The Gulf Cooperation Council states are not typically the first jurisdictions that come to mind when operators map their AI compliance landscape. They should be. The UAE hosts the world's first Ministry of Artificial Intelligence, runs one of the most ambitious national AI strategies in existence, and has enacted data protection legislation with specific automated decision-making provisions that apply to AI agents. Saudi Arabia is developing AI regulations with the explicit intention of being competitive with the EU framework. For any operator with Gulf operations, Gulf clients, or Gulf data subjects, the regulatory picture is more developed than most compliance teams assume.
Key takeaways
- The UAE established the world's first Ministry of AI in 2017 and operates under the UAE National AI Strategy 2031, with overlapping federal and free-zone regulatory frameworks covering AI deployments.
- UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection includes automated decision-making notification and human review rights that apply to AI agents handling UAE residents' data.
- Operators in Dubai's DIFC and Abu Dhabi's ADGM are subject to distinct regulatory frameworks enforced by the DFSA and FSRA respectively, not the federal regime.
- Saudi Arabia's National Data Management Office has published AI governance guidelines with sector-specific requirements, and Saudi PDPL imposes fines up to SAR 5 million for automated processing violations.
- For EU operators expanding into Gulf markets, the EU AI Act remains the primary compliance burden. Gulf frameworks add data localisation requirements, automated decision-making disclosures, and sector-specific controls that must be layered on top.
Why Gulf AI governance matters for international operators
Three factors make Gulf AI governance relevant for a wider set of operators than those with physical Gulf operations. First, the extraterritorial scope of Gulf data protection laws. UAE Federal Decree-Law No. 45 of 2021 applies to any processing of personal data that targets UAE residents, whether the processing entity is located inside or outside the UAE. An operator in Germany running an AI agent that handles enquiries from UAE customers is processing UAE residents' personal data and is within scope. Second, the significant scale of Gulf enterprise contracts for European service providers. Companies operating in the Gulf rely heavily on European professional services, technology platforms, and SaaS tools; any of these that use AI agents to service Gulf clients may be processing data subject to Gulf regulatory requirements. Third, the Gulf's role as a significant AI infrastructure node. Major cloud providers, AI model providers, and data centres serving the Middle East and Africa region route significant AI traffic through Gulf jurisdictions.
Understanding the landscape does not require full compliance programme implementation for every operator with incidental Gulf exposure. It requires knowing which specific provisions apply to your AI deployment and whether those provisions create obligations that differ from what your EU AI Act programme already requires.
The UAE framework: federal and free-zone layers
The UAE's regulatory architecture for AI is multi-layered in a way that reflects the country's jurisdictional structure. The federal government, the Emirate of Dubai, the Emirate of Abu Dhabi, and the two major financial free zones (DIFC and ADGM) each exercise distinct regulatory authority, and these authorities overlap and sometimes conflict in practice.
At the federal level, the UAE Ministry of AI (established October 2017) coordinates national AI strategy and oversees the UAE National AI Strategy 2031, which targets the UAE becoming one of the world's leading AI-enabled economies by the end of the decade. The Ministry does not issue binding AI-specific regulations directly, but its frameworks inform procurement requirements, sector-specific guidance, and the government entities with which international operators must engage. The UAE AI Office, established under the ministry, has published AI ethics guidelines that have been adopted by government entities as procurement requirements.
The primary binding regulation relevant to AI agents at the federal level is UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which entered into force in January 2022 with implementing regulations published in 2023. The PDPL regulates the processing of personal data in the UAE and the processing of UAE residents' data outside the UAE when directed at UAE residents. Its provisions on automated processing are particularly relevant to AI agents.
Article 17 of the UAE PDPL addresses automated processing and individual rights. It requires that, where a decision that significantly affects an individual is made based solely on automated processing, the controller inform the individual that such a decision was made, provide the individual with meaningful information about the logic involved, and give the individual the right to request that the decision be reviewed by a human or to express their view. This provision applies to AI agents that make consequential individual-affecting decisions, including credit eligibility, pricing discrimination, service eligibility, and similar determinations. Operators must build disclosure mechanisms and human review pathways into their AI agent deployments to comply.
DIFC and ADGM: the free-zone regulatory distinction
The Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) are special economic zones with their own legal and regulatory systems, based on English common law rather than UAE civil law. Entities incorporated and operating within these zones are subject to the regulations of the DIFC Authority and the ADGM Financial Services Regulatory Authority (FSRA), not the federal UAE regulatory framework.
The DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) is closely modelled on the EU GDPR and contains extensive automated decision-making provisions in Chapter X. Unlike the federal PDPL, the DIFC law applies not just when an individual is significantly affected but more broadly to automated processing that produces legal or similarly significant effects. For international financial services and technology operators who operate through a DIFC entity, the DIFC data protection regime is the relevant framework, and its GDPR-like structure makes compliance more familiar to European teams than the federal framework.
