Westbourne + Partners
Kingdom of Saudi Arabia: Regulatory Authorities, Frameworks, and Compliance Engineering
1. Overview
Saudi Arabia has shifted from a licensing-focused model to a framework-governed investment environment. Securing a license remains essential, but it is now only the first step. The real determinant of operational success lies in meeting the frameworks, standards, and controls enforced across data protection, cybersecurity, digital government, environmental regulation, payments infrastructure, and sector-specific authorities.
Companies that enter the market without a clear compliance roadmap often find themselves licensed but unable to open bank accounts, integrate data, host on approved cloud environments, or operate in regulated sectors such as AI, healthcare, finance, construction, and energy. These challenges stem not from the licensing process, but from insufficient alignment with the framework layer that governs day-to-day operations.
Saudi Arabia rewards readiness. Organisations that map their regulatory landscape early, coordinate across multiple authorities, and embed compliance into their operating models consistently achieve faster market activation and greater long-term resilience within the Kingdom.
As the Kingdom accelerates its economic transformation, regulatory frameworks are becoming more structured, transparent, and interoperable across agencies. This integration is intentional: it ensures that investment flows, digital infrastructure, data governance, and sectoral development advance in lockstep. For investors, this means that compliance is no longer a back-office function but a core strategic capability. Firms that build regulatory intelligence into their market strategy, understanding how frameworks interact, where bottlenecks occur, and which authorities shape operational readiness, are better positioned to scale, participate in national programs, and capture early-mover advantage.
2. The Two Layers of Governance in Saudi Arabia
Layer | What It Represents | Common Mistake | Real‑World Impact |
Regulator | Authority issuing licenses, supervision, approvals | “If we know the regulator, we’re safe.” | License issued; operations blocked later |
Framework | Standards, controls, processes, policies required to operate | “We’ll comply after launch.” | Banking delayed; cloud rejected; rollouts stalled; penalties |
Dual‑compliance model:
o Permission to enter (regulator)
o Capability to operate at scale (framework)
3. Saudi Arabia’s Regulatory Structure
Saudi Arabia’s regulatory transformation is among the most ambitious and forward‑looking globally. Under the umbrella of Vision 2030, the Kingdom has built one of the most advanced governance ecosystems in the emerging world, integrating technology, transparency, and proactive oversight across every major sector. This regulatory modernization not only protects investors but accelerates market efficiency and trust. It represents a model of how future economies balance innovation with accountability.
3.1 Cross‑Sector Authorities
Ministry of Investment (MISA): Foreign investment licensing, investor services, Regional HQ program, business setup.
Ministry of Commerce (MoC): Commercial registration, corporate law, franchise regulation.
Zakat, Tax and Customs Authority (ZATCA): Corporate tax, VAT, zakat, customs duties, rulings.
National Cybersecurity Authority (NCA): National cyber policy and mandatory cybersecurity controls; reports to the Royal Court.
Saudi Data and Artificial Intelligence Authority (SDAIA): National data & AI policy, PDPL oversight, AI ethics and GenAI guidance.
Digital Government Authority (DGA): Digital government policy, identity, APIs, interoperability, open data.
General Authority for Competition (GAC): Competition law and merger control.
Saudi Central Bank (SAMA): Financial services, payments, and fintech.
Capital Market Authority (CMA): Securities, funds, and public offerings.
Communications, Space & Technology Commission (CST): Telecoms, cloud, and ICT licensing.
Saudi Authority for Intellectual Property (SAIP): IP registration and enforcement.
3.2 Financial & Capital Markets
Saudi Central Bank (SAMA): Banking, payments, financing, cybersecurity and IT governance for financial entities.
Capital Market Authority (CMA): Securities, funds, listings, investment management, financial advisory licensing.
Insurance Authority: Regulates, supervises, oversees, and strengthens the insurance sector. (Certain legacy frameworks that originated under SAMA remain applicable during the transition.)
Financial Sector Development Program (FSDP): Not a regulator, but a governing program that drives regulatory mandates and reforms.
Anti-Money Laundering & Counter-Terrorist Financing authorities:
o Saudi Central Bank (SAMA): Sectoral AML rules.
o General Directorate of Financial Intelligence (SAFIU): National financial intelligence unit (FIU) and reporting authority.
o Permanent Committee for AML/CFT: National coordination. (AML/CFT is a mandatory cross-cutting framework for all financial entities.)
3.3 Data, AI, Cyber & Digital
SDAIA: PDPL implementation, data governance standards, AI ethics, GenAI guidance.
NCA: Cybersecurity baselines and sectoral controls (including critical systems and cloud).
