Other BriefingsSaudi Arabia Invites Global Feedback on Draft Global AI Hub Law
Saudi Arabia issues a draft Global AI Hub Law for public consultation, introducing data sovereignty hubs and redefining cross-border digital infrastructure.
On April 14, 2025, Saudi Arabia’s Communications, Space and Technology Commission (CST) released a draft of the Global AI Hub Law for public consultation, inviting international feedback until May 14, 2025. This landmark proposal introduces a regulatory framework for establishing sovereign and foreign-affiliated data centers, called Hubs, within the Kingdom. These Hubs allow data localization under foreign laws while still operating within Saudi borders. This draft law signals a pivotal shift in global data governance and lays the foundation for Saudi Arabia to become a major digital and artificial intelligence hub.
Overview of the draft Global AI Hub Law
The draft law introduces the legal foundation for three types of digital infrastructure Hubs: Private Hubs, Extended Hubs, and Virtual Hubs. These centers aim to host data, applications, infrastructure, and services of foreign governments or companies, under frameworks that respect the originating country’s laws. The proposed law provides for agreements, privileges, and oversight mechanisms that facilitate such operations within Saudi territory while ensuring national sovereignty, data security, and digital continuity.
The law will be regulated by a Competent Authority appointed by the Council of Ministers. Depending on operational needs, this could be CST, the Saudi Data and Artificial Intelligence Authority (SDAIA), or another regulatory agency. The draft law stipulates cooperation with foreign governments and multinationals through Bilateral Agreements or regulatory approvals, depending on the Hub type.
Structure and purpose of Hub categories
The draft Global AI Hub Law introduces three distinct models for hosting and processing foreign data and services within Saudi Arabia: Private Hubs, Extended Hubs, and Virtual Hubs. Each model has a tailored legal and operational structure, designed to facilitate digital cooperation while preserving Saudi Arabia’s sovereign oversight.
A Private Hub is designed for the exclusive use of a foreign government, referred to as a Guest Country, and is established through a formal Bilateral Agreement between that country and Saudi Arabia. This type of Hub operates entirely under the laws of the Guest Country for all hosted data, applications, and systems. It enjoys extensive privileges, akin to those granted to diplomatic missions. These include inviolability of hosted data, legal immunity for appointed staff, and protected communications infrastructure. The Guest Country maintains full legal authority over its data, while the Host Country ensures the physical and operational integrity of the infrastructure.
An Extended Hub is a more flexible model that involves a tri-party arrangement between Saudi Arabia, a Guest Country, and an approved local or foreign Operator. While the data continues to be governed by the Guest Country’s laws, the Operator is responsible for maintaining and managing the Hub’s infrastructure under a regulatory agreement. This model accommodates scenarios where the Guest Country lacks the capability to directly operate its own infrastructure. While not enjoying full diplomatic protections, the Extended Hub is safeguarded by terms specified in the bilateral agreement and any applicable operational protocols established by the Competent Authority.
The Virtual Hub represents a commercial model where a licensed Service Provider, incorporated in Saudi Arabia, offers hosting services to clients from Designated Foreign States. These hubs are regulated under Saudi jurisdiction but operate under the governing laws of the foreign clients’ home countries with respect to data handling. Although lacking bilateral privileges, Virtual Hubs must receive prior approval from Saudi regulators and are required to maintain transparent compliance records. They provide a lower-barrier entry for businesses and are crucial for multinational service delivery models, especially for companies without a formal state backing or bilateral agreement.
| Hub type | Primary user | Legal basis | Governing law | Privileges |
| Private hub | Guest country | Bilateral agreement | Guest country law | Diplomatic-like |
| Extended hub | Operator + guest | Bilateral + operator agreement | Guest country law | Limited |
| Virtual hub | Service provider | Regulatory approval | Designated foreign state | Not specified |
Legal and strategic implications
The draft law fundamentally reshapes the notion of digital jurisdiction by allowing foreign governments and multinational corporations to operate data centers within Saudi Arabia while applying their own national laws to the data they host. This dual-jurisdiction approach introduces a new model for managing data sovereignty in a globally connected digital economy. By enabling entities to maintain control over their data and applications, the law supports frictionless cross-border data flows while ensuring operations remain within a sovereign legal and infrastructure framework.
