Cybersecurity’s shift from a defensive cost centre to a strategic enabler of growth in the Middle East

The Diversification of Economies Beyond Oil

For decades, countries like the UAE and Saudi Arabia have relied on oil to fuel their economies. However, these states are rapidly investing in digitalisation initiatives across sectors from tourism to smart cities. Ambitious programmes costing trillions of dollars include Saudi Arabia’s Vision 2030 and the UAE’s Future Roadmap, channelling oil revenues into greenfield mega projects, luxury resorts, ‘smart’ skyscrapers, and sensor-laden city grids. These initiatives aim to sustain the region for when oil demand plateaus.

This economic transformation brings new challenges. As Gulf states embrace digital technologies to power everything from e-government services to autonomous transit systems, cyber risk is increasing. Critical systems that underpin the old economy (oil production) and the new (smart city utilities, transportation platforms) are targets. The same connectivity and data-driven operations that enable diversification also expand the attack surface for malicious actors. Recognising this, regional governments are making cybersecurity a priority as part of their diversification strategy. The result is a dual focus on securing current revenue streams to ensure economic stability as they build out future industries like tourism and smart cities. The UAE and Saudi Arabia are safeguarding their evolving economies with robust cyber defences to ensure resilience.

Cybersecurity in the Region: Securing Current Investment Streams and Future Growth Opportunities

Facilities in the oil and gas sector in the Middle East remain a prime target for cyberattacks. Industrial refineries, offshore rigs, and pipeline networks rely on operational technology (OT) systems. Gulf nations and their national oil companies have in recent years been fortifying their OT cybersecurity. Saudi Aramco, for example, has ramped up investments to harden its industrial control systems, partnering with international and local cybersecurity services organisations to improve resilience. This is intrinsically linked to Saudi Arabia’s Vision 2030 goals of advancing a digital economy, acknowledging that safeguarding industrial assets is a prerequisite for economic diversification. Across the region, companies are segmenting networks, upgrading legacy control software, and deploying specialised intrusion detection for pipelines and plants. By elevating OT cybersecurity, Middle Eastern nations aim to secure their current revenue engines even as they pivot to new industries.

The growing focus on smart cities within the region is at the centre of a post-oil vision. These projects take a tech-centric approach, with sensors adjusting traffic flow in real time, utilities managed by AI for efficiency, and residents seamlessly connected to digital services. The Gulf has been a leader in smart cities, using them to address rapid urbanisation and sustainability while attracting investment, with the first smart city being launched in 2008. But smart cities are exposed to a wide range of cyber risks, as they operate on IoT sensors and automated OT systems that control water treatment, power grids, traffic lights, surveillance cameras, building HVAC systems and more. The abundance of interconnected devices creates an array of cybersecurity challenges, as there are multiple entry points for hackers. The OT systems managing critical city services are a target for cybercriminals, as an attack disabling the city’s power grid could interrupt daily life, endanger public safety, and reduce public trust in the new digital infrastructure.

Governments are aware that cybersecurity is the cornerstone of their smart city success and emphasise security-by-design. Saudi Arabia has baked cyber resilience into its plans for NEOM and other giga-projects, working with international tech partners to embed security from the ground up. The NEOM Oxagon “Cognitive Security Platform” in Saudi Arabia is a smart city cybersecurity framework that applies zero-trust principles to IoT networks and AI systems, ensuring these connected services remain uninterrupted by attacks, and provides a multi-layered defence against threats to the operations of NEOM and the safety of residents. City planners are working with cyber experts to design networks that can isolate breaches, back up critical controls, and maintain essential services even when under attack. The takeaway is clear: smart cities must be cyber safe to deliver economic benefits.

Alongside smart cities, tourism is a critical pillar of the Middle East’s diversification strategy. As hotels, airports, and hospitality services undergo rapid digital transformation, there is increasing reliance on OT systems such as HVAC, air controls, Building Management Control Systems, and IoT-enabled smart rooms. While these technologies enhance operational efficiency and customer experience, they also introduce new cybersecurity risks. The integration of OT systems with IT networks is expanding the attack surface for cyber threats such as ransomware and system takeovers. To counter these threats, tourism authorities and organisations are investing in stronger cybersecurity measures. For OT, these cybersecurity controls include network segmentation, continuous monitoring, and compliance with global security standards. Ensuring the resilience of critical building infrastructure is essential to maintaining operational continuity.

The local cybersecurity ecosystems of Saudi Arabia and the UAE are underpinned by government support and national strategies. In Saudi Arabia, key players like Cyberani (Aramco Digital’s cybersecurity arm), Tamkeen Security (specialising in governance, risk, and compliance), and CQR (focused on OT security) are leading the expansion of local expertise. Other firms include Cipher, as well as established entities like Sirar by STC, a major provider of digital trust and managed security services, and Elm, a strategic national company delivering cybersecurity solutions across the public sector. In the UAE, the ecosystem is supported by firms such as Help AG, a trusted cybersecurity advisor to government entities, and CPX, which delivers comprehensive cyber defence for critical infrastructure. Companies like ITSEC, Injazat, and DigitalX are also contributing to the country’s digital resilience. Meanwhile, a growing number of startups and innovation hubs are nurturing local talent and accelerating cyber capabilities across both nations.

