This content is for informational and educational purposes only and does not constitute legal advice.
On 3 May 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) closes the consultation on the draft Responsible Artificial Intelligence Policy including Artificial Intelligence authority governance. The draft Policy applies to all government bodies, the private sector, the non-profit sector, and individuals who develop, use, or publish applications or solutions based on AI technologies in Saudi Arabia. The draft Policy would designate SDAIA as the authority responsible for overseeing AI systems in Saudi Arabia. SDAIA will establish a general AI risk classification framework comprising four risk tiers, namely critical, high, limited and minimal or negligible. It will publish a register classifying AI systems by risk level, accredit impact assessments, respond to incident reports and coordinate with relevant national and international bodies. The release of critical-risk AI systems would be prohibited. High-risk AI systems would not be permitted for release until safety reports and technical safety test results were submitted to and accredited by SDAIA. SDAIA would also operate an AI Regulatory Sandbox and would be authorised to issue suspension orders for critical or high-risk systems and to take deterrent measures against non-compliant providers. Mandatory compliance would begin in the first phase with large companies and entities operating in high-risk sectors.
On 3 May 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) closes the consultation on the draft Responsible Artificial Intelligence Policy including testing requirement. The draft Policy applies to all government bodies, the private sector, the non-profit sector, and individuals who develop, use, or publish applications or solutions based on AI technologies in Saudi Arabia. The draft Policy would require all entities to conduct comprehensive safety tests before deploying a high-risk AI system or any version thereof. Required tests would include red team tests, continuous stress tests, bias evaluation, and security evaluation. Safety reports would be required to document the types of safety guardrails and tools used and the results of safety evaluations across all input and output types. High-risk AI systems would also be required to undergo annual third-party auditing accredited by the Authority.
On 3 May 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) closes the consultation on the draft Responsible Artificial Intelligence Policy including data protection regulation. The draft Policy applies to all government bodies, the private sector, the non-profit sector, and individuals who develop, use, or publish applications or solutions based on AI technologies in Saudi Arabia. The draft Policy would require AI service operators to use personal data only for the specific and clear purposes for which the consent of the data owner was obtained. Expanding the scope of use of such data, including for model training or redeployment in other applications, without obtaining new and explicit consent from the data owner, would be prohibited. Entities would be required to verify compliance with national data sovereignty controls through the secure hosting of data and models.
On 3 May 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) closes the consultation on the draft Responsible Artificial Intelligence Policy including non-discrimination requirement. The draft Policy applies to all government bodies, the private sector, the non-profit sector, and individuals who develop, use, or publish applications or solutions based on AI technologies in Saudi Arabia. The draft Policy would require all developers, operators, and users of AI systems to ensure that systems operate without bias, discrimination, or stereotyping based on personal, social, or cultural characteristics. AI systems would be required to produce objective and balanced decisions based on complete and unbiased data. Entities would be required to evaluate system integrity periodically to verify compliance with this requirement.
On 3 May 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) closes the consultation on the draft Responsible AI Policy. The draft Policy applies to all government bodies, the private sector, the non-profit sector, and individuals who develop, use, or publish applications or solutions based on AI technologies in Saudi Arabia. The draft Policy would require private sector entities that develop, operate, or deploy AI services and products to submit a registration application with the Authority. Registered entities would receive a certificate documenting their registration, renewed annually. Mandatory compliance would begin in the first phase with large companies and entities operating in high-risk sectors.
On 3 May 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) closes the consultation on the draft Responsible AI Policy. The draft policy applies to all government bodies, the private sector, the non-profit sector, and individuals who develop, use, or publish applications or solutions based on AI technologies within the Kingdom of Saudi Arabia. The draft policy requires AI system developers to design systems with privacy, transparency, and safety through design. Developers must embed watermarks in all AI outputs to ensure traceability and resistance to tampering, integrate content tracking techniques to ensure content integrity, implement bias mitigation measures through diversification of data sources, and integrate interpretable features into models to clarify outputs and decision-making mechanisms for users.
On 3 April 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) opened a consultation on the draft Responsible AI Policy until 3 May 2026. The draft policy applies to all government bodies, the private sector, the non-profit sector, and individuals who develop, use, or publish applications or solutions based on AI technologies within the Kingdom of Saudi Arabia. The draft policy requires AI system developers to design systems with privacy, transparency, and safety through design. Developers must embed watermarks in all AI outputs to ensure traceability and resistance to tampering, integrate content tracking techniques to ensure content integrity, implement bias mitigation measures through diversification of data sources, and integrate interpretable features into models to clarify outputs and decision-making mechanisms for users.
On 25 December 2025, the Saudi Data and AI Authority (SDAIA) adopted the General Rules for Secondary Use of Data. They establish data protection regulations governing the secondary use of data for purposes other than those initially specified at the time of data collection. The general rules require compliance with the Personal Data Protection Law and its Implementing Regulations. They apply to data-sharing requests between government entities, from government entities to private entities for public interest purposes, and from private entities to government entities for research, development, and innovation. The general rules set out principles on privacy and personal data protection, responsible secondary use of data, data quality, ethical data use, data security, and public interest. They require that data use be limited to the minimum necessary and exclude profit-oriented purposes.
