
HCI vs. Public Cloud in MENA: A Realistic TCO Comparison for 2026
July 5, 2026For CIOs and compliance officers operating in the UAE’s healthcare, financial services, and government-adjacent sectors, the question is no longer whether to adopt cloud infrastructure — it is how to do so within an increasingly defined regulatory framework. Understanding the obligations imposed by the UAE’s data protection laws and translating them into architectural decisions is now a core governance responsibility.
The Regulatory Landscape
- Federal Decree-Law No. 45 of 2021 — the UAE Personal Data Protection Law (PDPL), effective January 2022. The UAE’s general-purpose data protection law, applicable across most sectors.
- Federal Law No. 2 of 2019 — governs the use, processing, and protection of health data. Health data is treated as a special category requiring heightened controls.
- CBUAE Cloud Computing Guidance — the Central Bank of the UAE has issued specific cloud guidance for licensed financial institutions, addressing risk management, third-party oversight, and data residency.
- Securities and Commodities Authority (SCA) Cloud Guidelines — regulated capital markets firms must comply with SCA-issued guidance on cloud adoption.
- UAE National Cybersecurity Authority (NCA UAE) Cloud Security Guidelines — cloud-specific cybersecurity standards that apply to critical sectors.
PDPL Requirements for Cloud Deployments
The PDPL establishes baseline obligations for any organisation acting as a data controller or data processor in the UAE. Cross-border data transfers are permitted only where the destination country or organisation provides an adequate level of protection, or where the data subject has given explicit informed consent. This requires organisations to assess and document the protection standards of every system or third-party service that may receive UAE personal data.
The PDPL also mandates that personal data be processed only for specified, legitimate purposes; retained only as long as necessary; and protected through appropriate technical and organisational measures. For cloud environments, this translates directly into requirements for access controls, audit logging, data minimisation at the storage layer, and formal data processor agreements with cloud vendors.
Health Data Law: Stricter Controls for a Sensitive Category
Federal Law No. 2 of 2019 treats health data as a distinct and more sensitive category. Healthcare providers, insurers, and any organisation processing clinical or patient information must apply explicit consent requirements and implement security measures commensurate with the sensitivity of the information.
In cloud architecture terms, health data should be subject to a separate classification tier: field-level encryption, stricter access governance (role-based with time-limited access), and complete audit trails of every access and modification event. In-country processing is the default expectation. Organisations should assume that cross-border processing of UAE health data requires explicit regulatory approval or patient consent.
Financial Sector Specifics
The CBUAE Cloud Computing Guidance and SCA cloud guidelines impose additional obligations on licensed financial institutions. Key requirements include conducting cloud risk assessments before onboarding any provider, maintaining a cloud service register, and ensuring outsourcing arrangements do not impair the regulator’s ability to supervise the institution or access its data.
Data classified at the highest tiers should remain within UAE-jurisdiction infrastructure. Multi-cloud or hybrid strategies are permissible but must be governed by a clear residency matrix that is documented and defensible to the regulator on request.
Architecture Checklist for Regulated Workloads
- Data classification layer: Implement a framework that tags all data at ingestion — at minimum distinguishing public, internal, confidential, and regulated special-category data. Classification must be enforced at the infrastructure level.
- Encryption at rest and in transit: All regulated data must be encrypted at rest using current cryptographic standards. Data in transit must use TLS 1.2 or higher. Key management must be auditable with key rotation policies enforced.
- In-country processing for sensitive categories: Health data and high-sensitivity financial data must be processed and stored within UAE-jurisdiction infrastructure — enforced through network controls and storage policies, not contractual terms alone.
- Audit logging: All access to regulated data must be logged immutably and retained for the period required under applicable law.
- Access governance: Role-based access controls with least-privilege must be applied to all regulated data stores. Privileged access must require MFA and generate separate audit trails.
- Data processor agreements: All cloud vendors and sub-processors handling UAE personal or health data must be bound by contractual DPAs aligned with PDPL requirements.
- Cross-border transfer controls: Implement technical controls to prevent regulated data from leaving UAE jurisdiction without authorised legal basis — including egress controls on storage buckets, API gateways, and analytics pipelines.
- Incident response and breach notification: Ensure cloud architecture supports detecting, containing, and notifying relevant authorities of personal data breaches within required timeframes.
MomentumX: UAE-Sovereign Infrastructure for Regulated Workloads
MomentumX operates a UAE-based data centre in Dubai, designed to support organisations with in-country processing requirements under the PDPL, Health Data Law, and sector-specific guidance. The infrastructure supports data residency enforcement, encryption key management within UAE jurisdiction, and audit logging frameworks aligned with NCA UAE cloud security guidelines.
For a deeper look at sovereign cloud options available in the UAE, see our guide to UAE cloud providers in 2026.
Ready to move to sovereign cloud?
MomentumX provides sovereign cloud infrastructure across Egypt, KSA, and UAE with full SAMA, NCA, and PDPL compliance. Your data stays in your country.
Enterprise Private CloudHyperAI
GPU Compute for AIHyper Private Cloud
Managed Private Cloud









