A peculiar assumption underpins most AI data centre investment theses: that the regulatory environment at the point of commitment will resemble the regulatory environment at the point of operation. It rarely does.
In the European Union, the AI Act will enforce conformity assessments, risk classification obligations, and transparency mandates for high-risk systems by August 2026. Maximum penalties for prohibited practices reach 35 million euros or seven per cent of global turnover, with lower but still significant fines for other categories of non-compliance. EU Digital Strategy. These rules apply primarily to AI system providers and deployers, but the compliance obligations cascade to the infrastructure hosting regulated workloads, creating requirements for data centre operators that did not exist when many current projects were financed. Legal Nodes
In Saudi Arabia, the regulatory architecture is evolving with equal speed but different intent: expanding proactively to enable and shape growth as a strategic national priority, while building governance structures around it in real time. The Kingdom's data governance framework now spans the Personal Data Protection Law, Cloud Computing Services Provisioning Regulations, and sector-specific mandates from the Capital Market Authority and the Saudi Arabian Monetary Authority. Baker McKenzie. In April 2025, the Communications, Space and Technology Commission published a draft Global AI Hub Law introducing the concept of "data embassies": sovereign data centres operating under foreign legal jurisdictions on Saudi soil. CMS Law. If enacted, Saudi Arabia would be among the first G20 nations to establish a comprehensive legal framework for this model. None of these instruments existed five years ago. All of them will evolve further in the next five.
The implication is straightforward. A project designed and financed in 2025 may face materially different compliance requirements by the time it is operational in 2027 or 2028. That is not a tail risk. It is a base case.
It is worth distinguishing between two types of regulatory risk. A shock is sudden and visible: an export ban, a moratorium, a law enacted overnight. Drift is slower. It is the gradual accumulation of incremental changes, each individually manageable, that collectively alter the commercial viability of a long-lived asset.
Ireland offers a useful case study. Ireland's Commission for Regulation of Utilities imposed restrictive connection criteria in late 2021, and EirGrid effectively stopped issuing new data centre connections in Dublin from January 2022. By late 2025, approximately 5.8 billion euros worth of projects were stranded: land secured, permits in hand, no grid capacity to connect. Enlit World: These were not poorly planned projects. They were well-structured investments caught by a regulatory and infrastructure environment that shifted faster than their deployment timelines.
Similar dynamics are emerging in London, Amsterdam, and Frankfurt. The EU's Energy Efficiency Directive now mandates performance reporting and, from 2026, energy management system implementation for data centres. Risk & Insurance In the United States, the Federal Energy Regulatory Commission's denial of AWS's proposal to source power directly from a Pennsylvania nuclear plant demonstrated how legacy regulatory frameworks collide with modern infrastructure requirements. Utility Dive Moody's has observed that rapid capacity expansion raises the prospect of overbuilding, with technological obsolescence, surging power requirements, and regulatory scrutiny all intensifying simultaneously. Moody's
In the GCC, drift manifests differently. Regulations are expanding to enable growth, but building to standards that have not yet been finalised carries its own exposure. Saudi Arabia's national data centre strategy, launched in 2025 by the Ministry of Communications and Information Technology and the Saudi Data and Artificial Intelligence Authority, targets approximately 1.5 gigawatts of capacity by 2030. Greenberg Traurig Questions around the hosting of sovereign workloads, cross-border data flows, and sector-specific compliance remain in active development. The opportunity is substantial. But so is the premium on being close enough to the policy process to anticipate where it lands.
Domestic regulation is only one dimension. AI data centres are only as capable as the processors they contain, and the supply of advanced GPUs is now governed by one of the most volatile export control regimes in modern trade policy.
The Biden administration's January 2025 AI Diffusion Rule established a three-tier country framework, placing most Middle Eastern states in Tier 2 with initial GPU caps. Introl The Trump administration rescinded that rule in May 2025 and signalled a more permissive posture toward Gulf partners, but a replacement framework had not been finalised as of early 2026. Greenberg Traurig
The practical result: hardware supply rules have changed multiple times in eighteen months, with further changes expected. In November 2025, the United States approved sales of advanced Nvidia chips worth approximately one billion dollars to HUMAIN, Saudi Arabia's national AI company, and the UAE's G42. CNBC
This was a meaningful signal of a deepening technology partnership, reflecting the growing strategic weight of GCC states in global AI supply chains. But it was secured through bilateral negotiation, not a stable regulatory architecture. The terms of such arrangements can shift with administrations and geopolitical conditions, and infrastructure investors cannot treat bilateral outcomes as permanent fixtures.
