UAE organisations are building on a strong compliance foundation, but new research from Cohesity shows the next challenge lies in managing AI governance, vendor complexity, and socio-economic risks.
The study was conducted ahead of GITEX 2025 and highlights how well organisations are responding to the country’s strict data protection and sovereignty laws, while preparing for a new era of AI-driven innovation. At the same time, it underlines that international legislation is equally critical, and many organisations may need stronger tools and guidance to ensure they are aligned not just locally but also fully compliant across international regulatory environments.
According to the findings, 66% of organisations remained fully compliant with UAE regulations over the past year. However, that also means around one-third still faced gaps or even disruptions in keeping up to date with local legislation changes. This provides a reminder that compliance is a constantly evolving requirement.
At the same time, compliance is only one part of business resilience. Meeting regulations is essential, but companies also need stronger detection and prevention before an attack, as well as rapid recovery afterwards, to reduce competitive risk in an environment shaped by AI adoption, vendor complexity, and socio-economic pressures.
- 70% of organisations say AI and automation will be most valuable in reducing third-party and multicloud risks.
- 62% now monitor compliance themselves across third-party data service providers – aware that taking a ‘data sovereignty-first’ approach is now essential.
- 87% are now confident they can recover data quickly and stay compliant in the event of a cyber incident.
However, while organisations are taking active steps to strengthen resilience, their biggest concerns are shifting. In 2024, nearly half (49%) ranked cyber risk as the top threat. In 2025, competition (34%) and economic uncertainty (32%) have overtaken cyber (31%), showing that broader business pressures are contesting cyber resilience priorities. At the same time, awareness of geopolitical instability and the risks to data and business security these cause is growing, with the realisation that international incidents can be as, if not more, disruptive than local challenges.
Johnny Karam, Managing Director & VP of International Emerging regions – India, Eastern Europe, Middle East, Turkey and Africa, said: “The UAE has established some of the most progressive data protection and sovereignty frameworks globally, from the Personal Data Protection Law to AI ethics guidelines and now the UAE Stargate initiative. Our research shows that while many organisations prioritize meeting these standards, security and compliance challenges remain. One in three still face compliance gaps, and businesses are under pressure to embed AI governance and manage growing vendor complexity.
“We are seeing a shift: organisations are beginning to take sovereignty into their own hands by monitoring third-party compliance directly and making governance part of daily practice. This approach is becoming even more critical as geopolitical instability and cross-border risks add new layers of pressure to already complex data security environments,” Johnny Karam added.
From compliance to resilience
The report highlights a decisive shift from prevention-only strategies to resilience-first models. In 2024, nearly half of organisations cited cyber risk as their top concern. In 2025, cyber threats are seen as part of a broader risk landscape that also includes sustainability gaps (24%), talent shortages (23%), AI risks (22%), and geopolitical uncertainty (22%). This evolution reflects a more mature perspective: resilience is now about weathering economic, social, and digital challenges simultaneously, adding additional data security and compliance concerns.
AI governance embedded into operations
The UAE has already adopted AI compliance processes broadly (91% in 2024). The focus has now moved to integration and continuous review. Seven in ten organisations now review their AI governance practices every six months or less, embedding governance into daily operations rather than treating it as an annual exercise. Legislation remains a trigger for review, but organisations increasingly rely on internal processes, signaling a shift from compliance-by-mandate to compliance-by-design.
The UAE is making impressive progress, but the reality is that full compliance is not universal; one in three organisations still face gaps or disruptions. ‘Commenting on this, ahead of his onstage appearance at GITEX discussing AI and Data Sovereignty, Sanjay Poonen, CEO and President at Cohesity, said: “That’s the real challenge: how to move from simple data recovery, post a cyber-attack incident or for local compliance purposes, to continuous resilience in an environment where cross-border cyber threats, economic pressures, and international compliance requirements are converging. What stands out is that many UAE organisations are tackling this head-on by embedding AI governance and taking sovereignty into their own hands. It’s not a finished story, but it is an important lesson for the rest of the world: resilience today is about combining innovation with accountability, and that’s what Cohesity is focused on delivering to all our customers globally.”
Preparing for stricter sovereignty rules
Organisations are also investing ahead of regulation. Many are mapping their data to confirm location, training staff on compliance, and deploying AI to automate governance tasks. Others are reducing reliance on offshore providers and investing in improved threat detection and prevention. Together, these actions show that sovereignty is being treated not as a regulatory burden, but as a strategic differentiator that builds customer trust and resilience in uncertain conditions.
“For customers across the region, data sovereignty and security are becoming nearly inseparable business priorities,” said Ali Ballout, Business Unit Manager, MDS Dubai. “Pan-regional enterprise organisations must be especially aware of the complex web of national data legislation environments that exist, while maintaining with the ability to classify and differentiate specific data which needs to remain within national borders. By working with Cohesity, we can offer our customers exactly that – a secure data repository that helps them comply with local regulations while maintaining the highest standards of cyber resilience.”
The findings confirm that UAE organisations are leading the global conversation on data sovereignty and AI governance. By embedding compliance into operations, taking direct responsibility for sovereignty, and building resilience through both technology and governance, they set a pragmatic and progressive standard for others to follow.
Johnny Karam added, “Looking ahead, the real test for organisations in the UAE will be how quickly they can integrate AI tools in everyday data governance and sovereignty processes, to accelerate data insights and cyber resilience. The companies that succeed won’t just be compliant; they will set themselves apart as the most competitive on both a regional and global basis. At Cohesity, especially through our recently announced Cohesity Gaia-on premise solution, we see our role as enabling that transition, so businesses are prepared not only for the compliance and security requirements of today, but also opportunities of tomorrow.”
