DORA and the GCC: How Gulf Financial Centers Are Watching (and Learning)

DORA Atlas Editorial · 10 min read

The Brussels Effect Reaches the Gulf

On November 18, 2025, the European Supervisory Authorities designated 19 Critical Third-Party Providers under DORA — including AWS, Microsoft Azure, Google Cloud, and Oracle. These designations carry direct oversight powers over technology providers that serve financial institutions globally, not just in the EU.

For Gulf financial centers, this designation has immediate implications. AWS me-central-1 (UAE) and me-south-1 (Bahrain) are the primary cloud regions serving Gulf financial institutions. The same AWS that is now under ESA oversight for its EU operations also provides the infrastructure backbone for banking in Dubai, Abu Dhabi, Riyadh, and Manama.

This is not an academic observation. Gulf banks with EU subsidiaries or branches fall directly within DORA's scope under Article 2. Their ICT risk management frameworks, incident reporting obligations, and third-party risk assessments must comply with DORA — regardless of where the parent entity is headquartered. And even Gulf banks without direct EU presence face DORA's indirect influence: their cloud providers are now subject to EU oversight, their international counterparties increasingly expect DORA-equivalent resilience capabilities, and their own regulators are developing frameworks that draw heavily on DORA's architecture.

The GCC Regulatory Landscape

The Gulf Cooperation Council's six member states — UAE, Saudi Arabia, Bahrain, Kuwait, Oman, and Qatar — have developed varying levels of ICT and operational resilience regulation for their financial sectors.

| Jurisdiction | Regulator | Key framework | Cloud regulation | Incident reporting | Maturity |
|---|---|---|---|---|---|
| UAE (onshore) | CBUAE | Cloud outsourcing guidelines (2023) | Pre-approval for critical cloud | Mandatory (24h for critical) | Developing |
| UAE (DIFC) | DFSA | DIFC Rulebook, operational risk | Risk-based | Mandatory | Established |
| UAE (ADGM) | FSRA | ADGM Rules, tech risk management | Risk-based | Mandatory | Established |
| Saudi Arabia | SAMA | Operational resilience framework | Pre-approval regime | Mandatory (critical incidents) | Accelerating |
| Bahrain | CBB | Operational risk module | Cloud outsourcing circular | Mandatory | Established |
| Kuwait | CBK | ICT governance circular (2024) | Emerging requirements | Mandatory | Developing |
| Qatar | QCB | IT governance framework | Emerging requirements | Mandatory | Developing |
| Oman | CBO | ICT risk guidelines | Emerging requirements | Mandatory | Early stage |

Three jurisdictions stand out for their regulatory ambition and DORA-relevant development: the UAE (through CBUAE's onshore framework and the DIFC/ADGM international financial centers), Saudi Arabia (through SAMA's accelerating operational resilience programme), and Bahrain (through the CBB's established fintech-friendly regulatory infrastructure).

CBUAE: Cloud Outsourcing and Operational Resilience

The Central Bank of the UAE published comprehensive cloud outsourcing guidelines in 2023, establishing requirements for licensed financial institutions that use cloud services. The framework shares several structural elements with DORA's Pillar IV:

Pre-approval for critical outsourcing. Like DORA's heightened requirements for critical or important functions (Art. 28), CBUAE requires pre-approval for outsourcing critical or material functions to cloud providers. The institution must demonstrate that the outsourcing arrangement does not compromise data security, operational resilience, or regulatory compliance.

Exit strategy requirements. CBUAE guidelines require documented exit strategies for critical cloud arrangements — mirroring DORA Art. 28(8). The exit strategy must include data retrieval procedures, transition timelines, and identified alternative providers.

Data residency. CBUAE requires that customer data of UAE residents be processed and stored within the UAE or in jurisdictions with adequate data protection. This adds a geographic constraint that DORA approaches through Art. 30(2)(c)'s specification of data processing locations.

Concentration risk awareness. While CBUAE guidelines do not prescribe quantitative concentration metrics such as the Herfindahl-Hirschman Index (HHI) approach referenced in analysis of DORA Art. 29, they require institutions to assess and manage the concentration risk that arises from heavy reliance on a single cloud provider.

| Requirement area | DORA | CBUAE | Gap analysis |
|---|---|---|---|
| Third-party register | Art. 28(3) — comprehensive register | Required but less prescriptive | CBUAE lacks structured register format |
| Concentration risk | Art. 29 — quantitative assessment | Qualitative assessment required | DORA more prescriptive (HHI approach) |
| Exit strategies | Art. 28(8) — mandatory with testing | Required — testing not mandated | CBUAE lacks testing expectation |
| Sub-outsourcing | Art. 30(2)(a) — contractual controls | Required but less detailed | DORA more granular on sub-outsourcing |
| Incident reporting | Art. 19 — 4h initial notification | 24h for critical incidents | DORA significantly tighter timeline |
| Resilience testing | Art. 24-27 — comprehensive programme | Basic requirement | DORA far more detailed (TLPT, scenarios) |
| Board governance | Art. 5 — specific management body obligations | General governance requirements | DORA more prescriptive on training |

SAMA: Accelerating Toward DORA Equivalence

The Saudi Arabian Monetary Authority has accelerated its operational resilience regulatory programme in parallel with DORA's development, reflecting both the Kingdom's Vision 2030 financial modernization agenda and the growing interconnection between Saudi and European financial markets.

SAMA's approach shares DORA's comprehensive scope — covering ICT risk management, incident response, business continuity, and third-party oversight — but with several Saudi-specific characteristics:

Centralized oversight model. SAMA functions as both the central bank and the insurance regulator, giving it unified visibility across banking and insurance that the EU's three-ESA model must coordinate to achieve.

Technology-forward posture. Saudi Arabia's financial sector is rapidly adopting cloud, open banking, and digital payment technologies. SAMA's regulatory framework reflects this acceleration, with specific provisions for cloud computing, open banking APIs, and digital payment resilience that go beyond DORA's technology-neutral drafting.

Cybersecurity framework integration. SAMA's cybersecurity framework — updated in 2024 — is closely integrated with its operational resilience requirements. This integration avoids the fragmentation that some EU institutions experience when DORA requirements overlap with existing cybersecurity standards (NIS2, ISO 27001).

For Gulf banks with Saudi operations, SAMA's framework is the primary compliance obligation. The alignment with DORA principles means that institutions building DORA compliance programmes can leverage much of that work for SAMA compliance — particularly in ICT risk management, incident response, and third-party oversight.

The Dubai Financial Center Ecosystem

Dubai's financial regulatory landscape is uniquely complex: three regulatory regimes (CBUAE onshore, DFSA in DIFC, and FSRA in ADGM) operate within a single metropolitan area, each with its own ICT risk and operational resilience requirements.

DIFC (Dubai International Financial Centre). The DFSA regulates financial entities within the DIFC free zone. Its Rulebook includes operational risk requirements that align with international standards (Basel, IOSCO) but does not yet include DORA-equivalent prescriptive requirements for ICT resilience testing, evidence management, or third-party concentration metrics.

ADGM (Abu Dhabi Global Market). The FSRA regulates financial entities within the ADGM free zone. Its approach is principles-based and technology-neutral, with growing emphasis on cloud governance and cyber resilience. ADGM has been proactive in engaging with fintech and virtual asset service providers, creating a regulatory environment that is more adaptive but less prescriptive than DORA.

For international financial groups with DIFC or ADGM operations, the gap between the free zone regulatory frameworks and DORA creates a dual-compliance challenge similar to the DORA/UK PS 16/24 dynamic in Europe: different regulatory philosophies (principles-based vs prescriptive) applied to the same underlying operational risks.

The AWS Dubai AZ Outage: A Concentration Risk Case Study

In early 2026, an AWS Availability Zone outage in Dubai (me-central-1) disrupted financial services workloads across the Gulf region. The incident illustrated several DORA-relevant risks that Gulf financial regulators are now addressing:

Single-region dependency. AWS me-central-1 (UAE) is the only AWS region in the Gulf Cooperation Council. Until the outage, many Gulf financial institutions ran production workloads exclusively in this region, creating geographic concentration within a single provider. A multi-region strategy within AWS (e.g., failing over to me-south-1 in Bahrain) could partially mitigate that concentration, but it requires explicit architectural planning and investment.

CTPP overlay. AWS's designation as a CTPP under DORA means that the ESAs now have oversight powers that extend to AWS's global operations. The Dubai outage — while primarily affecting Gulf, not EU, financial institutions — will inform the ESAs' assessment of AWS's operational resilience capabilities, potentially influencing the oversight relationship for EU-facing services as well.

Recovery time gaps. Gulf financial institutions with DORA obligations (through EU subsidiaries or branches) were required to assess whether the outage breached their recovery time objectives under Art. 11. Institutions that had not tested recovery for their Dubai-hosted workloads discovered gaps between documented RTO targets and actual recovery capability.

Cross-Border Compliance: The Practical Challenge

For financial groups with operations in both the EU and the GCC, the practical compliance challenge is managing parallel regulatory expectations that share principles but diverge in detail.

| Compliance dimension | Practical approach |
|---|---|
| ICT risk framework | Build to DORA standard (most prescriptive); demonstrate to GCC regulators |
| Incident reporting | Maintain parallel notification procedures for EU NCA (4h) and GCC regulator (24h) |
| Third-party register | DORA register format satisfies all jurisdictions; augment with GCC-specific fields |
| Concentration risk | DORA quantitative approach (HHI) exceeds GCC qualitative requirements |
| Testing programme | DORA comprehensive testing programme covers GCC basic testing requirements |
| Exit strategies | Build to DORA Art. 28(8) standard; add CBUAE data residency requirements |
| Board governance | DORA Art. 5 training requirements exceed GCC governance standards |

The strategic approach for cross-border groups is to build a single compliance programme to DORA standards — the most prescriptive framework — and demonstrate compliance to GCC regulators through that programme. This is the "comply once, demonstrate twice" model that reduces duplication while satisfying all applicable regulators.

The Direction of Travel: Convergence

The long-term trajectory is convergence. Gulf financial regulators are developing their frameworks with explicit awareness of DORA's architecture, and the practical benefits of alignment — reduced compliance burden for cross-border institutions, enhanced supervisory cooperation, and consistent resilience standards across interconnected financial markets — create strong incentives for GCC regulators to adopt DORA-equivalent requirements over time.

Several factors accelerate this convergence:

Global cloud infrastructure. Gulf and EU financial institutions use the same cloud providers. Operational resilience requirements that diverge significantly between jurisdictions create compliance inconsistency for providers and institutions alike.

International standard-setting. Guidance from the Basel Committee, IOSCO, and IAIS on operational resilience increasingly reflects DORA's comprehensive approach. GCC regulators that align with international standards will converge toward DORA principles.

Cross-border financial flows. The EU is the GCC's largest trading partner. Financial flows between the regions require aligned regulatory expectations for the institutions that facilitate them.

Regulatory expertise. GCC regulators are increasingly engaging EU regulatory expertise — through secondments, consulting arrangements, and multilateral forums — that carries DORA-influenced thinking into Gulf regulatory development.

Actionable Takeaways

  1. Assess your cross-border exposure. If your institution has EU operations (subsidiaries, branches, or clients), you are in DORA scope. Your GCC operations feed into the institution-wide ICT risk framework that DORA requires.
  2. Build to the highest standard. Construct your compliance programme to DORA's prescriptive requirements — the most comprehensive framework. This investment will satisfy GCC regulators' evolving requirements without duplication.
  3. Monitor GCC regulatory development. CBUAE, SAMA, and the free zone regulators (DFSA, FSRA) are actively developing ICT resilience frameworks. Track consultation papers, circulars, and guidance to anticipate emerging requirements.
  4. Address cloud concentration for the Gulf specifically. With limited AWS and Azure regions in the GCC, geographic concentration risk is more acute than in the EU. Assess multi-region and multi-cloud options for Gulf-hosted workloads.
  5. Engage regulators proactively. GCC regulators are in framework-building mode and are receptive to industry input. Engage through industry associations and consultation responses to shape proportionate, DORA-aligned requirements.
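The quantitative concentration assessment referred to above (the HHI approach in the CBUAE gap table and the cross-border compliance table) and the single-region dependency exposed by the Dubai outage can both be checked mechanically from a third-party register. The following Python is an added example written for this article, not code from DORA Atlas, DORA, or any regulator: it computes a Herfindahl-Hirschman Index of provider share and of cloud-region share across critical or important functions, and lists critical functions that run in one region or have never exercised a failover. The register entries, spend figures, the `Workload` fields, and the 1500/2500 HHI thresholds are all assumptions for illustration; DORA itself sets no HHI cut-offs, and region names beyond the two AWS Gulf regions named in the article are only used as sample values.

```python
"""Concentration-risk check over a constructed ICT third-party register.

Added example, not regulator or DORA Atlas code. Spend is used as the
share weight; a workload spread over N regions contributes 1/N of its
spend to each region. HHI thresholds below are an assumed internal policy.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    function: str            # business function the workload supports
    critical: bool           # critical or important function (DORA Art. 28 sense)
    provider: str            # ICT third-party provider
    regions: tuple           # cloud regions hosting production
    failover_tested: bool    # failover to a second region has been exercised
    annual_spend: float      # weight used for share calculations (constructed)


# Constructed register: names and figures are illustrative only.
REGISTER = [
    Workload("core banking", True, "AWS", ("me-central-1",), False, 4_000_000),
    Workload("payments", True, "AWS", ("me-central-1", "me-south-1"), True, 2_500_000),
    Workload("treasury", True, "Azure", ("uaenorth",), False, 1_000_000),
    Workload("HR", False, "Oracle", ("eu-frankfurt-1",), False, 500_000),
    Workload("CRM", False, "AWS", ("me-central-1",), False, 500_000),
]

HHI_HIGH = 2500      # assumed policy threshold: "highly concentrated"
HHI_MODERATE = 1500  # assumed policy threshold: "moderately concentrated"


def hhi(weights):
    """HHI = sum of squared percentage shares; 10,000 means a single supplier."""
    weights = list(weights)
    total = sum(weights)
    if total == 0:
        return 0.0
    return sum((100.0 * w / total) ** 2 for w in weights)


def _in_scope(register, critical_only):
    return [w for w in register if w.critical or not critical_only]


def provider_hhi(register, critical_only=True):
    """Concentration of spend across providers."""
    buckets = defaultdict(float)
    for w in _in_scope(register, critical_only):
        buckets[w.provider] += w.annual_spend
    return hhi(buckets.values())


def region_hhi(register, critical_only=True):
    """Geographic concentration of spend across cloud regions."""
    buckets = defaultdict(float)
    for w in _in_scope(register, critical_only):
        for r in w.regions:
            buckets[r] += w.annual_spend / len(w.regions)
    return hhi(buckets.values())


def classify(value):
    """Map an HHI value onto the assumed policy bands."""
    if value >= HHI_HIGH:
        return "high"
    if value >= HHI_MODERATE:
        return "moderate"
    return "low"


def single_region_critical(register):
    """Critical functions hosted in one region, or whose failover is untested."""
    return sorted(w.function for w in register
                  if w.critical and (len(w.regions) < 2 or not w.failover_tested))


if __name__ == "__main__":
    p, r = provider_hhi(REGISTER), region_hhi(REGISTER)
    print(f"provider HHI (critical functions): {p:.0f} -> {classify(p)}")
    print(f"region HHI (critical functions):   {r:.0f} -> {classify(r)}")
    print("critical functions lacking tested multi-region failover:",
          ", ".join(single_region_critical(REGISTER)))
```

On the constructed register the provider HHI is about 7689 and the region HHI about 5356, both in the assumed "high" band, and `core banking` and `treasury` are flagged as single-region critical functions; the `payments` workload passes because it runs in both Gulf regions and its failover has been exercised. Restricting to critical functions is deliberate: including non-critical spend dilutes the score and can hide exactly the dependency that matters under Art. 28.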

This analysis reflects DORA Regulation (EU) 2022/2554, CBUAE cloud outsourcing guidelines, SAMA operational resilience framework, and DFSA/FSRA rulebook requirements as applicable in Q1 2026. GCC regulatory frameworks are evolving; institutions should monitor for updates.