On 25 December 2025, the Saudi Data and AI Authority (SDAIA) adopted the General Rules for Secondary Use of Data. They establish a data governance framework across government and private entities, defining scope, objectives, and mechanisms governing data-sharing requests, including controls for data classification levels and confidentiality of government data. The rules set out procedures for submitting, assessing, approving, or rejecting data-sharing requests through the Data Marketplace platform and other approved secure methods. They introduce a use licensing mechanism for private entities requesting government data, with licenses issued under procedures established by the National Data Management Office and including possible provisions on intellectual property rights and commercial confidentiality. They complement SDAIA's Data Sharing Policy and allocate oversight and procedural roles to the National Data Management Office.
On 19 November 2025, the United States Department of State and the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia signed the strategic Artificial Intelligence (AI) partnership. The partnership is a government-to-government framework to support advanced semiconductor supply, AI application development, cloud and AI infrastructure services, and high-value technology investments across sectors, including health, education, energy, mining, and transport. The partnership introduces commitments to co-develop semiconductors and AI tools, build large-scale AI and cloud computing infrastructure, expand national skills and capabilities, and deepen bilateral investment and security cooperation, with both governments now moving to implement the agreed infrastructure, capability-building, and investment programmes.
On 31 August 2025, the Communications, Space and Technology Commission (CST) announced the launch of five solutions under its Regulatory Technologies (RegTech) project at a side event held in conjunction with the Global Symposium for Regulators (GSR25). The first solution, RegTrust, is a blockchain and artificial intelligence platform designed to connect stakeholders, strengthen the reliability of public messaging channels, cut unwanted messages by up to 95%, and increase compliance to 98%. The second solution, InfraReg, is a digital platform for managing telecommunications infrastructure that streamlines processes from application to payment, aiming for an 85% improvement in operational efficiency and a 95% increase in stakeholder satisfaction. The third solution, RegDrafter, is a platform for drafting regulatory documents equipped with benchmarking and automation tools. It is intended to achieve 98% accuracy in initial drafts, shorten approval time by 90%, and reduce preparation costs by 80%. The fourth solution, RegAdvisor, is an artificial intelligence advisory platform that provides multilingual guidance on the national regulatory framework. It seeks to reduce consultation times by 90% and achieve a 90% improvement in stakeholder confidence. The fifth solution, Regulation as a Code (RaaC), converts regulatory texts into digital formats such as XML, JSON, and logic models. Its objective is to raise compliance rates to 70% and reduce ambiguity and human error in interpretation and implementation by 90%.
On 3 August 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) released a report detailing the dimensions, technological developments, and applications of Agentic Artificial Intelligence (Agentic AI) at global and national levels. The report outlines its core capabilities, perception, reasoning, learning, action-taking, communication, and autonomous operation, and its integration in sectors including healthcare, education, and energy. The report examined the historical evolution of AI agents from simple rule-based systems to multi-agent architectures supported by large language models (LLMs), described international policy approaches and regulatory contexts, assessed national readiness within the Kingdom of Saudi Arabia as part of Vision 2030, and highlighted initiatives such as the development of the ALLaM Arabic large language model and smart city projects in NEOM and the Red Sea. It identified technical, organisational, and ethical challenges, including causal reasoning limitations, transparency, human resource capacity gaps, cybersecurity risks, and cultural impacts, and proposed a governance framework combining data governance, AI ethics, and human oversight. The report also includes a four-phase adoption roadmap, vision and planning, pilot testing, expansion and integration, and continuous innovation, supported by strategic partnerships, infrastructure development, and capacity building to ensure safe, responsible, and value-sustaining deployment of Agentic AI solutions.
On 23 July 2025, the National Cybersecurity Authority (NCA) released the National Cybersecurity Risk Management Framework. The framework applies to government bodies, government-affiliated entities, private sector organisations in critical infrastructure, and all other entities designated by the competent authority. It includes methods for identifying, assessing, and mitigating cyber risks while delineating responsibilities and procedures. The framework includes structured phases for risk identification, assessment, and treatment, supported by a risk assessment matrix. The framework obliges such entities to identify and classify risks based on the national methodology, which outlines definitions for risk levels based on severity, scale of impact, and likelihood level. All organisations must report high and critical level risks to the NCA.
On 22 July 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched the “National AI Index” to assess government readiness for adopting artificial intelligence (AI) technologies. The index is structured around three main pillars, seven core dimensions, and 23 subcategories to enable a comprehensive evaluation of institutional AI adoption maturity. It is designed to monitor progress, provide recommendations, and facilitate the alignment of government efforts with national priorities in the AI domain. The index supports the development and implementation of sustainable AI solutions across government entities, contributing to digital transformation and improved institutional performance in line with the strategic objectives of Saudi Vision 2030. As part of SDAIA’s mandate as the national reference for data and AI, the index also aims to provide enablers that strengthen innovation capabilities and maximise impact across priority sectors through strategic partnerships.
