Building and maintaining multi-jurisdictional compliance programmes that satisfy regulators in France, the UAE, Saudi Arabia and across the GCC — from anti-corruption and sanctions through data protection to ESG.
The regulatory compliance landscape across Europe and the Middle East has intensified dramatically in the past five years. French Sapin II anti-corruption obligations (with AFA audit enforcement), UAE Anti-Money Laundering Law and FATF-driven reforms, Saudi AML/CTF regulations, GDPR, UAE PDPL (Federal Decree-Law No. 45 of 2021), Saudi PDPL, VARA virtual asset regulation, ESG disclosure requirements for listed companies, and the expanding extraterritorial reach of US OFAC sanctions and the UK Bribery Act create a compliance burden that no company operating across multiple jurisdictions can afford to treat as a box-ticking exercise. The cost of non-compliance — regulatory fines, licence revocation, criminal prosecution, reputational damage and loss of banking relationships — far exceeds the cost of proactive compliance.
GSDA Legal Consultants designs, implements, audits and remediates compliance programmes for multinational corporates, financial institutions, sovereign entities, listed companies and family offices operating across France, the UAE, Saudi Arabia and the wider GCC. Our regulatory compliance practice covers anti-corruption and anti-bribery (Sapin II, UK Bribery Act, US FCPA), anti-money laundering and counter-terrorism financing (AML/CTF), sanctions compliance (OFAC, EU, UN, GCC domestic), data protection and privacy (GDPR, UAE PDPL, Saudi PDPL, DIFC Data Protection Law, ADGM Data Protection Regulations), corporate governance and director duties, financial services regulation (DFSA, CBUAE, SAMA, AMF), virtual asset regulation (VARA, SCA), ESG and sustainability disclosure, and industry-specific regulatory compliance (energy, healthcare, construction, financial services).
Our approach is risk-based and commercially proportionate. We begin with a comprehensive regulatory risk assessment, map applicable obligations across all operating jurisdictions, design a compliance framework calibrated to the client's risk profile and operational complexity, implement the necessary policies, procedures, training and monitoring systems, and provide ongoing compliance support — including regulatory horizon scanning, periodic audits and incident response.
For companies facing regulatory investigations or enforcement actions, we provide crisis management, internal investigation, remediation and regulatory engagement services — working to contain exposure, cooperate effectively with regulators and implement the corrective measures that demonstrate genuine compliance commitment.
The challenges you face
Companies operating across France, the UAE and Saudi Arabia face overlapping and sometimes conflicting compliance obligations: French Sapin II's extraterritorial anti-corruption requirements, UAE AML/CTF expectations, Saudi PDPL data localisation and cross-border transfer conditions, and GDPR's reach into GCC operations through data transfers. The result is a web of obligations that cannot be managed by siloed, jurisdiction-specific programmes.
The interaction of US OFAC sanctions (with extraterritorial secondary sanctions), EU sanctions, UN sanctions and GCC domestic sanctions regimes creates a multi-layered screening and compliance burden — where a transaction that is lawful under UAE law may still trigger US secondary sanctions exposure through the USD clearing system or US-person involvement.
The UAE's removal from the FATF grey list in February 2024 came with commitments to sustained AML/CTF enforcement — meaning financial institutions, DNFBPs (designated non-financial businesses and professions) and free zone entities face heightened compliance expectations, more frequent regulatory audits and zero tolerance for Know Your Customer (KYC) failures.
Companies must simultaneously comply with UAE PDPL, DIFC Data Protection Law 2020, ADGM Data Protection Regulations 2021, Saudi PDPL, GDPR (for EU data subjects and transfers), and sector-specific data rules (CBUAE financial data, HIPAA-equivalent healthcare data) — each with different consent requirements, breach notification timelines and cross-border transfer mechanisms.
Listed companies in the UAE and Saudi Arabia face rapidly escalating ESG disclosure expectations (ADX/DFM sustainability reporting guidance, Tadawul ESG guidelines and the adoption timeline for the ISSB standards IFRS S1 and S2), while many companies lack the governance frameworks, data collection systems and reporting processes needed to comply.
Increasing cross-border enforcement cooperation between French (AFA/PNF), UAE (Financial Intelligence Unit, Economic Crimes Department), Saudi (the Oversight and Anti-Corruption Authority, Nazaha, and the Saudi Arabia Financial Investigation Unit) and international (FATF, Interpol) authorities means that a compliance failure detected in one jurisdiction can trigger coordinated investigations by multiple regulators simultaneously.
We design and implement anti-corruption compliance programmes aligned with French Sapin II (including AFA audit preparation), UK Bribery Act and US FCPA requirements — covering risk assessments, codes of conduct, third-party due diligence, gift and hospitality policies, facilitation payment controls, whistleblowing mechanisms and compliance training.
