In a major development for the implementation of the Kingdom’s Personal Data Protection Law (PDPL), the Saudi Data and Artificial Intelligence Authority (SDAIA) has officially released detailed rules governing the licensing of entities authorized to issue accreditation certificates to controllers and processors, and to perform audits and inspections of personal data processing activities.
Titled “Rules Governing the Licensing to Issue Accreditation Certificates to Controllers and Processors, and the Auditing and Inspection of Personal Data Processing Activities” (Version 1.0, 2026), the new framework provides clear, transparent, and rigorous standards for third-party service providers seeking to support compliance efforts across the Saudi market.
This move is expected to boost confidence in the PDPL ecosystem, encourage higher standards of data protection, and create new opportunities for qualified local and international firms to participate in the growing compliance services sector.
Why These Rules Matter for Saudi Arabia’s Data Protection Landscape
Under the PDPL (Royal Decree No. M/19 dated 9/2/1443 AH) and its Implementing Regulation, certain compliance activities, such as issuing formal accreditation certificates and conducting independent audits and inspections, can only be performed by entities specifically licensed by SDAIA.
The new rules operationalize Articles 33, 35, and 36 of the Law and Regulation, creating a formal licensing regime that ensures only capable, independent, and trustworthy organizations are allowed to certify or audit personal data practices in the Kingdom.
Two Distinct License Types
SDAIA has established two separate licenses, each with its own requirements and scope:
1. License for Issuing Accreditation Certificates
Allows licensed entities to evaluate controllers and processors and issue official certificates confirming that their personal data processing practices fully comply with the PDPL, its regulations, and SDAIA standards.
2. License for Auditing and Inspection Activities
Permits licensed entities to carry out comprehensive audits and inspections of personal data processing operations, assess the effectiveness of protection controls, and produce formal audit/inspection reports.
Both licenses are issued exclusively to legal persons established in the Kingdom and are designed to guarantee independence, competence, and accountability.
Strict Eligibility Requirements for Applicants
To obtain either license, applicants must satisfy a robust set of general and specific conditions, including:
– Full compliance with the PDPL and all SDAIA regulations
– Complete independence and an established presence in Saudi Arabia
– Disclosure of any conflicts of interest, past complaints, or previous violations
– Possession of necessary technical tools and highly qualified personnel
– For accreditation certificate issuers only: minimum capital of SAR 10 million, at least 10 full-time evaluation employees with relevant experience, and completion of specialized SDAIA-approved training or tests
– Saudi Accreditation Center accreditation (for certificate issuers)
– Any additional requirements SDAIA may set
SDAIA retains the right to grant exemptions in exceptional cases.
Clear and Structured Licensing Process
Applications must be submitted through SDAIA’s designated procedures and include:
– Completed application form specifying the license type
– Articles of association, commercial registration, and contact details
– All supporting evidence of compliance with the requirements
SDAIA will review each application within a maximum of 90 business days and notify the applicant of the outcome. Successful applicants receive a license valid for three (3) years.
Fees for both license types will be determined and published by SDAIA, with possible tiered categories.
Renewal, Suspension, Revocation, and Cancellation Rules
Licenses can be renewed if the licensee continues to meet all requirements, with applications required at least 90 business days before expiry.
SDAIA may suspend or revoke a license for serious reasons, including:
– Non-compliance with the rules or PDPL
– Failure to address violations or directives
– Provision of false information
– Loss of required accreditations
Licensees have 30 business days to appeal or rectify the issues. Cancellation occurs automatically in cases such as company dissolution or unapproved mergers and acquisitions.
Licensees may not subcontract work without prior SDAIA approval, and even then, only to other licensed entities. The primary licensee remains fully responsible for all work performed.
Key Ongoing Obligations for Licensed Entities
All licensees must:
– Continuously train and professionally develop their staff in personal data protection
– Perform semi-annual internal assessments of their own operations
– Maintain strict confidentiality of audit and certification findings (disclosure requires SDAIA approval)
– Retain all related data inside the Kingdom
– Immediately disclose any new conflicts of interest
– For certificate issuers: maintain periodic review plans for previously certified entities
These obligations ensure that licensed service providers maintain the highest standards of integrity and professionalism over the full term of their license.
For controllers and processors operating in Saudi Arabia:
– When selecting third-party auditors or certification bodies, always verify that the provider holds a valid SDAIA license under these rules.
– Accreditation certificates and audit reports issued by unlicensed entities will not be recognized for PDPL compliance purposes.
For companies interested in becoming licensed providers:
– Begin preparing now by reviewing capital, staffing, training, and accreditation requirements.
– Ensure robust conflict-of-interest policies and internal compliance programs are in place.
– Monitor SDAIA’s Competent Authority Platform for the official application portal, fee schedule, and detailed mechanism documents.
PDPA vs SDAIA
The release of these licensing rules marks another significant milestone in SDAIA’s ongoing efforts to build a mature, trustworthy, and world-class personal data protection regime in the Kingdom. By formalizing the role of independent certifiers and auditors, SDAIA is reinforcing accountability while opening the door for specialized service providers to support organizations across all sectors.
The full official text of the Rules (Version 1.0, 2026), including all application forms and supporting documents, is available for download on the SDAIA website.
Organizations seeking guidance on how these rules affect their compliance programs are encouraged to consult qualified legal and data protection advisors.