This content is for informational and educational purposes only and does not constitute legal advice.
On 3 April 2026, the Saudi Data and Artificial Intelligence Authority (SDAIA) opened a consultation on the draft Responsible AI Policy until 3 May 2026. The draft policy applies to all government bodies, the private sector, the non-profit sector, and individuals who develop, use, or publish applications or solutions based on AI technologies within the Kingdom of Saudi Arabia. The draft policy requires AI system developers to design systems with privacy, transparency, and safety through design. Developers must embed watermarks in all AI outputs to ensure traceability and resistance to tampering, integrate content tracking techniques to ensure content integrity, implement bias mitigation measures through diversification of data sources, and integrate interpretable features into models to clarify outputs and decision-making mechanisms for users.
On 25 December 2025, the Saudi Data and AI Authority (SDAIA) adopted the General Rules for Secondary Use of Data. They establish data protection regulations governing the secondary use of data for purposes other than those initially specified at the time of data collection. The general rules require compliance with the Personal Data Protection Law and its Implementing Regulations. They apply to data-sharing requests between government entities, from government entities to private entities for public interest purposes, and from private entities to government entities for research, development, and innovation. The general rules set out principles on privacy and personal data protection, responsible secondary use of data, data quality, ethical data use, data security, and public interest. They require that data use be limited to the minimum necessary and exclude profit-oriented purposes.
On 25 December 2025, the Saudi Data and AI Authority (SDAIA) adopted the General Rules for Secondary Use of Data. They establish a data governance framework across government and private entities, defining scope, objectives, and mechanisms governing data-sharing requests, including controls for data classification levels and confidentiality of government data. The rules set out procedures for submitting, assessing, approving, or rejecting data-sharing requests through the Data Marketplace platform and other approved secure methods. They introduce a use licensing mechanism for private entities requesting government data, with licenses issued under procedures established by the National Data Management Office and including possible provisions on intellectual property rights and commercial confidentiality. They complement SDAIA's Data Sharing Policy and allocate oversight and procedural roles to the National Data Management Office.
On 19 November 2025, the United States Department of State and the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia signed the strategic Artificial Intelligence (AI) partnership. The partnership is a government-to-government framework to support advanced semiconductor supply, AI application development, cloud and AI infrastructure services, and high-value technology investments across sectors, including health, education, energy, mining, and transport. The partnership introduces commitments to co-develop semiconductors and AI tools, build large-scale AI and cloud computing infrastructure, expand national skills and capabilities, and deepen bilateral investment and security cooperation, with both governments now moving to implement the agreed infrastructure, capability-building, and investment programmes.
On 31 August 2025, the Communications, Space and Technology Commission (CST) announced the launch of five solutions under its Regulatory Technologies (RegTech) project at a side event held in conjunction with the Global Symposium for Regulators (GSR25). The first solution, RegTrust, is a blockchain and artificial intelligence platform designed to connect stakeholders, strengthen the reliability of public messaging channels, cut unwanted messages by up to 95%, and increase compliance to 98%. The second solution, InfraReg, is a digital platform for managing telecommunications infrastructure that streamlines processes from application to payment, aiming for an 85% improvement in operational efficiency and a 95% increase in stakeholder satisfaction. The third solution, RegDrafter, is a platform for drafting regulatory documents equipped with benchmarking and automation tools. It is intended to achieve 98% accuracy in initial drafts, shorten approval time by 90%, and reduce preparation costs by 80%. The fourth solution, RegAdvisor, is an artificial intelligence advisory platform that provides multilingual guidance on the national regulatory framework. It seeks to reduce consultation times by 90% and achieve a 90% improvement in stakeholder confidence. The fifth solution, Regulation as a Code (RaaC), converts regulatory texts into digital formats such as XML, JSON, and logic models. Its objective is to raise compliance rates to 70% and reduce ambiguity and human error in interpretation and implementation by 90%.
On 3 August 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) released a report detailing the dimensions, technological developments, and applications of Agentic Artificial Intelligence (Agentic AI) at global and national levels. The report outlines its core capabilities, perception, reasoning, learning, action-taking, communication, and autonomous operation, and its integration in sectors including healthcare, education, and energy. The report examined the historical evolution of AI agents from simple rule-based systems to multi-agent architectures supported by large language models (LLMs), described international policy approaches and regulatory contexts, assessed national readiness within the Kingdom of Saudi Arabia as part of Vision 2030, and highlighted initiatives such as the development of the ALLaM Arabic large language model and smart city projects in NEOM and the Red Sea. It identified technical, organisational, and ethical challenges, including causal reasoning limitations, transparency, human resource capacity gaps, cybersecurity risks, and cultural impacts, and proposed a governance framework combining data governance, AI ethics, and human oversight. The report also includes a four-phase adoption roadmap, vision and planning, pilot testing, expansion and integration, and continuous innovation, supported by strategic partnerships, infrastructure development, and capacity building to ensure safe, responsible, and value-sustaining deployment of Agentic AI solutions.
On 23 July 2025, the National Cybersecurity Authority (NCA) released the National Cybersecurity Risk Management Framework. The framework applies to government bodies, government-affiliated entities, private sector organisations in critical infrastructure, and all other entities designated by the competent authority. It includes methods for identifying, assessing, and mitigating cyber risks while delineating responsibilities and procedures. The framework includes structured phases for risk identification, assessment, and treatment, supported by a risk assessment matrix. The framework obliges such entities to identify and classify risks based on the national methodology, which outlines definitions for risk levels based on severity, scale of impact, and likelihood level. All organisations must report high and critical level risks to the NCA.
On 22 July 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched the “National AI Index” to assess government readiness for adopting artificial intelligence (AI) technologies. The index is structured around three main pillars, seven core dimensions, and 23 subcategories to enable a comprehensive evaluation of institutional AI adoption maturity. It is designed to monitor progress, provide recommendations, and facilitate the alignment of government efforts with national priorities in the AI domain. The index supports the development and implementation of sustainable AI solutions across government entities, contributing to digital transformation and improved institutional performance in line with the strategic objectives of Saudi Vision 2030. As part of SDAIA’s mandate as the national reference for data and AI, the index also aims to provide enablers that strengthen innovation capabilities and maximise impact across priority sectors through strategic partnerships.
On 20 July 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched the technical sandbox for the national platform Tawakkalna and commenced accepting applications from the first group of private sector companies. The sandbox enables companies to test digital services with real users in a secure technical environment, facilitating integration between public and private entities under a flexible and regulated framework. The initiative supports the expansion of Tawakkalna’s function as a unified national platform and offers participating companies access to a user base exceeding 34 million. Evaluation of applications is based on defined criteria and controls to ensure secure and integrated digital service delivery, including requirements for valid commercial registration, applicable licences, regulatory compliance, governance adherence, alignment with national values, and provision of services in Arabic as the primary language. The initiative is intended to enhance collaboration and promote the development of user-focused, innovative digital services through public-private partnerships.
Last updated: 03/04/2026