Saudi Arabia has built one of the most active AI policy ecosystems in the Middle East, but it has not yet enacted a horizontal AI statute equivalent to the EU AI Act. What the Kingdom has built instead is a layered regime: a binding Personal Data Protection Law fully enforceable from September 2024, a series of authoritative but non-binding SDAIA guidelines and frameworks, sector-specific rules from the Saudi Central Bank (SAMA), the National Cybersecurity Authority (NCA), and the Digital Government Authority (DGA), and an explicit Vision 2030 commitment to make AI a pillar of economic diversification.
For businesses building or deploying AI for the Saudi market, the practical compliance question in 2026 is therefore not "what does the AI law say." It is: which combination of the PDPL, the SDAIA framework, and sectoral rules applies to this deployment, and how do they layer.
Vision 2030 and the National Strategy for Data and AI
Saudi Arabia launched the National Strategy for Data and Artificial Intelligence (NSDAI) at the Global AI Summit in October 2020. The strategy frames AI and data as central to Vision 2030 and sets the goal of positioning the Kingdom as a global data and AI hub by 2030. The headline targets include training over 20,000 AI and data specialists, attracting major foreign investment, and embedding AI across priority sectors including energy, healthcare, finance, mobility, and government services.
NSDAI itself is policy guidance rather than enforceable law. Its operational expression is the activity of the Saudi Data and Artificial Intelligence Authority (SDAIA), the National Data Management Office (NDMO), and the sectoral regulators that align their domain rules with the SDAIA framework.
Key authorities
Saudi Data and Artificial Intelligence Authority (SDAIA)
SDAIA is the central regulator for data and AI in the Kingdom. It enforces the PDPL, issues policy guidelines, runs the National Data Bank, and represents Saudi Arabia in international AI fora including the UN, UNESCO, and the OECD. SDAIA itself achieved ISO/IEC 42001 certification in July 2024, signalling its commitment to the international AI management systems standard.
National Data Management Office (NDMO)
NDMO operates under SDAIA and sets data governance standards across government and private organisations. It is responsible for data classification, data sharing frameworks, data quality standards, and the National Data Governance Platform on which controllers register.
Communications, Space and Technology Commission (CST)
CST regulates telecommunications, digital infrastructure, and certain emerging technologies. Its role overlaps with AI for licensing, sandbox programmes for connected and autonomous technologies, and infrastructure standards.
National Cybersecurity Authority (NCA)
The NCA issues cybersecurity controls that apply to AI systems through its broader cybersecurity frameworks including the Essential Cybersecurity Controls (ECC) and sector-specific controls. AI systems handling sensitive data are typically captured by NCA controls in addition to PDPL and SDAIA requirements.
Digital Government Authority (DGA)
DGA oversees digital government transformation and supports public sector AI adoption. Its role intersects with SDAIA on government use cases and on the implementation of the Generative AI Guidelines for Government.
Sector regulators
SAMA regulates AI in banking and financial technology, runs the SAMA Regulatory Sandbox, and issues fintech rules. The Saudi Food and Drug Authority (SFDA) addresses AI in medical devices and healthcare. The Capital Market Authority addresses AI in securities and asset management. The Ministry of Health addresses clinical AI applications.
International positioning: Riyadh Charter and ICAIRE
Between September 2024 and March 2025, ICESCO, in collaboration with SDAIA and the Saudi National Commission for Education, Culture and Science, unveiled the Riyadh Charter on Artificial Intelligence for the Islamic World. Saudi Arabia has also moved forward with the establishment of the International Center for Artificial Intelligence Research and Ethics (ICAIRE) in Riyadh, recognised by UNESCO as a Category 2 centre. These are positioning instruments rather than binding regulation, but they shape the international interpretive context for SDAIA guidance.
The Personal Data Protection Law (PDPL)
The PDPL was issued by Royal Decree No. M/19 dated 16 September 2021, amended by Royal Decree No. M/148 of March 2023, and entered into force on 14 September 2023 with a one-year grace period. It became fully enforceable on 14 September 2024. The PDPL is the first comprehensive data protection law in the Kingdom and is enforced by SDAIA.
Scope and extraterritorial reach
The PDPL applies to:
- Entities and individuals located in Saudi Arabia that process personal data by any means.
- Entities and individuals located outside Saudi Arabia that process personal data of individuals in the Kingdom.
The extraterritorial reach is broader than the GDPR's. Unlike GDPR Article 3, which limits extraterritoriality to offering goods or services to or monitoring the behaviour of EU data subjects, the PDPL applies to any processing of personal data of individuals in Saudi Arabia. The PDPL also protects the personal data of deceased individuals where it would lead to identification.
Core obligations relevant to AI
- Lawful basis for processing: consent is the default; other bases include legal obligation, contractual necessity, and (excluding sensitive data) legitimate interests.
