Middle East · UAE & Saudi Arabia
Compliance Consulting in the Middle East
Tranquility Cybersecurity (TCSA) delivers compliance consulting to banks’ vendors, fintechs, SaaS companies and enterprises across the UAE and Saudi Arabia — ISO 22301 business continuity for CBUAE vendor mandates, SAMA CSF and BCM readiness, PDPL privacy programmes, and ISO 27001 / SOC 2 for enterprise procurement. Engagements run remote-first with on-site delivery in the Gulf when the work needs it.
Our consultants have prepared ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East. Our consultants have delivered PDPL compliance for SRG Group.
Serving the UAE & Saudi Arabia · Remote + on-site delivery · Last reviewed June 2026
Gulf Track Record
Names You Can Check, Not Claims
Gulf compliance work is bought on evidence. These are the engagements our consultants have delivered in the region — stated exactly as we state them to banks’ vendor-risk teams.
“Our consultants have prepared ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East.”
“Our consultants have delivered PDPL compliance for SRG Group.”
TCSA is an independent consultancy — we prepare organisations for certification and attestation; accredited certification bodies and licensed CPA firms issue the certificates and reports. See verified client reviews and outcomes.
The Regulatory Wave
What Gulf Regulators Expect
Four obligations now drive compliance buying in the UAE and Saudi Arabia — two aimed at the financial sector and its suppliers, two aimed at anyone handling personal data or critical systems.
UAE — the CBUAE vendor BCMS wave
The Central Bank of the UAE’s business-continuity and outsourcing rules require banks to ensure critical vendors maintain robust continuity arrangements. Banks have operationalised this by writing ISO 22301-aligned BCMS requirements into supplier contracts — with the first contract-deadline wave landing in December 2025. Vendors without evidence risk failed assessments and removal from approved-supplier lists.
KSA — SAMA CSF and BCM Framework
The Saudi Central Bank (SAMA) requires banks, insurers, financing companies and payment providers to operate its Cyber Security Framework — with controls generally expected at maturity level 3 — alongside a Business Continuity Management Framework built directly on ISO 22301. Both sets of obligations flow down to suppliers through vendor due diligence.
KSA — PDPL, fully enforceable
Saudi Arabia’s Personal Data Protection Law has been fully enforceable since 14 September 2024, with SDAIA actively issuing enforcement decisions. Administrative fines run up to SAR 5 million per violation (doubled on repeat), and controllers must notify SDAIA of qualifying breaches within 72 hours.
UAE PDPL and NCA ECC
The UAE’s federal PDPL (Decree-Law 45/2021) sets the mainland privacy baseline ahead of its executive regulations, and Saudi Arabia’s National Cybersecurity Authority requires in-scope entities to implement the Essential Cybersecurity Controls (ECC). Both now appear routinely in Gulf vendor security questionnaires.
What We Do
What We Deliver in the Gulf
One firm for the frameworks that CBUAE, SAMA and SDAIA obligations point you towards — implemented hands-on, scoped to what your regulator or bank counterparty actually checks.
ISO 22301 / Business Continuity (BCMS)
Our flagship Gulf service — business impact analysis, RTO/RPO definition, continuity and recovery plans, exercises and certification-audit support, scoped to satisfy CBUAE vendor clauses and SAMA’s BCM Framework. This is the discipline in which our consultants prepared ADIB, Mashreq Bank and AMEX.
ISO 27001 (ISMS)
The default trust certificate in Gulf enterprise and government procurement. We build the ISMS, run the internal audit and support you through the certification audit — and for SAMA-regulated entities we map ISMS controls to CSF maturity expectations.
ISO 27001 consulting
PDPL readiness (KSA & UAE)
Data inventory and RoPA, lawful-basis records, privacy notices, cross-border transfer safeguards and a 72-hour breach playbook — built for SDAIA scrutiny in Saudi Arabia and the UAE’s federal PDPL, reusing your GDPR or ISO 27701 work where it exists.
PDPL compliance guide
SOC 2 for vendors selling to banks
Gulf banks increasingly accept — and ask for — SOC 2 reports from technology vendors. We scope the Trust Services Criteria to the bank’s vendor assessment, with 250+ SOC 2 attestations delivered to date.
SOC 2 hub
vCISO for Gulf entities
A named, certified security leader who owns your roadmap, regulator-facing responses and bank questionnaires — without the cost of a full-time CISO hire in Dubai or Riyadh.
vCISO services
Researching before you buy? Start with the deep guides: ISO 22301, SAMA CSF & BCM, PDPL (KSA & UAE) and operational resilience.
Engagement Model
How We Work with Gulf Clients
No Gulf office theatre — a delivery model built honestly around remote-first consulting, planned on-site weeks, and the way UAE and Saudi teams actually work.
Remote-first, on-site when it counts
Engagements run remote-first from our India offices, with consultants travelling to Dubai, Abu Dhabi or Riyadh for kickoffs, BIA workshops, continuity exercises and audit weeks. You get Gulf delivery without paying Gulf retainer overheads.
On your clock and your calendar
Working sessions are scheduled to Gulf Standard Time and your working week — Sunday to Thursday in Saudi Arabia, Monday to Friday in the UAE. The 1.5-hour offset from India means questions raised in a Gulf morning are answered the same day.
