AI Compliance in the Middle East: UAE, Saudi Arabia, and Qatar
Gulf countries are racing to adopt AI — and building their own governance frameworks to do so safely. The UAE, Saudi Arabia, and Qatar each have distinct regulatory approaches. Here is what companies operating in the region need to know.
UAE — The most developed AI governance framework in the Gulf
The UAE has the most comprehensive AI governance infrastructure in the region. The country appointed the world's first Minister of State for Artificial Intelligence in 2017 and has systematically built out its regulatory framework since then.
UAE AI Governance Framework (DGOV)
The Dubai Data & Statistics Establishment (DDSE) and the Digital Government Authority (TDRA) have jointly published the UAE AI Governance Framework, a mandatory framework for government entities and guidance (with compliance pressure) for private companies operating in the UAE. The framework covers:
- AI lifecycle governance: Requirements for AI development, deployment, and decommissioning
- Risk classification: A tiered system (critical, high, medium, low risk) similar to but not identical to the EU AI Act
- Transparency: Disclosure requirements for government AI use affecting individuals
- Accountability: Designated AI responsibility officers in government entities
- Data governance: Requirements for data used in government AI, coordinated with UAE personal data law
UAE Personal Data Protection Law (PDPL)
Federal Decree-Law No. 45 of 2021 — the UAE's first comprehensive data protection law — came into full effect in 2022. It applies to any organization processing personal data in the UAE or about UAE residents. Key provisions affecting AI:
- Legal basis required for processing personal data (consent, contract, legal obligation, legitimate interest)
- Restrictions on processing sensitive data (health, biometrics, financial data) — explicit consent required
- Data subject rights: access, correction, deletion
- Data localization options for certain sensitive categories
- No automated decision-making restrictions equivalent to GDPR Article 22 yet — but the regulatory body has indicated this is under consideration
Dubai DIFC and Abu Dhabi ADGM — Separate frameworks
The Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) are free zones with their own legal systems based on common law. They have their own data protection laws (DIFC DP Law 2020, ADGM DP Regulations 2021) which are similar to GDPR and may apply to AI processing within those zones. Companies operating in DIFC or ADGM face these laws, not the federal PDPL.
Saudi Arabia — AI strategy with emerging governance
Saudi Arabia is investing heavily in AI as part of Vision 2030. The Saudi Data and AI Authority (SDAIA) governs both data protection and AI at the national level — an unusual combination that positions AI governance as central to national strategy.
SDAIA AI Ethics Principles
Saudi Arabia published AI Ethics Principles in 2022 through SDAIA. These are principles-based guidance rather than hard law, covering: transparency, fairness, privacy, safety, reliability, human oversight, and accountability. Companies operating in Saudi Arabia should align their AI governance with these principles.
PDPL — Personal Data Protection Law
Saudi Arabia's PDPL (effective September 2023) covers personal data processing in Saudi Arabia. Key AI implications:
- Explicit consent required for sensitive data including health information and biometrics
- Data localization requirements — certain sensitive data categories must be stored in Saudi Arabia
- Restrictions on cross-border data transfers
- Automated decision-making: individuals must be informed if a fully automated decision is made about them with significant effects
Cloud and data localization
Saudi Arabia has strict requirements about certain data categories being stored locally. For AI companies using cloud infrastructure, this may require deploying in-country infrastructure or using a Saudi-region cloud provider (AWS, Azure, and Google Cloud all have Saudi Arabia regions).
Qatar — Building towards AI governance
Qatar is in an earlier stage of formal AI regulation compared to UAE and Saudi Arabia. The Qatar Centre for Artificial Intelligence (QCAI) is the primary body coordinating AI policy. The country has published national AI strategy documents but has not yet passed comprehensive AI-specific legislation.
Qatar Personal Data Protection Law
Qatar Law No. 13 of 2016 on Privacy and Protection of Personal Data applies to personal data processing in Qatar. It is an older law that does not have specific AI provisions, but its data processing requirements apply to AI systems that process personal data of Qatari residents.
Practical compliance for companies operating in the Gulf
| Requirement | UAE | Saudi Arabia | Qatar |
|---|---|---|---|
| Data protection law | ✓ PDPL 2021 | ✓ PDPL 2023 | ✓ Law 13/2016 |
| AI-specific law | Framework (govt) | Ethics Principles | Strategy only |
| Data localization | Limited | Yes (sensitive) | Limited |
| Automated decision disclosure | Emerging | ✓ Required | Not specified |
| Biometric data restrictions | ✓ Sensitive category | ✓ Explicit consent | ✓ Restricted |
| Cross-border transfer rules | ✓ Adequate protection | ✓ Restricted | ✓ Limited |
What to do if you operate AI in the Gulf
- Map your data flows. Identify what personal data from UAE, Saudi Arabia, and Qatar residents your AI processes and where it is stored.
- Check data localization requirements. Saudi Arabia in particular has requirements for certain sensitive data to remain in-country. Verify your cloud infrastructure has local options.
- Update privacy notices. Ensure your privacy policy covers all three jurisdictions and their specific disclosure requirements.
- Review biometric data use. All three countries restrict biometric data processing. If you use facial recognition or other biometrics, explicit consent and potentially additional approvals are required.
- Monitor for new legislation. All three countries are developing more comprehensive AI regulation. The Gulf is fast-moving — what is guidance today may be law in 12 months.
Check your Middle East compliance requirements
ComplianceIQ covers UAE, Saudi Arabia, and Qatar alongside 105+ other jurisdictions. See exactly what applies to your AI systems in the Gulf.
Check Gulf compliance requirements →