- Sensitive personal data: includes data revealing ethnic or tribal origin, religious or political beliefs, criminal or security data, biometric and genetic data, credit data, health data, and location data.
- Data subject rights: access, correction, deletion, withdrawal of consent, and objection.
- Data protection impact assessments: required for higher-risk processing activities.
- National Data Governance Platform: controllers that are public entities, that primarily process personal data, or that process sensitive data must register on the National Data Governance Platform.
- Data Protection Officer (DPO): required in certain circumstances; SDAIA has issued specific guidance on DPO appointment and qualifications.
- Cross-border transfer: governed by the Regulation on Personal Data Transfer Outside the Kingdom, updated on 1 September 2024. Transfers are permitted to jurisdictions with adequate protection or under approved safeguards, including SDAIA-issued Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
Penalties
PDPL non-compliance can trigger:
- Civil and administrative fines up to SAR 5 million (approximately USD 1.3 million) per violation, doubled for repeat offences.
- Criminal penalties including imprisonment for certain unlawful disclosures of sensitive personal data.
- Confiscation of unlawfully obtained funds.
- Operational restrictions and licensing consequences.
In its first year of enforcement, SDAIA has signalled a progressive penalty approach, with early enforcement focused on warnings and corrective measures rather than maximum fines.
Implementing Regulations and ongoing amendments
The PDPL is supported by Implementing Regulations, which expand and operationalise the law's requirements. SDAIA has published proposed amendments to the Implementing Regulations and continues to refine guidance on direct marketing, breach notification, privacy notices, and DPO responsibilities. Organisations should track SDAIA updates rather than treat the 2024 framework as final.
The SDAIA AI framework
Beyond the PDPL, SDAIA has built out a sequence of AI-specific instruments. None is binding in the same sense as the PDPL, but each shapes regulator expectations, government procurement, and commercial contract requirements.
AI Ethics Principles (September 2023)
SDAIA issued the final version of the AI Ethics Principles in September 2023, after a public consultation. The framework names 12 principles:
- Integrity
- Fairness
- Privacy
- Security
- Reliability
- Safety
- Transparency
- Interpretability
- Accountability
- Responsibility
- Humanity
- Social and environmental benefit
Implementation is operationalised through risk classification, ethics impact assessments, mandatory documentation and logging for higher-risk systems, validation and testing regimes, and defined roles including a Responsible AI Officer and an AI System Assessor. Public entities are expected to appoint a Chief Data Officer and meet the framework's mandatory controls.
Generative AI Guidelines for Government (January 2024)
In January 2024, SDAIA issued Generative AI Guidelines for Government, providing risk-based guidance to government entities and public servants on responsible adoption, use, and oversight of generative AI systems. Topics covered include risk classifications, data classification rules, vendor due diligence, role definitions, human oversight, and a compliance checklist that aligns with the PDPL and the SDAIA Ethics Principles.
Generative AI Guidelines for the Public (January 2024)
A parallel guideline issued at the same time addresses individuals, developers, and businesses using generative AI in Saudi Arabia. It covers content authenticity, watermarking expectations, oversight, and harms prevention.
AI Adoption Framework (September 2024)
The AI Adoption Framework defines four maturity levels (from "Emerging" to "Advanced") and four enabling pillars: data, technology, human capabilities, and responsible use. It provides checklists for entities to self-assess against the maturity model and align controls with the level appropriate to their AI deployments.
Sector-specific AI regulation
Financial services (SAMA)
The Saudi Central Bank (SAMA) regulates AI use in banking, insurance, and fintech. SAMA's expectations include risk management, model validation, transparency to customers, and compliance with PDPL and SDAIA principles for any AI deployment that processes personal financial data. The SAMA Regulatory Sandbox allows fintech companies to pilot AI-driven services in a supervised environment before full deployment.
Healthcare
AI applications in healthcare must comply with rules issued by the Ministry of Health and the Saudi Food and Drug Authority (SFDA). AI systems used for diagnosis, medical imaging, treatment support, or therapy must satisfy clinical validation, patient data protection under PDPL, and human oversight requirements. Sector-specific licensing applies to AI-based medical devices through SFDA processes.
Smart cities and critical infrastructure
Major projects including NEOM, The Line, and Diriyah Gate involve heavy AI integration in transportation, energy management, and public services. AI used in critical infrastructure operates under both NCA cybersecurity controls and SDAIA's framework, with additional sector-specific rules from CST and other regulators.
Public sector use of generative AI
Government entities using generative AI must align with the SDAIA Generative AI Guidelines for Government, the AI Ethics Principles, and DGA digital government policies. Procurement processes increasingly require evidence of compliance with these instruments before generative AI vendors can supply public sector deployments.
The forthcoming dedicated AI law
SDAIA has signalled that a dedicated AI law is under development. Expected components include risk-based classification of AI systems, registration and audit duties for AI providers, and a unified framework that consolidates today's distributed instruments. As of April 2026 the law has not been enacted, and businesses should plan compliance against the existing distributed regime while monitoring SDAIA announcements.
