Saudi Arabia's AI Regulation in 2026: What the June SDAIA Package Actually Requires
Saudi Arabia has no standalone AI law yet - but the June 2026 SDAIA package of 10 regulatory documents, the binding PDPL, and sector rules from SAMA and SFDA already define what companies deploying AI in the Kingdom must do. A plain-language guide.
The short answer: Saudi Arabia does not yet have a binding, standalone AI law. What it has, as of June 2026, is a fast-thickening regulatory stack: a package of 10 SDAIA regulatory documents announced on June 8, 2026, the Personal Data Protection Law (PDPL) - which is binding and directly governs AI systems that touch personal data - and sector rules from SAMA (finance) and SFDA (healthcare). A dedicated AI law with risk-based classification is under development. If you deploy AI in the Kingdom, the compliance picture is already concrete enough to act on, and this post lays it out in plain language.
This is an engineering firm's operational reading, not legal advice - confirm specifics with counsel for your sector.
What SDAIA announced in June 2026
On June 8, 2026, the Saudi Data and AI Authority announced a package of regulatory contributions built around 10 documents on the ethical and responsible use of AI (Saudi Press Agency). The package includes:
- ▸AI ethics principles and generative AI principles for government entities
- ▸Generative AI principles for the general public
- ▸Deepfake guidelines - formally titled "Deepfake Guidelines: Mitigating Risks While Enabling Innovation" (SDAIA)
- ▸A national framework for professional standards in data and AI
- ▸A Saudi academic framework for AI specialty qualifications
These documents are guidance rather than statute - but in the Saudi system, SDAIA guidance is the strongest available signal of what the coming binding law will require, and government entities are already expected to follow it.
What is actually binding today
| Instrument | Issuer | Binding? | Relevance to AI |
|---|---|---|---|
| Personal Data Protection Law (PDPL) | Royal Decree M/19 | Yes | Governs collection, processing, and transfer of personal data - which includes AI training, inference, and deployment on personal data |
| National Data Management Office policies | NDMO | Yes, public sector | Data classification, governance duties |
| Essential Cybersecurity Controls (ECC) | National Cybersecurity Authority | Yes, where applicable | Security baseline for systems including AI |
| SAMA rules | Saudi Central Bank | Yes, financial sector | AI in banking/insurance operations |
| SFDA rules | Saudi Food & Drug Authority | Yes, healthcare | AI in clinical contexts |
| SDAIA AI ethics / GenAI principles / deepfake guidelines | SDAIA | Guidance | The template for the coming AI law |
The practical center of gravity is the PDPL (CMS AI Regulation Guide - Saudi Arabia): if your AI system processes Saudi personal data - customer chat logs, CVs, patient records, call recordings - you carry controller/processor duties, data-subject rights obligations, and cross-border transfer conditions today, regardless of any future AI-specific law.
The AI law that is coming
A dedicated AI law is under development, expected to unify the existing frameworks and introduce risk-based classification, registration, and audit duties for AI providers (CMS). A separate draft "AI Hub Law" from April 2025 addressed data sovereignty for foreign operators and remains unenacted. The direction of travel matches the EU pattern - risk tiers, provider obligations, auditability - adapted to the Kingdom's data-sovereignty priorities.
The operative word in the coming law is "audit duties." Systems being deployed in Saudi Arabia now will need to demonstrate - with evidence, not assurances - what they do with data, how accurate they are, and where their outputs come from. Building that evidence trail retroactively is far more expensive than building it in.
What to do now if you deploy AI in Saudi Arabia
- ▸Map your personal-data flows first. PDPL is binding now. Know exactly what personal data your AI system ingests, where it is processed, and whether anything crosses the border. Cross-border inference calls to a US-hosted model API are the most commonly overlooked transfer.
- ▸Prefer in-Kingdom or on-premise processing for sensitive workloads. Data residency solves most PDPL transfer questions structurally. Running the model itself inside your own infrastructure - now routine with quantized open-weight models - removes the external dependency entirely.
- ▸Follow the government principles even as a private company. SDAIA's generative AI principles for the public sector - human review of outputs, data classification, provenance - are the preview of private-sector duties under the coming law.
- ▸Keep an audit trail from day one. Log what the system was asked, what it answered, and what sources it used. This is simultaneously good engineering, PDPL hygiene, and pre-compliance with the announced audit duties.
- ▸Check your sector regulator. SAMA and SFDA obligations sit on top of everything above.
For a system already in production, the fastest way to know where you stand is an independent audit - measured accuracy, data-flow mapping, and a written report you can put in front of compliance or a regulator.
FAQ
Does Saudi Arabia have an AI law in 2026? Not a standalone binding one yet. What exists: the binding Personal Data Protection Law (PDPL), binding sector rules (SAMA, SFDA), NDMO policies for the public sector, and SDAIA's June 2026 package of 10 regulatory guidance documents. A dedicated AI law with risk-based classification and audit duties is under development.
What did SDAIA announce in June 2026? On June 8, 2026, SDAIA announced 10 regulatory documents on ethical and responsible AI use: AI ethics principles, generative AI principles for government entities and for the public, deepfake guidelines, a national professional-standards framework for data and AI, and an academic framework for AI qualifications.
Is SDAIA guidance legally binding? The guidance documents themselves are not statutes. But government entities are expected to follow them, and they are the clearest signal of what the coming binding AI law will require of private companies.
Can I use a foreign cloud AI API with Saudi customer data? That is a PDPL cross-border transfer question, and it depends on the data involved and the conditions met. Many regulated Saudi organizations avoid the question structurally by processing sensitive data in-Kingdom or fully on-premise, with the language model running inside their own infrastructure.
→ AI in Saudi Arabia: What Vision 2030 Means for Enterprise Buyers → AI Data Sovereignty in the GCC: Deploying Compliant On-Premise LLMs → The Gulf AI Mandate: Data Sovereignty and Local LLMs in the UAE and KSA