For data centre projects with multi-year capital deployment timelines, this creates a specific problem: the facility's technical specifications depend on hardware access that is subject to political discretion rather than predictable regulation. Designing around that uncertainty requires more than a procurement strategy. It requires relationships that provide visibility into how policy is moving before it arrives.
The conventional response to regulatory risk is compliance. Monitor changes. Engage counsel. Adjust operations. For AI data centres in the GCC, this reactive posture is necessary but structurally inadequate, for three reasons.
The first is scale. Saudi Arabia's Vision 2030 has targeted over 18 billion dollars in data centre investments. Addleshaw Goddard The UAE's Stargate project, a one-gigawatt AI cluster within a planned five-gigawatt campus in Abu Dhabi, represents an investment now estimated at over 30 billion dollars. ORF Middle East Projects of this magnitude are not downstream consumers of regulation. They are entities around which regulatory frameworks are being built. The risk position of an operator inside that process is categorically different from that of one responding to its outputs.
The second is the nature of the GCC regulatory advantage. The World Economic Forum noted in January 2026 that the Gulf's structural strengths include sovereign cloud zones, unified national strategies, and aligned regulation that shortens decision cycles. World Economic Forum: These are not accidental features. They are products of deliberate coordination between government, regulator, and enterprise. For operators without access to this coordination layer, the same regulatory velocity that creates opportunity also creates exposure.
The third is demand composition. Data localisation requirements in Saudi Arabia require that personal data be stored and processed within the Kingdom, with limited exemptions. The UAE's framework varies by jurisdiction and free zone but similarly mandates local handling of sensitive government and financial data. Addleshaw Goddard. Public sector workloads require sovereign-grade compliance. The draft Global AI Hub Law envisions hub structures that each require distinct bilateral agreements with the Saudi government. Lexology Facilities lacking structural government alignment will find themselves excluded from the fastest-growing demand segment, regardless of technical capability.
Operators building across the GCC and Europe face a compounding difficulty: maintaining compliance across regulatory regimes that are not merely different but philosophically distinct.
The EU's approach is prescriptive and risk-based. The AI Act imposes graduated obligations with penalties scaling from three per cent of worldwide turnover for high-risk non-compliance to seven per cent for prohibited practices. heyData The GCC's approach is more market-oriented, using national strategies, investment incentives, and sovereign partnerships to shape outcomes while retaining flexibility for operators.
An operator designing a facility in Riyadh for a hyperscaler that also serves European customers must simultaneously account for Saudi data localisation rules, EU AI Act documentation mandates, U.S. export controls on installed GPUs, and the compliance requirements flowing from the specific workloads being processed. Each layer operates on its own timeline, enforcement logic, and trajectory of change. As the DPO Centre concluded in its 2025 assessment, the most significant challenge for multinational organisations in 2026 will be managing data protection and AI governance across regions simultaneously. DPO Centre
This is not a legal problem with a legal solution. It is an operational architecture problem. It requires platforms designed from inception for regulatory flexibility, led by teams with active relationships across government and institutional stakeholders in each relevant jurisdiction.
Against this backdrop, one variable becomes disproportionately important: contracted demand.
A data centre with a binding offtake agreement from a creditworthy counterparty occupies a fundamentally different regulatory risk position than a facility built on speculative capacity. Contracted demand clarifies which compliance requirements actually apply, because the offtaker's obligations define the facility's specifications. It creates standing for regulatory engagement, because government stakeholders have a direct interest in enabling projects that serve identified national priorities. And it provides the revenue certainty that allows operators to fund the adaptive compliance infrastructure that multi-jurisdictional operations require over decades.
Without contracted demand, regulatory risk compounds. A facility designed to general specifications may not serve the workloads that emerge as the market develops. A project without an identified offtaker has no natural counterpart in policy discussions. And speculative capacity lacks the revenue base to sustain ongoing compliance investment.
The sequencing matters: demand first, then capital, then construction. This is not merely a financial discipline. It is a regulatory risk management strategy.