DGA: Digital service regulation, identity standards, API policies.
Communications, Space and Technology Commission (CST): ICT, spectrum, satellite/space, IoT, cloud classification, data routing.
SAMA: Regulates cybersecurity, cloud, outsourcing, and data for banks, fintechs, and payment providers. Issues mandatory cyber and IT governance frameworks that take precedence over general guidance for its regulated entities.
CMA: Cybersecurity, technology risk, and data governance rules for Capital Market Institutions and Tadawul-listed entities.
3.4 Construction, Housing & Real Estate
Ministry of Municipal, Rural Affairs and Housing (MOMRAH): Permits, urban planning, municipal codes, smart city standards.
Real Estate General Authority (REGA): Real estate ownership, brokerage, escrow, developer regulation.
Saudi Contractors Authority (SCA): Contractor classification, licensing and compliance.
Saudi Building Code (SBC) Commission / Secretariat: National building standards (SBC) adoption and updates.
Ministry of Energy: Regulates energy efficiency, district cooling, and utilities coordination. Relevant for large developments and smart cities.
Water & Electricity Regulatory Authority (WERA): Regulates utilities, connections, and tariffs. Critical for real estate and infrastructure projects.
Ministry of Justice (MoJ): Oversees property registration, title deeds, and real estate courts and dispute resolution.
Civil Defence (General Directorate of Civil Defence): Fire safety approvals, life safety compliance, mandatory for building permits and occupancy.
National Centre for Environmental Compliance (NCEC): Environmental impact assessments (EIA), and sustainability compliance.
3.5 Environment, Energy & Sustainability
Ministry of Energy (MoE): Energy policy (oil, gas, renewables, hydrogen), licensing oversight.
Ministry of Environment, Water and Agriculture (MEWA): Environment, water and agriculture policy; environmental protection law.
National Centre for Environmental Compliance (NCEC): Environmental enforcement, EIA approvals, monitoring.
National Center for Waste Management (MWAN): Circular economy, waste‑to‑energy and waste regulation.
Water & Electricity Regulatory Authority (WERA): Regulates power generation, transmission, distribution, water production and desalination, and tariffs, licensing and grid access.
Saudi Standards, Metrology and Quality Organization (SASO): Mandatory standards for energy efficiency (MEPS, labelling), and environmental and product compliance.
Royal Commission for Jubail & Yanbu (RCJY): Environmental and industrial regulation within Jubail and Yanbu, including special economic/industrial zones.
Ministry of Economy & Planning (MEP): National sustainability targets alignment as well as carbon, ESG, and climate integration into planning.
3.6 Industry, Mining & Logistics
Ministry of Industry and Mineral Resources (MIMR): Industrial licensing, mining concessions, manufacturing incentives.
Royal Commission for Jubail and Yanbu (RCJY): Industrial cities governance, HSE standards.
Economic Cities and Special Zones Authority (ECZA): Oversees Special Economic Zones; issues licenses and frameworks for global investors.
Ministry of Transport and Logistics Services (MOTLS): National Logistics Policy, integrated logistics licensing, and ports, rail, road and freight regulation.
Saudi Ports Authority (MAWANI): Regulates and operates seaports; port licensing, safety, and logistics zones.
General Authority of Civil Aviation (GACA): Air cargo, airports, and aviation logistics regulation.
Transport General Authority (TGA) / Saudi Railway Company (SAR): Rail regulation sits with TGA; SAR operates the network and governs freight network access.
Zakat, Tax and Customs Authority (ZATCA): Customs regulation, cross-border trade compliance, and free zone customs treatment.
3.7 Special Governance Zones & Urban Authorities
Saudi Arabia’s flagship special zones represent some of the most advanced governance and investment models in the region. Projects such as NEOM, ECZA’s Special Economic Zones, and the Royal Commission for Riyadh City (RCRC) operate under autonomous or semi-autonomous regulatory structures that allow them to establish tailored licensing regimes, sector-specific operating rules, and internationally benchmarked standards. These zones function as strategic platforms for piloting next-generation regulation across sustainability, digital infrastructure, mobility, professional services, tourism, and advanced manufacturing.
Each zone plays a distinct role within Saudi Arabia’s regulatory landscape.
NEOM is developing a future-oriented legal and governance model, incorporating smart-city regulation, environmental standards, digital identity, data-sharing protocols, and specialised dispute-resolution mechanisms suited for high-innovation sectors. NEOM operates under a dedicated regulatory authority with delegated powers and bespoke frameworks.
Economic Cities and Special Zones Authority (ECZA) oversees multiple Special Economic Zones designed to streamline investor onboarding, enhance logistics connectivity, and provide targeted incentives for global companies.