The ADGM Data Protection Regulations 2021 similarly follow the GDPR model and are enforced by the ADGM Registration Authority. ADGM-incorporated entities running AI agents must comply with these regulations, including the automated decision-making rights provisions.
For operators with both DIFC/ADGM entities and operations outside those zones in the wider UAE, the two frameworks apply simultaneously in their respective domains. An AI agent deployed by a DIFC-registered financial institution to service clients both inside and outside the free zone may be subject to both the DIFC DPL (for clients engaging through the DIFC entity) and the federal PDPL (for clients outside the DIFC). Mapping the applicable regime for each processing activity is essential before deploying AI agents in this context.
Saudi Arabia: emerging regulatory structure
Saudi Arabia has published the Saudi AI Ethics Principles and the National AI Strategy (Vision 2030 AI component) through the Saudi Data and AI Authority (SDAIA), which was established in 2019 as the national authority for AI governance. SDAIA's governance framework includes the Personal Data Protection Law (PDPL, Royal Decree No. M/19, 2021, amended 2023), the AI Ethics Principles published in 2022, and sector-specific AI guidance for financial services, healthcare, and government.
The Saudi PDPL applies to processing of Saudi residents' personal data by entities inside or outside Saudi Arabia. Its provisions on automated decision-making require transparency about automated profiling and provide individuals with the right to object to automated processing in certain circumstances. Fines for violations reach SAR 5 million (approximately EUR 1.3 million) for administrative violations and higher for criminal violations involving intentional harm.
SDAIA has signalled its intention to develop binding sector-specific AI regulations beginning in 2025 and 2026. The financial services sector, regulated by the Saudi Central Bank (SAMA) and the Capital Market Authority (CMA), already has AI governance guidance requiring explainability for AI models used in credit and investment decisions. Healthcare AI governance is developed through the Saudi Food and Drug Authority (SFDA) for medical AI devices. International operators in these sectors should track sector regulator guidance alongside the SDAIA framework.
The most significant Saudi development for international operators is the draft National AI Governance Framework that SDAIA released for consultation in late 2025. The framework proposes a risk-tiered approach to AI regulation with mandatory impact assessments for high-risk applications in healthcare, financial services, employment, and critical infrastructure. The scope and penalty structure proposed closely tracks the EU AI Act framework, suggesting that SDAIA is deliberately designing for regulatory alignment that will facilitate Saudi operators seeking EU market access and vice versa.
Qatar and the QCSC framework
Qatar's AI governance framework is primarily channelled through the Qatar AI Committee (established under the Ministry of Communications and Information Technology) and the Qatar Financial Centre (QFC) regulatory framework for entities in that free zone. Qatar's Personal Data Protection Law, Law No. 13 of 2016, provides the primary binding data protection framework, though it predates most contemporary AI deployment patterns and its AI-specific provisions are less developed than the UAE PDPL.
The Qatar National AI Strategy, endorsed in 2019 and updated as part of the Qatar National Vision 2030 digital transformation agenda, focuses heavily on government AI deployment, smart city applications, and the National Artificial Intelligence Initiative. For private sector operators, the QCSC (Qatar Computer Emergency Response Team) has published cybersecurity standards that apply to AI systems in critical infrastructure. Financial services firms in the QFC are subject to the QFC Regulatory Authority's guidance on technology risk and algorithmic systems, which addresses AI agent accountability requirements.
Qatar has initiated discussions with the EU on digital governance alignment, which may in future produce a mutual recognition arrangement for AI standards. For now, EU operators deploying AI agents that interact with Qatari data subjects should focus on the automated decision-making and data subject rights provisions of the Law No. 13 framework, which provide the most relevant binding obligations for AI agent deployments.
Cross-border implications: data localisation and transfer restrictions
All three major Gulf frameworks include data localisation provisions that create specific compliance requirements for AI agent deployments. UAE PDPL Article 22 restricts cross-border transfers of personal data to jurisdictions that do not provide adequate protection, with a procedure for obtaining approval from the UAE Data Office for transfers to non-approved destinations. Saudi Arabia's PDPL similarly restricts cross-border transfers and requires a privacy impact assessment for transfers to non-approved destinations. The EU and its member states are not yet on either country's formal adequacy list, meaning that transfers from the Gulf to EU processors require specific legal mechanisms.
For international operators using EU-based cloud or AI infrastructure to process Gulf data, this creates a practical compliance question: is the data of Gulf residents being transferred to EU infrastructure in a way that requires an adequacy finding, standard contractual clauses, or another approved transfer mechanism under the applicable Gulf framework? Most operators have not mapped this question comprehensively, because Gulf data protection enforcement has historically been less active than EU enforcement. That risk profile is changing as both the UAE and Saudi Arabia have established active supervisory authorities with growing enforcement capacity.
