Who should read this article?

This article is useful for business leaders and execution teams operating in Technology Law in the Saudi market.

What should I do after reading?

The next step is to convert insights into a clear execution checklist, align priorities with available resources, and start with the highest-impact move.

Back to blog

Technology Law025

Saudi Tech Regulators: SDAIA, NCA, CST, CITC

Zaid R. IdrisPublished: February 20, 2026٢٣ شعبان ١٤٤٧ هـ2 min read

Quick answer

A map of Saudi technology regulators — SDAIA, NCA, CST, CITC, CMA mandates, jurisdictional scope, and practical overlaps.

Key takeaways

- Saudi Arabia has several specialized technology regulators — each with a clear mandate but overlapping jurisdictions.
- SDAIA — the Saudi Data and AI Authority — reports to the Council of Ministers and oversees PDPL and all data protection and AI matters.
- NCA — the National Cybersecurity Authority — reports directly to the King and issues binding cybersecurity controls.

This content is for educational and compliance awareness purposes only. It does not constitute legal advice. Consult a licensed attorney for legal counsel.

Saudi Arabia has several specialized technology regulators — each with a clear mandate but overlapping jurisdictions. An organization processing personal data, using cloud computing, and operating in a critical sector may be subject to SDAIA, NCA, and CST simultaneously.

SDAIA — the Saudi Data and AI Authority — reports to the Council of Ministers and oversees PDPL and all data protection and AI matters. Its mandate includes adequacy determinations for cross-border data transfer, issuing implementation guidance, and receiving breach notifications. Entities processing personal data within the Kingdom fall under SDAIA's scope.

NCA — the National Cybersecurity Authority — reports directly to the King and issues binding cybersecurity controls. NCA mandate covers ECC for all government and critical private sector, CCC for cloud computing, CSCC for critical systems, and TCC for remote work. NCA operates CERT-SA and receives security incident reports.

An organization processing personal data, using cloud, and operating in a critical sector may be subject to three or more regulators — coordination among them is key to effective compliance.

CST — the Communications, Space & Technology Commission — emerged from the merger of the former communications authority with space and technology sectors. CST oversees cloud computing policy, data hosting, and cloud provider licensing. Its requirements overlap with NCA on cloud security — technical controls from NCA, policy and licensing from CST.

CITC — the Communications and Information Technology Commission — regulates telecoms, internet, and spectrum. CITC mandate covers licensing of service providers, content oversight, and technical compliance. CITC and CST share some telecoms jurisdiction — the division evolves with regulatory restructuring.

CMA — the Capital Market Authority — regulates financial markets and e-commerce in financial products and fintech. CMA mandate covers payment platforms, electronic insurance, and digital investment. CMA's sandbox allows testing fintech solutions under supervised conditions.

Practical overlaps arise when: processing personal data (SDAIA) intersects with securing its storage (NCA) and cloud hosting (CST); banks and insurance companies also fall under SAMA with additional financial cybersecurity controls. Mature organizations designate internal contact points per regulator and coordinate their compliance program.

Incident reporting may trigger multiple authorities — a personal data breach is reported to SDAIA within 72 hours and possibly to NCA if the entity has a critical nature. Understanding each regulator's mandate prevents under- or over-reporting.

Reference

Regulatory Bodies Comparison

Responsibilities and scope per body

Body	Mandate	Applies To
SDAIA	Personal data and AI	All personal data processors
NCA	Cybersecurity	Government and critical infrastructure
Ministry of Commerce	E-commerce and consumer protection	E-commerce platforms
CITC	Telecom and technical data	Telecom and tech service providers

Regulatory Decision

SDAIA vs NCA Jurisdiction

When do you fall under SDAIA vs NCA?

SDAIA — Data & AI

Mandate over personal data protection and AI governance.

Pros

Focus on privacy and individual rights
Clear PDPL framework

Cons

Overlaps with data security at NCA

NCA — Cybersecurity

Mandate over cybersecurity controls for government and critical infrastructure.

Pros

Detailed security controls (ECC)
CERT-SA breach reporting

Cons

Applies primarily to government and critical sector

Verdict:

Your organization may fall under both — PDPL via SDAIA and security controls via NCA if critical infrastructure. Coordinating both compliance tracks is essential.