Royal Commission for Riyadh City (RCRC), with its comprehensive urban mandate, governs planning, mobility systems, permitting, heritage protection, and city-wide smart-infrastructure frameworks across Riyadh.
Royal Commission for Jubail & Yanbu (RCJY): Full regulatory authority over industrial licensing, environmental & HSE, and urban planning.
While these zones enjoy varying levels of autonomy, they remain aligned with national regulators across data protection (SDAIA), cybersecurity (NCA), taxation (ZATCA), environmental compliance (NCEC/MEWA), and commercial law (MoC). Their models complement the Kingdom’s broader regulatory architecture by enabling controlled experimentation, faster adoption cycles, and globally competitive operating environments.
4. The Framework Layer: Saudi Arabia’s Real Rulebook
4.1 Data & AI Governance (SDAIA / NDMO)
Personal Data Protection Law (PDPL)
PDPL Implementing Regulations
Mandatory for government / public sector (binding on ministries, authorities, and state-owned entities; applies to private-sector entities only where contractually or regulatorily imposed)
o National Data Governance Framework (NDMO)
o Data Management and Personal Data Protection Standard (SDAIA)
o National Information Center (NIC) requirements, when integrating with government platforms
Official guidance (non-binding)
o PDPL Compliance Guide
o AI Ethics Principles
o Generative AI Guidelines
4.2 Cybersecurity (NCA – Reports Directly to the Royal Court)
Essential Cybersecurity Controls (ECC)
Critical Systems Cybersecurity Controls (CSCC)
Cloud Cybersecurity Controls (CCC)
Data Cybersecurity Controls (DCC)
National Cryptographic Standards (NCS)
4.3 Financial, Insurance, & Payments (SAMA, Insurance Authority, & Saudi Payments)
Cybersecurity Framework (CSF)
IT Governance Framework (ITGF)
Counter Fraud Framework (CFF)
Financial Entities Ethical Framework (FEER): mandated, but an ethics and conduct framework rather than a technical or operational one
RTGS Cybersecurity Framework (for SARIE/RTGS, operated by Saudi Payments)
IFRS 17 (mandatory for insurance entities) and BCBS 239 (banking risk-data aggregation and reporting standard, applied where SAMA mandates it): international standards adopted by mandate, not Saudi-origin frameworks
National payment scheme rules (e.g., Mada, SADAD) and operational circulars (Saudi Payments)
4.4 Construction & Housing (SBC / SCA / REGA)
Saudi Building Code (SBC)
Contractor Classification and Compliance Regulations (SCA)
Real Estate Registration & Escrow Framework (REGA)
4.5 Environmental, Energy & Sustainability (MEWA / NCEC / SEEC)
Environmental Compliance Framework (NCEC)
Energy Efficiency Framework (SEEC)
Waste Management Regulations (MWAN), including circular-economy principles
Environmental Protection Law (MEWA)
4.6 Digital Government (DGA)
Digital Government Regulatory Framework (DGRF)
National Open Data Regulations (NORA) (the official national regulation on open data, but governed by SDAIA/NDMO rather than by DGA itself)
4.7 Telecom / Cloud
Spectrum Regulation
Satellite frequency/licensing rules
Internet of Things (IoT) Regulation
Cloud Computing Services Provisioning Regulations (CCSPRs) and the earlier Cloud Computing Regulatory Framework (CCRF): issued and enforced by CST
Cloud First Policy (MCIT)
Data residency, routing, and cross-border transfer requirements arising from the Personal Data Protection Law (PDPL), CST cloud regulations, and sector policies
5. Sector-by-Sector Regulatory & Framework Map
Sector | Primary Regulators | Required Frameworks & Controls (Non-Exhaustive) |
Banking & Finance | Saudi Central Bank (SAMA), Capital Market Authority (CMA) | SAMA IT Governance Framework (ITGF) · SAMA Cybersecurity Framework (CSF) · PCI-DSS (mandatory for card data environments) · SWIFT Customer Security Controls Framework (CSCF) (mandatory for SWIFT-connected institutions) · International standards adopted by Saudi regulators where explicitly mandated: BCBS 239 · ISO 20022 |
Insurance & Reinsurance | Insurance Authority | Insurance Authority solvency and capital adequacy frameworks · Governance and risk management requirements · Actuarial and reserving standards · Product approval and market conduct rules · IFRS-17 (mandatory) · PDPL · National Cybersecurity Authority controls (ECC/CSCC where applicable) |
Fintech & Payments | Saudi Central Bank (SAMA); Saudi Payments (payment system operator under SAMA authority) | SAMA Sandbox Rules · PCI-DSS · EMV · Digital Wallet Framework · Open Banking Policy · AML Rules |
