UAE organisations are building on a strong compliance foundation, but new research from Cohesity shows the next challenge lies in managing AI governance, vendor complexity, and socio-economic risks.
According to the findings, 66% of organisations remained fully compliant with UAE regulations over the past year. However, that also means around one-third still faced gaps or even disruptions in keeping up to date with local legislation changes. This provides a reminder that compliance is a constantly evolving requirement.
At the same time, compliance is only one part of business resilience. Meeting regulations is essential, but companies also need stronger detection and prevention before an attack, as well as rapid recovery afterwards, to reduce competitive risk in an environment shaped by AI adoption, vendor complexity, and socio-economic pressures.
- 70% of organisations say AI and automation will be most valuable in reducing third-party and multicloud risks.
- 62% now monitor compliance themselves across third-party data service providers – aware that taking a ‘data sovereignty-first’ approach is now essential.
- 87% are now confident they can recover data quickly and stay compliant in the event of a cyber incident.
However, while organisations are taking active steps to strengthen resilience, their biggest concerns are shifting. In 2024, nearly half (49%) ranked cyber risk as the top threat. In 2025, competition (34%) and economic uncertainty (32%) have overtaken cyber (31%), showing that broader business pressures are contesting cyber resilience priorities. At the same time, awareness of geopolitical instability and the risks to data and business security these cause is growing, with the realisation that international incidents can be as, if not more, disruptive than local challenges.
Johnny Karam, Managing Director & VP of International Emerging regions – India, Eastern Europe, Middle East, Turkey and Africa, said: “The UAE has established some of the most progressive data protection and sovereignty frameworks globally, from the Personal Data Protection Law to AI ethics guidelines and now the UAE Stargate initiative. Our research shows that while many organisations prioritize meeting these standards, security and compliance challenges remain. One in three still face compliance gaps, and businesses are under pressure to embed AI governance and manage growing vendor complexity.
“We are seeing a shift: organisations are beginning to take sovereignty into their own hands by monitoring third-party compliance directly and making governance part of daily practice. This approach is becoming even more critical as geopolitical instability and cross-border risks add new layers of pressure to already complex data security environments,” Johnny Karam added.
The report highlights a decisive shift from prevention-only strategies to resilience-first models. In 2024, nearly half of organisations cited cyber risk as their top concern. In 2025, cyber threats are seen as part of a broader risk landscape that also includes sustainability gaps (24%), talent shortages (23%), AI risks (22%), and geopolitical uncertainty (22%). This evolution reflects a more mature perspective: resilience is now about weathering economic, social, and digital challenges simultaneously, adding additional data security and compliance concerns.
The UAE has already adopted AI compliance processes broadly (91% in 2024). The focus has now moved to integration and continuous review. Seven in ten organisations now review their AI governance practices every six months or less, embedding governance into daily operations rather than treating it as an annual exercise. Legislation remains a trigger for review, but organisations increasingly rely on internal processes, signaling a shift from compliance-by-mandate to compliance-by-design.
“For customers across the region, data sovereignty and security are becoming nearly inseparable business priorities,” said Ali Ballout, Business Unit Manager, MDS Dubai. “Pan-regional enterprise organisations must be especially aware of the complex web of national data legislation environments that exist, while maintaining with the ability to classify and differentiate specific data which needs to remain within national borders. By working with Cohesity, we can offer our customers exactly that – a secure data repository that helps them comply with local regulations while maintaining the highest standards of cyber resilience.”
Organisations are also investing ahead of regulation. Many are mapping their data to confirm location, training staff on compliance, and deploying AI to automate governance tasks. Others are reducing reliance on offshore providers and investing in improved threat detection and prevention. Together, these actions show that sovereignty is being treated not as a regulatory burden, but as a strategic differentiator that builds customer trust and resilience in uncertain conditions.
Johnny Karam added, “Looking ahead, the real test for organisations in the UAE will be how quickly they can integrate AI tools in everyday data governance and sovereignty processes, to accelerate data insights and cyber resilience. The companies that succeed won’t just be compliant; they will set themselves apart as the most competitive on both a regional and global basis. At Cohesity, especially through our recently announced Cohesity Gaia-on premise solution, we see our role as enabling that transition, so businesses are prepared not only for the compliance and security requirements of today, but also opportunities of tomorrow.”
