Saudi PDPL is live with 48 enforcement decisions issued by mid-January 2026. Fines reach SAR 5 million for sensitive-data violations and SAR 15 million for repeat offenses. Generic ISO 42001 advice is not enough.
Six to eight weeks · Fixed scope · Fixed fee
A structured gap analysis of your AI deployments against Saudi, UAE, Bahrain, or Qatar PDPL. Delivered with a remediation roadmap in Arabic and English.
Eight to twelve weeks · Ongoing advisory
Build an AI Management System aligned to ISO/IEC 42001 and NIST AI RMF 1.0. Positions you ahead of certification requirements before they become mandatory across the GCC.
Ongoing subscription · Quarterly advisory sessions
Establish your AI Council with a charter and decision rights framework. The Sentinel cadence turns governance into early-warning competitive intelligence.
Most organizations treat AI governance as a cost to minimize. The Sentinel posture is Cosmopro's reframing of governance: not compliance overhead, but the layer of the organization that sees risks and opportunities before anyone else does.
An organization with a functioning Sentinel layer knows about SDAIA enforcement trends, competitor regulatory incidents, and sovereign-stack shifts before its competitors know they should care. That is a structural advantage, not a compliance checkbox.
Saudi PDPL · UAE PDPL (Federal Decree-Law No. 45) · Bahrain PDPL · Qatar PDPL (Law No. 13 of 2016)
ISO/IEC 42001:2023 (AI Management Systems) · NIST AI RMF 1.0 · UAE AI Seal Certification · SDAIA National AI Ethics Principles
We do not undercut the Big Four on Layer 5. Cheap PDPL advisory implies cheap insurance. Our day rates on governance work are positioned at market or above. The differentiation is speed, Arabic fluency, and founder accountability, not price.
Saudi PDPL applies to any organization that processes the personal data of Saudi residents, regardless of where the organization is headquartered. If you have Saudi customers, partners, or employees whose data you process, PDPL obligations attach. Cross-border transfer restrictions under Article 28 are particularly relevant for organizations with data flowing outside the Kingdom.
A gap analysis mapped to SDAIA articles, a remediation roadmap with prioritized actions (quick wins vs. structural changes), a DPO assessment, a cross-border transfer register, and a breach notification workflow. Everything delivered in Arabic and English. The Sprint is advisory; implementation decisions remain with your legal and IT teams. We do not file documentation on your behalf.
Not yet mandated. But the UAE AI Seal Certification (Dubai Economy and Tourism) is already used as a procurement signal by government entities. ISO/IEC 42001 alignment is expected to become a requirement for AI-using suppliers to government and regulated-sector clients across the GCC within 18 to 36 months. Organizations building alignment now will not be scrambling when it becomes mandatory.
Yes. We co-advise with legal counsel where clients have existing relationships. Cosmopro provides the technical and strategic advisory layer (data flows, AI system architecture, governance design, organizational behavior). Legal counsel provides the regulatory interpretation and formal legal opinions. We do not provide legal advice.
Start with a PDPL Readiness assessment. Six to eight weeks. Fixed scope. Founder-led.