Companies selling AI into Europe and the Gulf typically run two separate compliance projects. The legal frames differ, but the engineering converges. One unified system, built once and mapped to both regimes, costs less and moves faster.
A company that sells AI-enabled products into both Europe and the Gulf usually ends up running two compliance projects. One team works to the EU AI Act. Another works to whatever the relevant authority in Riyadh, Abu Dhabi, or Doha expects. The two rarely talk, and the company pays twice for what is largely the same work.
I think that is a mistake, and an expensive one. The legal frames are genuinely different. The engineering underneath them is not.
Start with the difference, because it is real. Europe approaches AI from rights. Its first question is what a system might do to a person's safety or fundamental rights, and it builds obligations outward from there. The Gulf approaches AI from development. Saudi Arabia's national data and AI authority, the UAE's AI strategy and the rulebooks of its financial free zones, and the principles coming out of the regional central banks all treat AI first as something to deploy at scale for economic transformation, with governance as the thing that keeps that deployment trusted. Same technology, two different instincts about why you bother to govern it.
Step underneath the language, though, and the requirements converge more than they part. Whatever the regime, you have to know what AI systems you are running. You have to know which ones make or shape consequential decisions. You need documentation that shows how each was built and tested, a way for a human to oversee it, and evidence you can put in front of whoever asks. An inventory built for the EU AI Act answers most of what a Gulf supervisor wants to see, and as the regional frameworks mature, the reverse is becoming true as well.
So the case for one system is practical rather than ideological. You build the inventory once. You classify once, against the stricter of the two regimes, which is usually the European one. You produce a single body of documentation and map it to each authority's expectations instead of generating it twice. Where the regimes genuinely diverge, and there are real points where they do, you handle those as additions on top of a shared base rather than as separate programs.
The hard part is not the overlap. It is the translation. A governance program written in Brussels' rights-based language often lands badly with a Gulf institution that thinks about AI in terms of national strategy and growth, and a program written purely for a Gulf regulator usually will not satisfy a European auditor. Someone has to move between the two without dropping what each side actually requires. That conversion is most of what I do, and it is rarer than either kind of expertise on its own.
For a company with exposure on both sides, the real question is not which regime to build for. It is whether to build the same thing twice or once. The two-track habit made sense when these frameworks were new and nobody knew how they would settle. They are settling now, toward the same underlying engineering even where the law still reads differently. The companies that build for that convergence will spend less and move faster than the ones still running parallel programs out of habit.