Saudi Arabia: Saudi Data and AI Authority issued rules governing the issuance of accreditation certificates for controllers and processers

On 17 February 2026, the Saudi Data and AI Authority (SDAIA) issued the Rules Governing the Issuance of Accreditation Certificates for Controllers and Processers, which became effective upon their online publication. The rules apply to both authorised "Licensees" and "Applicants" (Controllers or Processors) operating within or outside Saudi Arabia, establishing a framework where an Accreditation Certificate serves as formal evidence that an entity’s processing practices comply with the Personal Data Protection Law (PDPL), its Implementing Regulations, and the Transfer Regulations. To qualify, an Applicant must be registered in the National Register of Controllers, disclose all prior complaints or violations identified by SDAIA, and maintain qualified legal and technical staff with at least three years of experience. Following a maximum 90-business-day assessment period, successful Applicants receive a certificate valid for two years, with renewal applications required no later than 30 business days prior to expiration.