The Middle East’s digital economy is scaling at a pace few regions can match. The UAE’s cloud computing market is projected to exceed US$39 billion by 2031, at a 34% CAGR, while Saudi Arabia’s data centre capacity is expected to expand at a 29% CAGR through 2030. Across the GCC, the broader data centre market is forecast to grow at over 18% annually, fuelled by hyperscale cloud expansion and the rapid acceleration of AI workloads.
This rapid build-out of local infrastructure is being driven by a clear desire for greater independence and control. National strategies across the UAE and Saudi Arabia are prioritising local data ecosystems, sovereign cloud, and in-country AI capabilities. However, much of this progress still equates sovereignty with location. While localisation is essential, it is only one part of a far more complex equation. True sovereignty is defined not just by where data resides, but by who controls it, how it is processed, and under which legal frameworks it operates.
Jurisdiction, not geography
The distinction between geography and jurisdiction is where many sovereignty strategies begin to fall short. Data stored within national borders can still fall under external legal frameworks, particularly when global cloud providers or foreign-owned platforms are involved. Laws such as the US CLOUD Act and FISA 702 allow US authorities to access data held by US-based companies regardless of where that data is physically hosted, creating a scenario where data is local in location, but not fully sovereign in practice.
This presents a nuanced challenge for Middle Eastern organisations. The region has actively attracted hyperscaler investment, with global providers establishing local cloud regions to meet data residency requirements. Yet while this supports compliance on paper, it does not fully remove exposure to foreign jurisdiction. As a result, organisations may assume sovereignty has been achieved, even as elements of control remain externalised.
The complexity increases further with AI. Data is no longer static; it is continuously processed, modelled, and transferred across environments. Regulatory frameworks are beginning to reflect this shift. The UAE’s Federal Law No. 2 of 2019 mandates strict controls around sensitive data such as healthcare, while Saudi Arabia’s Personal Data Protection Law (PDPL) places clear conditions on cross-border data flows.
As AI adoption grows, sovereignty will depend less on where data is stored and more on how transparently it is governed across its entire lifecycle.
Rethinking cloud in the age of AI
The region’s cloud strategy is also entering a period of recalibration. Over the past decade, a cloud-first approach has underpinned digital transformation across the Middle East, supported by significant hyperscaler investment and strong enterprise adoption. This model has delivered speed and scalability, but it is now being tested by the demands of AI.
AI workloads are fundamentally different. They require significantly more compute, operate at greater scale, and introduce cost dynamics that are far less predictable than traditional applications. Running these workloads exclusively within hyperscaler environments can quickly lead to cost escalation, reducing financial control and, in turn, limiting strategic flexibility. In this context, cost itself becomes a sovereignty concern.
This is prompting a shift in thinking. Rather than defaulting to cloud-first, organisations are beginning to adopt a more deliberate approach to workload placement, balancing public cloud with on-premises and locally governed infrastructure. While cloud repatriation is still an emerging concept in the Middle East, it is being driven by the need for cost predictability, regulatory alignment, and greater operational control.
As regional data centre capacity expands and sovereign infrastructure matures, organisations have more options than ever before. The critical question is whether their architectures are built to support that flexibility. Without it, the ability to adapt is constrained, and sovereignty becomes dependent on decisions that are difficult to reverse.
Interoperability as a strategic enabler
While sovereignty and cloud dominate the conversation, interoperability remains the foundation upon which many national digital ambitions depend. Across the Middle East, governments are not simply building infrastructure. They are designing connected ecosystems where services, data, and platforms operate as part of a unified whole.
Initiatives such as the UAE’s digital government programmes and Saudi Arabia’s national transformation efforts are centred on the vision of seamless data exchange across entities, streamlined service delivery, and integrated citizen and business experiences. This level of coordination cannot be achieved through isolated systems, regardless of how securely or locally they are hosted.
Interoperability ensures that systems can communicate across environments, vendors, and platforms without friction.
It enables organisations to integrate new capabilities, share data securely, and evolve their digital services without being constrained by rigid architectures. Without it, sovereignty risks creating siloed ecosystems that meet compliance requirements but fall short of delivering real operational value. In this sense, interoperability is not a technical consideration but a strategic requirement.
From deployment choice to operating model
Taken together, these factors point to a fundamental shift in how digital sovereignty must be approached. It is not a feature of infrastructure, nor a checkbox achieved through local deployment. It is an operating model that must span legal exposure, architectural flexibility, and technology choice.
This is where open approaches become critical. Open standards, modular architectures, and technologies that provide full visibility into how data is processed and exchanged allow organisations to retain control without sacrificing flexibility. They make it possible to move workloads across environments, integrate systems at scale, and adapt to evolving regulatory and operational demands without being locked into a single vendor or ecosystem.
Open source, in particular, plays a foundational role in enabling this model. Its inherent transparency allows organisations to understand and verify how their systems operate. Its portability ensures that applications and data can move freely across infrastructure environments. And its alignment with open standards supports the interoperability required to build connected, scalable ecosystems. Rather than prescribing a fixed approach, it provides the flexibility and control that sovereignty ultimately demands.
For the Middle East, where digital transformation is advancing at speed, this distinction is critical. Sovereignty will not be defined by how much infrastructure is deployed within national borders, but by how effectively organisations can control, adapt, and integrate the systems that run on top of it.
This opinion piece is authored by Sharya Unamboowe, Vice President and General Manager of Integration, WSO2.
Source: Tahawul Tech

