all subsidiaries and partners.

The 79th World Health Assembly update covers entry into force of 2024 International Health Regulations amendments and ongoing negotiations on the Pathogen Access and Benefit Sharing Annex relevant to UAE member state obligations.

Essential listening for CCOs, sanctions compliance officers, heads of AML, CISOs, and legal counsel operating across the Middle East, with exposure to Iran-linked counterparties or US financial institutions.

Carver RegWatch delivers weekly regulatory intelligence across jurisdictions. Published May 24, 2026.

Show Notes

This week's Middle East RegWatch
 
Covers five developments across sanctions enforcement, cybersecurity, and global health regulation
A week dominated by OFAC action against Iranian petroleum networks.

  • OFAC reached a $275 million settlement with Adani Enterprises Limited resolving 32 apparent violations involving liquefied petroleum gas shipments linked to Iran processed through US financial institutions. As part of the settlement Adani will implement remedial measures and cooperate fully with the ongoing OFAC investigation.
  • OFAC separately designated Amin Exchange and 19 associated vessels under Executive Order 13902 for Iranian petroleum and petrochemical shipments — requiring US persons to block and report all property interests immediately. Transactions involving designated parties are prohibited unless authorised or exempt.
  • The SDN List was further expanded under Executive Order 13224 adding individuals, entities, and vessels supporting Hamas — requiring immediate screening updates, blocking of dealings, and compliance system updates across all affected organisations.
  • In the UAE, a critical cybersecurity vulnerability was identified in the Drupal Date iCal module — CVE-2026-8495 — allowing anonymous unauthorised access to sensitive data through improper access control and input sanitisation failures. Organisations must update to Drupal version 4.0.15 or later immediately. The UAE Cyber Security Council recommends circulating the advisory to all subsidiaries and partners.
  • The 79th World Health Assembly update covers entry into force of 2024 International Health Regulations amendments and ongoing negotiations on the Pathogen Access and Benefit Sharing Annex relevant to UAE and regional member state obligations.
  • Essential listening for CCOs, sanctions compliance officers, heads of AML, CISOs, and legal counsel operating across the Middle East with exposure to Iran-linked counterparties or US financial institutions.
Carver RegWatch delivers weekly regulatory intelligence across jurisdictions. Published May 24, 2026

For more information, visit the Carver Agents website.

Also from Carver RegWatch this week:
  • This Week in AI Regulations — EU AI Act high-risk classification guidelines, CNIL €487M record fines, China AI deepfake enforcement
  • ASEAN RegWatch — Bank Indonesia 50bps rate hike to 5.25%, MAS revokes Bsquared payment licence, Singapore insider trading convictions
  • USA Regulatory Updates — SEC novel ETF regulatory review, California Hermes Bitcoin kiosk enforcement, IOSCO AI supervisory toolkit
  • EU Regulatory Updates — EU AI Act consultation deadline June 23, CNIL cybersecurity enforcement priorities 2026, EU Solidarity Fund climate allocation
  • India Regulatory Updates — RBI restricts Nagar Sahakari Bank, RBI cancels Yashwant Co-operative Bank licence, SEBI Investor Onboarding Regulatory Sandbox
  • Global Regulatory Briefing — Bank of England CCP resolution paper, Malta tokenisation consultation, ASIC sustainability reporting focus 2026-27
Find all series at The Carver Agent Podcast 

Articles mentioned:
  1. Settlement Agreement between the U.S. Department of the Treasury's Office of Foreign Assets Control and Adani Enterprises Limited
  2. Seventy-ninth World Health Assembly – Daily update: 19 May 2026
  3. Economic Fury Targets Networks Generating Billions for Iran’s Terrorist Regime
  4. Counter Terrorism Designations; Iran-related Designations
  5. 432318977 - Critical Vulnerability in Drupal Date iCal Module.pdf
  6. NEWS BRIEF 18-05-26

What is Middle East Regulatory Policy Brief?

Regulatory news, updates, and insights for countries in the Middle East presented by the Carver Agents team

Welcome to Carver's Middle East Regulatory Updates for May 24, 2026.

The United States Department of the Treasury's Office of Foreign Assets Control, or OFAC, has reached a settlement agreement with Adani Enterprises Limited. The Indian conglomerate agreed to pay $275 million to resolve 32 apparent violations involving liquefied petroleum gas shipments linked to Iran. These shipments were processed through U.S. financial institutions. As part of the settlement, Adani Enterprises Limited will implement remedial measures and cooperate fully with the ongoing OFAC investigation.

In the United Arab Emirates, a critical cybersecurity vulnerability has been identified in the Drupal Date iCal module. The vulnerability, tracked as CVE-2026-8495, allows unauthorized access to sensitive data due to improper access control and input sanitization. This flaw enables anonymous attackers to access restricted information without authentication. Organizations using this module are advised to update to version 4.0.15 or later, as released by Drupal. The UAE Cyber Security Council recommends circulating this advisory to subsidiaries and partners and sharing any relevant findings.

Turning to sanctions enforcement, OFAC has designated the Iranian foreign currency exchange house Amin Exchange, along with its front companies and 19 vessels involved in Iranian petroleum and petrochemical shipments. These designations, made under Executive Order 13902, require U.S. persons to block and report any property and interests of the designated parties. Transactions involving these blocked persons are prohibited unless authorized or exempt.

Additionally, OFAC has expanded its Specially Designated Nationals, or SDN, List under Executive Order 13224 and Iran-related Executive Orders. Multiple individuals, entities, and vessels supporting Hamas and other designated groups have been added. Businesses are now required to screen transactions and counterparties against the updated SDN List, block or reject dealings with these designated parties, and update their compliance and sanctions screening systems accordingly.

Finally, the Seventy-ninth World Health Assembly provided a daily update on May 19, 2026, highlighting activities relevant to the United Arab Emirates and other member states. The report covers the 2025 calendar year, including the entry into force of the 2024 amendments to the International Health Regulations. It also notes ongoing negotiations on the Pathogen Access and Benefit Sharing Annex and extensions of standing recommendations for mpox and COVID-19. The update emphasizes progress in preparedness, response, and coordination among World Health Organization member states and partners.

That wraps up today's regulatory updates. Visit carveragents.ai for more information.