Government Cyber Strategies and Regulatory Frameworks

Across the region, cybersecurity is beginning to be treated as the necessary foundation for economic diversification, with a growing body of regulation being mandated. The risk from cyberattacks is driving top-down support for clear strategies to secure the digital transformation. In the UAE, the federal government established the Cybersecurity Council in 2020 to develop a comprehensive national cybersecurity strategy and coordinate cyber defences across the country, creating legal and regulatory frameworks to secure both existing and emerging technologies. The UAE also has sector-specific standards and a National Cyber Incident Response Plan for increased protection against threats.

Saudi Arabia created the National Cybersecurity Authority (NCA) as a central body to oversee cyber defence and policy. The NCA’s Essential Cybersecurity Controls (ECC-1:2018) set baseline requirements across government and critical sectors, and the NCA also issued the Operational Technology Cybersecurity Controls (OTCC-1:2022) to bolster industrial systems security. These frameworks align with international standards, ensuring that as Saudi Arabia modernises, security is not an afterthought. In 2023, Saudi Arabia updated its national cyber strategy, shifting to a risk-based approach that prioritises resources based on threat impact. Notably, Saudi leaders frequently link cybersecurity to economic resilience. For example, protecting Aramco’s networks or the digital systems of new megaprojects is described as essential for maintaining investor confidence and continuity of business. By boosting cyber capabilities, Saudi Arabia is working to ensure that its Vision 2030 diversification goals are not derailed by digital risks.

Securing the Digital Foundation through Data Sovereignty and the Cloud

Gulf countries have shifted services to the cloud and have enacted strict policies around data sovereignty, digital data residency, and cloud hosting to support this transformation. Data sovereignty means ensuring that a nation’s sensitive data is stored and handled in accordance with its own laws. Both Saudi Arabia and the UAE have introduced comprehensive privacy laws in recent years. Saudi Arabia’s Personal Data Protection Law of 2021 (enforced in 2023) mandates that personal data on Saudi citizens be stored on local servers and imposes heavy penalties for non-compliance. This law, along with a broader Data Sovereignty Policy, ensures that critical digital assets, including data supporting operational infrastructure, remain within national borders. Similarly, the UAE has its federal PDPL, introduced in 2021, with sector-specific requirements ensuring that sensitive operational data, such as that of government systems or smart infrastructure controls, resides within UAE borders. These regulations reflect the region’s growing emphasis on data localisation and on sovereignty over the OT systems data that is essential for smart cities.

The push for data residency has driven changes in the cloud computing landscape of the Middle East. Five years ago, the majority of public cloud data was stored in Europe or the US. Since then, local data centres have been built across the Gulf. Major cloud providers, including AWS, Microsoft Azure, and Google Cloud, now host in the region, all meeting local data residency requirements. The growth in data centres is set to continue, with Jones Lang LaSalle forecasting a 37% increase in the MW capacity of data centres in Saudi to 2027. These local clouds allow governments and companies to leverage innovative cloud services without sending sensitive data overseas. Regional telecom companies have also partnered to create national cloud services. Dubai’s du (The Emirates Integrated Telecommunications Company PJSC) and Microsoft recently announced collaboration on a $545 M hyperscale data centre in the UAE, supporting the objectives of the Dubai Universal Blueprint for Artificial Intelligence. Middle Eastern regulators have generally adopted a cloud-friendly stance (many have Cloud First policies for government IT), but always with the caveat of security and sovereignty. For example, Saudi Arabia’s regulators issued a Cloud Computing Regulatory Framework that requires government data to be hosted by approved local providers. Such policies are ensuring that the digital infrastructure for diversification is robust and resilient.

Cybersecurity will be the Foundation of Economic Diversification Success in the Region

Gulf states are attempting to pivot from resource-dependent to innovation-driven economies. Success hinges on reliability and trust, as a cyberattack on a major oil facility, a breach that releases millions of tourists’ data, or sabotage of smart city systems could undermine investor confidence and public support for these initiatives overnight. By fortifying its cyber defences, the region is gaining insurance for its economic future. Looking ahead, the Middle East’s digital transformation will drive significant and sustained investment in cybersecurity infrastructure, particularly in sectors that underpin national resilience and economic diversification. As the region accelerates the development of smart cities, autonomous transport, digital tourism platforms, and AI-powered public services, protecting OT and critical infrastructure will move even higher on the strategic agenda. Future investment will increasingly target specialised OT cybersecurity solutions, industrial control system monitoring, and incident response capabilities built specifically for energy facilities, utilities, and smart infrastructure.

The region’s growing dependence on data centres brings with it significant power demand, making secure and reliable energy infrastructure a national priority. It marks a shift from oil being the foundation of the region’s wealth to its future depending on reliable power as the backbone of the economic transformation needed to reach its strategic goals. Cyber resilience must extend across the critical infrastructure landscape to safeguard both legacy assets and the foundations of future growth.

Regulation will continue to evolve, becoming more detailed, more sector-specific, and more rigorously enforced. While frameworks like Saudi Arabia’s Essential Cybersecurity Controls and the UAE’s data protection laws have laid the groundwork, future regulation is expected to focus on emerging risks, including AI safety, supply chain security, and mandatory reporting of cyber incidents. There will likely be increasing regional cooperation within the current GCC Ministerial Committee for Cybersecurity to harmonise standards, share threat intelligence, and align compliance expectations, particularly as cross-border digital services and joint infrastructure projects become more common.