We advise financial institutions, DNFBPs and corporate groups on AML/CTF compliance — KYC/CDD procedures, transaction monitoring, suspicious activity reporting (goAML), sanctions screening integration, beneficial ownership identification, enhanced due diligence for PEPs and high-risk jurisdictions, and compliance with UAE Federal Decree-Law No. 20 of 2018 and its implementing regulations.
We design integrated sanctions compliance programmes covering OFAC (SDN, SSI lists), EU consolidated sanctions, UN Security Council sanctions, UAE Executive Office sanctions and GCC domestic sanctions — including automated screening implementation, escalation procedures, licence application support and secondary sanctions risk assessment for USD-denominated transactions.
We advise on multi-jurisdictional data protection compliance — GDPR, UAE PDPL, Saudi PDPL, DIFC/ADGM data protection regimes — covering privacy impact assessments, data processing agreements, consent management, cross-border data transfer mechanisms (SCCs, adequacy assessments), breach notification procedures, DPO appointment and regulatory engagement.
We advise boards and directors on governance obligations under SCA Governance Rules, DFSA Listing Rules, AMF corporate governance code, Saudi CMA regulations and the Companies Laws of each jurisdiction — covering board composition, independent director requirements, audit committee mandates, related-party transaction approvals, insider trading controls and annual governance reporting.
We guide regulated entities through licensing, prudential requirements, conduct-of-business rules and ongoing regulatory compliance with DFSA (DIFC), CBUAE (UAE Federal), FSRA (ADGM), SAMA/CMA (Saudi Arabia) and AMF (France) — covering banking, insurance, investment management, fintech and payment services regulation.
We advise virtual asset service providers (VASPs) on VARA licensing (Dubai), SCA regulation, CBUAE payment token rules, ADGM FSRA framework, and Saudi Central Bank (SAMA) digital asset guidance — covering licence applications, AML/CTF compliance, client asset segregation, technology governance and custody requirements.
We advise on ESG governance frameworks, sustainability reporting (GRI, SASB, ISSB/IFRS S1 and S2), carbon disclosure, climate risk assessment, green taxonomy compliance, sustainable finance frameworks and the integration of ESG considerations into corporate governance, risk management and board decision-making processes.
France's Law No. 2016-1691 (Sapin II) requires French companies with 500+ employees and EUR 100 million+ revenue to implement comprehensive anti-corruption compliance programmes including: a code of conduct, an internal whistleblowing mechanism, risk mapping, third-party due diligence, accounting controls, training, disciplinary sanctions, and an internal monitoring system. The Agence Française Anticorruption (AFA) audits compliance. Sapin II has extraterritorial application: it covers French companies' activities worldwide, including their foreign subsidiaries, and can reach non-French companies with a sufficient nexus to France. A deficient programme can be sanctioned by the AFA Sanctions Commission with fines of up to EUR 200,000 for individuals and EUR 1 million for companies, together with an injunction to remediate; the underlying corruption offences themselves carry criminal fines of up to EUR 1 million for individuals and EUR 5 million for companies, and courts (or a judicial public-interest agreement, CJIP) can impose an AFA-monitored compliance programme. GSDA advises French and international companies on Sapin II compliance programme implementation and AFA audit preparation.
Companies operating in the GCC face a complex multi-layered sanctions environment: UN Security Council sanctions (implemented domestically by each GCC state), US OFAC sanctions (which have extraterritorial reach through the USD clearing system and secondary sanctions), EU sanctions, and local GCC sanctions (including the 2017-2021 Saudi-led sanctions on Qatar). The UAE has its own sanctions committee under Federal Decree-Law No. 20 of 2018. The DIFC and ADGM have separate sanctions compliance frameworks. Companies must screen counterparties against all applicable lists, implement robust sanctions policies, and ensure that correspondent banking relationships are not disrupted. GSDA advises multinational companies on implementing integrated sanctions compliance programmes covering all applicable regimes.
The UAE's Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and its implementing regulations establish a comprehensive data protection framework. Key obligations include: lawful processing basis (consent or legitimate interests), data subject rights (access, rectification, erasure, portability), data protection impact assessments for high-risk processing, mandatory data breach notification, and restrictions on cross-border data transfers (adequacy decisions or appropriate safeguards). The PDPL closely mirrors GDPR but with some differences — including a broader range of lawful processing bases, different breach notification timelines, and separate regimes for the DIFC (Data Protection Law 2020) and ADGM (Data Protection Regulations 2021). GSDA advises companies on PDPL compliance, cross-border data transfer mechanisms, and interaction with GDPR.
