A map of Saudi technology regulators — SDAIA, NCA, CST, CITC, CMA mandates, jurisdictional scope, and practical overlaps.
This content is for educational and compliance awareness purposes only. It does not constitute legal advice. Consult a licensed attorney for legal counsel.
Saudi Arabia has several specialized technology regulators — each with a clear mandate but overlapping jurisdictions. An organization processing personal data, using cloud computing, and operating in a critical sector may be subject to SDAIA, NCA, and CST simultaneously.
SDAIA — the Saudi Data and AI Authority — reports to the Council of Ministers and oversees PDPL and all data protection and AI matters. Its mandate includes adequacy determinations for cross-border data transfer, issuing implementation guidance, and receiving breach notifications. Entities processing personal data within the Kingdom fall under SDAIA's scope.
NCA — the National Cybersecurity Authority — reports directly to the King and issues binding cybersecurity controls. NCA's mandate covers ECC for all government and critical private-sector entities, CCC for cloud computing, CSCC for critical systems, and TCC for remote work. NCA operates CERT-SA and receives security incident reports.
An organization processing personal data, using cloud, and operating in a critical sector may be subject to three or more regulators — coordination among them is key to effective compliance.
CST — the Communications, Space & Technology Commission — emerged from the merger of the former communications authority with space and technology sectors. CST oversees cloud computing policy, data hosting, and cloud provider licensing. Its requirements overlap with NCA on cloud security — technical controls from NCA, policy and licensing from CST.
CITC — the Communications and Information Technology Commission — regulates telecoms, internet, and spectrum. CITC's mandate covers licensing of service providers, content oversight, and technical compliance. CITC and CST share some telecoms jurisdiction — the division evolves with regulatory restructuring.
CMA — the Capital Market Authority — regulates financial markets and e-commerce in financial products and fintech. CMA's mandate covers payment platforms, electronic insurance, and digital investment. CMA's sandbox allows testing fintech solutions under supervised conditions.
Practical overlaps arise when: processing personal data (SDAIA) intersects with securing its storage (NCA) and cloud hosting (CST); banks and insurance companies also fall under SAMA with additional financial cybersecurity controls. Mature organizations designate internal contact points per regulator and coordinate their compliance program.
Incident reporting may trigger multiple authorities — a personal data breach is reported to SDAIA within 72 hours and possibly to NCA if the entity is critical in nature. Understanding each regulator's mandate prevents under- or over-reporting.
Responsibilities and scope per body
| Body | Mandate | Applies To |
|---|---|---|
| SDAIA | Personal data and AI | All personal data processors |
| NCA | Cybersecurity | Government and critical infrastructure |
| Ministry of Commerce | E-commerce and consumer protection | E-commerce platforms |
| CITC | Telecom and technical data | Telecom and tech service providers |
When do you fall under SDAIA vs NCA?
SDAIA: Mandate over personal data protection and AI governance.
NCA: Mandate over cybersecurity controls for government and critical infrastructure.
Verdict: Your organization may fall under both: PDPL via SDAIA, and security controls via NCA if it is critical infrastructure. Coordinating both compliance tracks is essential.