UAE firms lead in data compliance, but AI governance and vendor risks loom large

While two-thirds of UAE organisations are fully compliant with national data protection laws, emerging challenges around AI governance, vendor complexity, and international regulations are reshaping the cybersecurity landscape, a study showed.

Released ahead of GITEX 2025, a new study by data security firm Cohesity highlights how UAE businesses are responding to some of the world’s most stringent data sovereignty laws. According to the findings, 66 per cent of organisations maintained full compliance with UAE regulations over the past year. However, one-third still faced gaps or disruptions, underscoring the evolving nature of regulatory demands.

“Security and compliance challenges remain,” said Johnny Karam, Managing Director & VP of International Emerging Regions at Cohesity. “One in three still face compliance gaps, and businesses are under pressure to embed AI governance and manage growing vendor complexity.”

The study, conducted by YouGov in August 2025 among 330 senior IT and business leaders across various sectors, shows a shift in how organisations approach governance. Seventy per cent now review AI compliance every six months or less, moving away from annual checklists to continuous oversight. This reflects a broader trend of embedding governance into daily operations.

AI and automation are increasingly seen as tools to mitigate third-party and multicloud risks, with 70 per cent of respondents citing them as key to resilience. Additionally, 62 per cent of organisations now directly monitor compliance across third-party data service providers, embracing a “data sovereignty-first” approach.

Sanjay Poonen (left) Johnny Karam

Cohesity CEO Sanjay Poonen emphasized the importance of resilience over mere recovery. “The real challenge is moving from simple data recovery to continuous resilience in an environment where cross-border threats and economic pressures converge,” he said. “UAE organisations are tackling this head-on by embedding AI governance and taking sovereignty into their own hands.”

The report also reveals a shift in perceived threats. While cyber risk topped the list in 2024, concerns in 2025 have broadened to include competition (34 per cent), economic uncertainty (32 per cent), sustainability gaps (24 per cent), and talent shortages (23 per cent). Cyber threats now rank third at 31 per cent, indicating a more holistic view of business resilience.

Ali Ballout, Business Unit Manager at MDS Dubai, noted that data sovereignty and security are becoming inseparable priorities. “Pan-regional enterprises must navigate complex national legislation while ensuring sensitive data remains within borders,” he said. “Working with Cohesity enables our clients to meet these demands while maintaining high standards of cyber resilience.”

The findings suggest that UAE organisations are not only adapting to local regulations but also preparing for stricter international compliance. Many are investing in AI-driven governance, staff training, and reducing reliance on offshore providers. This proactive stance positions data sovereignty as a strategic advantage rather than a regulatory burden.

Looking ahead, Karam believes the next frontier lies in integrating AI tools into everyday governance. “The companies that succeed won’t just be compliant,” he said. “They’ll be the most competitive — regionally and globally.”