Layer 05 · Governance and Sentinel

Six Gulf data laws. Six enforcement bodies. Your AI Council needs a charter, not a deck.

Saudi PDPL (enforced by SDAIA) is the most active: 48 enforcement decisions issued by mid-January 2026, fines up to SAR 5 million. UAE, Qatar, Bahrain, Kuwait, and Oman each operate under their own laws with their own authorities. Generic ISO 42001 advice does not cover any of them.

Request a regulatory readiness assessment
48 · SDAIA enforcement decisions in Saudi Arabia by mid-January 2026 (Saudi PDPL only)
SAR 5M · Maximum fine for a first violation under Saudi PDPL
SAR 15M · Repeat-offense ceiling under Saudi PDPL; criminal liability possible
6 · Separate Gulf data laws: Saudi, UAE, Qatar, Bahrain, Kuwait, Oman. No unified GCC framework. Six authorities. Six rulebooks.

Start here

Regulatory Posture Scan

One week. Founder-led. By appointment. Sponsored for qualified accounts.

You get a written read on your data-protection posture across each Gulf jurisdiction you operate in: where you are exposed, where you are aligned, and what the next ninety days require.

Request a Regulatory Posture Scan
Layer 05 Offerings

You stop guessing where you stand. In each jurisdiction.

Regulatory Readiness Sprint

Six to eight weeks · Fixed scope · Fixed fee

A structured gap analysis against the data laws in each Gulf jurisdiction where you operate. Delivered with a remediation roadmap in Arabic and English.

  • Article-level gap analysis for each jurisdiction: Saudi PDPL (SDAIA), UAE Federal Decree-Law 45/2021, Qatar Law 13/2016, Bahrain PDPL 2018, Kuwait CITRA/CMA frameworks, Oman PDPL Royal Decree 6/2022
  • DPO trigger thresholds compared across jurisdictions (each is different)
  • Cross-border transfer documentation per applicable framework
  • Breach notification workflow per jurisdiction (notification windows differ by authority; Saudi PDPL's is 72 hours)
  • Prioritized remediation roadmap in Arabic and English
Request assessment

ISO/IEC 42001 Alignment

Eight to twelve weeks · Ongoing advisory

Build an AI Management System aligned to ISO/IEC 42001 and NIST AI RMF 1.0. Certification is not yet mandated in the GCC, but it is expected to become a procurement requirement; building alignment now positions you ahead of that.

  • AI policy and risk registry development
  • NIST AI RMF mapping (Govern, Map, Measure, Manage)
  • Third-party AI vendor due diligence framework
  • Incident response and audit readiness preparation
Learn more

AI Council Charter and Sentinel Cadence

Ongoing subscription · Quarterly advisory sessions

Establish your AI Council with a charter and decision rights framework. The Sentinel cadence turns governance into early-warning competitive intelligence.

  • AI Council charter with clear mandate and escalation paths
  • Quarterly Sentinel briefings: enforcement trends, peer incidents, regulatory shifts
  • Annual sovereign-stack and PDPL posture review
  • Governance reframed as competitive intelligence, not compliance overhead
Enquire
The Sentinel Posture

Governance is not compliance overhead. It is an early-warning competitive system.

Most organizations treat AI governance as a cost to minimize. The Sentinel posture is NYMM's reframing of governance: not compliance overhead, but the layer of the organization that sees risks and opportunities before anyone else does.

An organization with a functioning Sentinel layer tracks regulatory shifts across each jurisdiction it operates in: SDAIA decisions in Saudi, UAE Data Office activity, Qatar CRA moves, Bahrain PDPA and Oman PDPL signals. It knows about peer regulatory incidents and sovereign-stack shifts before competitors know they should care. That is a structural advantage, not a compliance checkbox.

Jurisdictions covered

Saudi PDPL (SDAIA) · UAE Federal Decree-Law No. 45 (UAE Data Office) plus ADGM and DIFC · Qatar Law No. 13 of 2016 (CRA) · Bahrain PDPL (PDPA) · Kuwait (CITRA / CMA) · Oman PDPL Royal Decree 6/2022

Standards Coverage

ISO/IEC 42001:2023 (AI Management Systems) · NIST AI RMF 1.0 · Dubai AI Seal certification (Dubai Department of Economy and Tourism) · SDAIA National AI Ethics Principles

NYMM Pricing Posture

We do not undercut the global firms on Layer 05. Cheap data-protection advisory implies cheap insurance. Our day rates on governance work are positioned at market or above. The differentiation is speed, Arabic fluency, multi-jurisdictional coverage, and founder accountability, not price.

Questions

What boards ask before they engage.

Does Saudi PDPL apply to us if we are headquartered outside the Kingdom?

Yes. Saudi PDPL applies to any organization that processes the personal data of Saudi residents, regardless of where the organization is headquartered. If you have Saudi customers, partners, or employees whose data you process, PDPL obligations attach. The cross-border transfer restrictions under Article 29 are particularly relevant for organizations with data flowing outside the Kingdom.

What does the Regulatory Readiness Sprint deliver?

A jurisdiction-by-jurisdiction gap analysis mapped to the specific law and authority of each country where you operate (Saudi PDPL articles for SDAIA, UAE Federal Decree-Law 45 obligations for the UAE Data Office, Qatar Law 13/2016 for the CRA, Bahrain PDPL 2018 for the PDPA, and so on). Outputs: a remediation roadmap with prioritized actions (quick wins vs. structural changes), a DPO assessment for each applicable jurisdiction (the thresholds differ), a cross-border transfer register, and a breach notification workflow tuned to each authority's window. Everything is delivered in Arabic and English. The Sprint is advisory; implementation decisions remain with your legal and IT teams. We do not file documentation on your behalf.

Is ISO/IEC 42001 certification mandatory in the GCC?

Not yet. But the Dubai AI Seal (issued by Dubai's Department of Economy and Tourism) is already used as a procurement signal by government entities, and ISO/IEC 42001 alignment is expected to become a requirement for AI-using suppliers to government and regulated-sector clients across the GCC within 18 to 36 months. Organizations building alignment now will not be scrambling when it does.

Do you work alongside our existing legal counsel?

Yes. We co-advise with legal counsel where clients have existing relationships. NYMM provides the technical and strategic advisory layer (data flows, AI system architecture, governance design, organizational behavior). Legal counsel provides the regulatory interpretation and formal legal opinions for each specific jurisdiction (Saudi PDPL, UAE federal law, Qatar Law 13/2016, etc.). We do not provide legal advice.

Six Gulf data laws. Six authorities. Your AI Council needs a charter, not a PowerPoint.

Start with a Regulatory Readiness assessment. Six to eight weeks. Fixed scope. Founder-led.