AI governance in Saudi Arabia, Vision 2030 and regulatory development

Saudi Arabia has made AI central to its Vision 2030 economic diversification strategy. The Saudi Data and AI Authority (SDAIA) was established in 2019 as the national authority for data and AI governance. Saudi Arabia's approach combines ambitious investment in AI development with regulatory frameworks that are still developing.

Regulatory framework

The Personal Data Protection Law (PDPL), effective September 2023, is the foundational data protection framework. It applies to AI systems that process personal data, with requirements for consent, purpose limitation, data minimisation, and individual rights, including the right to be informed about automated decision-making. The National Data Management Office (NDMO) under SDAIA oversees compliance.

SDAIA's AI Ethics Principles provide voluntary guidance covering: fairness and non-discrimination; transparency and explainability; security and privacy; human control and oversight; reliability and safety. These principles inform AI governance practices but are not directly enforceable.

Sector-specific regulation applies: SAMA (Saudi Central Bank) regulates AI in financial services; SFDA regulates AI in healthcare and medical devices; NCA (National Cybersecurity Authority) addresses AI cybersecurity. The Shoura Council has considered AI-specific legislation, though no standalone AI law has been enacted.

AI development agenda

Saudi Arabia's National Strategy for Data and AI targets making the Kingdom a global leader in AI. The strategy includes: NEOM and other giga-projects with significant AI integration; investment in AI research through KAUST and other institutions; public sector AI adoption through the Digital Government Authority; private sector AI development incentives. The $100 billion+ AI investment commitments position Saudi Arabia as one of the largest AI investors globally.

What companies operating in Saudi Arabia should do

Comply with the PDPL for all AI processing of personal data. Align AI governance with the SDAIA AI Ethics Principles. For financial services, comply with SAMA expectations. For healthcare, comply with SFDA requirements. Monitor SDAIA and sectoral regulators for evolving guidance. Build governance frameworks flexible enough to accommodate expected future regulation.

Primary sources: SDAIA · NDMO