Cloud, AI & Digital Platforms | Saudi Data and Artificial Intelligence Authority (SDAIA), National Cybersecurity Authority (NCA), Digital Government Authority (DGA) | PDPL · NDMO data governance standards · AI Ethics · GenAI Guidelines · NCA ECC/CSCC/CCC · Digital Gov API & Identity Rules |
Healthcare & Biotech | Saudi Food and Drug Authority (SFDA), Ministry of Health (MoH), Saudi Data and Artificial Intelligence Authority (SDAIA) | PDPL Medical Data Rules · Telehealth Regulations · SFDA Device Registration · Cybersecurity for Medical Systems · NCA ECC / CSCC · Healthcare Facility Licensing (MoH + Saudi Commission for Health Specialties) · Clinical Trial Regulations (MoH/SFDA) |
Energy, Industrial & Mining | Ministry of Energy (MoE), Ministry of Industry and Mineral Resources (MIMR), National Cybersecurity Authority (NCA), Saudi Standards, Metrology and Quality Organization (SASO) | Industrial Licensing · NCA ECC · NCA CSCC for OT and critical systems · Environmental Standards · Product Safety Schemes |
Green Energy & Sustainability | Ministry of Energy (MoE), Ministry of Environment, Water and Agriculture (MEWA), Renewable Energy Project Development Office (REPDO), National Center for Environmental Compliance (NCEC), Saudi Energy Efficiency Center (SEEC) | Renewable Energy Procurement Framework · Energy Efficiency Code · ESG-aligned regulatory and reporting requirements · Environmental Impact Assessment (EIA) Rules |
Construction, Housing & Infrastructure | Ministry of Municipal, Rural Affairs and Housing (MOMRAH), Real Estate General Authority (REGA), Saudi Contractors Authority (SCA) | Saudi Building Code · Contractor Compliance Rules · Housing Policy Framework |
Telecom, Space & Digital Infrastructure | Communications, Space and Technology Commission (CST), Ministry of Communications and Information Technology (MCIT) | Spectrum Policy · Satellite Rules · IoT Regulation · Cloud Classification · Data localization, routing, and cross-border transfer controls |
Real Estate | Real Estate General Authority (REGA), Ministry of Municipal, Rural Affairs and Housing (MOMRAH) | Ownership Rules · Escrow Laws · Digital Permit System · Saudi Building Code (via MOMRAH) · Zoning and land-use regulations · Environmental and infrastructure approvals for large developments |
Aviation & Transport | General Authority of Civil Aviation (GACA), Transport General Authority (TGA) | Safety & Airworthiness · NCA cybersecurity controls (ECC/CSCC, with GACA sector oversight) · Passenger Data Transfer |
Government Tech & Digital Identity | Digital Government Authority (DGA), Saudi Data and Artificial Intelligence Authority (SDAIA), National Cybersecurity Authority (NCA), Communications, Space and Technology Commission (CST) | DGRF · NORA · API governance and standards · Data residency restrictions |
6. The Six Most Common Mistakes Foreign Investors Make
Assuming licensing = operational approval – Licenses issued without framework alignment lead to stalled operations.
Treating Saudi rules as GCC-wide templates – Saudi enforces its own sovereign standards across AI, cyber, energy, and environment.
Underestimating cybersecurity, data, and environmental governance – NCA ECC, SDAIA PDPL, and NCEC environmental standards are mandatory prerequisites.
Starting compliance after market entry – In Saudi Arabia, compliance precedes execution.
Engaging only the licensing regulator – Projects often fail due to enforcement by a different body (e.g., NCA, MEWA, or SDAIA).
Believing Saudi is still “early-stage.” – It is now one of the most structured regulatory environments in the G20.
7. Key Insights for Proactive Investors
Align licensing with operational frameworks early. Investors who plan compliance from the start move faster and avoid delays.
Recognize Saudi Arabia’s sovereign standards. Each framework (AI, cybersecurity, energy, environmental) has unique local depth.
Prioritize cybersecurity, data, and environmental readiness. NCA ECC, SDAIA PDPL, and NCEC standards are market‑entry essentials.
Embed compliance in business models. Early framework alignment reduces risk and boosts bankability.
Engage multiple regulators. Success depends on coordination across SDAIA, NCA, MEWA, and other authorities.
Seize the first‑mover advantage. Saudi Arabia’s clear frameworks favour investors who act decisively and align early.
6 January 2026
