Middle East AI Compliance Just Got Real: What Professional Services Firms Must Do Now

Compliance 4 June 2026 6 min read

For years, AI governance across the Gulf read like a collection of well-intentioned ambitions — national strategies, voluntary charters, aspirational frameworks. That era is over. Across the UAE, Saudi Arabia, Qatar, Bahrain, Kuwait, and Oman, regulators have moved decisively from guidance to enforcement, from principles to penalties. For UK professional services firms with Middle Eastern clients, operations, or data flows, the compliance question is no longer theoretical. It is urgent.

From Aspirational to Binding: The Shift You Cannot Ignore

The Middle East AI regulatory landscape has not produced a single, sweeping horizontal AI Act in the style of the EU. Instead, it has developed something arguably more complex: a multi-layered regime built through hardening data protection laws, sector-specific mandates, and jurisdiction-specific AI rules that interact in ways that demand careful navigation.

The clearest signal of this shift came in January 2026, when the Dubai International Financial Centre's Regulation 10 reached full enforcement. This is the first AI-specific regulation in the region, and it imposes concrete duties on organisations deploying autonomous and semi-autonomous systems within the DIFC. One month later, the UAE Central Bank issued mandatory AI and machine learning guidance for all licensed financial institutions. These are not recommendations. They are requirements with regulatory teeth.

Saudi Arabia's trajectory tells a similar story. The Personal Data Protection Law (PDPL) became fully enforceable in September 2024 following the close of its grace period, and the Saudi Data & AI Authority (SDAIA) has wasted no time. Between 2025 and 2026, SDAIA issued 48 enforcement decisions targeting PDPL violations. Fines reach up to SAR 5 million, and intentional breaches involving sensitive data carry the prospect of imprisonment. The Kingdom has also declared 2026 its "Year of AI" and introduced a draft Global AI Hub Law, creating a novel jurisdictional framework through which foreign entities can deploy AI via Private, Extended, and Virtual Hub structures — a development with significant implications for cross-border service delivery.

Elsewhere across the Gulf: Qatar's Central Bank enacted mandatory AI guidelines in September 2024; Kuwait's Data Privacy Regulation became fully enforceable in February 2025; Oman's National AI Policy took effect in April 2025. Bahrain is advancing a 38-article AI Regulation Law that includes criminal penalties of up to three years' imprisonment for non-compliance. The direction of travel is consistent, and it is accelerating.

What This Means for Accountants, Solicitors, and Consultancies

Professional services firms tend to underestimate their regulatory exposure in this context. If your firm uses AI-powered tools to process client data — for document review, financial analysis, HR screening, marketing automation, or any similar purpose — and any of that data relates to individuals in the Gulf region, you are within scope of these frameworks.

The DIFC Commissioner of Data Protection has already issued active enforcement decisions. Qatar's non-compliance regime includes fines ranging from QAR 1 million to QAR 5 million for failures such as not conducting mandatory impact assessments. These are not hypothetical risks. They are live enforcement environments.

The Four Operational Shifts Required Right Now

1. Conduct Mandatory Audits and Data Protection Impact Assessments

Under the various Gulf data protection frameworks, any AI tool processing personal data requires a formal Data Protection Impact Assessment (DPIA). You must also maintain detailed Records of Processing Activities (RoPA) covering every AI system in use. For many professional services firms, this means building documentation that almost certainly does not yet exist to the standard these regulators require. Start with your highest-risk tools — anything touching client financial data, employment records, or health information — and work outward.

2. Appoint the Right Governance Roles

Depending on the jurisdiction in which you are operating, your obligations around governance roles will differ. Saudi Arabia's PDPL and Kuwait's framework require the appointment of a localised Data Protection Officer. DIFC Regulation 10 introduces a distinct role: the Autonomous Systems Officer (ASO), responsible for overseeing high-risk AI deployments. These are not paper appointments. Regulators are examining whether these individuals have genuine authority and competence. If your current DPO has no specific AI governance training, that gap needs addressing now.

3. Overhaul Your Vendor Contracts for Cross-Border Data Transfers

Most professional services firms in the UK rely on global AI platforms — cloud-based tools, large language model APIs, automated workflow systems. The moment those tools process data relating to Gulf-region individuals and transfer it offshore, you need legally compliant data transfer mechanisms in place. For Saudi Arabia, that means Standard Contractual Clauses reviewed and approved by SDAIA. Each jurisdiction has its own requirements. Generic GDPR-era data processing agreements are unlikely to be sufficient. Conduct a full audit of your AI vendor contracts and update them to meet the specific transfer mechanisms each regulator requires.

4. Take "Soft Law Hardening" Seriously

Across the Gulf, voluntary ethical AI guidelines are quietly becoming de facto mandatory prerequisites. Adherence to recognised ethical frameworks and certifications, ISO 42001 being the most significant example, is increasingly required to participate in government procurement and public tenders. If your firm operates in, or is looking to grow within, Gulf markets, obtaining ISO 42001 certification is no longer a differentiator. For certain clients and contracts, it is becoming a threshold requirement. Build this into your medium-term compliance roadmap now rather than scrambling to qualify for a contract you cannot afford to lose.

The Broader Pattern: Enforcement Is Ahead of Awareness

The common thread running through every jurisdiction covered here is that enforcement activity has outpaced the compliance readiness of most foreign-headquartered firms. SDAIA's 48 enforcement decisions demonstrate that regulators are not waiting for the legal framework to feel fully settled before they act. They are using the tools already available to them — data protection law, sector mandates, algorithmic safeguards — and applying them with increasing confidence.

For UK professional services firms, the risk calculation has changed. Operating in or serving Gulf markets while deploying AI tools without a structured compliance programme is now a material business risk, not an administrative oversight. Reputational damage, contractual disqualification, regulatory fines, and — in extreme cases — personal criminal liability for executives are all live outcomes in this landscape.

Next Steps: Do Not Wait for Certainty

The Middle East's AI regulatory environment will continue to evolve rapidly. Bahrain's criminal penalties framework has not yet passed. Saudi Arabia's Global AI Hub Law is still in draft. But waiting for finality is the wrong strategy. The infrastructure you build now — documented impact assessments, qualified governance appointments, compliant vendor contracts, recognised certifications — will serve you regardless of how the final legislative details settle.


At Ops Intel, we help UK professional services firms map their AI compliance exposure across international jurisdictions, identify critical gaps, and build the governance structures that regulators are actively looking for.

If your firm uses AI tools and operates in, or serves clients across, Gulf markets, now is the time to act. Contact Ops Intel today to arrange a compliance gap assessment and understand exactly where your exposure lies.