Saudi Arabia's Personal Data Protection Law (Royal Decree M/19 of 2021, amended 2023) came into full effect in September 2023, with a transitional compliance period until September 2024. Key requirements include: explicit consent for processing personal data (with limited exceptions), appointment of a Data Protection Officer for certain entities, data localisation requirements (personal data must be stored in Saudi Arabia unless cross-border transfer conditions are met), data breach notification to the SDAIA (Saudi Data and Artificial Intelligence Authority) within 72 hours, and data subject rights including access, correction, and deletion. Penalties include fines up to SAR 5 million and imprisonment for certain violations. GSDA advises companies on Saudi PDPL compliance programmes and cross-border data transfer assessments.
Listed companies on ADX and DFM must comply with SCA Governance Rules (Resolution No. 3 of 2020), which mandate: independent directors (at least one-third of the board), audit and nomination/remuneration committees with independent majorities, annual corporate governance reports, related-party transaction approval procedures, insider trading controls, and quarterly and annual financial reporting. DIFC-incorporated listed entities follow DFSA Listing Rules and the DIFC Companies Law. The SCA governance framework aligns with international best practices but includes jurisdiction-specific elements such as Emirati board representation requirements and specific UAE disclosure obligations. GSDA advises listed companies on governance compliance, board formation, and regulatory reporting.
VARA (established by Dubai Law No. 4 of 2022) describes itself as the world's first independent regulator dedicated to virtual assets. VARA licenses virtual asset service providers (VASPs) operating in Dubai (excluding the DIFC, which is regulated by the DFSA). Licence categories include: exchange services, broker-dealer services, custody services, lending/borrowing services, and payment/remittance services using virtual assets. VASPs must comply with AML/CTF requirements, minimum capital adequacy, client asset segregation, and technology governance standards. VARA has enforcement powers including fines and licence revocation. GSDA advises virtual asset businesses on VARA licensing applications, compliance programme design, and ongoing regulatory obligations.
Whistleblower protection in the GCC is developing but remains less comprehensive than in Europe or the US. The UAE DIFC has specific whistleblower protection under DFSA regulations for reports of financial services misconduct. The UAE Federal Government introduced whistleblower protection provisions in the anti-corruption framework under Federal Decree-Law No. 11 of 2021. Saudi Arabia's Reporting Protection Regulations provide protection for persons who report corruption, money laundering, and terrorism financing. However, standalone whistleblower protection legislation comparable to the EU Whistleblower Directive or US SOX is not yet in place in most GCC jurisdictions. GSDA advises companies on implementing whistleblower channels and policies that meet multi-jurisdictional requirements including Sapin II and US SOX where applicable.
ESG reporting requirements are rapidly expanding across the GCC. The UAE's ADX and DFM have introduced voluntary ESG disclosure guidance aligned with GRI and SASB standards, with mandatory sustainability reporting expected for listed companies. Saudi Arabia's Tadawul published ESG Disclosure Guidelines requiring listed companies to report on material ESG metrics. The UAE's Net Zero 2050 strategy and Saudi Arabia's Saudi Green Initiative are driving additional sector-specific sustainability obligations. DIFC and ADGM have introduced sustainable finance frameworks. The ISSB (International Sustainability Standards Board) standards (IFRS S1 and S2) are expected to be adopted across the GCC. GSDA advises companies on ESG compliance frameworks, sustainability reporting, and integrating ESG considerations into corporate governance structures.
GSDA redesigned our entire compliance programme after we expanded from France into the UAE and Saudi Arabia. They built an integrated framework covering Sapin II, UAE AML/CTF, GDPR, UAE PDPL and Saudi PDPL — replacing three separate compliance silos with a single coherent programme that actually works in practice.
Chief Compliance Officer — European Financial Services Group, Regional Operations
The GSDA advantage
Multi-jurisdictional compliance architecture — we design integrated compliance programmes that satisfy regulators in France, the UAE and Saudi Arabia simultaneously, avoiding the duplication and inconsistency that arises from jurisdiction-specific programmes designed in isolation.
Sapin II and AFA expertise — our Paris-based compliance lawyers have prepared companies for AFA audits and designed Sapin II-compliant programmes from inception, giving us practical experience of the standards French regulators actually apply.
Post-FATF grey list compliance depth — we have advised UAE-based financial institutions and DNFBPs on the enhanced AML/CTF compliance expectations following the UAE's removal from the FATF grey list, understanding the practical impact on KYC, transaction monitoring and regulatory audit intensity.
Sanctions navigation capability — we advise on the intersection of OFAC, EU, UN and GCC domestic sanctions in real time, helping clients structure transactions, screen counterparties and obtain licences in the complex multi-sanctions environment of the Gulf.
Crisis response and investigation — when compliance failures occur, we provide rapid-response internal investigation, regulatory engagement, remediation design and enforcement defence — containing exposure and demonstrating to regulators the genuine commitment to compliance that mitigates penalties.