Research shows UAE organizations shifting to a data sovereignty-first model

In advance of GITEX GLOBAL 2025, Cohesity has unveiled new research showing that while UAE organisations are making strong progress on compliance with national data protection rules, the next frontier will be embedding AI governance and managing growing vendor complexity.

The research, sponsored by Cohesity and conducted by YouGov in August 2025 among 330 senior IT and business decision-makers in the UAE, reveals both strengths and emerging challenges. On the one hand, two-thirds of organisations (66%) report full compliance with the UAE’s strict data protection and sovereignty laws—demonstrating alignment with some of the world’s most stringent frameworks. But the findings also confirm what progressive organizations have known all along—compliance alone is not enough to guarantee resilience.

From compliance to resilience

In 2024, nearly half of the UAE organisations surveyed (49%) ranked cyber risk as their top concern. But in 2025, the picture has broadened: Competition (34%) and economic uncertainty (32%) now outrank cyber risk (31%) as the top concern reported by UAE organizations. This shift shows that resilience is being tested by digital threats and also by socioeconomic and geopolitical instability.

UAE organisations are responding. Eighty-seven percent of surveyed respondents say they are confident in their ability to recover data quickly and remain compliant during a cyber incident. More than 70% say they believe AI and automation will be most valuable in reducing risks tied to multicloud and third-party providers. This signals a move away from prevention-only approaches towards resilience-first models, where recovery and continuity matter just as much as defence.

AI governance moves from adoption to integration

Organizations in the UAE have been at the forefront of adopting AI governance. In 2024, 91% of surveyed organisations said they had implemented AI compliance processes. This year, the focus increased: 70% say they now review AI governance practices every six months or less, embedding compliance into operational routines rather than treating it as an annual exercise.

Legislation is still a trigger. In 2025, 60% of respondents say that they update reviews when UAE laws change, and 55% review when global laws are updated. But organisations are increasingly relying on internal processes. That shift from compliance-by-mandate to compliance-by-design reflects a market continuing to mature in its approach to AI governance.

2025: Taking data sovereignty into their own hands

According to the survey, UAE organisations are taking a data sovereignty-first stance. In 2025, 62% of respondents report that they directly monitor compliance across all third-party providers, rather than trusting vendors to assure it on their behalf.

This sovereignty-first stance is not just about ticking regulatory boxes. Many organisations report that they are mapping their data to confirm location (40%), training staff on compliance (40%), and investing in cybersecurity (39%). Other organizations report that they are reducing reliance on offshore providers and embedding AI into governance processes. These actions show that sovereignty is increasingly seen as a strategic differentiator, one that builds trust with customers and resilience in volatile conditions.

Looking ahead

The findings underline that UAE organisations are forward-leaning in embedding AI governance and data sovereignty. But the work isn’t finished. One in three respondents say they still face compliance gaps, and the pressures of vendor complexity, AI regulation, and international legislation will only grow.

For businesses in the UAE specifically, as well as globally, we expect that the future of resilience will rest on three pillars:

1. Continuous compliance as part of everyday operations.
2. Sovereignty-first accountability, with organisations taking direct control of vendor oversight. 
3. AI-enabled resilience, using automation to detect, prevent, and recover from threats faster.

As we prepare for GITEX GLOBAL 2025, the message is clear: resilience is no longer just about compliance, it’s about competitiveness. The organisations that succeed will be those that view regulatory mandates as a trigger for turning resilience into a true competitive advantage.
 

Research Methodology: The research was sponsored by Cohesity and conducted by YouGov in August 2025 among 330 senior IT and business decision-makers in the UAE, across multiple industries, including financial services, telecommunications, retail, hospitality, public sector, and technology. Results were compared with a baseline survey [sponsored by Cohesity and] conducted [by YouGov] in September 2024 among 100 IT decision-makers in the UAE, enabling year-on-year analysis of progress in AI compliance and resilience practices.