SDAIA approves accreditation and data auditing licensing rules with a capital of 10 million

In a significant regulatory step aimed at strengthening the digital infrastructure in the Kingdom of Saudi Arabia, the Saudi Data & Artificial Intelligence Authority (SDAIA) has adopted regulations governing the licensing of data controllers and processors, as well as auditing and inspection activities related to the processing of personal data. This decision complements the Kingdom's ongoing efforts to regulate the data sector and ensure the privacy of individuals and institutions.

The context of digital transformation and data protection

The adoption of these regulations comes at a time when the Kingdom is undergoing a rapid digital transformation in line with the goals of Vision 2030, where data has become the new oil and the primary driver of the digital economy. With the issuance of the Personal Data Protection Law, the urgent need arose for independent and trustworthy bodies capable of granting accreditation and conducting audits to ensure compliance by both government and private entities with the law's provisions. SDAIA, as the national authority for data and artificial intelligence, is working to bridge regulatory gaps to guarantee a safe and reliable digital environment.

Strict financial and technical requirements

The new rules set precise standards for entities wishing to obtain a license, to ensure quality and reliability. Among the most prominent of these requirements are:

• Capital: The rules stipulated that the capital of the entity applying to practice the activity of issuing accreditation certificates should not be less than 10 million Saudi Riyals , which reflects the seriousness of the investment and the financial ability to bear the responsibilities.
• Human resources: The rules require the presence of at least 10 employees specializing in evaluation with direct contracts, with a requirement that some of them have at least 5 years of experience in the fields of data protection and evaluation.
• National accreditation: Certification bodies must obtain accreditation from the "Saudi Center for Accreditation" to ensure their compliance with national and international standards.

Licensing procedures and timeframe

The regulations stipulate that the license is valid for three years and renewable, and applications are subject to a rigorous evaluation process not exceeding 90 working days. The regulations also emphasize the need to disclose any conflicts of interest and to store data related to these activities within the Kingdom's geographical boundaries, thus reinforcing national data sovereignty.

Expected impact on the business sector

This regulation is expected to create a new market for compliance and auditing services in the Kingdom, thereby raising the level of competitiveness and quality. It will also enhance investor and customer confidence in companies that obtain accredited certifications, confirming their commitment to the highest standards of personal data protection. This measure is a fundamental pillar for establishing a comprehensive regulatory framework that guarantees rights and clarifies obligations in the Saudi digital space.