
Digital sovereignty: why NEOM buys its AI locally

What actually changed in 2024–2026

Before 2023, AI procurement in the Kingdom followed a conventional pattern: international tender, technical-capability scoring, contract with a global vendor (usually US or European), delivery through a local integration partner. Price mattered. Brand mattered. Sovereignty was a footnote.

Three shifts inverted the equation:

  1. NSDAI 2020 and its 2025 refresh — the National Strategy for Data & AI is no longer an aspirational document. It is a procurement framework. SDAIA-aligned government projects now require an explicit sovereign component.
  2. NDMO data classification regulations (2023, updated 2025) — four categories (Public, Restricted, Secret, Top Secret) each with distinct storage and processing requirements.[^1] The top two categories effectively exclude most public US infrastructure.
  3. Real sovereign platforms maturing — Google Cloud’s Dammam region is live with Sovereign Controls via partner CNTXT,[^2] stc is delivering Oracle Alloy-based sovereign cloud services in KSA,[^3] and Microsoft signed a November 2025 MoU with PIF and SITE to explore sovereign-cloud services, with its Saudi Arabia East datacentre region scheduled to launch in Q4 2026.[^4] Sovereignty is no longer prohibitively expensive.

The result: a buyer at NEOM no longer asks “do you have a good model?” They ask “where is the data stored, who can access it, what nationality is the operating team, do you have a MISA licence, what’s your IKTVA local-content score?”

The sovereign procurement stack — six layers

Here is what we consistently see in tender documentation for giga-projects since 2024:

| Layer | Requirement | Standard / reference |
| --- | --- | --- |
| Data | Full residency inside KSA for sensitive categories | NDMO Data Management Standards |
| Infrastructure | Certified sovereign cloud or on-site deployment | SDAIA Sovereign Cloud Framework |
| Entity | Active MISA licence for the foreign provider, or partnership with a Saudi entity | Ministry of Investment |
| Workforce | Minimum Saudisation by activity category (varies by sector) | MHRSD Nitaqat tiers |
| Local content | Verifiable IKTVA or ICV score | Local Content Authority |
| Cybersecurity | Compliance with NCA Essential Cybersecurity Controls (ECC-1:2018 / ECC 2:2024) | NCA[^5] |

Any vendor missing one of these six layers is effectively out of the running for Secret-and-above categories. This is the part that catches many international vendors off guard: the question is no longer “can we sell through a local partner?” It’s “does the actual provider have all six layers?”

Direct NEOM signals

We read three channels to understand what NEOM is actually buying:

Channel 1 — LinkedIn and bayt.com job postings. Anecdotally, a majority of recent NEOM technical postings — including roles at Tonomus (the public name since September 2022 of what was previously NEOM Tech & Digital Company)[^6] — explicitly require “Saudi national preferred” or “based in NEOM region.” AI and data-science roles list “data residency within KSA” and “sovereign deployment experience” as core qualifications.

Channel 2 — Etimad tenders and NEOM’s supplier portal. A synthesised illustration of the kind of compliance block that typically appears in giga-project AI tenders (not a verbatim extract from any single published tender):

Compliance requirements (illustrative — not a verbatim tender):
- Processed data shall not leave Kingdom boundaries (NDMO Secret tier)
- All administrative accounts operated from inside the Kingdom only
- Provider holds a locally licensed entity (MISA or Saudi company)
- Verifiable local-content (IKTVA) score in scoring matrix
- Adherence to NCA ECC controls
- Support staff hold security clearance (for Secret-tier categories)

Channel 3 — announced partnerships. Public-domain deals — Google Cloud’s Dammam region with Sovereign Controls,[^2] the Aramco-Cerebras chip partnership announced in September 2024,[^7] PIF’s launch of HUMAIN as an AI vehicle in May 2025,[^8] and Microsoft’s November 2025 MoU with PIF and SITE on sovereign-cloud services[^4] — all point in one direction: foreign infrastructure is acceptable only when it has been transformed into a locally operated sovereign instance.

What this means for global annotation vendors

Annotation vendors headquartered outside MENA face a structural challenge for KSA Secret-tier work that has nothing to do with product quality. The default global delivery model — data processed in the vendor’s home cloud region, a globally distributed contractor pool, no in-Kingdom legal entity, and no local-content scoring — runs into the NDMO and NSDAI clauses regardless of how strong the product is. The structural gaps:

The practical result for the highest data-classification tiers: a vendor without those four layers is filtered out of the shortlist before price is discussed. This is not a judgement on the vendor — it is the way the compliance architecture is designed to filter.

