PDPL·#1·Summary last reviewed:
Processor register expectations
Cross-border SaaS teams must document processing records and subprocessors before processing Saudi resident employee or customer data.
Does this affect you?
Yes, if you process personal data of residents in Saudi Arabia using offshore infrastructure.
Suggested actions
- Maintain a processing record covering data categories, purposes, retention, and subprocessors.
- Document data processing agreements (DPAs) where applicable.
Timing: Before substantive personal-data processing begins.
Official reference — SDAIA / PDPL
NCA·#2·Summary last reviewed:
Cloud ECC baselines
Hosting in-Kingdom or GCC often simplifies attestation paths for Essential Cybersecurity Controls.
Does this affect you?
Relevant if you host critical systems or sensitive workloads outside an aligned posture.
Suggested actions
- Review encryption in transit/at rest and access logging.
- Document data residency and backup locations.
Timing: Before production go-live for sensitive systems.
Official reference — NCA ECC
ZATCA·#3·Summary last reviewed:
E-invoicing phase gates
Revenue thresholds determine phase eligibility—align ERP tax codes before go-live to avoid rejections.
Does this affect you?
Applies to VAT-registered businesses subject to Phase 1/2 rules.
Suggested actions
- Validate VAT registration and device onboarding status.
- Test XML/QR outputs against ZATCA formats before first live invoice.
Timing: Before the first regulated e-invoice issuance.
Official reference — ZATCA
CMA·#4·Summary last reviewed:
Crowdfunding rule updates
Fintech entrants should validate prospectus-light pathways vs. full prospectus regimes for retail access.
Does this affect you?
Relevant if you market investment opportunities to the public via crowdfunding models.
Suggested actions
- Confirm offering category and disclosure requirements with counsel.
- Document internal controls for marketing and eligible investors.
Timing: Before soliciting or collecting investment commitments.
Official reference — CMA
PDPL·#5·Summary last reviewed:
Cross-border data transfers
Transfers of personal data outside the Kingdom require a lawful basis and appropriate safeguards.
Does this affect you?
Applies when you systematically move Saudi personal data to foreign infrastructure.
Suggested actions
- Run a transfer impact assessment and align contracts with PDPL.
- Document recipient safeguards and ongoing oversight.
Timing: Before any systematic cross-border transfer.
Official reference — PDPL
HRSD·#6·Summary last reviewed:
Nitaqat updates (2025)
Periodic changes to establishment classification affect Saudization planning and contributions.
Does this affect you?
Relevant for workforce planning and compliance with localization programs.
Suggested actions
- Review your current Nitaqat band and hiring plan.
- Update employment contracts and payroll records as rules evolve.
Timing: At each annual review cycle or when headcount materially changes.
Official reference — HRSD