A practitioner's compliance plan
Step 1: Map data flows and identify Saudi nexus
List every AI system that processes personal data of individuals in Saudi Arabia, regardless of where the deployer is established. Identify whether personal data is collected directly or indirectly, whether sensitive data is involved, and whether processing is for purposes that require explicit consent. Document the analysis in a Record of Processing Activities.
Step 2: Register where required and appoint a DPO if applicable
Public entities, controllers whose primary activity is personal data processing, and controllers handling sensitive data must register on the National Data Governance Platform. Determine whether a DPO appointment is required under the PDPL and Implementing Regulations, and ensure the DPO meets SDAIA-issued qualifications.
Step 3: Align with the SDAIA AI framework
Map AI systems against the AI Ethics Principles' 12 principles and the AI Adoption Framework's maturity model. Conduct ethics impact assessments for higher-risk systems. Document role allocations including the Responsible AI Officer where applicable. For generative AI use in government or government procurement, layer in the Generative AI Guidelines obligations.
Step 4: Address cross-border transfers and sectoral rules
For data transfers outside the Kingdom, apply the updated Data Transfer Regulation. Use SDAIA-issued SCCs or BCRs where the recipient jurisdiction lacks an adequacy designation. For sector-specific deployments (financial services, healthcare, telecommunications, government), layer in SAMA, SFDA, CST, NCA, and DGA requirements as applicable.
Step 5: Plan for ISO/IEC 42001 alignment
SDAIA's own ISO/IEC 42001 certification signals the framework Saudi regulators consider best practice. Building an AI management system aligned with ISO/IEC 42001 (and complementary frameworks such as the NIST AI RMF) supports compliance under both the current SDAIA regime and any forthcoming dedicated AI law.
Compliance FAQ
Does Saudi Arabia have a dedicated AI law?
Not yet. As of April 2026, AI compliance in Saudi Arabia rests on the binding PDPL plus the non-binding but authoritative SDAIA framework (AI Ethics Principles, Generative AI Guidelines, AI Adoption Framework) and sector-specific regulator rules. SDAIA has signalled a dedicated AI law is in development.
Is the SDAIA AI Ethics Principles framework legally binding?
The Principles themselves are not directly binding in the way the PDPL is. However, non-compliance can trigger enforcement under other instruments, particularly the PDPL where the AI system processes personal data. Government procurement and contracts increasingly require alignment with the Principles, and sector regulators reference them in their own oversight.
What are the maximum penalties under the PDPL?
Up to SAR 5 million (approximately USD 1.3 million) per violation, doubled for repeat offences, plus criminal penalties (including imprisonment) for certain unlawful disclosures of sensitive personal data. SDAIA has signalled progressive enforcement, with early actions focused on warnings and corrective measures rather than maximum fines.
How does the PDPL compare to GDPR for AI deployments?
Conceptually similar (lawful basis, data subject rights, DPIAs, breach notification) but with important differences: the PDPL has broader extraterritorial reach, requires registration on the National Data Governance Platform for certain controllers, treats sensitive data without a separate legal basis requirement, and uses SDAIA-issued SCCs that differ from EU SCCs. A GDPR programme is a useful starting point but cannot be relied on without a Saudi-specific gap analysis.
What should businesses prioritise before any forthcoming AI law arrives?
PDPL compliance, registration on the National Data Governance Platform where required, alignment with the AI Ethics Principles and Adoption Framework, and ISO/IEC 42001 alignment as an internationally recognised AI management system. These investments are likely to translate directly into compliance with the forthcoming AI law rather than become wasted work.
Are there special rules for generative AI?
Yes. SDAIA's January 2024 Generative AI Guidelines (separate documents for Government and the Public) cover content authenticity, watermarking expectations, vendor due diligence, data classification, human oversight, and harm prevention. The Guidelines are non-binding but authoritative; expect them to influence binding rules under the forthcoming AI law.
The bottom line
Saudi Arabia has built a serious AI compliance framework without yet enacting a dedicated AI statute. The PDPL is binding and fully enforceable. The SDAIA AI Ethics Principles, Generative AI Guidelines, and AI Adoption Framework are non-binding but authoritative, and government procurement and sector regulators reference them as a matter of course. The forthcoming dedicated AI law will likely consolidate today's distributed instruments rather than replace them. Businesses that build a compliance programme now around PDPL, the SDAIA framework, and ISO/IEC 42001 will not have to start over when the AI law arrives. Treat the layered structure as the steady state, monitor SDAIA announcements, and document every decision in a way that survives a regulator review.
Last updated: April 2026. This article is educational content and is not legal advice. Saudi Arabia's PDPL, SDAIA framework, and sectoral rules are evolving, and a dedicated AI law is under development. Consult qualified counsel before making compliance decisions.