Saudi PDPL is live with 48 enforcement decisions issued by mid-January 2026. Fines reach SAR 5 million for sensitive-data violations and SAR 15 million for repeat offenses. Generic ISO 42001 advice is not enough.
Request a PDPL Readiness assessment
Six to eight weeks · Fixed scope · Fixed fee
A structured assessment of your current AI deployments and data practices against Saudi PDPL, UAE PDPL, Bahrain PDPL, or Qatar PDPL, with a remediation roadmap and prioritized action list.
Eight to twelve weeks · Ongoing advisory
Build an AI Management System aligned to ISO/IEC 42001 and NIST AI Risk Management Framework 1.0. Positions your organization ahead of certification requirements and demonstrates governance maturity to partners and regulators.
Ongoing subscription · Quarterly advisory sessions
Establish and operationalize your organization's AI Council with a governing charter, decision rights framework, and a Sentinel cadence that converts governance into early-warning competitive intelligence.
Most organizations treat AI governance as a cost to minimize. The Sentinel posture, named by Salim Ismail in his Intelligence Stack framework, reframes governance as the layer of the organization that sees risks and opportunities before anyone else does.
An organization with a functioning Sentinel layer knows about SDAIA enforcement trends, competitor regulatory incidents, and sovereign-stack shifts before its competitors know they should care. That is a structural advantage, not a compliance checkbox.
Saudi PDPL · UAE PDPL (Federal Decree-Law No. 45) · Bahrain PDPL · Qatar PDPL (Law No. 13 of 2016)
ISO/IEC 42001:2023 (AI Management Systems) · NIST AI RMF 1.0 · UAE AI Seal Certification · SDAIA National AI Ethics Principles
We do not undercut the Big Four on Layer 5. Cheap PDPL advisory implies cheap insurance. Our day rates on governance work are positioned at market or above. The differentiation is speed, Arabic fluency, and founder accountability, not price.
Saudi PDPL applies to any organization that processes the personal data of Saudi residents, regardless of where the organization is headquartered. If you have Saudi customers, partners, or employees whose data you process, PDPL obligations attach. Cross-border transfer restrictions under Article 28 are particularly relevant for organizations with data flowing outside the Kingdom.
A gap analysis mapped to SDAIA articles, a remediation roadmap with prioritized actions (quick wins vs. structural changes), a DPO assessment, a cross-border transfer register, and a breach notification workflow. Everything delivered in Arabic and English. The Sprint is advisory; implementation decisions remain with your legal and IT teams. We do not file documentation on your behalf.
Not yet mandated. But the UAE AI Seal Certification (Dubai Economy and Tourism) is already used as a procurement signal by government entities. ISO/IEC 42001 alignment is expected to become a requirement for AI-using suppliers to government and regulated-sector clients across the GCC within 18 to 36 months. Organizations building alignment now will not be scrambling when it becomes mandatory.
Yes. We co-advise with legal counsel where clients have existing relationships. Cosmopro provides the technical and strategic advisory layer (data flows, AI system architecture, governance design, organizational behavior). Legal counsel provides the regulatory interpretation and formal legal opinions. We do not provide legal advice.
Start with a PDPL Readiness assessment. Six to eight weeks. Fixed scope. Founder-led.