← Insights / Compliance

Middle East AI Compliance 2025: UAE's Cabinet-Level AI System and Saudi Arabia's Data Protection Enforcement

The Middle East is no longer a secondary consideration in global AI compliance planning. With Saudi Arabia's Personal Data Protection Law now fully enforced, the UAE preparing to seat an AI system as an advisory member of its Cabinet, and Qatar mandating AI governance across its financial sector, th

Compliance 4 July 2026 6 min read

Middle East AI Compliance 2025: What UAE's Cabinet-Level AI and Saudi Arabia's Data Law Mean for Your Business

The Middle East is no longer a secondary consideration in global AI compliance planning. With Saudi Arabia's Personal Data Protection Law now fully enforced, the UAE preparing to seat an AI system as an advisory member of its Cabinet, and Qatar mandating AI governance across its financial sector, the region has moved decisively from aspiration to obligation. For international professional services firms and global enterprises operating across multiple jurisdictions, the compliance picture in the Gulf has become considerably more complex — and considerably more consequential.

The UAE's Regulatory Architecture: Fragmented but Fast-Moving

The UAE does not yet have a single, comprehensive AI law. What it has instead is an evolving architecture of strategic frameworks, ethical guidelines, and sector-specific rules, coordinated across multiple regulatory bodies at both federal and emirate level.

The UAE National Strategy for Artificial Intelligence 2031, updated in 2023, sets the overarching direction. Sitting beneath it, the June 2024 Charter for the Development and Use of Artificial Intelligence establishes 12 ethical principles — covering data privacy, transparency, human oversight, and accountability — though it remains non-binding. The UAE has also aligned itself with UNESCO's AI Ethics Recommendation and adopted ISO/IEC 42001:2023, the first international AI management system standard, signalling that international benchmarks are being taken seriously.

At emirate level, Abu Dhabi's Artificial Intelligence and Advanced Technology Council (AIATC), formally established in January 2024, now regulates AI projects, research, and investment within the emirate. Dubai, meanwhile, has introduced the Dubai AI Seal — a verification mechanism for trusted AI providers — and the Dubai Health Authority has issued a mandatory AI policy for healthcare settings, requiring patient safety protocols, transparency, and human oversight.

The headline development, however, is what comes next. In April 2025, the UAE announced it would deploy an AI-supported Regulatory Intelligence Office to assist in drafting new legislation — potentially including AI regulations drafted with AI input. More significantly still, from January 2026, the UAE will adopt a National Artificial Intelligence System as an advisory member of its Cabinet and federal entities. This is a global first, and it signals the depth of institutional commitment to AI integration at the highest levels of government.

For businesses, the practical implication is this: the UAE's regulatory environment is not waiting for a single consolidated law before it begins to bite. Sector-specific obligations are already live, ethical frameworks are hardening, and the infrastructure for more formal regulation is being built at pace.

Saudi Arabia's PDPL: Enforcement Is Real, Fines Are Significant

Saudi Arabia's Personal Data Protection Law came into full effect on 14 September 2024, and the compliance window has closed. Enforced by the Saudi Data & Artificial Intelligence Authority (SDAIA), the PDPL governs how personal data is collected, handled, processed, and shared — with direct implications for any AI system that relies on personal data to function, which is to say most of them.

The requirements are substantive. Organisations must obtain explicit consent for data processing, respect data subject rights including access, correction, and deletion, conduct Data Protection Impact Assessments for high-risk processing activities, and comply with strict conditions governing cross-border data transfers. Non-compliance carries fines of up to SAR 5 million.

SDAIA has also issued a suite of supplementary instruments: AI Ethics Principles updated in 2025, Generative AI Guidelines published in 2024, and an AI Adoption Framework from September 2024 that provides sector-wide guidance on responsible AI deployment. Saudi Arabia has designated 2026 as the Year of AI and is actively developing a dedicated AI law, with SDAIA working alongside the OECD through the AI Policy and Incident Observatory for the Middle East, launched in September 2024.

For international organisations, the PDPL's cross-border transfer provisions deserve particular attention. Businesses that process Saudi personal data as part of AI workflows — whether in model training, inference, or analytics — must now assess whether their data flows comply with the law's conditions. The assumption that data protection obligations only apply when a company is physically present in a jurisdiction is no longer tenable.

Qatar's Financial Sector Mandate

Qatar's AI compliance framework is largely sector-specific, but the Qatar Central Bank's AI Guidelines — which became mandatory for all licensed financial institutions in September 2024 — represent a firm regulatory commitment in one of the region's most significant sectors. Financial institutions operating in or with Qatar are now required to implement a formal AI strategy, establish AI governance structures, and demonstrate oversight mechanisms. For global banks, insurers, and financial services firms with regional operations or correspondent relationships, this is an active obligation, not a future consideration.

What This Means for International Businesses

The collective direction of travel across the Gulf is clear: voluntary principles are giving way to enforceable requirements, and the pace of change is accelerating rather than stabilising.

Several cross-cutting implications apply to international organisations regardless of their primary jurisdiction.

Multi-jurisdictional data mapping is essential. The Saudi PDPL, the UAE's sector-specific frameworks, and Qatar's financial sector rules all impose data governance requirements that interact with GDPR, DIFC, and ADGM data protection regimes. Organisations need to understand where personal data flows within their AI systems and which regulatory obligations attach to each flow.

AI governance documentation must be jurisdiction-aware. A single global AI policy is unlikely to satisfy regulators in Riyadh, Abu Dhabi, and Doha simultaneously. Governance frameworks need to be modular enough to demonstrate compliance with local requirements, including DPIAs, ethics documentation, and human oversight mechanisms.

ISO/IEC 42001 is becoming a baseline expectation. The UAE's alignment with the standard, combined with its use in international AI governance discussions more broadly, means that organisations without an AI management system aligned to 42001 will find it increasingly difficult to demonstrate credible governance to clients, regulators, and partners in the region.

The window for reactive compliance is narrowing. With enforcement already live in Saudi Arabia and mandatory requirements in place in Qatar's financial sector, organisations that have not yet conducted a Gulf-specific AI compliance review are operating with unquantified risk.

The Compliance Challenge Ahead

The Middle East's AI regulatory landscape will not simplify over the next 12 to 24 months. Saudi Arabia's dedicated AI law is in development. The UAE's Regulatory Intelligence Office will begin producing new legislation. Qatar's sector-specific rules are likely to expand. Organisations that treat Gulf compliance as a future consideration are likely to find themselves managing reactive remediation rather than structured governance.

The businesses best positioned to operate in this environment will be those that have mapped their obligations now, built adaptable governance frameworks, and established clear lines of accountability for AI compliance across jurisdictions.


Ops Intel helps international businesses navigate AI compliance obligations across multiple jurisdictions, including the UAE, Saudi Arabia, Qatar, and beyond. Whether you need a gap analysis against the PDPL, an ISO/IEC 42001 readiness assessment, or a cross-jurisdictional AI governance framework, our team works with you to build compliance that holds up under scrutiny. Get in touch with Ops Intel to discuss your compliance position.

Work with Ops Intel

Need help navigating AI compliance?

We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.

Call Now Claim Your Free Audit