A MENA-native provider — even with a smaller team and a less mature product — walks in with three layers already in place: entity, workforce, local content. The remaining three (data, infrastructure, cybersecurity) can be built on a certified sovereign cloud without restructuring the company. That asymmetry is structural, not temporary.

NSDAI 2025 — the direction buyers are reading

SDAIA’s National Strategy for Data & AI signals headline targets — SAR 75bn AI investment by 2030, 300+ AI startups, and a top-15 OECD AI ranking — and SDAIA has signalled IKTVA-style local-content preferences for AI-sector procurement.[^9] The day-to-day operational read is consistent across the giga-projects: buyers at NEOM, HUMAIN, or SDAIA no longer need to justify choosing a local provider with sovereign-stack alignment. The opposite is true — they’ll need to justify choosing an international one without it.

IKTVA vs ICV — what’s the difference, and why it matters

The terms get used interchangeably, but they are distinct frameworks:

A vendor who cannot produce a certified IKTVA score from a licensed auditor is materially disadvantaged in scoring matrices that weight local content.

Because IKTVA includes spend on Saudi workforce, in-Kingdom hiring isn’t a “nice to have” — it’s a direct pricing component in the tender.

Sovereign cloud ≠ cloud-in-Kingdom

A distinction many international vendors get wrong:

Cloud in the Kingdom = physical servers inside Saudi borders. This is available from AWS Middle East (Bahrain or UAE), Azure Saudi Region, Google Cloud Dammam.

Sovereign cloud = all of the above + administrative control held by a Saudi entity + local support staff + customer-managed encryption keys + no admin access from outside the Kingdom + operational continuity independent of the foreign parent company.

NDMO’s Secret tier effectively requires the latter, not the former. The distinction isn’t purely technical — it’s legal-operational. A US company can lease a rack in Riyadh, but it cannot — by virtue of the US CLOUD Act — guarantee that customer data won’t be subject to a US court order.[^12] That is exactly what KSA’s PDPL and NDMO frameworks restrict for sensitive categories.

What a vendor who wants to sell to NEOM should actually do

From direct field observation over the past year, a serious vendor needs a five-step plan:

  1. Get a MISA licence — a distribution partner is not enough. The legal entity must be capable of signing directly.
  2. Build a real operational presence in Riyadh or NEOM — office, local team, local bank account (SAMA-registered).
  3. Contract with a certified sovereign cloud — Google Cloud Dammam with Sovereign Controls, stc + Oracle Alloy, or on-site deployment for Secret-tier categories.
  4. Build a Saudi team for critical roles — not only for Saudisation, but because roles requiring security clearance legally require Saudi nationality.
  5. Register for IKTVA and start measuring the score — even starting from a low number, the vendor who measures outranks the vendor who doesn’t.

This isn’t a months-long effort; it’s a year, minimum. Vendors who began in 2023–2024 are harvesting today. Those who wait until 2026–2027 will find the approved-vendor lists already filled.

The converging UAE framework

A noticeable convergence is happening between the Saudi and Emirati frameworks. UAE’s ICV mirrors Saudi IKTVA in most material ways. Etihad Cloud and G42 Cloud mirror the Saudi sovereign stack. The UAE Data Office is converging with NDMO on the four-category classification model.

Practical implication for vendors: preparing for the Saudi market effectively qualifies you for the Emirati one, and vice versa. A sovereign cloud built for Saudi data residency serves — with marginal adjustments — Emirati requirements. But big procurement (NEOM, Aramco, ADNOC, EGA) still requires separate IKTVA/ICV scores, so compliance cannot be “bundled.”

Closing read

Digital sovereignty in the Gulf is not a political slogan; it’s a measurable procurement framework. The vendor who understands the six-layer stack reads the tender differently, builds the proposal differently, and wins differently. The vendor selling “best global technology” without the stack loses on the qualification page before reaching the price page.

NEOM, HUMAIN, and SDAIA aren’t buying artificial intelligence. They’re buying sovereign compliance that happens to carry artificial intelligence inside.
