RISK RADAR 2025 – Part 2: compliance, tech and transformation

In the first part of our two-part series, we highlighted five of the most pressing legal and regulatory flashpoints impacting companies operating in the GCC. In this second part, we look at compliance, technology and transformation – issues high on the agenda of any company operating in the region.

With regulators stepping up scrutiny and companies accelerating their digital agendas, Middle East legal and compliance teams are under growing pressure to modernise compliance frameworks while managing new areas of exposure. From AML enforcement and overlapping data regimes to AI, ESG and cross-border contracting risks, legal strategy must now extend across systems, policies, and platforms.  

1. Regulator Scrutiny: No Longer a Light Touch

Regulators across the Middle East are stepping up enforcement, especially in areas like AML, market conduct, and disclosure obligations. The days of light-touch supervision are over, and legal teams need to be ready.

What’s the risk?

  • Escalating penalties. The UAE Central Bank and DFSA have recently issued a number of multi-million dollar fines for AML breaches. Other regulators are likely to follow.
  • Proactive oversight. Regulatory scrutiny is rising across the region, from AML enforcement by the UAE Central Bank, ADGM, and DFSA, to the Saudi General Authority for Competition ramping up merger control and anti-cartel actions.

General Counsel game plan:

  • Reinforce AML vigilance. Roll out refresher training, circulate policy updates and embed a compliance-first mindset, especially in higher-risk business units.
  • Prepare for regulatory engagement. Set up a response playbook for investigations or dawn raids. Identify key contacts, define escalation protocols, and rehearse scenarios to avoid chaos under pressure if a regulator comes knocking.

2. Data Law Uncertainty: Fragmented Regimes and Patchy Enforcement

Data protection, cybersecurity and privacy remain in sharp focus as digital transformation accelerates across the region. Legal and compliance teams must navigate a patchwork of national laws, alongside overlapping offshore regimes, such as those in the DIFC and ADGM.

While these frameworks mark regulatory progress, implementation remains incomplete. Breach reporting, cross-border data transfers, and enforcement processes are often unclear, creating uncertainty and operational and legal exposure.

What’s the risk?

  • Fragmented compliance obligations. Multijurisdictional operations must align with different but overlapping national and offshore regimes.
  • Inadequate internal governance. Poor data handling procedures can undermine lawful processing and increase breach exposure.
  • Unclear enforcement pathways. Enforcement remains limited in most jurisdictions. For example, KSA’s PDPL only came into force in late 2024, and the implementation of the UAE’s PDPL is still ongoing.

General Counsel game plan:

  • Map your exposure. Track the implementation of new laws and identify how both national and free zone regimes apply across your operations.
  • Run a gap assessment. Develop breach response protocols and cross-border data flow mapping aligned with international standards (e.g. the GDPR), so you’re ready to detect, report, and respond effectively.
  • Stay alert to key developments. Monitor the rollout of the UAE PDPL’s executive regulations and the formal launch of the Data Office. Set internal alerts to capture updates that could affect compliance obligations.
  • Tailor for your sector. Prioritise developments affecting high-risk industries with heightened data sensitivity, particularly financial services, healthcare and technology.

3. Contracting Pitfalls: Vague Clauses and Outdated Templates

In a region where cross-border projects and international partnerships are becoming the norm, poorly drafted contracts remain a persistent source of legal exposure. Many agreements still rely on legacy templates that fail to reflect current risks, shifting dispute resolution preferences, regulatory changes, or the commercial realities of operating across GCC markets.

What’s the risk?

  • Ambiguity and inconsistency. Key clauses, such as termination rights, limitations of liability, and dispute resolution mechanisms, are often vague or misaligned with enforcement regimes in local or offshore courts. Choice of law provisions are frequently tacked on late in negotiations, without properly assessing their interaction with operational terms.
  • Template reliance. Contracts copied across jurisdictions may contain inapplicable terms or omit crucial provisions. Legacy templates often specify outdated dispute resolution forums or ignore new developments in regional enforcement regimes.
  • Dispute escalation. Poorly drafted dispute clauses can lead to confusion over venue or procedure, which can result in forum shopping or parallel proceedings that are an unnecessary and expensive distraction from the real issue.