On 20 July 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched the technical sandbox for the national platform Tawakkalna and commenced accepting applications from the first group of private sector companies. The sandbox enables companies to test digital services with real users in a secure technical environment, facilitating integration between public and private entities under a flexible and regulated framework. The initiative supports the expansion of Tawakkalna’s function as a unified national platform and offers participating companies access to a user base exceeding 34 million. Evaluation of applications is based on defined criteria and controls to ensure secure and integrated digital service delivery, including requirements for valid commercial registration, applicable licences, regulatory compliance, governance adherence, alignment with national values, and provision of services in Arabic as the primary language. The initiative is intended to enhance collaboration and promote the development of user-focused, innovative digital services through public-private partnerships.
On 27 May 2025, the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) closes its consultation for a proposed amendment to the Implementing Regulation of the Personal Data Protection Law (PDPL). In particular, the amendment would require controllers to register in the National Register of Controllers through the Competent Authority’s platform if they met certain conditions, such as being a public entity, primarily engaging in Personal Data processing, transferring data outside the Kingdom, or handling sensitive or vulnerable individuals’ data. Each Controller would have a separate register where records of processing activities and related documents would be maintained. This obligation would also apply to individuals if they processed Personal Data for purposes beyond personal or family use.
On 27 May 2025, the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) closes its consultation for a proposed amendment to the Implementing Regulation of the Personal Data Protection Law (PDPL). The amendments would revise controller obligations, modify definitions, and adjust procedural requirements. Changes would include the removal of the definitions for "direct marketing" and "personal data breach". Furthermore, the proposed amendments would introduce new requirements for drafting Privacy Policies in clear and service-consistent language, revise consent procedures for marketing communications, and modify obligations regarding direct marketing, including consent withdrawal and sender identification. The amendments also update responsibilities for Personal Data Protection Officers, restructure recordkeeping obligations for Personal Data processing, and adjust procedures for reporting to the Competent Authority. Provisions concerning complaint handling procedures would also be restructured.
On 27 April 2025, the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) opened a consultation on the proposed amendments to the Implementing Regulation of the Personal Data Protection Law (PDPL) until 27 May 2025. In particular, the amendment would require controllers to register in the National Register of Controllers through the Competent Authority’s platform if they met certain conditions, such as being a public entity, primarily engaging in Personal Data processing, transferring data outside the Kingdom, or handling sensitive or vulnerable individuals’ data. Each Controller would have a separate register where records of processing activities and related documents would be maintained. This obligation would also apply to individuals if they processed Personal Data for purposes beyond personal or family use.
On 27 April 2025, the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) opened a consultation on the proposed amendments to the Implementing Regulation of the Personal Data Protection Law (PDPL) until 27 May 2025. The amendments would revise controller obligations, modify definitions, and adjust procedural requirements. Changes would include the removal of the definitions for "direct marketing" and "personal data breach". Furthermore, the proposed amendments would introduce new requirements for drafting Privacy Policies in clear and service-consistent language, revise consent procedures for marketing communications, and modify obligations regarding direct marketing, including consent withdrawal and sender identification. The amendments also update responsibilities for Personal Data Protection Officers, restructure recordkeeping obligations for Personal Data processing, and adjust procedures for reporting to the Competent Authority. Provisions concerning complaint handling procedures would also be restructured.
On 23 April 2025, the Saudi Data and AI Authority (SDAIA) closes its consultation for the General Rules for Secondary Use of Data. The rules would establish a framework to regulate data-sharing between government and private entities for purposes such as research, development, innovation, and achieving public interest objectives, where the use of data differs from the original collection purpose. The rules would set definitions, introduce principles for responsible data use, privacy protection, and data security, and outline procedural requirements for submitting and evaluating data-sharing requests. It is further stipulated that data-sharing practices would have to be aligned with the public interest, subject to compliance with applicable licensing conditions, and that relevant parties may seek legal counsel from the National Data Management Office (NDMO) in the event of any disputes.
On 8 April 2025, the Saudi Data and AI Authority (SDAIA) opened a consultation process for the General Rules for Secondary Use of Data until 23 April 2025. The rules would establish a framework to regulate data-sharing between government and private entities for purposes such as research, development, innovation, and achieving public interest objectives, where the use of data differs from the original collection purpose. The rules would set definitions, introduce principles for responsible data use, privacy protection, and data security, and outline procedural requirements for submitting and evaluating data-sharing requests. It is further stipulated that data-sharing practices would have to be aligned with the public interest, subject to compliance with applicable licensing conditions, and that relevant parties may seek legal counsel from the National Data Management Office (NDMO) in the event of any disputes.
On 11 January 2025, the Data and Artificial Intelligence Authority (SDAIA) closes its consultation on a proposed regulatory framework to introduce licenses to conduct activities involving personal data processing, auditing, and certification issuance in Saudi Arabia. The framework specifies the requirements, procedures, and responsibilities for obtaining licenses to carry out these activities to ensure compliance with the Personal Data Protection Law.
Last updated: 03/05/2026