Understanding and Implementing Saudi Arabia’s NDMO Framework

Saudi Arabia is building one of the most comprehensive national data governance frameworks in the world.

The National Data Management Office (NDMO), operating under the Saudi Data and Artificial Intelligence Authority (SDAIA), has established the Data Management and Personal Data Protection Standards: 77 controls and 191 compliance specifications covering 15 distinct domains of data management. These standards apply to all Saudi public entities and to their business partners that handle government data. (Source: NDMO/SDAIA, “National Data Management and Personal Data Protection Standards,” Saudi Data and Artificial Intelligence Authority, 2021, sdaia.gov.sa)

This framework is not simply a compliance exercise. It is part of Vision 2030, the Kingdom’s strategic program to build a data-driven digital economy. The NDMO framework reflects the principle that data is a national asset deserving the same governance as physical infrastructure.

This guide covers what the NDMO framework is, who it applies to, how the 15 domains are structured, the eight guiding principles that underpin it, the compliance obligations organizations face, and the practical steps for implementation.

What Is the NDMO?

The National Data Management Office (NDMO) is the Kingdom of Saudi Arabia’s national data regulator, operating as a sub-entity of the Saudi Data and Artificial Intelligence Authority (SDAIA).

Its mandate extends beyond regulatory oversight. NDMO is responsible for developing and implementing policies, governance mechanisms, standards, and controls for data and AI; creating KPIs to assess government entities’ adherence to data governance requirements; monitoring and enforcing compliance; and building national expertise in data management through training and capacity development.

NDMO published the National Data Management and Personal Data Protection Standards Framework, commonly referred to as the NDMO Standards, which establishes the 77 controls and 191 compliance specifications that organizations must implement. These standards are structured around 15 knowledge domains that cover the full data lifecycle, from creation through storage, processing, sharing, and disposal.

NDMO and the PDPL: Two Related but Distinct Requirements

Organizations operating in Saudi Arabia face two distinct data regulatory requirements that are related but not identical.

The NDMO Standards apply primarily to government (public) entities and their business partners handling government data. They cover data management, governance, quality, security, and technical infrastructure across 15 domains.

The Personal Data Protection Law (PDPL), which came into force on 14 September 2023, applies to all organizations, public and private, that collect, process, store, or transfer the personal data of Saudi residents. The PDPL is Saudi Arabia’s equivalent of GDPR, establishing rights for data subjects and obligations for data controllers. (Source: Saudi Data and Artificial Intelligence Authority, “Personal Data Protection Law,” Royal Decree No. M/19, 2021; enforcement effective September 2023, sdaia.gov.sa)

For many organizations, particularly government agencies and regulated entities in financial services, healthcare, and telecommunications, both frameworks apply. Compliance with one does not guarantee compliance with the other, though strong NDMO data governance implementation provides a foundation for PDPL compliance.

Additionally, organizations handling EU resident data must comply with GDPR in addition to Saudi regulations.

The Eight Guiding Principles

The NDMO framework is built on eight guiding principles that set the philosophy for data management across all 15 domains.

  • Data as a National Asset: Data should be treated with the same strategic value as physical infrastructure: governed, protected, and leveraged for national benefit.
  • Data Protection by Design: Privacy and security controls must be embedded from the start of any data initiative, not added retroactively.
  • Open by Default: Maximize data transparency and access unless a justified restriction applies; avoid unnecessary opacity.
  • Ethical Data Use: Ensure fairness, accountability, and respect for individuals in all data collection and processing activities.
  • Purposeful Design: Collect and process only the data needed for clearly defined purposes; avoid accumulating data without a defined use.
  • Data-Driven Outcomes: Make decisions backed by measurable data insights; governance should enable analytics, not only restrict it.
  • Learning Culture: Continuously improve data management capabilities; invest in data literacy across the organization.
  • Trusted Data: Build confidence in data through documented accuracy, security measures, and transparent management practices.

The 15 NDMO Domains

The 15 domains are organized into a three-level hierarchy: Domain (the knowledge area), Control (a grouping of related specifications within the domain), and Specification (the specific action required for compliance).

The 15 domains are further organized into five control areas. (All domain control and specification counts below are sourced from: NDMO/SDAIA, “National Data Management and Personal Data Protection Standards,” 2021, sdaia.gov.sa)

Control Area 1: Data Governance

Data Governance is the overarching domain and the first priority in the NDMO framework. It contains 8 controls and 28 specifications, making it the most extensively specified domain.

Requirements include establishing a data governance framework aligned with the organization’s strategic objectives, defining roles and responsibilities including a Chief Data and Privacy Officer (CDPO), developing a 3-year data management implementation roadmap, and establishing KPIs for all data management domains.

The CDPO is a significant requirement. This executive role with authority and organizational influence is responsible for ensuring that the data management and personal data protection program is followed. The CDPO must have the standing to direct compliance across the organization, not merely document it.

Control Area 2: Data Management

This area covers the operational management of data assets. It includes:

  • Data Catalog and Metadata (6 controls, 20 specifications): Requirements for maintaining a searchable inventory of data assets with documented ownership, definitions, and lineage.
  • Data Quality (7 controls and specifications): Requirements for measuring and improving data accuracy, completeness, consistency, and timeliness, with defined quality thresholds and remediation processes.
  • Data Operations: Requirements for data lifecycle management from creation through disposal, including retention schedules and secure deletion procedures.
  • Document and Content Management: Requirements for managing unstructured data including physical records, emails, and digital documents.
  • Data Architecture and Modeling: Requirements for documented data models, schemas, and architecture decisions.
  • Data Sharing and Interoperability: Requirements for controlled data exchange between entities, including data sharing agreements and API standards.
  • Reference and Master Data Management: Requirements for maintaining consistent authoritative reference data and master data across systems.

Control Area 3: Data Classification and Availability

Data Classification is one of the most operationally significant domains because it determines what controls apply to every data asset.

The NDMO requires a data classification register listing all identified data assets with their classification level. Classification is based on the potential impact of a breach or unauthorized disclosure: the higher the potential damage, the more stringent the required controls.

Data Availability covers freedom of information requirements: the obligation to make publicly classified data accessible to Saudi citizens and to provide transparent request and appeal processes for accessing government information.

Control Area 4: Data Protection

This area covers the technical and procedural controls required to protect data from unauthorized access, disclosure, and loss.

Requirements include implementing data security controls aligned with the National Cybersecurity Authority (NCA) guidelines, conducting personal data protection impact assessments (similar to GDPR’s DPIAs) for high-risk processing activities, and establishing documented data erasure procedures that ensure secure destruction of operational data, archived data, and backups.

Cross-border data transfer restrictions are a significant requirement. Data within the Kingdom of Saudi Arabia must remain within national borders unless specific conditions are met. Any cross-border transfer requires compliance assessment and, for sensitive categories of personal data, explicit authorization.

Control Area 5: Digital Transformation Enablement

This area covers the infrastructure and capabilities that enable effective data management at scale, including data storage and computing infrastructure standards, AI and advanced analytics governance requirements, and the technical architecture that supports the other 14 domains.

Who Must Comply?

The NDMO Standards are mandatory for all Saudi government (public) entities, including government agencies, ministries, regulatory bodies, and public sector organizations, and for all business partners that handle government data on their behalf.

The PDPL applies to all organizations collecting or processing the personal data of Saudi residents, regardless of whether the organization is public or private, and regardless of where the organization is headquartered. A foreign company that processes the personal data of Saudi residents in the course of providing services is subject to PDPL.

Private sector organizations that are not subject to the mandatory NDMO Standards are increasingly adopting the framework voluntarily, because compliance with NDMO is becoming a requirement for participating in government procurement, tendering, and data-sharing partnerships.

Consequences of Non-Compliance

Non-compliance with NDMO Standards and the PDPL carries material consequences.

  • Regulatory fines and sanctions: Financial penalties reflecting the government’s strong commitment to data governance enforcement.
  • Legal consequences: Violations may lead to legal action, operational restrictions, or suspension of licenses with severe implications for business continuity.
  • Reputational damage: A data breach or publicly identified compliance failure damages trust with customers, partners, and government stakeholders.
  • Exclusion from government business: Non-compliant organizations risk exclusion from government contracts and public sector data-sharing arrangements.

Implementing NDMO Compliance: A Practical Approach

Step 1: Baseline assessment across all 15 domains

Before planning implementation, establish where the organization currently stands. Conduct a structured assessment against each of the 15 domains, rating maturity on a defined scale from initial to optimized.

This assessment surfaces the specific gaps, prioritizes remediation effort, and creates the documented baseline that the compliance program will build from.

Step 2: Establish the governance structure first

Data Governance is Domain 1 and Priority 1 in the NDMO framework for a reason. Without the governance structure (CDPO appointment, a data management office, defined roles and responsibilities, and an implementation roadmap), the operational domains cannot be implemented consistently.

The CDPO appointment is a formal requirement with specific accountability. The individual must have organizational authority, not just responsibility. Appointing someone to the CDPO role without the authority to direct compliance across departments will not satisfy the requirement.

Step 3: Build the data inventory and classification register

Data classification is the prerequisite for data protection. Without a comprehensive register of data assets with assigned classification levels, the organization cannot apply appropriate controls because it does not know what data it holds or how sensitive each asset is.

The classification register must cover data in all forms: structured databases, unstructured documents, emails, paper records, voice recordings, and any other form of recorded data. The scope of NDMO’s definition of “government data” is broad.

Step 4: Implement technical controls aligned with NCA requirements

The NDMO framework requires that data security controls align with the National Cybersecurity Authority’s guidelines. The NCA and NDMO work in coordination: NDMO sets the data management and governance requirements, and NCA sets the cybersecurity and technical security standards.

Technical controls include access management (who can access which data under what conditions), encryption at rest and in transit, audit logging of data access and modification, secure deletion procedures, and incident response processes for data breaches.

Step 5: Address cross-border data transfer restrictions

The data residency requirement is operationally significant for cloud-first organizations. Saudi government data must remain within the Kingdom unless specific authorization conditions are met.

This affects cloud infrastructure choices: AWS, Azure, and Google Cloud have announced or opened Saudi Arabia regions to address this requirement. It also affects SaaS vendors, data processors, and any third-party service that would process or store Saudi government data outside the Kingdom. Selecting an in-Kingdom region is necessary but not sufficient: cross-region backups and replication, logging and telemetry pipelines, and vendor support or administrative access can each move data outside the Kingdom, and each needs to be covered by the transfer assessment.

Step 6: Establish continuous compliance monitoring

NDMO compliance is not a one-time certification. The NDMO may conduct ad-hoc compliance audits on selected entities based on submitted compliance reports. Compliance reports must be submitted on a defined schedule.

Continuous monitoring (automated quality checks, access log reviews, data classification reviews, and breach detection monitoring) provides the ongoing assurance and the audit trail that compliance audits require.

The Data Infrastructure Requirements Behind NDMO

NDMO compliance is not achievable through policy documentation alone. The framework makes specific demands on data infrastructure that organizations must build or procure.

The framework’s infrastructure demands map directly onto its domains:

  • A data catalog with metadata management capability, required for the Data Catalog and Metadata domain, covering asset discovery, ownership assignment, and lineage documentation.
  • A data quality monitoring platform, required for the Data Quality domain, providing continuous measurement of quality dimensions with alerting when thresholds are breached.
  • Access management systems that enforce role-based access controls aligned with classification levels, required for the Data Protection domain.
  • Lineage tracking tools that document how data moves between systems, supporting both the Data Governance and Data Sharing domains.
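As an added example that is not part of the original page and is not NDMO/SDAIA’s own material, the Python below ties together the mechanics described in Steps 3 to 6 and in the infrastructure list above: a small classification register, a deny-by-default access check that compares a role’s clearance against the asset’s classification level (the role-based control aligned with classification), a residency check that refuses a transfer outside the Kingdom unless a documented authorization reference accompanies it, and a replay of audit events against both checks to produce the findings that continuous monitoring depends on. The level names and their ordering, the role clearances, the region code "sa", the register entries, the authorization reference and the JSON log lines are all constructed for the example; the real classification levels, authorization conditions and log formats come from NDMO, NCA and your own systems.

```python
"""Classification-driven access, residency and audit-log checks.

Added illustration, not NDMO/SDAIA code and not part of the original page.
Level names and ordering, role clearances, register entries, region codes
and log lines are all assumed for the example.
"""
import json
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional

KSA = "sa"  # assumed region code meaning "stored inside the Kingdom"


class Level(IntEnum):
    """Assumed classification levels, ordered by breach impact (low to high)."""
    PUBLIC = 0
    RESTRICTED = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner: str      # accountable data owner recorded in the register
    level: Level
    region: str     # where the asset is stored today


# Constructed classification register: every data asset must appear here.
REGISTER: Dict[str, Asset] = {
    "open-data/budget-summary": Asset("open-data/budget-summary", "finance", Level.PUBLIC, KSA),
    "hr/payroll": Asset("hr/payroll", "hr", Level.SECRET, KSA),
    "citizen/health-records": Asset("citizen/health-records", "health", Level.TOP_SECRET, KSA),
}

# Assumed role clearances: a role may read assets at or below its level.
CLEARANCE: Dict[str, Level] = {
    "public-portal": Level.PUBLIC,
    "analyst": Level.RESTRICTED,
    "hr-admin": Level.SECRET,
    "cdpo": Level.TOP_SECRET,
}


def can_access(role: str, asset_id: str) -> bool:
    """Deny by default: an unknown role or an unregistered asset is refused.
    An unregistered asset is also a gap in the Step 3 inventory."""
    asset = REGISTER.get(asset_id)
    clearance = CLEARANCE.get(role)
    if asset is None or clearance is None:
        return False
    return clearance >= asset.level


def transfer_allowed(asset_id: str, dest_region: str, authorization: Optional[str] = None) -> bool:
    """Residency rule: data stays inside the Kingdom unless a documented
    authorization reference is attached to the transfer."""
    if asset_id not in REGISTER:
        return False
    if dest_region == KSA:
        return True
    return bool(authorization)


def check_event(ev: dict) -> Optional[str]:
    """Return None when the event conforms to policy, else a short reason."""
    if ev["asset"] not in REGISTER:
        return "asset not in classification register"
    if ev["action"] not in ("read", "transfer"):
        return "unknown action"
    if not can_access(ev["role"], ev["asset"]):
        return "role clearance below asset classification"
    if ev["action"] == "transfer" and not transfer_allowed(
            ev["asset"], ev.get("dest_region", ""), ev.get("authorization")):
        return "transfer outside the Kingdom without authorization"
    return None


def review_log(lines: List[str]) -> List[dict]:
    """Replay JSON audit events (ts, role, action, asset, optional dest_region
    and authorization) against the policy and return the violations."""
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        reason = check_event(ev)
        if reason is not None:
            findings.append({"ts": ev["ts"], "role": ev["role"], "asset": ev["asset"],
                             "action": ev["action"], "reason": reason})
    return findings


# Constructed sample audit events; the authorization reference is a placeholder.
SAMPLE_LOG = [
    '{"ts": "2024-03-01T08:00:00Z", "role": "analyst", "action": "read", "asset": "open-data/budget-summary"}',
    '{"ts": "2024-03-01T08:05:00Z", "role": "analyst", "action": "read", "asset": "hr/payroll"}',
    '{"ts": "2024-03-01T08:10:00Z", "role": "hr-admin", "action": "transfer", "asset": "hr/payroll", "dest_region": "eu-west-1"}',
    '{"ts": "2024-03-01T08:15:00Z", "role": "cdpo", "action": "transfer", "asset": "hr/payroll", "dest_region": "eu-west-1", "authorization": "approval-001"}',
    '{"ts": "2024-03-01T08:20:00Z", "role": "hr-admin", "action": "read", "asset": "legacy/export.csv"}',
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(json.dumps(finding))
```

Running the block reports three violations from the sample log: an analyst reading a SECRET asset, a transfer to eu-west-1 with no authorization reference, and a read of an asset that is missing from the register. The last case is the one worth watching in practice: an asset that is not in the register cannot be classified, so the check denies it and the finding feeds straight back into the Step 3 inventory work. The transfer by the cdpo role passes only because both conditions hold, sufficient clearance and a documented authorization; either one alone is not enough.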

For organizations that have not previously invested in data management infrastructure, NDMO compliance creates both the requirement and the justification for that investment. For those with existing infrastructure, NDMO provides the governance framework that should govern how that infrastructure is configured and used.

Final Thoughts

The NDMO framework is the most comprehensive national data governance requirement in the Gulf region. Its 15 domains, 77 controls, and 191 specifications create a detailed, auditable standard for how Saudi public entities and their partners must manage data.

For organizations operating in or with Saudi Arabia, the practical implication is that data governance is no longer optional. The framework demands it, the government enforces it, and the data infrastructure to support it must be built.

Organizations that approach NDMO compliance strategically, treating it as an opportunity to build data management capabilities that create competitive advantage rather than as a compliance exercise to satisfy auditors, extract lasting value from the investment.

For data teams building the governance frameworks, metadata management systems, data quality programs, and access control infrastructure that NDMO compliance requires, Data Pilot’s data governance and strategy consulting helps organizations in Saudi Arabia and the wider GCC region build compliant, trustworthy, and high-performing data foundations.
