TMT 2026

Last Updated February 19, 2026

Saudi Arabia

Law and Practice

Authors



Al Tamimi & Company has 17 offices across 10 countries and is a full-service commercial firm combining knowledge, experience and expertise to ensure its clients have access to the best legal solutions that are commercially sound and cost effective. Recognising the importance of the Saudi Arabian market, the firm opened its Riyadh office in 2008, followed by offices in Jeddah (2015) and Al Khobar, Eastern Province (2016). Today, Al Tamimi & Company is the largest law firm in Saudi Arabia, servicing client needs across the Kingdom. The firm takes great pride in the fact that a significant number of its lawyers are Saudi nationals, including a number of Saudi-qualified women lawyers. Al Tamimi & Company’s digital and data team provides local and international clients with world-class, specialist legal support across the full spectrum of technology, media, data and telecommunications matters. The diverse regional team of internationally qualified lawyers combines local law experience with international best practice.

In the Kingdom of Saudi Arabia (KSA), the legal framework for the digital economy is a central component of the government’s vision. Recently, KSA has moved from foundational law-making to an integrated regulatory environment where data, e-commerce and digital services are governed by specialised authorities.

The primary regulatory bodies are the Saudi Data and AI Authority (SDAIA), the Communications, Space and Technology Commission (CST), and the Digital Government Authority (DGA).

Primary Laws and Regulations

The digital economy is regulated through several key legislative instruments that create a “trust-based” digital marketplace.

  • Personal Data Protection Law (PDPL) – Governs the collection, processing and transfer of personal data; the grace period for compliance ended in September 2024 (the primary regulatory authority is the SDAIA).
  • E-Commerce Law (2019) – Regulates electronic transactions, consumer rights and digital store transparency (Ministry of Commerce/SDAIA).
  • Electronic Transactions Law – Grants legal validity to electronic signatures and digital contracts (CST).
  • Anti-Cyber Crime Law – Penalises unauthorised access, data theft and fraudulent digital activities (Ministry of Interior/CST).
  • Digital Economy Policy (2020/2021) – A guiding framework outlining the Kingdom’s goals for infrastructure and human capital (MCIT).

Industry-Specific Frameworks

Data and AI governance (SDAIA)

  • National Data Management and Personal Data Protection Standards – These provide a uniform framework for data classification (Public, Restricted, Confidential, Top Secret) and mandate the appointment of Data Protection Officers (DPOs) for entities processing sensitive data.
  • Generative AI Guidelines – Issued to ensure ethical AI deployment, emphasising transparency (disclosing AI interaction) and risk mitigation.

Telecom and digital platforms (CST)

  • Digital Content Platform Regulations – Platforms such as VOD (Video on Demand), social media and gaming platforms must register or obtain licences to operate within the Kingdom.
  • Cloud Computing Regulatory Framework (CCRF) – Mandatory for cloud service providers (CSPs) to ensure data sovereignty and cybersecurity compliance.

Fintech and payments (SAMA)

  • Electronic Payment Services Regulations – The Saudi Central Bank (SAMA) regulates the digital finance sector, requiring licences for e-wallets, payment aggregators, and “Buy Now Pay Later” (BNPL) companies.

Industry Codes of Conduct

KSA increasingly utilises “Soft Law” and industry-specific codes to bridge the gap between legislation and rapid tech evolution.

  • SDAIA AI Ethics Principles – A set of ethical benchmarks (Fairness, Accountability, Transparency) that businesses are encouraged to embed into their AI life cycles.
  • National Cybersecurity Authority (NCA) Controls – Specifically the Essential Cybersecurity Controls (ECC), which act as a mandatory code for all government and critical private sector entities.
  • Mawthooq licence (for influencers) – A mandatory licensing code for social media influencers and digital marketers to ensure transparency in digital advertising.

Recent Legal Developments

  • Hexagon Data Centre Initiative – In January 2025, KSA launched a USD2.7 billion digital infrastructure project to house the world’s largest government data centre, reinforcing data sovereignty as a legal and economic priority.
  • Unified Charging Ports Phase II – As of April 2026, new regulations from CST and SASO require USB-C standardisation for laptops sold in the Kingdom, following the 2025 phase for mobile devices.

In KSA, the rapid shift towards a digital-first economy has created a high-compliance legal environment. The primary challenges for companies involve navigating a complex overlap of data sovereignty, sector-specific digital licensing, and aggressive new competition rules for digital platforms.

Data Sovereignty and Cross-Border Transfers

With the PDPL in full effect (as of September 2024), the management of data remains the most significant legal hurdle.

  • Localisation mandates – While the law allows for data transfers under specific adequacy frameworks, the practical challenge is the SDAIA requirement for strict data localisation for “sensitive” and “sovereign” data. TMT companies must often maintain local mirrors or primary servers within KSA.
  • Extraterritoriality – The PDPL applies to any entity processing data of Saudi residents, regardless of the entity’s physical location. This forces international digital service providers to appoint a local representative and align their global privacy policies with Saudi-specific “standard contractual clauses” (SCCs).

Digital Content Regulation and Platform Licensing

The CST has introduced a rigorous licensing model that poses operational challenges for digital service providers.

  • Platform categorisation – The Regulations for Providing Digital Content Platform Services create different tiers (licence, registration or notification) for video OTT, audio-on-demand and gaming platforms. Determining which tier applies – and meeting the corresponding financial and administrative requirements – is a primary entry barrier.
  • Liability and “safe harbour” – A critical challenge is the evolution of intermediary liability. While KSA is moving towards “safe harbour” provisions (protecting platforms from user-generated content violations if they act upon notice), the CST retains broad powers to issue “take-down notices”. Platforms must have 24/7 compliance teams capable of responding to these notices within hours.

Competition Law in Digital Markets

The General Authority for Competition (GAC) has intensified its focus on “platform power” and “network effects”.

  • Dominance thresholds – Under the updated Competition Law, any platform with a 40% market share or the “ability to influence market price” is considered dominant. This is particularly challenging for e-commerce and social media “gatekeepers”, who may face investigations for “self-preferencing” or “exclusive dealing” (eg, forcing vendors to use their own logistics).
  • Merger control – The GAC has lowered the threshold for mandatory notification of “economic concentration”. Even smaller tech acquisitions must now be reported if they have a potential impact on the local digital ecosystem, leading to longer deal timelines for tech M&A.

Overlapping Jurisdictional Mandates

A persistent challenge is the “regulatory overlap” between authorities. A digital payment app in KSA must satisfy SAMA for financial security, CST for the digital platform licence and SDAIA for data processing. Discrepancies between these regulators’ cybersecurity standards (eg, NCA’s ECC versus SAMA’s CSF) can lead to compliance fatigue for start-ups and multinationals alike.

Content Moderation and Cultural Values

Digital services must strictly adhere to public morality and Sharia-compliant content standards. Unlike many Western jurisdictions that protect intermediaries from “general monitoring”, Saudi authorities can mandate active filtering for specific categories of content (eg, gambling, adult content or content threatening national security). Platforms must integrate local sensitivity into their Artificial Intelligence (AI) moderation algorithms.

Taxation in KSA’s digital economy is primarily governed by the Zakat, Tax and Customs Authority (ZATCA). In recent years, the regulatory framework has become increasingly automated, with a particular focus on indirect tax enforcement and a growing shift towards imposing tax compliance obligations on digital platforms and electronic marketplaces, especially in the VAT context.

Taxation of Digital Services and Goods

The Saudi tax system treats digital transactions through three main levers: withholding tax (WHT), zakat and corporate income tax (CIT), and value added tax (VAT). Recent amendments to the VAT legislation have materially impacted the taxation of digital services and goods, notably through the expansion of the deemed supplier rules applicable to electronic marketplaces.

WHT

Non-resident companies providing services to Saudi entities (B2B) are generally subject to withholding tax.

  • Royalties and licences – Payments for software licences or intellectual property usually trigger a 15% WHT.
  • Technical services – Fees for technical or consulting services delivered digitally are generally taxed at 5%.

KSA has an extensive double tax treaty network. Where applicable, treaty relief may reduce WHT rates, subject to satisfaction of conditions such as tax residency, beneficial ownership, and the availability of valid supporting documentation.

Zakat and CIT

Companies incorporated in KSA are regarded as taxpayers and may be subject to both zakat and CIT, depending on their ownership structure.

  • Zakat at a rate of 2.5% applies to the portion of an entity owned by Saudi or GCC persons. Zakat is calculated by reference to both the Zakat base (a balance sheet-based net worth measure) and adjusted net profit, in accordance with the Zakat Implementing Regulations.
  • CIT at a rate of 20% applies to profits attributable to non-GCC ownership, calculated on net adjusted taxable profits.

This mixed system requires careful tracking of ownership percentages and profit attribution, which is particularly relevant for technology companies with diverse shareholder bases.

VAT

  • Standard rate – Most digital services (streaming, software-as-a-service, cloud storage) and digital goods (e-books, games) are subject to the standard 15% VAT.
  • Place of supply – For digital services, the “place of supply” is generally where the service is used and enjoyed (place of actual use or benefit of services). If a customer is located in KSA, the service is taxable in KSA at the standard rate, regardless of where the provider is based.
  • VAT registration – Resident businesses are required to register for VAT if their annual taxable turnover exceeds SAR375,000. Non-resident suppliers are generally required to register for VAT in Saudi Arabia where they make taxable supplies with a place of supply in the Kingdom and the reverse-charge mechanism does not apply (eg, supplies to non-VAT-registered customers). No registration threshold applies to non-resident suppliers in such cases.
  • Deemed supplier rules – A significant development in Saudi VAT law is the introduction and expansion of the deemed supplier rules. Under these rules, electronic marketplaces that facilitate supplies made by non-resident or non-VAT-registered sellers may be treated as the supplier for VAT purposes. Where applicable, the platform is deemed to have purchased and resold the goods or services in its own name and is therefore required to charge, collect and remit VAT at 15% on the full value of the transaction. The deemed supplier rules generally do not apply where the platform’s role is limited to advertising, payment processing or other ancillary services, and where the contractual relationship remains directly between the seller and the customer. Accordingly:
    1. where a platform facilitates the electronic supply of services to customers in Saudi Arabia by non-resident suppliers, the platform is treated as the deemed supplier and assumes full VAT responsibility; and
    2. from 1 January 2026, the rules extend further. Platforms facilitating the supply of goods or services by resident suppliers who are not registered for VAT must also act as the deemed supplier. This change is particularly significant, as it captures a wide range of small and micro-businesses that operate below the VAT registration threshold but sell through digital platforms.

Key Compliance Challenges for Companies

Managing tax in KSA’s digital economy is technically demanding due to the “real-time” nature of the regulations.

  • E-Invoicing Phase 2 (Integration) – Most businesses with revenue over SAR375,000 must be in the “integration phase” of e-invoicing. This requires digital platforms to link their billing systems directly to ZATCA’s Fatoora portal, with invoices cleared or reported in near real-time (within 24 hours).
  • Determining residency and status – Under the “deemed supplier” rules, platforms must accurately verify the tax residency and VAT registration status of every seller on their platform. Failing to correctly identify a seller as “non-resident” can lead to the platform being held liable for unpaid taxes.
  • Data residency versus tax audits – ZATCA requires tax records and e-invoices to be stored in a format accessible within the Kingdom for at least six to ten years. For global cloud companies, keeping these financial records locally while managing global ledgers creates significant architectural complexity.
  • Mixed-ownership calculations – Many tech start-ups in KSA have a mix of Saudi founders and foreign investors. Calculating the simultaneous burden of 2.5% zakat and 20% corporate tax on a pro-rata basis requires sophisticated accounting.
  • VAT classification and audit risk – Correctly classifying digital supplies (eg, distinguishing between taxable digital services, exempt financial services and out-of-scope transactions) often requires detailed contractual and functional analysis. Misclassification can lead to reassessments, penalties and interest.

Summary: Tax Rates for Digital Economy

Transaction types, tax and applicable rates are as follows.

  • B2C digital sales (eg, Netflix sub) – VAT at 15% (collected by provider).
  • Marketplace sales (non-resident seller) – VAT at 15% (collected by platform).
  • B2B software royalties – WHT at 15%.
  • B2B technical services – WHT at 5%.
  • Tax on Saudi companies (foreign ownership) – CIT at 20%.
  • Tax on Saudi companies (GCC ownership) – Zakat at 2.5%.

In KSA, the taxation of digital advertising has become a primary focus of ZATCA. As explained above, KSA employs a sophisticated “real-time compliance” model that targets both the revenue generated by platforms and the payments made to international advertising giants.

Tax Implications for Digital Advertising Revenues

The tax treatment depends on the residency of the advertiser and the platform.

Value added tax (VAT) – 15%

  • Domestic sales (B2B/B2C) – Advertising services provided by a Saudi-based entity to a Saudi-based client attract a standard 15% VAT.
  • The “use and enjoyment” rule – For digital services like advertising, the “place of supply” is determined by where the service is consumed. If an ad is displayed to users in Saudi Arabia, it is considered a supply within KSA and is subject to 15% VAT.
  • Deemed supplier rules – Starting 1 January 2025, electronic marketplaces and advertising platforms that facilitate ads for non-resident or non-registered sellers are treated as the “deemed supplier”. This means the platform (eg, a local social media hub) is responsible for collecting the 15% VAT from the advertiser and remitting it to ZATCA.

Withholding tax (WHT) on outbound payments

Many Saudi companies advertise on global platforms (eg, Google, Meta, TikTok) that do not have a permanent establishment in KSA.

  • WHT Rate – Payments made by a Saudi entity to a non-resident for advertising services are generally subject to a 15% withholding tax, as these are often classified as “other services” or “royalties” (if paying for the use of a proprietary ad-tech platform).
  • Source of income – ZATCA considers the source of income to be KSA if the marketing is developed or targeted within KSA.

Corporate income tax and zakat

  • Foreign-owned entities – Net profit from digital advertising is subject to a 20% corporate income tax.
  • Saudi/GCC-owned entities – Subject to 2.5% zakat on the zakat base (net worth and adjusted net profit).

Ensuring Compliance With Tax Laws

With ZATCA’s move towards complete digitalisation, “paper-based” compliance is no longer an option.

Phase 2 E-invoicing (integration phase)

All digital advertising agencies and platforms with taxable revenue exceeding SAR375,000 must be integrated with the Fatoora portal.

  • Real-time reporting – Standard tax invoices (B2B) must be cleared by ZATCA’s API in real-time before being sent to the client.
  • Simplified invoices (B2C) – Must be reported to ZATCA within 24 hours of issuance.

The “Mawthooq” requirement for influencers

Under the General Authority for Media Regulation (GAMR), social media influencers (individuals) must hold a Mawthooq licence to provide advertising services.

  • Tax registration – Obtaining this licence often triggers an automatic link to ZATCA. Individual advertisers must register for VAT if their annual advertising revenue exceeds the SAR375,000 threshold.

Withholding tax filings

Saudi companies paying foreign ad platforms must do the following.

  • Deduct the tax (usually 15%) from the gross payment.
  • File a monthly WHT return via the ZATCA portal.
  • Remit the payment within the first ten days of the month following the payment.
    Tip: Most global platforms charge the full price and do not allow for a deduction; in this case, the Saudi company must “gross up” the payment, effectively bearing the 15% WHT itself.

Summary of Key Rates

The following summarises tax type, rate and applicable transactions.

  • VAT at 15% – All domestic digital ad placements.
  • Withholding tax at 15% – Payments to non-resident ad platforms.
  • Corporate tax at 20% – Profits of foreign-owned ad agencies in KSA.
  • Zakat at 2.5% – Wealth/profits of Saudi-owned ad agencies.

In KSA, consumer protection for digital goods and services is a high-priority area, governed by a combination of the E-Commerce Law (2019), the PDPL, and specialised regulations from the CST.

The framework has matured into a system that balances rapid digital transformation with stringent safeguards for individual rights.

Applicable Consumer Protection Laws

The TMT (technology, media and telecommunications) sector is governed by a “layered” legislative approach.

  • The E-Commerce Law (2019) – This is the foundational law for all digital transactions. It applies to both local entities and foreign practitioners targeting the Saudi market. Key protections include:
    1. right of rescission (termination) – consumers can return digital goods or terminate service agreements within seven days of receipt/conclusion if they have not yet utilised the service; and
    2. transparency – mandatory disclosure of the service provider’s identity, contact details and the full price (including VAT and delivery fees).
  • CST Regulations of User Rights Protection Rules (Decision No. 552/1445) – Issued in early 2024 and fully active in 2026, these rules provide specific safeguards for ICT and telecom users, such as:
    1. contract clarity – requirements for “service summary” sheets that distil complex terms into simple, readable facts; and
    2. credit limit protection – automatic barring of services once a user reaches a pre-set spending limit to prevent “bill shock”.
  • PDPL – Protects consumers’ “digital identity”. It mandates that companies obtain explicit consent for data processing and gives consumers the right to access, rectify or destroy their personal data.

Upholding Consumer Rights in the Digital Economy

To remain compliant, TMT companies must implement specific operational measures.

  • Arabic language localisation – All essential consumer information (including terms of service, invoices and safety warnings) must be provided in Arabic.
  • Secure payment integration – Under SAMA guidelines, platforms must use secure, licensed payment gateways and ensure that “subscription auto-renewals” are clearly disclosed with easy “one-click” cancellation options.
  • Advertising integrity – Under the Mawthooq rules, digital advertisements must be clearly labelled as “sponsored”. Misleading claims (eg, “fastest 5G” without a local benchmark) can lead to immediate fines.

Resolution of Consumer Complaints

KSA has a centralised, digital-first complaint resolution architecture.

  • The “provider-first” rule – A consumer must first file a complaint with the company. The company has a maximum of five days (under CST rules) to provide a final response.
  • Escalation to CST (telecom/tech) – If the consumer is unsatisfied or the company fails to respond, the dispute can be escalated to the CST Portal. The CST acts as a quasi-judicial body and its decisions are binding on the service provider.
  • Ministry of Commerce (E-commerce) – For disputes involving digital goods (eg, e-books or software licences), the Ministry of Commerce manages the “Balagh” app, which allows users to report commercial violations instantly.

Best Practices for Dispute Management

For TMT companies, effectively handling disputes is a matter of both legal survival and brand reputation.

  • Automated ticketing with tracking – Implement a system where consumers receive a unique reference number and a clear timeline for resolution immediately upon filing a complaint.
  • Transparent refund policies – Clearly state in the checkout flow which digital goods are “non-refundable” (eg, activated software keys) to avoid disputes over the seven-day return right.
  • Internal compliance audits – Conduct regular reviews to ensure agents are not inadvertently making promises that violate CST or PDPL standards.

In KSA, the legal stance towards blockchain and cryptocurrency is characterised by a “dual-track” policy: aggressive institutional adoption of blockchain technology contrasted with a highly restrictive and cautionary approach towards public cryptocurrencies.

Are Blockchain and Crypto Regulated?

The regulatory status depends entirely on whether the technology is used for “enterprise/government” infrastructure or as a “public asset/currency”.

  • Blockchain Technology – CST and the DGA regulate blockchain as an emerging technology. There is no “Blockchain Law” but it is governed under the Telecommunications and IT Act and the PDPL.
  • Cryptocurrency – As of 2026, cryptocurrencies like Bitcoin remain “illegal” for use by local financial institutions. A standing committee (including SAMA, the CMA and the Ministry of Finance) has issued repeated warnings that no entity is licensed to trade or facilitate public crypto in the Kingdom.
  • Central Bank Digital Currencies (CBDC) – While public crypto is restricted, SAMA’s institutional digital currency (eg, from Project Aber) is a cornerstone of the financial sector’s modernisation.

Legal Challenges and Opportunities

Legal challenges presented by these technologies are as follows.

  • Lack of specific crypto legislation – Given that there is no bespoke “Virtual Asset Law”, companies operate in a grey zone. Most activities are analysed under existing Anti-Money Laundering (AML) and Securities Laws.
  • Enforcement risk – Agreements involving the “sale of crypto” may be deemed void in Saudi courts for being “unlicensed investment activities”, meaning parties cannot seek legal redress if a transaction fails.
  • Data privacy (PDPL) versus immutability – A key challenge in the TMT sector is the “right to erasure” under the PDPL. Since blockchain is immutable, TMT companies must implement “off-chain” storage for personal data to remain compliant.
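The off-chain storage pattern mentioned in the last point, shown as an added example that is not part of the Chambers guide or any Saudi regulator’s guidance. The idea is that personal data never reaches the ledger: the chain holds only a salted SHA-256 commitment, and an erasure request is honoured by deleting the off-chain record together with its salt, which leaves the immutable commitment in place but no longer linkable to anyone. The ledger, the store, the subject identifiers and the sample record are all constructed for this illustration.

```python
"""
Added example: reconciling an append-only ledger with a right-to-erasure
obligation. Personal data lives only in an erasable off-chain store; the
ledger keeps a salted hash commitment that proves integrity while the record
exists and becomes an unlinkable opaque value once the record and salt are gone.
"""
import hashlib
import json
import os
from dataclasses import dataclass, field


def commitment(record: dict, salt: bytes) -> str:
    """Salted SHA-256 over a canonical JSON encoding of the personal record.

    Canonical encoding (sorted keys, no whitespace) makes the digest independent
    of key order; the per-record salt stops guessing attacks on low-entropy
    fields such as names or ID numbers.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


@dataclass
class Ledger:
    """Stand-in for an immutable chain: entries are only ever appended."""
    entries: list = field(default_factory=list)

    def append(self, subject_id: str, digest: str) -> int:
        self.entries.append({"subject": subject_id, "digest": digest})
        return len(self.entries) - 1  # index of the new entry


class OffChainStore:
    """Erasable store holding the personal data and the salt for each subject."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records: dict[str, dict] = {}  # subject_id -> {data, salt, index}

    def register(self, subject_id: str, personal_data: dict) -> int:
        """Store the data off-chain and anchor only its commitment on-chain."""
        salt = os.urandom(16)  # assumption: a fresh 16-byte random salt per record
        digest = commitment(personal_data, salt)
        index = self.ledger.append(subject_id, digest)
        self.records[subject_id] = {"data": personal_data, "salt": salt, "index": index}
        return index

    def verify(self, subject_id: str) -> bool:
        """True only while the off-chain record still matches its on-chain commitment."""
        rec = self.records.get(subject_id)
        if rec is None:
            return False
        expected = self.ledger.entries[rec["index"]]["digest"]
        return commitment(rec["data"], rec["salt"]) == expected

    def erase(self, subject_id: str) -> bool:
        """Honour an erasure request: drop data and salt; the ledger is untouched."""
        return self.records.pop(subject_id, None) is not None

    def commitment_matches(self, subject_id: str, candidate: dict) -> bool:
        """Can a candidate record be confirmed against the ledger?

        With the salt available (record still present) a correct candidate
        matches; after erasure the salt is gone and no candidate can be linked.
        """
        rec = self.records.get(subject_id)
        salt = rec["salt"] if rec else b""
        digests = {e["digest"] for e in self.ledger.entries if e["subject"] == subject_id}
        return commitment(candidate, salt) in digests


if __name__ == "__main__":
    # Constructed sample data; the identifiers and values are not real.
    ledger = Ledger()
    store = OffChainStore(ledger)
    sample = {"name": "Constructed Name", "id_number": "0000000000"}
    store.register("subject-1", sample)
    print("integrity before erasure:", store.verify("subject-1"))
    store.erase("subject-1")
    print("integrity after erasure:", store.verify("subject-1"))
    print("ledger entries retained:", len(ledger.entries))
    print("candidate linkable after erasure:", store.commitment_matches("subject-1", sample))
```

The design choice worth noting is the salt: an unsalted hash of a name or national ID number is trivially reversible by enumerating plausible values, so without a per-record salt the “erased” commitment would still identify the person. The salt therefore has to be treated as personal data itself and deleted with the record.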

There are also opportunities.

  • Vision 2030 integration – The government is rapidly integrating blockchain into the Ministry of Justice (for real estate title deeds) and the Saudi Food & Drug Authority (SFDA) for supply chain tracking.
  • Stablecoin development – By early 2025, SAMA and the CMA signalled a move towards a National Stablecoin Framework, which would allow regulated, Riyal-pegged digital assets to be used in retail and real estate.

Impact on the TMT Sector Landscape

The impact of these technologies on the TMT legal landscape is focused on infrastructure rather than exchange.

  • Smart contracts as evidence – The Saudi Law of Evidence and Electronic Transactions Law allow for the recognition of digital records. TMT companies are increasingly using blockchain-based smart contracts for “service level agreements” (SLAs) that trigger automatic credits or penalties.
  • Fintech sandboxes – The SAMA Regulatory Sandbox and CMA Fintech Lab allow TMT companies to test blockchain-based payment or securities platforms under a temporary exemption from certain licensing requirements.
  • Digital identity – Blockchain is a key component of the National Digital Identity initiatives, shifting the legal responsibility of identity verification from companies to a decentralised, government-verified ledger.

In KSA, cloud and edge computing are governed by a sophisticated “tiered” regulatory system. This framework prioritises national data sovereignty while encouraging digital innovation. The primary regulators are the CST and SDAIA.

Primary Laws and Regulations

The legal landscape for cloud and edge services is built on three core pillars.

  • CCRF – Issued by the CST, this is the foundational regulation for all cloud service providers (CSPs). It mandates that any CSP providing services to customers in KSA must register with the CST.
  • PDPL – Enforced by SDAIA, the PDPL regulates how personal data is processed in the cloud. It emphasises purpose limitation, data minimisation and strict rules for cross-border data transfers.
  • NCA controls – The NCA’s Cloud Cybersecurity Controls (CCC) set the technical security standards. There are two main versions:
    1. CCC-1 – minimum requirements for all cloud services; and
    2. CCC-2 (2024/2025) – enhanced controls specifically addressing data localisation and edge computing security.

Industry-Specific Restrictions

Highly regulated industries in KSA face heightened compliance bars, often requiring local data residency and prior regulatory approval for outsourcing.

  • Banking and finance (regulated by SAMA) – Must comply with the SAMA Cloud Computing Policy. Core banking data must remain in KSA; “no-objection” certificates are often required for international cloud outsourcing.
  • Insurance (Insurance Authority) – Policyholder and claims data are classified as sensitive; hosting this data on “public clouds” requires high-level encryption and local storage.
  • Government (DGA/SDAIA) – Follows the “Cloud First Policy”. Government data must be hosted on G-Cloud (Government Cloud) or highly secure, locally hosted private clouds.
  • Healthcare (Ministry of Health/SFDA) – Patient records and health data are subject to the Health Information Law, requiring strict localisation and access controls.

Personal Data Processing in the Cloud

Processing personal data in a cloud environment triggers specific legal obligations under the PDPL.

  • Data residency – There is a strong legal presumption that personal data of Saudi residents should be processed within KSA.
  • Cross-border transfers – Transfers outside KSA are only permitted if the destination country has an “adequate” level of protection (as determined by SDAIA) or if the entity uses SCCs or Binding Corporate Rules (BCRs).
  • Processor agreements – Controllers (the cloud customers) must enter into a formal written agreement with the CSP (the processor). This contract must specify the duration, purpose and types of data processed.
  • Data breach notification – In the event of a cloud security breach, the controller must notify SDAIA within 72 hours if the breach poses a risk to the data subjects.

Edge Computing and “Sovereign Data”

Edge computing – where data is processed closer to the source (eg, smart city sensors or factory floors) – is now regulated under the CST’s 2025 National Computing Infrastructure roadmap.

  • Localisation at the edge – Even if data is processed at “the edge”, any permanent storage or secondary analysis must comply with localisation rules.
  • Data embassies – A new concept in Saudi law allows for “data embassies”, which are sovereign data centres where foreign governments can host data under their own laws within Saudi territory, provided a bilateral agreement exists. The draft AI Hub Law, which addresses data embassies, has not yet been issued.

In KSA, the legal framework for AI has evolved into a sophisticated ecosystem. Governance is centred on SDAIA, which acts as the national regulator, and the Saudi Authority for Intellectual Property (SAIP) for creative rights.

Primary Laws and AI Regulatory Frameworks

KSA does not have a single “AI Act” but regulates the technology through a series of specialised instruments.

  • AI Ethics Principles (2023/2024) – Mandatory for all entities (public and private). These principles – fairness, accountability, humanity and transparency – require AI developers to conduct “Ethical Impact Assessments” for high-risk systems.
  • PDPL – The primary engine for AI regulation. Since AI models rely on vast datasets, any AI-driven processing of personal data must comply with strict consent, data minimisation and local residency requirements.
  • Generative AI Guidelines – Specific rules for Large Language Models (LLMs). They mandate that organisations inform users when they are interacting with an AI and prohibit using AI for critical decisions without human-in-the-loop oversight.

Protection of Likeness and Deepfake Technologies

Likeness and moral rights are protected under a combination of the PDPL and the Anti-Cyber Crime Law.

  • Explicit consent for likeness – Article 5 of the PDPL prohibits processing a person’s image or voice (biometric data) without explicit, informed consent. Using AI to replicate a person’s likeness (deepfakes) for commercial or social media use without permission is a direct violation.
  • Moral rights – Saudi law grants individuals the right to object to any “distortion” of their image that prejudices their honour or reputation.
  • Criminal penalties – Disseminating deepfakes intended to mock, defame or mislead the public carries penalties of up to five years in prison and fines of up to SAR3 million under the Anti-Cyber Crime Law. Repeat violations double the fines.

AI in Transport: Autonomous Vehicles and Drones

KSA has become a global leader in autonomous mobility, with specific technical regulations now in mandatory application.

  • Technical Regulation for Autonomous Vehicles (SASO/CST) – Effective April 2025, this regulation mandates that all self-driving cars meet Saudi-specific safety standards (SHC 801).
  • Liability and insurance – The legal framework for autonomous transit moves away from “driver negligence” towards “strict product liability”. Manufacturers or operators must carry specialised AI liability insurance to cover accidents caused by software failures.
  • Drones and aerial logistics – Regulated by the General Authority of Civil Aviation (GACA). Commercial drone delivery services (pioneered in Jeddah and NEOM) require a Drone Operator Licence. AI-powered drones must operate within “Geofenced” zones and are strictly prohibited from filming private residences, to protect privacy.

Key Legal Elements for AI Integration

Key elements, their legal consideration and associated regulatory bodies are as follows.

  • Liability – Shifts from users to developers/operators if the AI logic is flawed (Courts/Ministry of Justice).
  • Intellectual property – SAIP rules that fully AI-generated works cannot be copyrighted. Human “creative contribution” (prompts, edits) is required for protection (SAIP).
  • Data protection – AI training data must be cleansed of bias and stored locally within KSA (SDAIA).
  • Fundamental rights – AI systems used in hiring or banking must be audited for algorithmic bias against specific demographics (SDAIA).

In KSA, the regulation of the Internet of Things (IoT) and Machine-to-Machine (M2M) communications is no longer just a technical guideline but a strict legal requirement. The landscape is defined by the IoT Regulations (issued by the CST) and the PDPL.

The IoT Regulatory Framework

The CST manages the specific technical and licensing rules for IoT.

  • Mandatory licensing – Companies providing IoT connectivity (especially virtual network operators) must hold a Class A IoT-VNO Licence. If you use licence-exempt frequencies, a specific permit is required via the Nafath portal.
  • M2M numbering – Under the Saudi National Numbering Plan, all IoT/M2M devices must use specific numbering ranges. International roaming for M2M is strictly monitored, and “permanent roaming” is often restricted to ensure local regulatory oversight.
  • Device approval – Every IoT device (sensors, smart meters, connected cars) must obtain a Certificate of Conformity from the CST before being imported.

Machine-to-Machine (M2M) Communications

M2M is legally defined as automated communication between devices without human intervention.

  • Dedicated SIMs – All SIM cards or eSIMs used in devices must be configured solely for M2M. Using M2M SIMs for voice or standard SMS without prior approval is a violation of the Telecommunications Act.
  • Registration – Operators must keep a register of all IMSI and MSISDN numbers associated with M2M devices and make this record available to the CST upon request.

Communications Secrecy and Confidentiality

The Telecommunications and IT Law places heavy emphasis on the “inviolability of communications”.

  • Confidentiality – Providers are legally obligated to protect the secrecy of data transmitted via M2M. Unauthorised interception or monitoring is a criminal offence under the Anti-Cyber Crime Law.
  • Lawful interception – Despite the secrecy requirements, all M2M and IoT platforms must have the technical capability to comply with lawful interception requests from security authorities, ensuring that encrypted traffic can be audited under a legal warrant.

Data Protection in IoT (PDPL)

Since IoT devices often collect sensitive environmental or personal data (eg, smart home cameras, health wearables), the PDPL (enforced by SDAIA) applies strictly.

  • Data localisation – A critical challenge for TMT companies is that personal data and “sovereign data” collected by IoT devices must be stored on servers within KSA.
  • Privacy by design – Developers must implement data minimisation – collecting only what is strictly necessary for the device’s function.
  • Security measures – The NCA mandates that IoT infrastructure complies with the ECC, including robust encryption (AES-256) and secure boot mechanisms for hardware.

The following is a compliance checklist (specifying the regulator) for IoT/M2M in KSA.

  • Licensing – Class A IoT-VNO or class licence for exempt frequencies (CST).
  • Type approval – Mandatory conformity certificate for all hardware (CST/SASO).
  • Data residency – All IoT data of Saudi residents must stay in KSA (SDAIA (PDPL)).
  • Cybersecurity – Compliance with ECC and IoT security standards (RI114) (NCA).
  • Privacy notice – Users must be informed of what data the device “senses” (SDAIA).

In KSA, the deployment of IoT solutions is characterised by a “triple-lock” of compliance: spectrum/hardware rules, data privacy mandates and national cybersecurity standards. The regulatory burden has shifted from mere guidelines to enforceable technical and legal requirements.

Compliance Challenges in IoT Deployment

Companies in KSA face several high-stakes challenges when integrating IoT into their operations.

  • Rigid data localisation (PDPL) – Under the Personal Data Protection Law, any IoT data categorised as “sensitive” or “sovereign” must be stored and processed within Saudi Arabia. This is a major hurdle for global companies using centralised “Global Cloud” IoT hubs, as they must often re-architect their systems to use local instances.
  • Hardware certification (CST/SASO) – All IoT devices (sensors, gateways, smart meters) must undergo CST type approval and be registered on the SABER platform. Importing non-compliant hardware can result in immediate customs seizures and significant fines.
  • M2M connectivity restrictions – IoT deployments must use specific M2M SIMs/eSIMs. “Permanent roaming” (using a foreign SIM for more than 90 days) is strictly regulated by the CST to prevent data leakage and ensure that local operators have visibility over the traffic.
  • The skills gap – There is a mandatory requirement for qualified Saudi professionals to oversee critical digital infrastructure. Companies often struggle to find certified cybersecurity and IoT architects who are also experts in local regulatory nuances.

Mandatory Governance Frameworks

To navigate these challenges, companies are expected to implement a multi-layered governance structure aligned with national authorities.

NCA frameworks

The NCA is the ultimate authority for digital security. For IoT, companies must implement the following.

  • ECC – The baseline framework for all entities. It mandates risk management, asset inventory and incident response.
  • Cybersecurity Guidelines for IoT – Specifically released to embed “security-by-design” in IoT life cycles, covering everything from firmware updates to physical device security.

CST digital content and cloud frameworks

  • IoT Regulatory Framework – Governs the licensing of IoT service providers and the technical standards for connectivity.
  • CCRF – Since most IoT platforms are cloud-based, companies must ensure their cloud provider is “Class C” or “Class B” certified by the CST, depending on the data sensitivity.

SDAIA data governance platform

  • National Data Governance Platform – Data controllers (companies deploying IoT) are now required to register their activities on this platform.
  • DPIA (Data Protection Impact Assessment) – For IoT solutions involving “high-risk” processing (like biometric smart locks or public surveillance), a formal DPIA must be conducted and filed to prove that privacy risks have been mitigated.

Summary of Governance Best Practices

The following lists the relevant framework layer, key governance action and responsible body for best practices.

  • Connectivity – Use CST-licensed M2M SIMs and Saudi-certified hardware (CST).
  • Data privacy – Map all IoT data flows and ensure local storage for sensitive data (SDAIA).
  • Security – Implement automated firmware patching and network segmentation (VLANs) (NCA).
  • Legal – Appoint a data protection officer (DPO) and register on the National Platform (SDAIA).

In KSA, data sharing for IoT companies is no longer a “best practice” but a strictly regulated activity overseen by SDAIA and CST. The legal landscape is defined by the PDPL and the Data Sharing Policy, which mandate that data is treated as a national asset while protecting individual privacy.

Key Legal Requirements for IoT Data Sharing

IoT companies must navigate a “permission-first” framework when sharing data with third parties, partners or government entities.

  • Lawful basis for sharing – Under the PDPL, data sharing is only permitted if there is a valid legal basis. For commercial IoT (eg, smart home devices), this usually requires explicit consent. For industrial IoT, it may fall under contractual necessity.
  • The “purpose limitation” rule – Shared data must only be used for the specific purpose disclosed at the time of collection. If an IoT company collects data for “maintenance” but shares it with a partner for “marketing”, they are in violation of Saudi law unless fresh consent is obtained.
  • Data sharing agreements (DSA) – It is a mandatory requirement for IoT companies to have a formal DSA with any recipient. These agreements must specify:
    1. the classification of data being shared;
    2. protection controls and security standards; and
    3. destruction mechanisms once the purpose of sharing is fulfilled.
  • Transparency requirements – IoT providers must publish a privacy notice that explicitly lists the categories of third parties with whom data is shared and the countries where that data might be sent.

Thresholds and Subject Entities

The data sharing requirements in KSA apply broadly, but the “weight” of the requirements depends on the entity’s role and the nature of the data.

Directly subject entities

  • IoT service providers – Any company providing IoT connectivity or platforms (ie, IoT-VNO licensees) must comply with CST’s IoT Regulations, which mandate data interoperability and secure sharing via standardised APIs.
  • Data controllers – Any entity that determines the “why and how” of IoT data collection (eg, a factory using smart sensors) is directly responsible for legal sharing.

Indirectly subject entities

  • Sub-processors and analytics providers – Third parties receiving IoT data are bound by the same PDPL obligations as the original collector. They are subject to “collective accountability” under Saudi law.

Thresholds for mandatory sharing

  • Public interest/integration – Large-scale IoT projects (eg, smart cities like NEOM or the LINE) are often subject to “mandatory sharing” requirements with the National Information Center (NIC) for safety and urban planning purposes.
  • Critical National Infrastructure (CNI) – IoT companies in the energy, water or transport sectors have lower thresholds for mandatory data sharing with regulators to ensure operational resilience.

Heightened Requirements for Specific Data Categories

Saudi law recognises that not all IoT data carries the same risk. Three categories have significantly heightened sharing and protection requirements.

  • Sovereign/national data – Must be stored in KSA; sharing with foreign entities requires prior SDAIA approval (Data Classification Policy).
  • Sensitive personal data – Includes health data (wearables) and biometrics (smart locks). Requires explicit consent and a DPIA (Data Protection Impact Assessment) (PDPL).
  • Credit/financial data – Sharing IoT-derived credit insights requires SAMA oversight and strict encryption (Banking Control Law/PDPL).

The “Sovereignty” Factor

A major hurdle is the cross-border transfer restriction. If an IoT company shares data with a global analytics provider located outside KSA, it must prove that the destination country has “adequate protection” or use SCCs approved by SDAIA. Large-scale transfers of sensitive IoT data outside the Kingdom often require direct notification to the regulator.

In KSA, the authorisation framework for audiovisual media has transitioned into a dual-layered system. Providers are regulated by two primary authorities depending on whether they are traditional broadcasters, content producers or digital platform operators.

Primary Regulatory Bodies

  • GAMR – Formerly GCAM, GAMR is the main authority for licensing traditional broadcasting (TV, radio), cinema and content production.
  • CST – Following the Regulations for Providing Digital Content Platform Services (effective October 2024), the CST now oversees digital streaming, video-sharing and social media platforms.

Requirements for Traditional Versus Digital Services

Traditional audiovisual media (TV and radio)

Under the Audiovisual Media Law, traditional broadcasters must meet the most stringent requirements.

  • Specific media licence – A licence for “scheduled broadcasting services” (linear TV/radio) is required.
  • Local presence – Entities must have a local commercial registration (CR) and, for foreign investors, a MISA (Ministry of Investment) licence.
  • Frequency allocation – Broadcasters using spectrum must co-ordinate with the CST for frequency permits.
  • Content retention – Licensees must maintain an archive of all broadcasted material for 90 days.

Streaming and video-sharing platforms (Netflix, YouTube, Spotify, etc)

These fall under the Digital Content Platform Services regulations. The requirements apply to both local and international providers.

  • Mandatory registration/licensing – Platforms like Netflix (VOD), Spotify (audio-on-demand), and YouTube (video-sharing) must obtain a specific regulatory tool (licence or registration) from the CST.
  • Local representative – International platforms that do not have a physical branch in KSA are required to appoint a local representative to act as a point of contact for the CST.
  • Content standards – Platforms must implement technical measures to filter content that violates Saudi media policy (ie, nudity, vulgar language, or content prejudicial to public morality).
  • Age classification – Mandatory integration of the Saudi age rating system (3+, 7+, 12+, 16+, 18+, 21+) for all titles available in KSA.

Authorisation Procedures and Fees

The procedure is primarily digital, managed through the Media Platform (for GAMR) and the CST Portal. The procedural steps are as follows.

  • Commercial registration (CR) – Ensure your CR includes relevant activities (eg, “production of TV programmes” or “providing VOD services”).
  • Application submission – Upload constitutional documents, a business plan and technical details of the platform/service.
  • Content commitment – Sign a pledge to adhere to the Saudi Media Policy and the PDPL (Data Protection Law).
  • CST notification/registration – For digital platforms, the CST will determine if the entity requires a full licence (higher-tier platforms) or a registration/notification (smaller or specialised services).

The licensing bodies and fees according to activity type are as follows.

  • Content production (GAMR) – SAR2,000.
  • Social media advertising (Mawthooq) (GAMR) – SAR15,000 (for three years).
  • VOD/OTT streaming (CST) – Varies by revenue/tier (up to SAR300,000+ for major platforms).
  • Traditional radio/TV broadcasting (GAMR/CST) – Case-by-case assessment based on frequency and scope.

Key Legal Considerations

  • User-generated content – Video-sharing platforms are held liable if they do not provide a clear “report” mechanism for users to flag illegal content or if they fail to remove flagged content within the timeframe prescribed by the CST.
  • The IGNITE programme – The Saudi government provides incentives for platforms that host their servers locally or invest in local content production through the IGNITE initiative.

In KSA, the scope of telecommunications regulation has expanded significantly under the Telecommunications and Information Technology Law. The CST now oversees a sector that includes traditional telephony, space-based communications and emerging digital technologies.

Technologies and Services in Scope

The CST regulates any technology used for the “transmission, reception, or routing” of signals. Key areas include the following.

  • Traditional and mobile services – Voice, SMS, 5G/6G mobile networks and fixed-line broadband.
  • Space and non-terrestrial networks (NTN) – Satellite broadband (LEO/MEO/GEO), satellite-to-cell, and “high-altitude platform stations” (HAPS).
  • Emerging tech and IoT – Internet of things (IoT) connectivity, virtual mobile network operators (VMNOs) and vehicle-to-everything (V2X) systems.
  • Digital content platforms – Over-the-top (OTT) services and digital messaging apps that provide communication functions.
  • Cloud and infrastructure – Data centres and cloud service providers (CSPs) that host telecommunications or sensitive national data.

Pre-Marketing Requirements

Before a product or service integrating these technologies can be launched in the Kingdom, specific regulatory milestones must be met.

Equipment type approval (mandatory for hardware)

Any device that uses radio frequencies or connects to public networks (eg, smartphones, routers, IoT sensors) must obtain CST type approval.

  • Conformity assessment – Verification that the hardware meets Saudi technical specifications (often based on EU RED/CE standards).
  • Accredited testing – Submission of test reports covering electromagnetic compatibility (EMC), radio frequency (RF), and safety.
  • SABER integration – The CST approval process is now integrated with the SABER platform (SASO), which is required for customs clearance.

Licensing and permits

  • General class licence – For providing basic services like internet access or value-added services.
  • Specific registration – New rules require providers of NTN services and space stations to obtain specific “provision of operation” permits via the Mutasil platform.
  • Local presence – While some digital services allow for foreign permits, most physical infrastructure or spectrum-based services require a local Saudi entity or a registered commercial agent.

Localisation and Arabisation

  • Arabic support – User manuals, safety labels and warranty information must be provided in Arabic.
  • Labelling – Devices must often display the CST conformity mark or have it accessible in the software’s “About” menu.

Security Requirements for Telecom Services

Security is treated as a matter of national sovereignty. Telecom providers must comply with a hierarchy of cybersecurity mandates.

CST cybersecurity regulatory framework

The CRF is a sector-specific mandatory framework that requires the following.

  • Maturity assessments – Service providers are categorised into levels (eg, Sensitive National Infrastructure). They must submit periodic self-assessments and undergo third-party audits.
  • Incident reporting – Mandatory notification to the CST of any significant cybersecurity breach within hours of detection.

NCA controls

As Critical National Infrastructure, telecom operators must implement the following.

  • ECC – The baseline security architecture for all national entities.
  • CCC – Specifically for any provider using cloud-based infrastructure. This includes “Class C” requirements for the highest level of data sensitivity.

Data sovereignty and encryption

  • Local data hosting – Customer metadata, billing records and “sensitive traffic” must be stored and processed within KSA.
  • Lawful interception (LI) – Providers must ensure their systems are compatible with national security requirements for authorised access to communications (as governed by the Telecommunications Act).
  • Encryption standards – Use of high-grade encryption is required, but providers must ensure they do not use “unauthorised” encryption methods that bypass national security oversight.

In KSA, net neutrality is no longer a matter of voluntary “best practice” but is governed by a formal and rigorous regulatory framework. The CST released the definitive Regulations of the Net Neutrality (Decision No 501/1444), which became fully operational in 2023 and continues to be the governing standard.

Core Principles of Saudi Net Neutrality

The Saudi framework is designed to align with international best practices (similar to the EU’s BEREC guidelines). The four pillars of the regulation are as follows.

  • Open internet access – End-users have the right to freely access and distribute any “lawfully permissible” content, applications and services.
  • Equal traffic treatment – Service providers must treat all internet traffic equally, without technical or commercial discrimination based on the sender, receiver, content or device used.
  • Non-discriminatory access for content providers – Local and international content providers must have non-discriminatory access to the Saudi market.
  • Transparency – Providers are legally required to disclose their traffic management practices and any differential pricing models (such as zero-rating) to both the CST and the public.

Regulatory Impact on the Telecom Sector

The introduction of these rules has fundamentally changed how Saudi operators manage their networks and market their services.

Traffic management restrictions

Operators can no longer block or throttle specific services (eg, VoIP apps or competing streaming services) to protect their own revenue streams. Traffic management is only permitted if it is:

  • reasonable – necessary for network integrity or congestion management;
  • proportionate – limited to what is strictly necessary; and
  • transparent – operators must publish reports on how and when they manage traffic.

Zero-rating and differential pricing

“Zero-rating” (where certain apps, like WhatsApp or Shahid, do not count against a data cap) is a common marketing tool in KSA. Under the new regulations, the following apply.

  • Non-exclusivity – A zero-rating offer cannot be exclusive to one content provider. If an operator zero-rates a specific social media app, it must provide a transparent and fair process for competing apps in the same “class” to be included in the offer.
  • Data exhaustion – If a user runs out of data, an operator cannot block all internet access while allowing the zero-rated app to keep working, as this is considered discriminatory.

Specialised services

The law allows for “specialised services” (eg, remote surgery, autonomous vehicle data or specific 5G network slicing for enterprise). These are permitted only if:

  • the network capacity is sufficient to provide them without degrading the quality of the “General Internet” for other users; and
  • they are not used as a loophole to bypass net neutrality rules for standard content.

Oversight and Enforcement

The CST acts as the “referee” of the digital space. Its enforcement powers include the following.

  • Annual market monitoring – The CST conducts yearly reviews of ISP practices to ensure compliance.
  • Complaint resolution – Content providers (like a local Saudi start-up) can file formal complaints if they believe an ISP is unfairly throttling their traffic.
  • Sanctions – Violations of the Net Neutrality Regulations are subject to the penalties outlined in the Telecommunications Act, which include fines of up to SAR25 million per violation.

In KSA, the rapid adoption of emerging technologies has necessitated a dynamic and proactive legal response. KSA has shifted from traditional telecom oversight to a holistic “digital governance” model led by CST and SDAIA.

Impact of Emerging Technologies on the Legal Landscape

The convergence of 5G, IoT and AI has blurred the lines between “connectivity” and “data processing”, forcing regulators to update foundational laws.

  • From “pipes” to “platforms” – The Telecommunications and Information Technology Act and its subsequent updates now treat 5G “network slicing” and edge computing as specialised services. This means providers are not just regulated for signal quality, but for the computational integrity of the services they host.
  • Regulating “space” connectivity – With 5G expanding into NTN, the CST has introduced the Regulation for Registration of Telecommunication Space Stations (2025). This brings satellite-to-cell and LEO satellite broadband into a structured licensing framework for the first time.
  • Expansion of AI governance – While there is no standalone “AI Law”, AI is governed through a “patchwork framework”. SDAIA’s AI Ethics Principles and the Generative AI Guidelines act as “soft law” that courts use to interpret “duty of care” and “fair processing” in AI-driven telecom services.

Legal Considerations for TMT Companies

Companies integrating these technologies must navigate several “high-risk” legal areas.

Data sovereignty and “sovereign AI”

Under the PDPL, data residency remains a top priority.

  • IoT and edge computing – Data generated by IoT devices must be processed locally. TMT companies cannot offload this data to foreign clouds without a Data Transfer Risk Assessment (DTRA).
  • AI Training Data – Companies building localised AI models must ensure the training datasets (especially if they contain personal data) do not exit KSA, fostering a push for “Sovereign AI” hosted on local infrastructure.

Liability in autonomous systems

As AI agents and autonomous IoT systems (like connected vehicles) become mainstream, the Civil Transactions Law (2023) is being tested.

  • The attribution challenge – If a 5G-enabled autonomous robot causes harm, who is liable? Saudi law is moving towards a “developer-operator” model. If the error is in the “logic”, the developer is liable; if it is in the “operation/maintenance”, the TMT provider is liable.

Spectrum and interoperability

  • IoT numbering – TMT companies must comply with the National Numbering Plan, which mandates specific machine-to-machine (M2M) ranges for IoT mobile connectivity.
  • Interoperability – The CST “type approval” now includes strict requirements for IPv6 adoption and interoperability between different IoT ecosystems to prevent vendor lock-in.

Cybersecurity and critical infrastructure

Given that 5G and AI are classified as CNI, companies must adhere to the following.

  • ECC – Mandatory audits for any AI or 5G infrastructure.
  • CCC – High-level “Class C” certification is often required for AI-as-a-service providers in the government or health sectors.

Entering the Saudi market involves navigating a legal landscape that has undergone a massive “modernisation wave” between 2021 and 2026. While KSA is increasingly pro-business, technology agreements are now governed by high-stakes mandatory laws that cannot be “contracted out”.

Main Challenges in Technology Agreements

Companies entering into these agreements face three primary operational and legal hurdles.

  • Dual-regulatory oversight – Tech companies often fall under the jurisdiction of multiple bodies simultaneously. For example, a fintech start-up must satisfy SAMA for financial rules, SDAIA for data privacy, and the CST for cloud hosting.
  • Sharia compliance and public policy – While Saudi contract law is modernising, agreements must still avoid elements deemed contrary to Sharia (eg, certain types of speculative “aleatory” clauses or excessive interest/late payment penalties that could be reclassified as Riba).
  • Enforcement and arbitration seats – A major challenge is deciding where disputes will be heard. While the Saudi Center for Commercial Arbitration (SCCA) is now a world-class venue, foreign providers often push for external seats (like London or Dubai), which can complicate the enforcement of awards against local assets if the award is seen to violate local public policy.

Mandatory Laws and Typical Exclusions

Certain features of the Saudi legal framework are mandatory and will override any conflicting terms in a technology agreement.

Data storage and localisation

  • The PDPL – Fully enforceable as of September 2024, the PDPL requires that personal data of Saudi residents be processed with high levels of security.
  • Localisation mandates – While the law has moved towards a more flexible “adequacy” model (similar to GDPR), sensitive data – especially government, health and national security data – must be stored within KSA.

Price revision and termination

  • Government Tenders and Procurement Law (GTPL) – If the technology agreement is with a government entity, price revisions are strictly capped. Generally, prices cannot increase by more than 10% of the original contract value without an incredibly high burden of proof and administrative approval.
  • Termination for convenience – Many tech vendors include “termination for convenience” clauses. However, in Saudi government contracts, the state’s right to terminate for “public interest” is a mandatory legal principle that often leaves the vendor with limited recourse for lost future profits.

Industry-Specific Restrictions

Regulated industries face significantly “higher bars” for technology compliance.

  • Banking/fintech (primary regulator SAMA) – Must comply with the SAMA Cyber Security Framework. Cloud outsourcing requires prior “no-objection” from SAMA for core banking functions.
  • Insurance (Insurance Authority) – Strict localisation of policyholder data. Outsourcing tech to foreign vendors requires ensuring the regulator has “audit rights” over the vendor’s systems.
  • Healthcare (Ministry of Health/SFDA) – High-security requirements for “health data”. AI used in medical diagnosis must be pre-cleared by SFDA.
  • Telecom (CST) – Mandatory “Class B” or “Class C” licences for cloud providers. Data traffic must remain within the Kingdom’s peering points unless specifically exempted.

In KSA, service and interconnection agreements are governed primarily by CST under the Telecommunications and Information Technology Act and its implementing regulations.

Since 2024, the legal landscape has shifted towards high transparency, mandatory consumer protection, and rigid “reference offers” for dominant players like stc.

Key Elements of Telecommunications Service Agreements

Under the CST’s Regulations on the Protection of Rights of ICT Services’ Users, every service agreement (contract) must include the following specific mandatory disclosures in both Arabic and English.

  • Service definition and quality (SLAs) – Detailed description of the service (eg, fibre, 5G), including a guaranteed minimum performance. For example, fibre broadband must maintain at least 70% of the advertised download speed.
  • Tariffs and credit limits – A clear breakdown of periodic fees, one-time installation charges, and the “credit limit” beyond which service may be barred.
  • Term and termination – The minimum contractual period and the specific penalty for early termination (typically capped by CST at a maximum of three months’ subscription fees for fixed services).
  • Privacy and data protection – Explicit clauses identifying the provider’s compliance with the PDPL, covering how user metadata and billing info are handled.
  • Dispute resolution – Mandatory inclusion of the internal complaint procedure and the right of the user to escalate the dispute to the CST if not resolved within five days.

Negotiating Favourable Terms

For enterprise and TMT companies, “standard form” contracts offered by operators are often the starting point, but room for negotiation exists in specific commercial areas.

  • Targeting “phase 0” discovery – Negotiate a “discovery phase” or “pilot” clause where the contract can be terminated without penalty if the technical solutioning (interfaces/integration) fails to meet predefined benchmarks in the first 30–60 days.
  • Customising service level credits – Move beyond standard “uptime” percentages. Negotiate “service level credits” that apply not just to total outages, but to latency and packet loss thresholds, which are critical for digital media and cloud-heavy businesses.
  • Dynamic scalability – Ensure the agreement allows for “upward and downward scalability” without triggering new long-term commitments.
  • Exclusion of auto-renewal – Strictly negotiate the removal of auto-renewal clauses. In KSA, CST regulations generally favour users, but for B2B contracts explicit “opt-out” language is necessary to prevent being locked into legacy pricing.

Considerations for Interconnection Agreements

Interconnection agreements allow different networks to exchange traffic. In KSA, these are heavily regulated to prevent anti-competitive behaviour.

  • Reference interconnection offers (RIO) – If dealing with a dominant service provider, the agreement must align with their CST-approved RIO. Any deviation that gives one company a “better” deal must be transparent and potentially offered to other operators to avoid “undue discrimination” claims.
  • Technical interoperability – Agreements must specify points of interconnection (PoI), signalling protocols and calling line identification (CLI) standards. Failure to meet CLI standards can lead to traffic being blocked under Saudi anti-spam/security rules.
  • Pricing models (LRIC) – Interconnection rates in KSA often follow the long run incremental cost (LRIC) model. Companies should verify that the wholesale rates proposed do not exceed the price caps set by the CST.
  • Security and lawful interception – Every interconnection agreement must account for the NCA standards. This includes how “transit traffic” is handled and ensuring that lawful interception capabilities are not compromised when traffic passes between networks.

In KSA, the landscape for trust services and electronic signatures is governed by a modernised legal framework that places the Kingdom among the leading digital economies globally. The transition from the 2007 Electronic Transactions Law to the 2024 Implementing Regulations has created a highly secure and legally robust “tiered” model for digital trust.

Primary Laws and Regulations

The regulatory framework is anchored by three main instruments.

  • Electronic Transactions Law – This is the foundational statute. It grants electronic signatures and records the same legal weight as their physical counterparts. Article 5 explicitly prevents the denial of a contract’s enforceability solely because it was concluded electronically.
  • Implementing Regulations of the Electronic Transactions Law – These regulations provide the technical and administrative requirements for Trust Service Providers (TSPs). They define the standards for digital certificates and the mandatory link between a signature and a licensed provider.
  • Saudi National Public Key Infrastructure (PKI) Policy – Managed by the National Information Center (NIC), this policy sets the technical “root of trust” for all digital certificates issued in the Kingdom.

The Tiered Model of Electronic Signatures

Saudi law distinguishes between types of signatures based on their evidentiary weight in court.

  • Standard (SES) – Basic clicks, typed names or scanned images (commonly used in internal HR memos and low-risk retail forms). This signature type carries low evidentiary weight, requiring additional proof of intent/identity if challenged.
  • Qualified (QES) – Certificate-based signatures issued by a licensed TSP (eg, emdha) (commonly used in commercial contracts, powers of attorney and financial agreements). With high evidentiary weight, these are legally equivalent to a wet-ink signature and are non-repudiable.

Digital Identity Schemes: Nafath and Absher

KSA’s digital identity ecosystem is one of the most integrated in the world.

  • Nafath platform – This is the National Single Sign-On (SSO) service. It allows users to authenticate themselves across government and private sector platforms using biometric or multi-factor authentication linked to their national ID.
  • Legal integration – When a user “accepts” a request on the Nafath app, it constitutes a legally binding authentication under the Electronic Transactions Law. In 2026, many high-value transactions (such as opening a bank account) require Nafath authentication as the primary identity verification.

Key Legal Elements and Challenges

Liability and insurance

  • TSP liability – Licensed Trust Service Providers are strictly liable for damages resulting from a failure in their certification systems (eg, if a certificate is forged due to their negligence).
  • Insurance mandates – Under the 2024 Regulations, TSPs are often required to maintain Professional Indemnity Insurance to cover potential claims arising from digital identity theft or certificate failures.

Data protection (PDPL)

  • Sovereignty – Digital identity data and “trust” logs must be stored within Saudi Arabia.
  • Sensitive data – Biometric data used in Nafath (face ID/fingerprints) is classified as Sensitive Personal Data under the PDPL. Processing it requires heightened security controls and explicit user consent for each specific purpose.

Intellectual property and fundamental rights

  • IP of digital assets – The code and cryptographic algorithms used by local TSPs are protected under the Copyright Law and managed by SAIP.
  • Right to privacy – While the government promotes digital identity, individuals have the fundamental right (under the PDPL) to know how their identity data is being used and to request a log of every entity that has accessed their Nafath profile.

Jurisdiction and exclusions

Despite the digital push, certain high-risk transactions are excluded from electronic signatures and still require a physical notary (Ma’zoon).

  • Marriage and divorce – Personal status documents.
  • Real estate deeds – Transfer of land titles (though this is increasingly moving towards a centralised, government-hosted digital “E-Deed” system).
  • Wills (Waqf) – Testamentary documents and endowments.

In KSA, the gaming industry is a central pillar of Vision 2030, specifically through the National Strategy for Gaming and Esports. The legal framework is designed to promote growth while maintaining strict alignment with Sharia principles and public decency.

Legal Framework and Regulators

Gaming is regulated through a multi-agency approach rather than a single “Gaming Act”.

  • General Authority for Media Regulation (GAMR) – Formerly GCAM, it is the primary body for content classification, age ratings and the clearance of electronic games for the Saudi market.
  • Saudi Esports Federation (SEF) – Focuses on the competitive landscape, regulating leagues (ie, the Saudi eLeague), player contracts and the professionalisation of the sector.
  • CST – Oversees the digital infrastructure, online platform registrations and cloud hosting for gaming services.
  • PDPL – Enforced by SDAIA, this governs how game developers collect and process player data (biometrics, location and payment info).

Age Ratings and Content Restrictions

Saudi Arabia operates its own specialised age classification system, which is mandatory for all physical and digital games sold in KSA.

Age classification categories (GAMR)

The following categories apply.

  • 3+ (suitable for ages 3 and up) – Very mild, cartoonish violence; no scary sounds.
  • 7+ (suitable for ages 7 and up) – May contain non-realistic violence or minor scary elements.
  • 12+ (suitable for ages 12 and up) – May include scary sounds, mild injuries or mild suggestive themes.
  • 16+ (suitable for ages 16 and up) – Realistic violence towards human-like characters; use of inappropriate language.
  • 18+ (adults only) – Explicit violence, torture or themes of crime/smoking/alcohol.
  • 21+ (new for 2025/2026) – Extreme violence, horror or sensitive political/social themes.

Content restrictions

A game can be refused classification (banned) if it contains content that violates any of the following.

  • Religious values – Mockery of Islamic sanctities or promoting other religions.
  • Public morals – Graphic sexual content, nudity or themes of homosexuality.
  • Sovereignty – Material that insults the State or its leaders.
  • Drug promotion – Depicting drug use as a positive or unpunished behaviour.

In-Game Purchases, Loot Boxes and Gambling

The regulation of monetisation is where Saudi law is most distinct due to the Sharia prohibition of Maysir (gambling).

  • Gambling elements – Any game mechanic that requires a wager for a chance to win a prize with real-world or high virtual value is prohibited. Pure “social casino” games that allow cashing out are strictly banned.
  • Loot boxes – Saudi regulators have moved towards the “Transparency and Classification” model. While not banned outright, games with loot boxes must comply with the following:
    1. disclose odds – clearly state the probability of receiving specific items;
    2. age gate – often receive an automatic 16+ or 18+ rating because of the “simulated gambling” risk; and
    3. prohibit resale – mechanics that allow the “cash-out” of loot box items into real currency are prohibited, as this converts the mechanic into a legal definition of gambling.
  • Consumer protection – Under the E-Commerce Law, developers must provide clear invoices for digital purchases and ensure that “accidental” purchases by minors are refundable if parental controls were bypassed.

Key Legal Challenges

  • Cross-border data localisation – Large-scale MMOs (massively multiplayer online games) must navigate the PDPL requirement to host Saudi user data locally, which can cause latency issues if local cloud infrastructure is not fully integrated.
  • Esports contractual disputes – As the professional scene grows, SEF is increasingly dealing with disputes regarding player transfers, sponsorship rights and prize pool distributions.
  • Censorship versus global versions – Developers face the challenge of creating “KSA-specific” builds (censoring certain scenes or character outfits) to pass GAMR classification without breaking the game’s core experience.
  • Platform liability – Under the Telecommunications and IT Law, digital storefronts (like Steam or Epic) can be held liable if they allow unrated or banned games to be accessed via Saudi IP addresses without proper geofencing.

In KSA, the regulation of the gaming industry has evolved from basic content filtering into a sophisticated, multi-agency ecosystem designed to protect social values.

Primary Regulatory Bodies

The gaming industry is overseen by a “regulatory trinity” that manages content, competitive integrity and digital infrastructure.

  • GAMR – Formerly GCAM, GAMR is the supreme authority for content and classification. It manages the mandatory age-rating system and licenses the import, distribution and local development of electronic games.
  • Saudi Esports Federation (SEF) – Established to regulate the professional side of the industry, SEF oversees the Saudi eLeague, professionalises player contracts and manages the integrity of domestic and international tournaments (like the Esports World Cup).
  • CST – This body regulates the infrastructure that makes gaming possible. Its “Game Mode” initiative monitors ISP performance (latency/jitter) and it handles the licensing of cloud service providers who host game servers within KSA.

Enforcement Powers

The authorities possess a wide range of legal and administrative tools to ensure compliance with Saudi Law and Sharia-based public policy.

  • Financial sanctions – Fines for distributing unrated games or operating illegal esports tournaments can reach up to SAR5 million.
  • Seizure and confiscation – Regulators have the power to conduct field raids (supported by the Ministry of Interior) to seize counterfeit games or hardware that bypasses region-locking or classification.
  • Market exclusion – GAMR can “black-list” a game developer or publisher, preventing their future titles from being legally sold in the Saudi market if they repeatedly violate content standards (eg, refusing to censor sensitive material).
  • Digital blocking – The CST can order the blocking of IP addresses or URLs of online gaming platforms that host “gambling-like” mechanics or content that threatens public order.
  • Licence revocation – Influencers or businesses promoting unlicensed games can have their Mawthooq (media licence) or commercial registration suspended.

Recent Enforcement Actions

Recent years have seen a shift towards proactive enforcement.

  • The “violating games” raid – GAMR teams conducted co-ordinated raids on warehouses in Riyadh, Jeddah and Dammam, seizing over 5,000 electronic games valued at over SAR1 million. These games either entered the Kingdom illegally or did not bear the approved Saudi age rating.
  • Esports contractual enforcement – The Saudi Esports Federation (SEF) has increasingly intervened in disputes involving “poaching” of players. In one instance, a domestic club was penalised for signing a player without following the mandatory transfer protocols outlined in the Saudi eLeague Regulation 2026.
  • Loot box transparency action – In early 2025, several popular mobile titles were temporarily removed from local app stores until they updated their interfaces to display probability odds for loot boxes in Arabic, ensuring compliance with Saudi consumer protection standards regarding “uncertain transactions”.
  • Unlicensed tournament shutdowns – Authorities have cracked down on “unauthorised gaming cafes” that were hosting paid-entry tournaments without SEF permits, citing concerns over prize pool integrity and child protection.

In KSA, intellectual property (IP) is a cornerstone of the gaming and digital entertainment strategy. The SAIP, established in 2018, centralises all IP matters, including copyright, trade marks and patents, providing a modern framework for game developers.

Common IP Challenges for Game Developers

Despite rapid modernisation, developers face specific hurdles in the Saudi market.

  • Piracy and unauthorised distribution – While enforcement has increased, digital piracy remains a challenge. Developers must navigate “shredded” distribution where unrated or cracked versions of games appear on local peer-to-peer networks.
  • Arabic localisation rights – International developers often struggle with IP ownership of Arabic-translated assets. If a local agency performs the translation without a clear “work-for-hire” agreement under Saudi law, the agency may claim moral or economic rights over the localised content.
  • Cultural adaptation versus originality – Modifying a game to meet GAMR standards can create “derivative work” complexities regarding who owns the modified assets.

Creators’ Rights in Virtual Environments

Creators in virtual spaces (the metaverse, VR or MMOs) possess the same fundamental rights as physical-world creators, but with digital-specific applications.

  • Right of reproduction – Developers have the exclusive right to authorise or prohibit the duplication of their code, 3D models and soundscapes within the virtual world.
  • Moral rights – Saudi Law emphasises the “inviolable moral right”, allowing a creator to prevent any modification of their virtual work that might prejudice their honour or reputation (highly relevant for Sharia-compliant digital environments).
  • Enforcement powers – Creators can file “cease and desist” orders through SAIP’s e-portal. Penalties for infringement can reach SAR250,000 and up to six months’ imprisonment.

Copyright in Digital and Virtual Assets

In KSA, copyright protection for digital assets is governed by the Copyright Law and its subsequent 2024 updates.

  • Automatic protection – Copyright is granted automatically upon creation; however, SAIP recommends optional registration for digital assets (eg, character skins, virtual furniture) to provide a “timestamp” for legal disputes.
  • AI-generated content – As of late 2025, SAIP guidelines state that fully AI-generated assets (without significant human creative input) cannot be copyrighted. They enter the public domain. Only assets where a human “guided” the AI with specific prompts and iterative edits are eligible for protection.
  • Duration – Protection lasts for the author’s life plus 50 years (or 50 years from publication for corporate-owned software/games).

Trade Mark Laws in Virtual Goods and Services

Trade mark registration for virtual goods is now a standard practice for brands entering the Saudi digital economy.

  • Nice classification (Classes 9 and 41) – Companies must register trade marks under Class 9 (for downloadable virtual goods like digital clothes) and Class 41 (for entertainment services in virtual environments).
  • Visual and sound marks – Saudi law allows for the registration of “non-traditional” marks, such as the unique sound a game makes or a specific 3D avatar’s silhouette, provided it is distinctive.
  • First-to-file – KSA is a “first-to-file” jurisdiction. A developer must register their game’s name and logo with SAIP before launch to prevent “trade mark squatting” by local entities.

Implications of User-Generated Content (UGC)

UGC is a “legal grey area” that Saudi regulators are currently refining.

  • Ownership default – Unless the game’s end user licence agreement (EULA) states otherwise, the user may technically own the copyright to an original creation made within a game.
  • Licensing clauses – Most Saudi-compliant EULAs now include a “mandatory irrevocable licence”, where the user grants the developer the right to use, host and display the UGC without royalty.
  • Platform liability – Under the Anti-Cyber Crime Law, a game developer is responsible for removing infringing or illegal content once they are notified.

In KSA, the social media landscape is governed by a robust and specialised legal framework that has recently undergone significant tightening. This framework is designed to balance rapid digital modernisation with Sharia-based public policy and national security.

Primary Laws and Regulations

General Authority of Media Regulation (GAMR) – new guidelines

As of late 2025, the GAMR (formerly GCAM) issued comprehensive new content standards. These apply to all platforms (X, TikTok, Snapchat, Instagram, YouTube) and enforce the following.

  • Mawthooq licence – A mandatory licence (approx. SAR15,000 for three years) for any individual (citizen or resident) earning revenue from social media advertising.
  • Content restrictions – Explicit bans on “wealth flaunting” (showing excessive cash or luxury cars), filming family disputes or using inappropriate/vulgar language.
  • The “child ban” – A landmark 2025 regulation prohibits influencers from featuring children or domestic workers in daily “lifestyle” or promotional content to prevent commercial exploitation.

PDPL

Fully enforced as of September 2024, the PDPL governs how social media platforms and influencers handle user data.

  • Explicit consent – Platforms must obtain clear consent before using personal data for behavioural targeting or direct marketing.
  • Rights of the deceased – Uniquely, Saudi law protects the data privacy of individuals even after death if it identifies them or their family.

Anti-Cyber Crime Law

This remains the primary penal statute for online conduct. Key articles include the following.

  • Article 6 – Penalises the production or transmission of material impinging on public order, religious values or public morals with up to five years in prison and fines up to SAR3 million.
  • Defamation – Strictly prohibits “naming and shaming” or mocking individuals online, even if the shared information is true.

Key Legal Challenges

Intellectual property (IP) and “sharing”

SAIP has intensified enforcement regarding digital copyright.

  • Challenge – A common misconception is that “re-posting” or performing a poem/song on one’s personal account is harmless.
  • Legal reality – SAIP recently ruled that performing a poem or using a professional photograph without a written licence is a violation. In 2025, fines for such “social sharing” reached SAR5,000–250,000 depending on the commercial intent.

Data monetisation

Under the PDPL and GAMR rules, “data scraping” for commercial gain without a licence or user consent is strictly regulated.

  • Challenge – Many small businesses use social media analytics to target users.
  • Legal reality – If the data includes “identifiers” (like usernames or locations), it falls under PDPL. Companies must provide a “privacy notice” and an opt-out mechanism for any monetisation of such data.

Age restrictions and minor protection

The 2025 “Off the Feed” policy represents a major challenge for the “family vlogger” industry.

  • Challenge – Verifying the age of users and preventing the “sharenting” (parents sharing kids’ lives) culture.
  • Legal reality – Unlike some Western jurisdictions that allow “parental consent” for child content, Saudi law now treats the commercial use of a child’s likeness in social media as a per se violation of the minor’s rights, regardless of parental permission.

Cybersecurity and “public order”

The definition of “public order” is a significant challenge for international platforms.

  • Challenge – Aligning global “community standards” with local laws.
  • Legal reality – Platforms are often required to remove content within hours if it is deemed by Saudi authorities to violate public decency or social values. Failure to comply can lead to the platform being throttled or blocked under the Telecommunications Law.

Penalties for social media violations

The following list sets out violation type, primary regulator and maximum fines.

  • No Mawthooq licence (GAMR) – SAR5 million/five-year prison term.
  • Privacy breach (PDPL) (SDAIA) – SAR5 million/two-year prison term.
  • Impinging public order (Ministry of Interior) – SAR3 million/five-year prison term.
  • IP/copyright infringement (SAIP) – SAR250,000 (civil/criminal mix).

In KSA, the regulation of social media is a multi-agency effort characterised by strict oversight, mandatory licensing and rapid enforcement. The regulatory environment is more structured than ever, focusing on commercial transparency, cultural alignment and data sovereignty.

Primary Regulatory Bodies

Three main authorities share jurisdiction over the social media ecosystem, each focusing on a distinct aspect of digital life.

  • GAMR – Formerly known as GCAM, GAMR is the primary regulator for content. It oversees the licensing of influencers, monitors audiovisual material for cultural compliance and manages the “Mawthooq” licensing system.
  • CST – The CST regulates the digital infrastructure and platforms. It handles the registration of social media companies (especially those with over 100,000 Saudi subscribers) and ensures that platforms comply with local data residency and telecommunications laws.
  • SDAIA – As the national steward of the PDPL, SDAIA oversees how social media platforms and commercial accounts collect, process and monetise user data.

Enforcement Powers

The regulatory bodies possess broad administrative and legal powers to ensure compliance.

  • Financial sanctions – Fines for operating without a licence or violating content standards can reach up to SAR5 million (approx. USD1.33 million).
  • Content control – GAMR has the power to issue mandatory “take-down” notices. For non-compliant platforms, the CST can order internet service providers (ISPs) to throttle bandwidth or block access within the Kingdom.
  • Licensing actions – The authorities can suspend or permanently revoke “Mawthooq” licences, effectively ending an influencer’s legal ability to earn advertising revenue in KSA.
  • Criminal referrals – In cases involving threats to national security, public order or major fraud, regulators refer cases to the public prosecution under the Anti-Cyber Crime Law, which can lead to imprisonment for up to five years.

Recent Enforcement Examples

Enforcement has shifted from “warning-based” to “action-oriented” in recent years. Notable examples include the following.

  • The “Mawthooq” crackdown (2024–25) – GAMR conducted a massive audit of Snapchat and TikTok influencers. In a single quarter, dozens of accounts were fined and suspended for promoting unlicensed investment schemes and foreign products without displaying the mandatory licence number.
  • Misleading advertising fines – In 2025, several high-profile influencers were fined a total of SAR400,000 for promoting “medical products” and cosmetic procedures without a permit from the Ministry of Health, which is a requirement integrated into the GAMR social media rules.
  • Seizures of violating digital goods – In mid-2024, the Media Regulation Authority conducted raids in Riyadh and Jeddah, seizing over 5,000 counterfeit electronic games and digital assets being sold via social media shops that did not meet the national age-classification standards.
  • Deportation of non-Saudi violators – There have been reported cases where resident expatriates (non-Saudis) were deported and banned from the Kingdom after being found working as influencers or digital advertisers without the specific foreign investment/commercial licences required for non-citizens.
  • PDPL breach notifications – In late 2025, SDAIA issued formal warnings to three local e-commerce entities that were using social media “pixel” tracking to harvest user data for targeted ads without the explicit consent required under the PDPL.

Key Data Privacy Laws and Regulations

The legal landscape for Saudi telecom providers is a multi-layered framework involving national laws and sector-specific mandates.

  • PDPL – The primary national statute (fully effective as of September 2024). It sets the baseline for data processing, subject rights and controller obligations.
  • Telecommunications and Information Technology Act – Specifically governs the TMT sector. It introduces mandatory obligations for user data confidentiality and empowers the CST to issue detailed privacy and security regulations.
  • CST protection of rights of service users – A regulatory framework mandates transparency in billing, service terms and the protection of personal information specifically for telecom subscribers.
  • NCA controls – Since telecom infrastructure is classified as Critical National Infrastructure (CNI), providers must comply with the ECCs and CCCs.

Main Challenges for Telecom Companies

Telecom providers face unique operational hurdles in achieving compliance.

  • Granular consent management – Under the PDPL, consent must be explicit for marketing and sensitive data. Managing this across millions of legacy subscribers, often through USSD codes or SMS, is technically complex.
  • Data minimisation versus big data analytics – Telecoms rely on vast datasets (location, call logs, browsing metadata) for network optimisation and personalised services. Balancing the “minimum necessary” principle of the PDPL with data-heavy innovation is a constant tension.
  • Fulfilment of user rights – The PDPL grants users the right to access, correct and destroy their data. For a telecom provider, “erasing” data is often restricted by mandatory retention laws.

Cross-Border Data Transfers and Localisation

KSA maintains a strict “localisation-first” approach, particularly for regulated sectors.

  • Data residency – All personal data related to Saudi subscribers should ideally be stored and processed within KSA.
  • Transfer mechanisms – If data must leave KSA, the provider must conduct a data transfer risk assessment (DTRA).
  • Approval and adequacy – Transfers are permitted if the destination country has an “adequate” level of protection (as determined by SDAIA) or if the provider uses SCCs or BCRs.

Balancing Lawful Interception (LI) With Privacy

This is perhaps the most sensitive area for Saudi telecom operators.

  • Mandatory LI obligations – The Telecommunications Act and national security laws require providers to grant “competent authorities” (security services) access to communications for counter-terrorism and crime prevention.
  • Legal basis – Under PDPL Article 6, processing is permitted without consent if it is required for security purposes or to implement another law.
  • Privacy protections – Providers must ensure that LI capabilities are only activated upon official warrant/request. Internal access to these tools must be strictly audited and restricted to “need-to-know” personnel to prevent unauthorised surveillance.

Role of Third-Party Vendors and Cloud Providers

Telecoms increasingly rely on global vendors and cloud for 5G and AI.

  • Data processing agreements (DPAs) – Providers must sign DPAs with all vendors, ensuring the vendor (the “processor”) adheres to the same PDPL standards as the telecom.
  • Cloud first policy – Government-linked or critical telecom data must be hosted on CST-qualified cloud providers who have local data centres within KSA.
  • Audit rights – Telecoms are legally required to audit their vendors’ security measures periodically.

Impact on Infrastructure and Innovation

The evolving regulatory environment acts as both a constraint and a catalyst.

  • Infrastructure investment – To comply with data residency, providers have had to invest heavily in local Tier III and Tier IV data centres and “edge computing” nodes within KSA borders.
  • Privacy by design – Innovation in 5G and IoT now requires privacy to be “baked in” from the start. For example, a new smart-city solution over a 5G network must have automated data anonymisation built into its architecture.
  • Market trust – While compliance costs are high (estimated in the billions of SAR for the sector), these regulations are seen as essential for positioning KSA as a Regional Digital Hub, attracting global tech partners who demand high legal certainty.

In KSA, digital media and streaming platforms – ranging from local services like Shahid to global giants like Netflix and YouTube – operate within a rigorous and evolving legal ecosystem. The regulatory landscape is anchored by the PDPL and overseen by the SDAIA and the NCA.

Primary Legal and Operational Challenges

Digital media providers face a complex “triple-threat” of regulatory compliance, cultural alignment and technical security.

  • Lawful basis for processing – Under the PDPL, streaming services must identify a specific legal basis for every data point collected. While “contractual necessity” covers basic service delivery, explicit consent is often required for secondary uses like behavioural advertising or cross-platform tracking.
  • Data residency and localisation – A major challenge is the requirement to store “sovereign” or sensitive data within the Kingdom. For global streaming platforms, this often necessitates local data centres or using KSA-based cloud providers to avoid legal friction.
  • Verification of minors – Saudi law places heavy emphasis on protecting children. Operationalising robust age-verification that complies with the PDPL without being overly intrusive to the user experience is a significant hurdle.
  • Content versus privacy – Managing user-generated content (UGC) requires providers to balance the Anti-Cyber Crime Law (which mandates the removal of illegal content) with the PDPL (which limits the monitoring of private user data).

Privacy-by-Design and Security-by-Design Implementation

To meet SDAIA and NCA standards, providers must integrate protection into the “DNA” of their platforms.

Privacy by design (PbD)

  • Data minimisation – Platforms are configured to only collect what is strictly necessary. For example, a “kids profile” might be prohibited from collecting geolocation or precise age, instead using broad age-group categories.
  • Automated deletion – Implementing “right to be forgotten” workflows where user metadata is automatically scrubbed or anonymised 30 days after a subscription expires, aligning with PDPL retention limits.
  • Transparent UI – Using “just-in-time” privacy notices. Instead of one massive T&C document, a platform might show a small pop-up explaining why it needs microphone access before a user starts a voice-search.

Security by design (SbD)

  • End-to-end encryption – Streaming traffic and user payment data are encrypted using TLS 1.3 and AES-256 standards.
  • Multi-factor authentication (MFA) – With the rise of “account takeover” attacks, Saudi regulators increasingly view MFA not as a feature, but as a mandatory security control for premium digital services.
  • NCA ECC compliance – Providers often align with the ECCs, which require regular penetration testing and vulnerability management.

Third-Party Data Sharing Challenges (Advertisers and Analytics)

Sharing data with third parties is the highest-risk area for streaming platforms in KSA.

  • The “processor” versus “controller” trap – Under Saudi law, the streaming platform is the “controller”. If an analytics provider (the “processor”) suffers a breach, the platform remains legally liable to the Saudi regulator unless a robust data processing agreement (DPA) is in place.
  • Marketing consent – The PDPL prohibits “bundling” consent. A user must be able to agree to use the streaming service while refusing to have their data shared with third-party advertisers.
  • Anonymisation requirements – To share “big data” trends with advertisers legally, providers must use advanced de-identification techniques. If the data can be “re-identified” (eg, through IP addresses), it is still considered personal data and subject to strict transfer rules.
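The automated deletion workflow (metadata scrubbed or anonymised 30 days after a subscription expires) and the anonymisation requirement (data that can still be re-identified through an IP address remains personal data) can be combined into a single retention job. The script below is an added illustration written for this page; it is not code from the guide or from Al Tamimi & Company, and no Saudi regulation prescribes these exact mechanisms. It assumes Python, a constructed subscriber ledger, a placeholder HMAC key, and /24 and /48 as the IPv4 and IPv6 generalisation prefixes; keyed hashing of the user id and prefix-based IP coarsening are one de-identification choice among several. Records past the 30-day window have their direct identifiers dropped, their user id pseudonymised and their IP generalised, and the resulting export is checked for residual host-precise identifiers before it is treated as shareable with an advertiser.

```python
"""Retention scrub and de-identification job (illustrative; see lead-in for assumptions)."""
import hashlib
import hmac
import ipaddress
from datetime import date, timedelta

# Constructed sample ledger: direct identifiers (email), a network identifier (ip)
# and the coarse attributes an advertiser might legitimately receive as a trend.
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "email": "a.user@example.com", "ip": "203.0.113.45",
     "age_group": "25-34", "region": "Riyadh", "top_genre": "drama",
     "subscription_expiry": date(2025, 12, 1)},
    {"user_id": "u-1002", "email": "b.user@example.com", "ip": "2001:db8:1234:5678::9",
     "age_group": "18-24", "region": "Jeddah", "top_genre": "sports",
     "subscription_expiry": date(2026, 1, 20)},
    {"user_id": "u-1003", "email": "c.user@example.com", "ip": "198.51.100.7",
     "age_group": "35-44", "region": "Dammam", "top_genre": "kids",
     "subscription_expiry": date(2026, 2, 10)},
]

JOB_DATE = date(2026, 2, 19)          # constructed run date for the job
RETENTION_DAYS = 30                   # the 30-day post-expiry window from the text
EXPORT_FORBIDDEN_FIELDS = ("email", "ip", "user_id")  # must never reach an advertiser
DEMO_KEY = b"constructed-demo-key-rotate-in-production"  # placeholder, not a real secret


def is_due_for_scrub(record, today, retention_days=RETENTION_DAYS):
    """True once the subscription has been expired for at least `retention_days`."""
    return today - record["subscription_expiry"] >= timedelta(days=retention_days)


def generalise_ip(ip_text):
    """Coarsen an IP address so it no longer identifies a single host.

    IPv4 keeps the /24 network, IPv6 the /48 (assumed prefix lengths); the host
    bits are zeroed, so the value cannot be mapped back to one subscriber.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def pseudonymise_id(user_id, key):
    """Keyed HMAC-SHA256 of the user id: stable across exports for trend analysis,
    irreversible without the key. The key itself must stay with the controller."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise_record(record, key):
    """Analytics-safe view: direct identifiers dropped, id pseudonymised,
    IP generalised, coarse attributes retained."""
    return {
        "subject": pseudonymise_id(record["user_id"], key),
        "network": generalise_ip(record["ip"]),
        "age_group": record["age_group"],
        "region": record["region"],
        "top_genre": record["top_genre"],
    }


def run_retention_job(records, today, key):
    """Split the ledger into records still within retention (kept unchanged)
    and records past the window (replaced by their anonymised view)."""
    kept, anonymised = [], []
    for record in records:
        if is_due_for_scrub(record, today):
            anonymised.append(anonymise_record(record, key))
        else:
            kept.append(record)
    return kept, anonymised


def contains_personal_data(exported):
    """Gate an export before it is shared: a forbidden raw field or a network
    value that still denotes exactly one host means the rows are re-identifiable
    and therefore still personal data."""
    for row in exported:
        if any(field in row for field in EXPORT_FORBIDDEN_FIELDS):
            return True
        if ipaddress.ip_network(row["network"]).num_addresses == 1:
            return True
    return False


if __name__ == "__main__":
    kept, anonymised = run_retention_job(SAMPLE_RECORDS, JOB_DATE, DEMO_KEY)
    print(f"{len(kept)} active record(s) kept, {len(anonymised)} scrubbed")
    for row in anonymised:
        print(row)
    print("export still personal data?", contains_personal_data(anonymised))
```

Note that the second sample record expired exactly 30 days before the run date and is scrubbed, so the boundary of the retention window is inclusive by design; a platform choosing the other reading would change `>=` to `>`. The `contains_personal_data` gate is the piece that operationalises the "re-identifiable equals personal data" rule: it would also reject an export where someone had set the IPv4 prefix to /32.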

Impact of Emerging Regulations on Operations and Agreements

The regulatory environment has fundamentally shifted how TMT (Technology, Media and Telecommunications) agreements are drafted. The following list sets out, for each impact area, the operational change and its contractual implication.

  • Data transfers – Mandatory data transfer risk assessments (DTRA) before sending data abroad. Standard contractual clauses (SCCs) are now a mandatory annex in all vendor agreements.
  • Audit rights – Platforms must physically or digitally audit their vendors’ KSA-based infrastructure. Agreements must include “right to audit” clauses and transparency on sub-processors.
  • Incident response – Platforms must notify SDAIA of breaches within 72 hours. Service level agreements (SLAs) now include strict “immediate notification” triggers for security incidents.
  • Cloud sovereignty – Shift towards local cloud providers to meet CST “Class B” or “Class C” requirements. Termination for convenience clauses are common if a vendor loses its CST qualification.

Al Tamimi & Company

Sky Tower
North Tower 9th Floor
King Fahad Road
PO Box 300400
11372 Riyadh
Saudi Arabia

+966 11 416 9666

info@tamimi.com www.tamimi.com