Saudi Arabia, the UAE, and Morocco are each developing distinct approaches to AI governance. Understanding how these frameworks are structured — and where they converge and diverge — is essential for organizations operating across the region.
The MENA region is not a regulatory monolith. Across the Gulf and North Africa, governments are developing AI governance frameworks that reflect their different institutional contexts, development priorities, and relationships with international regulatory standards. For organizations operating across MENA — or for those with MENA exposure assessing regulatory risk — understanding these frameworks at a substantive level is increasingly necessary.
This overview covers the three most developed frameworks in the region: Saudi Arabia's SDAIA, the UAE's AI ethics governance approach, and Morocco's data protection regime under Law 09-08.
Saudi Arabia: SDAIA and the National AI Governance Structure
Saudi Arabia has invested substantially in building institutional AI governance capacity. The Saudi Data and Artificial Intelligence Authority (SDAIA) was established in 2019 and serves as the national authority responsible for data management, AI governance, and digital transformation policy.
SDAIA operates several key functions relevant to AI governance:
National AI governance frameworks. SDAIA has published ethics principles for AI and is developing sector-specific guidance for high-priority domains including healthcare, financial services, and government. These frameworks address fairness, transparency, accountability, privacy, and security — concepts that map recognizably onto international governance standards.
Personal Data Protection Law (PDPL). Saudi Arabia's PDPL came into effect in 2023 and is being enforced through phased implementation. The PDPL establishes consent requirements, data subject rights, and obligations for data processors — including AI systems that process personal data. Organizations operating in Saudi Arabia must assess AI systems against PDPL requirements, not just generic ethics principles.
Regulatory sandbox engagement. SDAIA has been actively engaging with international standards bodies and bilateral regulatory dialogues, which signals a trajectory toward greater formalization of AI compliance requirements over time.
For organizations operating in Saudi Arabia or deploying AI systems that process Saudi personal data, SDAIA's frameworks are not merely aspirational — they are the baseline for regulatory engagement, and their specificity is increasing.
The UAE: An Integrated AI Strategy with Ethics at Its Core
The UAE has positioned AI adoption as a core element of national economic strategy since the 2017 appointment of the world's first Minister of State for Artificial Intelligence. This positioning shapes the UAE's regulatory approach: it is designed to enable AI adoption while establishing ethical guardrails, not to restrict AI development.
The UAE's AI ethics guidelines were developed through a government-led process and reflect several key commitments:
Human-centric AI. The UAE framework emphasizes that AI systems should respect human dignity, support human decision-making rather than replace it in high-stakes contexts, and be designed with attention to social impact.
Accountability and transparency. The guidelines establish expectations around explainability and accountability that are consistent with international frameworks, though expressed at a higher level of abstraction than the EU AI Act's specific requirements.
Sector-specific regulation. The UAE has developed AI governance guidance at the sector level — financial services through the Central Bank and CBUAE, healthcare through the Ministry of Health — that is more prescriptive than the national ethics principles. Organizations operating in regulated UAE sectors should engage with these sector-level frameworks rather than relying solely on the national principles.
Free zone dynamics. The UAE's free zone structure (DIFC, ADGM, and others) creates a layered regulatory environment. DIFC and ADGM have their own data protection and AI-relevant frameworks, which may apply to organizations operating within those jurisdictions. Cross-free-zone and mainland operations add compliance complexity.
Morocco: Law 09-08 and the EU-Adjacent Framework
Morocco's approach to AI governance is anchored in data protection rather than dedicated AI regulation. Law 09-08, the national data protection law, predates the major wave of AI regulation but provides the foundational legal framework within which AI systems operating in Morocco must be assessed.
The CNDP's role. The Commission Nationale de contrôle de la Protection des Données à caractère Personnel (CNDP) is Morocco's data protection authority. It has enforcement authority over personal data processing, which encompasses most AI systems that interact with Moroccan individuals.
EU alignment. Law 09-08 was drafted with significant influence from EU data protection principles, which means its substantive requirements are conceptually familiar to organizations with European compliance experience. Morocco's Association Agreement with the EU and its aspirations for advanced status create ongoing incentives toward regulatory convergence.
Emerging AI-specific guidance. As of early 2025, Morocco does not yet have dedicated AI regulation equivalent to SDAIA's frameworks or the EU AI Act. However, the CNDP has issued guidance on automated decision-making and algorithmic transparency that is directly relevant to AI system design and deployment.
Strategic position. Morocco's regulatory trajectory — EU-adjacent data protection, increasing digital economy investment, and a geographic position at the EU–Africa junction — means organizations with Moroccan operations are likely to face progressively more structured AI governance expectations aligned with European standards.
Cross-Regional Patterns and What They Mean for Organizations
Looking across these three frameworks, several patterns are worth noting:
Convergence on principles, divergence on specificity. The substantive ethical principles across SDAIA, UAE, and Morocco frameworks are largely convergent — fairness, transparency, accountability, human oversight. The variation is in specificity and enforceability. The EU AI Act sets the most prescriptive requirements; MENA frameworks are at various stages of formalization.
Data protection as the current compliance floor. In the absence of dedicated AI regulation in most MENA jurisdictions, data protection law is the operative compliance requirement. AI systems that process personal data — which is most commercially significant AI systems — must be assessed against data protection obligations.
Regulatory capacity is building. SDAIA, the UAE's AI regulatory bodies, and the CNDP are each investing in regulatory capacity. Organizations that engage proactively with these authorities — through comment processes, regulatory sandboxes, and bilateral engagement — are building relationships that will matter as regulatory requirements become more formalized.
International compliance architecture has value. Organizations that build AI governance programs aligned with the EU AI Act's requirements are, in most respects, well-positioned for MENA regulatory compliance. The EU Act's risk-based framework, documentation requirements, and human oversight obligations are substantively consistent with the direction MENA regulators are moving.
For organizations building cross-regional AI governance strategies, the investment case for EU AI Act compliance extends well beyond EU market access — it provides a governance foundation with durable value across the MENA regulatory landscape.
Rabii Agoujgal is an AI governance professional based in Casablanca, Morocco, specializing in the MENA region and the EU–MENA regulatory corridor. He works with regulated enterprises, international development organizations, and government clients on AI governance strategy, compliance readiness, and policy advisory. He engages in Arabic, French, and English.