First announced: Final Implementing Regulations issued by the Saudi Data & AI Authority (SDAIA) in 2025; enforcement active with compliance deadlines extending into 2026.
Submitted by: NYBACS Compliance Desk
What changed
The Implementing Regulations clarify lawful processing bases, consent standards, data retention limits, breach notification requirements and cross-border data transfer restrictions. Controllers must register where required and maintain documented compliance programs.
Who’s affected
Companies operating in Saudi Arabia or processing personal data of Saudi residents, including foreign entities with local operations or digital services targeting the Kingdom.
Immediate actions
• Map data processing activities within Saudi jurisdiction.
• Establish lawful basis documentation and consent records.
• Implement breach notification procedures aligned with SDAIA timelines.
• Review international data transfer mechanisms.
Practical notes & timeline
The Personal Data Protection Law (PDPL) framework is now enforceable, with SDAIA empowered to impose administrative penalties. Businesses should ensure full operational readiness during 2026 supervisory reviews.



