A lot of MENA businesses have decided the EU AI Act is a European problem. That assumption is the expensive part. The Act has extraterritorial reach. It follows the customer, not the company. If your AI system touches EU clients or EU residents, it can apply to you whether you are based in Dubai, Riyadh, or anywhere else.
The four tiers
The Act sorts AI systems by risk, and the obligations escalate sharply as you move up.
Prohibited. A small set of uses banned outright, including social scoring by public authorities and certain kinds of biometric surveillance. If your system is here, the conversation is over.
High-risk. This is the tier that matters for most businesses, and the one people miss. Annex III lists high-risk uses explicitly, and they include things that do not sound dramatic: credit scoring, AI used in employment and recruitment, and systems used in essential services. High-risk does not mean dangerous. It means the law imposes hard obligations.
Limited-risk. Systems like chatbots, where the main requirement is transparency. Users must know they are interacting with AI.
Minimal-risk. The majority of AI systems, with no specific obligations under the Act.
What "high-risk" actually requires
When a system lands in the high-risk tier, the requirements are specific and binding: a conformity assessment before the system goes to market, detailed technical documentation, human oversight mechanisms, risk management processes, and registration in an EU database. This is not a governance improvement plan. It is a compliance gate.
The practical consequence is that "is our governance good enough" becomes the wrong question. The right one is "can we legally serve this market with the system as built." Those are very different conversations, and a company that does not realise it is in the high-risk tier will only find out when a customer, a partner, or a regulator asks.
A concrete example
We assessed a UAE fintech startup whose credit-scoring models had been pushed toward NIST AI RMF by a technology partner. Through a NIST lens, the models needed governance improvements. But credit scoring is explicitly high-risk under Annex III, and the startup planned to onboard European users. Under the EU AI Act, the same models were not close to compliant. The framework choice turned a governance note into a market access problem. The full case study is here.
What MENA companies should do
If you serve, or plan to serve, EU clients with an AI system, the first step is classification. Find out which tier each system falls into before you scale, not after. The cost of discovering you are in the high-risk tier is manageable if you find it early and ruinous if you find it from a customer's compliance team mid-deal. Classification is cheap. Retrofitting compliance onto a deployed high-risk system is not.
The views and findings in this article are shared for general information only. They are high-level perspectives, not legal, financial, regulatory, or other professional advice, and should not be relied upon for any specific decision or circumstance. For guidance tailored to your situation, please consult a qualified adviser.