NDAs and confidentiality first
Every Gulf engagement begins with a mutual NDA. Evidence and documents are exchanged through access-controlled channels you approve, and bank-facing artefacts are prepared to survive your counterparty’s own scrutiny.
English engagement documents
Policies, reports, working sessions and audit-facing artefacts are delivered in English — the working language of Gulf compliance and vendor-risk teams. An Arabic version of this page is on the way.
Choosing a Framework
Which Framework Do You Need?
Start from who is asking. The entity type on your side of the contract usually determines the framework the Gulf counterparty expects to see first.
| Your situation | Start with | Why |
|---|---|---|
| Vendor or supplier to a UAE bank | ISO 22301 (BCMS) | CBUAE continuity and outsourcing rules flow down to critical vendors — banks are writing ISO 22301-aligned BCMS clauses into contracts, with the first deadlines from December 2025. |
| SAMA-regulated entity in Saudi Arabia (bank, insurer, financing company, PSP) | SAMA CSF + SAMA BCM | SAMA expects its Cyber Security Framework operated at maturity level 3 and a business-continuity programme built on ISO 22301 — evidenced to the regulator, not just asserted. |
| Any company processing KSA or UAE personal data | PDPL readiness | The Saudi PDPL is fully enforceable — SDAIA fines up to SAR 5M per violation and a 72-hour breach-notification clock — and the UAE’s Decree-Law 45/2021 is the mainland counterpart. |
| SaaS or IT vendor selling to Gulf enterprises | ISO 27001 and/or SOC 2 | The default asks in Gulf enterprise security reviews: an accredited ISO 27001 certificate, a SOC 2 report, or both — whichever your buyer’s procurement checklist names. |
Most Gulf clients end up combining two — ISO 22301 for the bank contract plus PDPL for the data, for example. A scoping call sequences them so shared controls are built once.
Middle East Compliance FAQs
Straight answers to what UAE and Saudi teams ask us before starting ISO 22301, SAMA, PDPL or ISO 27001 work.
Does TCSA work with companies in the UAE and Saudi Arabia?
Yes. Tranquility Cybersecurity (TCSA) serves the UAE and Saudi Arabia as part of a client base across India, USA, UK, Australia and UAE. Our consultants have prepared ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East, and have delivered PDPL compliance for SRG Group. Engagements run remote-first from our India offices, with on-site delivery in the Gulf for workshops, exercises and audit weeks.
Do we need ISO 22301 as a vendor to a UAE bank?
Increasingly, yes. The Central Bank of the UAE’s business-continuity and outsourcing rules require banks to ensure their critical vendors maintain robust continuity arrangements, and banks have operationalised this by writing ISO 22301-aligned BCMS requirements into supplier contracts — with the first contract-deadline wave landing in December 2025. If your bank client has issued such a clause, you typically need a working BCMS (BIA, RTO/RPO, tested continuity plans) and, in many cases, certification by an accredited body. TCSA builds the BCMS and prepares you for that audit.
How is the Saudi PDPL different from GDPR?
The architecture is familiar — lawful bases, data-subject rights, records of processing, breach notification — so existing GDPR work is reusable. The key differences: the PDPL is enforced by SDAIA and has been fully enforceable since 14 September 2024; administrative fines run up to SAR 5 million per violation (doubled on repeat), with criminal exposure for unlawful disclosure of sensitive data; breach notification to SDAIA is due within 72 hours; and cross-border transfer rules follow SDAIA’s own regulations rather than EU adequacy mechanics. We map your GDPR or ISO 27701 programme onto PDPL obligations instead of starting from zero.
Can you work on-site in Dubai, Abu Dhabi or Riyadh?
Yes. While engagements are remote-first, our consultants travel to the UAE and Saudi Arabia for the parts of the work that benefit from being in the room — kickoff and scoping workshops, business impact analysis sessions, continuity and incident exercises, internal audits and certification-audit weeks. On-site visits are planned into the engagement schedule and quoted upfront.
How is compliance consulting priced for Gulf engagements?
Engagements are custom-scoped to your size, regulator deadlines, and existing maturity — whether that is ISO 22301 BCMS readiness, PDPL readiness, or SAMA CSF + BCM readiness. We provide a fixed, all-inclusive quote agreed in writing after a short scoping call — no hourly billing, no scope creep — billed in INR or USD. Certification-body and CPA fees are always separate and quoted transparently.
Do you offer support in Arabic?
Engagements today run in English — policies, reports, working sessions and audit-facing documents — which is the working language of Gulf compliance, vendor-risk and audit teams. Where a regulator or counterparty requires Arabic-language artefacts, we coordinate translation as part of the engagement plan. An Arabic version of this page is on the way.
Keep Exploring
Related Reading
ISO 22301 Overview
What a BCMS is, who demands it, and how certification works.
SAMA CSF & BCM
The Saudi Central Bank's cyber and continuity frameworks, demystified.
PDPL Compliance (KSA & UAE)
Saudi Arabia's SDAIA-enforced privacy law and the UAE's federal PDPL.
Operational Resilience Consulting
One ISO 22301-grade BCMS that answers CBUAE, SAMA, CPS 230 and DORA.
SOC 2 Overview
The AICPA attestation US and global enterprise buyers ask for.
Proof & Track Record
Every number we publish — explained, sourced and verifiable.
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.