The data centre projects most likely to survive decades of regulatory evolution share identifiable characteristics.
They are designed with sovereign alignment from inception, meeting the compliance thresholds of government and institutional offtakers rather than minimum requirements. They are led by teams with active, ongoing relationships in the jurisdictions where they operate, positioned to anticipate regulatory change rather than react to it. They deploy capital against contracted demand, ensuring that investment is anchored by revenue from counterparties whose own compliance needs define the facility's design parameters. And they treat regulatory navigation with the same technical fluency applied to power engineering, cooling architecture, and network design.
The GCC data centre market is entering a defining period. The capital is available. National strategies are in place. Demand from hyperscalers, sovereign programmes, and enterprise AI is accelerating. The GCC data centre market is projected to grow from 3.48 billion dollars in 2024 to 9.49 billion dollars by 2030. Introl HUMAIN, Saudi Arabia's national AI company, alone targets 1.9 gigawatts by 2030 through partnerships with Google, NVIDIA, and Qualcomm, a figure that exceeds the Kingdom's earlier national data centre capacity target of 1.5 gigawatts. Middle East Institute
The question is no longer whether this infrastructure will be built but whether it will be built to withstand the regulatory evolution that is already underway.
In a market defined by regulatory velocity, the platforms that combine infrastructure execution with structured government partnership and demand certainty will be better positioned to navigate what comes next. Those who treat regulation as an external constraint rather than an operating environment will discover, eventually, that the constraint has become structural.
1. European Commission, “AI Act: Shaping Europe’s Digital Future” Link
2. Legal Nodes, “EU AI Act 2026 Updates: Compliance Requirements and Business Risks” Link
3. Baker McKenzie, “Data Localization and Regulation of Non-Personal Data: Saudi Arabia” Link
4. CMS Law, “Shaping the Future of Data Sovereignty: Saudi Arabia Issues New Draft Global AI Hub Law” Link
5. Enlit World, “Data Centre Assets Left Stranded by Power Constraints” Link
6. Risk & Insurance, “Data Center Building Boom Creates Insurance and Risk Management Complexities” Link
7. Utility Dive, “Shaping the Future of Data Centers in Light of FERC’s AWS, Talen Energy Ruling” Link
8. Moody’s, “Data Centers: Managing Risk Amid a Market Boom” Link
9. Greenberg Traurig, “Saudi Arabia’s Data Centre Expansion: Regulatory Framework and Strategic Considerations” Link
10. Introl, “AI Export Controls: Navigating Chip Restrictions Globally” Link
11. Greenberg Traurig, “Navigating GPU Export Controls and AI Use Restrictions in Data Center Operations” Link
12. CNBC, “U.S. Greenlights AI Chip Exports to Gulf Tech Giants” Link
13. Addleshaw Goddard, “The Future of Data Centres in the Gulf Cooperation Council” Link
14. ORF Middle East, “Digital Infrastructure, Strategic Power: The Gulf’s Data Centre Boom” Link
15. World Economic Forum, “Why the GCC Might Have an Edge on Implementing Agentic AI” Link
16. Lexology, “Saudi Arabia Releases a Draft Global AI Hub Law Redefining Digital Jurisdiction” Link
17. Middle East Institute, “From Crude to Compute: Building the GCC AI Stack” Link
18. Introl, “The Middle East’s Trillion Dollar Bet on AI Infrastructure” Link
19. heyData, “EU AI Act 2026: New Obligations for Companies” Link
20. DPO Centre, “Data Protection and AI Governance 2025-2026” Link
21. Consultancy.me, “How the GCC Can Align Its Data Centre Expansion with Its Climate Ambitions” Link
22. Data Center Knowledge, “Data Center Compliance in 2026: What Changed, What’s Next” Link
23. Chambers and Partners, “Data Protection and Privacy 2025: Saudi Arabia” Link
24. Capacity, “UAE’s Stargate AI Data Centre Project to Cost Over $30bn” Link
25. G42, “Global Tech Alliance Launches Stargate UAE” Link
This article is published for informational purposes only and does not constitute investment advice, a financial promotion, or an offer of securities. The views expressed reflect analysis of publicly available information and should not be relied upon as the basis for any investment decision.