Saudi Arabia Opens a Consultation on AI Cybersecurity Guidelines | TLY

AI Regulation Tracker  /  Draft consultation

Saudi Arabia opens a public consultation on draft AI Cybersecurity Guidelines

On July 5, 2026, Saudi Arabia's National Cybersecurity Authority opened a public consultation on draft AI Cybersecurity Guidelines (إرشادات الأمن السيبراني للذكاء الاصطناعي). It is a draft out for feedback, not a rule in force. Comments are due August 5, 2026.

Saudi Arabia has spent the last few years building out a formal cybersecurity rulebook, and it is now turning that machinery toward artificial intelligence. On July 5, 2026, the National Cybersecurity Authority opened a public consultation on a draft set of AI Cybersecurity Guidelines. The document is open for comment, not adopted, and the authority has set August 5, 2026 as the deadline for feedback.

What the draft proposes

The NCA states the aim plainly. In the consultation text, the purpose of the AI Cybersecurity Guidelines document is to ensure the implementation of cybersecurity requirements for AI systems. In other words, this is not an AI ethics framework or a broad policy statement. It is a security document, meant to translate the NCA's existing controls-based approach into the specific problem of protecting AI systems.

The draft is organized around the kinds of concerns you would expect from a national cybersecurity regulator: governance over how AI systems are managed, defensive controls for the systems themselves, resilience so they keep working under stress or attack, and third-party risk where models, data, or services come from outside vendors. Treat the exact requirements as provisional. This is a draft, and the point of a consultation is that the wording can still move before anything is final.

A draft, not a rule in force

This is the distinction that matters for planning. Opening a consultation is the start of a process, not the end of one. Nothing in the draft binds anyone today. The NCA is collecting feedback through August 5, 2026, and only after it reviews that input and issues a finalized document would the guidelines carry any weight. Anyone telling you Saudi Arabia now requires specific AI security controls is describing a draft that has not been adopted.

Scope is the other thing to hold loosely. The NCA's cybersecurity mandate has historically centered on government bodies and critical national infrastructure, and its reach has been expanding toward some private-sector entities. So rather than assume the guidelines will land on every company, read the draft as applying to AI systems that sit within the NCA's cybersecurity mandate, and watch the final text to see exactly where that line is drawn.

Why a US professional should track this

The direct audience is any organization that operates or secures AI systems connected to Saudi government work or critical infrastructure, which includes US technology and security vendors with Saudi contracts, partnerships, or subsidiaries. If that is you, the consultation window is the cheapest time to influence the rules, and reading the draft now tells you what a compliance program would need to cover if the guidelines are finalized close to their current form.

There is a second reason to watch it. A growing number of governments are moving to fold AI systems into their existing cybersecurity regimes rather than write standalone AI laws. Saudi Arabia routing AI through its national cybersecurity authority is a clear example of that pattern, and how the NCA scopes and phrases these guidelines is a useful signal for where security-first AI regulation is heading elsewhere.

Questions professionals are asking

Does Saudi Arabia now require specific cybersecurity controls for AI systems?

Not yet. The NCA opened a public consultation on draft AI Cybersecurity Guidelines on July 5, 2026. The draft is out for feedback until August 5, 2026, and it does not bind anyone until the NCA finalizes and issues it.

What would the guidelines cover?

The draft proposes cybersecurity requirements for AI systems, organized around governance, defensive controls, resilience, and third-party risk. The exact requirements are provisional and can change through the consultation.

Who would the guidelines apply to?

They target AI systems within the NCA's cybersecurity mandate, which centers on government and critical national infrastructure and, as the authority's reach expands, some private-sector entities. The finalized text will define the precise scope.

RELATED BRIEFINGS

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel in the relevant jurisdiction.