Among the strategic benefits, the framework supports data sovereignty and cross-border operations without undermining local oversight. It removes traditional barriers around data localization and offers legal certainty for deploying AI, cloud services, and cybersecurity technologies within Saudi infrastructure. Furthermore, the initiative promotes regional service delivery by enabling localized data processing, thereby reducing latency and supporting compliance with domestic privacy regulations. In effect, the draft law offers a stable legal basis for the development of sovereign-aligned digital ecosystems.
Saudi authorities also retain strong safeguards. In the event of emergencies such as natural disasters or threats to public safety, the law authorizes the government to intervene directly in Hub operations. While data hosted in Virtual Hubs remains under the exclusive jurisdiction of the customer’s national authorities, Saudi Arabia will cooperate with those authorities for enforcement, ensuring compliance without undermining national interests.
Protections and limitations
To safeguard its sovereignty and national interests, the Kingdom reserves the right to terminate any agreement or revoke Hub approvals, particularly in cases where diplomatic relations are absent or national security is at stake. The government may access a Hub in emergencies, such as fires, floods, or cybersecurity threats, and may prohibit service providers whose operations could disrupt public order or national stability. These measures balance legal autonomy for foreign operators with domestic accountability and regulatory oversight.
The law also demands compliance with international laws, applicable bilateral agreements, and cybersecurity regulations. All Hubs must be formally registered and subject to oversight by a Competent Authority appointed by the Council of Ministers. This ensures a robust compliance mechanism that prevents abuse or operational ambiguity.
Operational and compliance challenges for businesses
Despite offering opportunities for operational flexibility, the proposed law introduces compliance complexities that foreign and local businesses must navigate. Operating under the legal framework of a foreign country while physically based in Saudi Arabia requires intricate coordination between legal and operational teams. Infrastructure must be designed with dual regulatory compliance, domestic and foreign, in mind.
Moreover, operators of Virtual Hubs will be required to maintain detailed records, demonstrate audit readiness, and support enforcement requests by the foreign authorities whose laws govern the hosted data. Hosting data from multiple jurisdictions can also pose governance challenges, particularly for multinational firms dealing with differing regulatory standards. Firms entering agreements under this framework should proactively assess their compliance capabilities and legal exposure before proceeding, ideally through early-stage legal consultation and jurisdictional analysis.
Next steps and consultation
The CST has launched a public consultation through the Saudi ‘Istitlaa’ platform. The feedback window is open until May 14, 2025. Interested parties, including technology providers, governments, legal experts, and investors, can submit comments via Istitlaa or email queries to AIHub@cst.gov.sa.
Foreign businesses are advised to evaluate the model’s alignment with their digital infrastructure and compliance strategies. For those operating in the Middle East, the Hub framework may offer competitive benefits in terms of cost, latency, and regulatory coherence.
In brief
The Global AI Hub Law positions Saudi Arabia at the forefront of cross-border data innovation. By redefining how data jurisdiction can function within a sovereign context, the law offers a model for international collaboration that balances digital access with regulatory integrity.
As AI and cloud technologies continue to shape global economies, frameworks like this could become essential. Whether through Private Hubs for foreign governments, Extended Hubs for multinationals, or Virtual Hubs for digital service providers, the Kingdom’s proposal reflects a strategic vision to drive digital transformation while maintaining legal safeguards.
Middle East Briefing 是Asia Briefing旗下的五大区域性内容平台之一,由协力管理咨询(Dezan Shira & Associates)提供支持。协力管理咨询是一家泛亚洲的专业服务公司,致力于为跨国投资者提供服务。 我们在迪拜(阿联酋)、中国、印度、越南、新加坡、印度尼西亚、意大利、德国和美国设有办公室。此外,我们与位于马来西亚、孟加拉国、菲律宾、泰国和澳大利亚的合作伙伴公司保持紧密合作。
如需在中东设立企业或进驻其他亚洲市场的相关信息,请通过邮箱 dubai@dezshira.com 联系我们,或访问我们的网站www.dezshira.com。此外,点击此处免费订阅Middle East Briefing的内容产品。
- Previous Article Saudi Arabia New Draft Data Protection Amendments: Overview and Business Implications
- Next Article