AI agent deployments that process Gulf residents' personal data, whether through a customer-facing chatbot, an email processing system, or an automated analysis tool, should map the data flows between the Gulf jurisdiction and the operator's processing infrastructure, and identify the transfer mechanism that applies to each flow.
What operators should prepare for 2026 and 2027
The Gulf AI governance landscape is in active development. Saudi Arabia's binding sector-specific AI regulations are expected to start entering into force in 2026 and 2027, beginning with financial services and healthcare. The implementing regulations for the UAE's federal data protection framework are being updated to provide more specific AI guidance. DIFC and ADGM are both monitoring EU AI Act developments and have indicated that their frameworks will evolve to maintain alignment.
For international operators, there are four practical preparation steps. First, map which Gulf jurisdictions your AI agent deployments are exposed to, based on where your data subjects are located, where your operational entities are incorporated, and where your processing infrastructure sits. Second, review the automated decision-making provisions of the applicable framework and confirm that your AI agents meet the disclosure and human review requirements. Third, map your cross-border data flows for Gulf data and confirm that transfer mechanisms are in place. Fourth, monitor SDAIA and UAE Data Office publications for updated guidance on AI-specific obligations as sector-specific frameworks develop.
For operators already maintaining EU AI Act compliance programmes, the Gulf frameworks add incremental requirements rather than an entirely different compliance architecture. The EU AI Act covers the most demanding end of the compliance spectrum. Gulf frameworks add localisation requirements, sector-specific controls, and automated decision-making notifications that can be layered onto an existing AI governance programme without fundamental restructuring. For the broader global comparison, the US, EU, and UK three-framework comparison provides context on where Gulf frameworks sit relative to the most developed global AI governance regimes. For the EU regulatory framework that remains the baseline for operators with European exposure, see the detailed analysis on EU AI Act Article 26 deployer obligations.
Frequently asked questions
Does the UAE have specific AI regulations for operators?
Yes. The UAE operates under several overlapping frameworks. The UAE National AI Strategy 2031 sets national objectives. Federal Decree-Law No. 45 of 2021 on Personal Data Protection regulates automated processing of personal data. Within the UAE, the DIFC and ADGM maintain their own data protection and financial services AI regulations, which are distinct from the federal framework. Entities operating in these free zones are subject to the DIFC or ADGM regulatory regime rather than the federal regime.
What is the Dubai AI Regulation and who does it apply to?
Dubai's Executive Council has issued the Dubai Ethical AI Principles and the Dubai AI Governance Roadmap. Dubai government entities and their AI deployments are subject to the Dubai Digital Authority's AI governance framework, which includes impact assessment requirements and mandatory human oversight for high-risk applications in government services. Private sector operators who supply AI services to Dubai government entities must comply with procurement-level AI requirements. The framework is advisory for most private sector entities but mandatory for government contractors and entities in regulated sectors.
How does UAE data protection law apply to AI agents?
Federal Decree-Law No. 45 of 2021 applies to processing of UAE residents' personal data inside and outside the UAE. Article 17 requires that individuals be informed when a significant decision about them is made based solely on automated processing, and grants them the right to request human review. AI agents making individual-affecting decisions must include disclosure and review-right mechanisms. Cross-border data transfers are regulated under Article 22.
Are there penalties for non-compliance with Gulf AI regulations?
Yes. UAE Federal Decree-Law No. 45 of 2021 provides for fines up to AED 20 million for serious violations. Saudi Arabia's PDPL imposes fines up to SAR 5 million for violations including unlawful automated processing. Qatar's personal data law provides for financial penalties and, in serious cases, criminal sanctions. DIFC and ADGM entities are subject to the enforcement powers of the DFSA and FSRA respectively.
How do Gulf AI governance frameworks compare to the EU AI Act?
Gulf AI frameworks are currently less prescriptive than the EU AI Act. The EU AI Act imposes mandatory conformity assessments, detailed documentation requirements, and technical obligations for high-risk AI systems with penalties up to EUR 35 million or 7% of global turnover. Gulf frameworks focus more on principles, national strategy objectives, and data protection provisions as the primary binding layer. Saudi Arabia's developing framework is closest to the EU approach in its risk-tiered ambition. For EU operators in Gulf markets, the EU AI Act remains the primary compliance burden; Gulf frameworks add localisation requirements and automated decision-making notifications.
References
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), in force January 2022, implementing regulations 2023.
- DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020), administered by the DIFC Commissioner of Data Protection.
- ADGM Data Protection Regulations 2021, administered by the ADGM Registration Authority.
- Saudi Arabia Personal Data Protection Law, Royal Decree No. M/19, 2021, amended 2023, administered by SDAIA.
- SDAIA, AI Ethics Principles for the Kingdom of Saudi Arabia, 2022.
- Qatar Personal Data Protection Law No. 13 of 2016.
- UAE National AI Strategy 2031, UAE Ministry of AI, updated 2022.
- Regulation (EU) 2024/1689 (EU AI Act), for comparison with Gulf frameworks.