Companies trying to move their most sensitive data to the cloud run into the same problem over and over: they need to follow strict rules in countries where those rules haven’t been written yet. The Middle East shows this tension clearly. Surveys show 68% of businesses there plan to shift most of their work to the cloud in the next two years, but the legal and technical guardrails haven’t kept pace.
The numbers tell one story while reality tells another. Analysts value the global cloud compliance market at $40.5 billion this year, with forecasts pointing to 14.8% annual growth through 2034. But most of the tools being sold were built for places like the United States and Europe, where regulators spent years hammering out what compliance actually means. Companies in newer markets often have to guess.
Take what happened in the Kingdom of Saudi Arabia. A major cloud provider wanted to launch a compliance offering there, but needed an expert to work out what data residency (for data at rest, in use, and in transit) meant in practice, how to control access, and what sovereignty requirements applied to cloud infrastructure.
Translating regulatory ambiguity into technical controls
Urvish Pandya, a Technical Program Manager focused on cloud security, took on the job of building the Kingdom of Saudi Arabia’s first complete cloud compliance framework from the ground up. His task was translating hazy regulatory ideas into concrete security controls that would satisfy government inspectors and corporate security officers alike.
The work started with drawing lines around data. He had to get engineers, lawyers, and compliance specialists on the same page to design a system that kept data where it belonged without breaking the services themselves. That meant bringing more than 60 different cloud services into the new compliance boundary and setting up logging systems that recorded and checked every single request that touched customer data inside that boundary.
“Compliance in emerging markets demands a different approach than adapting existing frameworks,” Urvish Pandya explained. “You’re essentially building the blueprint while constructing the building, translating regulatory intent into technical specifications that don’t yet have industry precedents.”
The technical build used organizational policy rules applied at the platform level. Instead of trusting each application to police itself, the system enforced data location limits through the infrastructure underneath, making it impossible for data to leave the designated regions. Access justification required staff to explain in writing why they needed to touch any customer workload, creating paper trails that auditors could check later.
This work got the cloud provider its Class C certification from regulators in the Kingdom of Saudi Arabia, the first time a major platform met the Kingdom’s compliance standards. The framework later supported several big deployments, including a complete business network platform that a major enterprise software company set up for public sector clients across the region.
The work in the Kingdom of Saudi Arabia wasn’t his only project. He simultaneously led the implementation of Google Compute Engine and Identity and Access Management breakglass capabilities for a major consumer technology company, part of a multi-billion-dollar cloud opportunity. By streamlining decisions across engineering teams, he delivered the required components a full month ahead of schedule. This early delivery accelerated the customer’s compliance certification and showed how tight coordination between security, infrastructure, and compliance teams could compress timelines without cutting corners on technical requirements.
This implementation ensures full data sovereignty for public sector operations within the KSA. Consequently, the KSA is the first country globally to host the SAP Business Network for the public sector while maintaining complete data sovereignty compliance. The technical core relied on Binary Authorization policy enforcement, a system that validates container images before deployment and blocks unauthorized workloads at the infrastructure layer. First-mover positions in cloud markets typically lock in sustained market advantages. The framework generated multimillion-dollar revenue from independent software vendors like SAP deploying their platforms in the region.
Addressing operational risk in compliance architecture
He also worked on a separate problem: what happens when security rules get in the way of fixing actual emergencies? Companies under strict compliance regimes still have outages that need immediate fixes, but most compliance systems don’t have a way to bend the rules safely when things break.
The Break Glass project built a temporary override for security policies that would otherwise block urgent repairs during outages. The system logged everything, required someone with authority to approve it, and automatically put the normal rules back in place once the emergency passed. This kept compliance controls from making outages worse or preventing teams from installing critical security patches.
Research firms tracking cloud security found that 44% of companies dealt with security incidents last year, and 14% had actual breaches. The override system lets teams handle these problems without breaking audit rules or losing their regulatory standing. Compliance officers could see exactly what happened during each emergency and why.
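The override behaviour described above (approval by someone with authority, a full log, automatic return to normal rules) can be sketched as a small in-memory model. This is an added example, not the provider's implementation; the class, the approver list and the event names are hypothetical.

```python
import time
from dataclasses import dataclass, field

APPROVERS = {"oncall-lead"}   # constructed: identities with authority to approve

@dataclass
class BreakGlass:
    clock: callable = time.time                   # injectable so expiry is testable
    audit: list = field(default_factory=list)     # append-only record for auditors
    grants: dict = field(default_factory=dict)    # policy name -> live override

    def _log(self, event, **details):
        self.audit.append({"ts": self.clock(), "event": event, **details})

    def request(self, policy, requester, approver, reason, ttl_s):
        """Open a time-boxed override; refused attempts are logged as well."""
        problem = None
        if not reason.strip():
            problem = "missing justification"
        elif approver not in APPROVERS:
            problem = "approver lacks authority"
        elif approver == requester:
            problem = "self-approval"
        if problem:
            self._log("override_refused", policy=policy, requester=requester, why=problem)
            return False
        self.grants[policy] = {"requester": requester, "expires": self.clock() + ttl_s}
        self._log("override_granted", policy=policy, requester=requester,
                  approver=approver, reason=reason, ttl_s=ttl_s)
        return True

    def allowed(self, policy, actor, policy_permits):
        """Decide one action: normal policy first, then a still-live override."""
        if policy_permits:
            self._log("allowed_by_policy", policy=policy, actor=actor)
            return True
        grant = self.grants.get(policy)
        if grant and self.clock() >= grant["expires"]:
            del self.grants[policy]               # normal rules are back in force
            self._log("override_expired", policy=policy)
            grant = None
        if grant and grant["requester"] == actor:
            self._log("allowed_by_override", policy=policy, actor=actor)
            return True
        self._log("denied", policy=policy, actor=actor)
        return False
```

Expiry is checked at decision time, so the override lapses even if nobody remembers to close it, and the audit list shows refused requests alongside granted ones.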
Scaling compliance infrastructure across regions
After Saudi Arabia, he expanded the compliance setup to cover more markets, including European Union sovereign control options. Each place had its own rules (GDPR in Europe, sector-specific requirements in the Gulf states), but the basic design held up across all of them.
The strategy focused on building individual security controls that could be mixed and matched rather than one giant compliance package. Different controls could be combined to meet whatever a specific country required. This meant the same technical foundation could serve markets with completely different rules, which cut down on engineering work while still hitting regulatory targets.
The approach fits into a bigger shift happening across the industry. As more governments write laws requiring data to stay inside their borders, cloud companies have to prove they’re keeping data local and under local legal control. Investment banks tracking the region estimate Middle East cloud spending at $12.1 billion this year, with projections indicating 22% annual growth through 2031, primarily driven by concerns over sovereignty.
Emerging patterns in compliance technical program management
Pandya also built a customer engagement process that changed how the organization handles compliance projects. His approach brought customer security officers, legal teams, and technical architects into structured early conversations before engineering work started. These sessions caught gaps between what customers thought they needed and what regulations actually required, preventing expensive fixes later. The methodology became standard protocol across the organization for new compliance work, reducing project delays and improving initial compliance assessments for multiple regional launches afterward.
This kind of structured program management fixes a common way compliance projects fail: requirements that look straightforward in regulatory documents often have hidden ambiguities that only show up when you try to build them. Getting both regulators and customer security teams involved early surfaced these problems when changes were still easy to make, not after the infrastructure was already running.
“This systematic approach to technical program management addressed a common failure mode in compliance projects: requirements that look clear in regulatory documents often contain ambiguities that only surface during implementation,” Urvish Pandya noted.
What this shows is that compliance infrastructure in new markets needs both technical and institutional work at the same time. Companies can’t just copy what they did somewhere else; they have to sit down with regulators and figure out together what compliance actually means, then turn those definitions into technical systems that can be checked and verified.
As more countries without established compliance rules start adopting cloud services quickly, this kind of collaborative standard-setting will probably become more common. Cloud providers who know how to work through regulatory uncertainty have an edge in emerging markets, and countries that successfully bring in cloud infrastructure see economic benefits from technology investment and local technical jobs.
What comes next is figuring out how to scale this as more countries write data sovereignty laws. Each new jurisdiction makes global cloud operations more complex, requiring infrastructure that can enforce different compliance systems while still running efficiently across regions. The technical answers exist, but putting them into practice takes the kind of coordination across different parts of an organization that most companies struggle to do consistently.