General Counsel game plan:

  • Run a template refresh. Review and update core agreements (such as NDAs, EPC and supply contracts, JV arrangements) to reflect current risk allocation, dispute forum trends, and jurisdiction-specific enforcement measures.
  • Tailor by jurisdiction. Ensure contracts are properly localised to account for differing local law interpretations, enforcement standards and dispute resolution norms across GCC markets.

4. ESG Liability: More Than Marketing

In the GCC, ESG is moving beyond corporate communications and into the legal and compliance domain. With governments driving ambitious sustainability agendas (e.g. Vision 2030, Net Zero pledges, and green financing frameworks), businesses face rising expectations around ESG transparency and delivery.

While the GCC has not yet seen the wave of ESG litigation that is currently unfolding in the US and Europe, regulators, investors and business partners are increasingly scrutinising ESG performance and disclosures.

What’s the risk?

  • Greenwashing exposure. Public ESG commitments, especially in annual reports, sustainability strategies and RFP submissions, can attract claims by investors or other shareholders for misrepresentation, misleading advertising or breach of fiduciary duty.
  • Supply chain risk. Environmental breaches, links to sanctioned entities, and human rights concerns in cross-border supply chains can create exposure, particularly for sectors under global ESG scrutiny such as construction, energy, defence, and logistics.
  • Isolated oversight. ESG initiatives often sit with marketing, sustainability, or investor relations teams, with limited legal input, creating potential blind spots around disclosure obligations, misrepresentation, or third-party liability.

General Counsel game plan:

  • Review public ESG claims. Ensure that all sustainability and impact statements, on websites, reports, or investor materials, are factually accurate and legally defensible.
  • Stay ahead of regulatory expectations. Monitor ESG-related obligations emerging from Gulf regulators (e.g. ESG index requirements in Saudi Arabia and the UAE), sovereign wealth fund due diligence expectations (e.g. those set by PIF or Mubadala), and cross-border sustainability disclosure rules (especially in dealings with EU or US partners).
  • Integrate legal into ESG governance. Legal teams should review ESG KPIs, approve disclosures and embed ESG oversight into contract management and supplier due diligence.

5. AI Adoption: Legal Risk Lags the Technology

AI tools are rapidly being adopted across business functions, from contract review and compliance monitoring to recruitment and customer scoring. But legal frameworks are still catching up, and the risks of opaque algorithms, biased outcomes and unregulated deployment are growing. GCs are increasingly expected to set boundaries and frameworks for responsible AI use, even where formal regulation is limited.

What’s the risk?

  • Opaque decision-making. AI tools often operate as black boxes, making it difficult to explain or justify outcomes, especially in HR or credit contexts.
  • Data misuse and bias. Without legal oversight, AI systems may process personal or sensitive data without a lawful basis, or embed discriminatory assumptions.
  • Procurement gaps. Business units may onboard AI vendors without reviewing IP ownership, liability caps, or algorithmic transparency obligations.

General Counsel game plan:

  • Adopt an AI use policy. Set internal rules for how AI can be procured, deployed, and monitored, including transparency, accountability, and escalation protocols.
  • Review data and model governance. The onus is on businesses to ensure that any AI system used internally complies with data protection law and does not introduce discrimination, opacity or profiling risks. If necessary, speak with third-party providers to better understand exactly how the tools work.
  • Stay ahead of regulation. Monitor developments in regional and international AI frameworks (e.g. the EU AI Act, OECD guidelines and the various GCC AI charters) to anticipate future compliance shifts.

Part 2 Conclusion: Planning Ahead for Success

As the regulatory and commercial landscape across the GCC continues to evolve at pace, in-house legal and compliance teams are navigating an increasingly complex environment.

General Counsel in the region are no longer just legal advisers; they are strategic risk managers, corporate diplomats and compliance architects. Staying ahead means more than tracking legal developments. It requires building internal resilience: refreshing contracts, reviewing controls and embedding legal oversight into emerging business functions.

By anticipating pressure points and preparing accordingly, legal and compliance teams can turn regulatory complexity into a source of strategic advantage as 2025 progresses.

Authored by Randall Walker, Imtiaz Shah, and Jessica Quinlan.
