Skip to content
World Watch/Kuwait/Cybersecurity

Cybersecurity ยท Kuwait

Cybersecurity law & regulation in Kuwait (2026)

Comprehensive lawNCSC Decision No. 2/2026 (National Basic Cybersecurity Controls, NBCC/KNBCC); Law No. 63/2015 on Combating Information Technology Crimes; CITRA established under Law No. 37/2014; National Cybersecurity Strategy (CITRA/NCSC)Country index 71 ยท B

Kuwait shaded by its cybersecurity status

Cybersecurity in Kuwait: comprehensive law, anchored by NCSC Decision No. 2/2026 (National Basic Cybersecurity Controls, NBCC/KNBCC); Law No. 63/2015 on Combating Information Technology Crimes; CITRA established under Law No. 37/2014; National Cybersecurity Strategy (CITRA/NCSC).

Kuwait has established a mandatory, cross-sector cybersecurity baseline through NCSC Decision No. 2 of 2026 (the National Basic Cybersecurity Controls), which applies to all government bodies, military and security agencies, and critical private-sector entities with an 18-month compliance deadline (approx. October 2027). This sits atop a pre-existing cybercrime law (Law No. 63/2015) and CITRA's regulatory and enforcement powers over telecoms and ICT services. A companion data classification framework (NCSC Decision No. 1/2025) and cloud-sector breach-notification rules further define incident-reporting duties.

Key points

NBCC Mandatory Controls (2026)

NCSC Decision No. 2 of 5 April 2026 formally mandates the National Basic Cybersecurity Controls across six domains, Govern, Identify, Protect, Detect, Respond, and Recover, for all civil government entities, security/military bodies, and designated critical private-sector organisations (telecom, energy, finance, healthcare). Non-compliance can trigger regulatory action and criminal liability.

Compliance Deadline

Covered entities have 18 months from the April 2026 publication date to achieve full NBCC compliance, placing the deadline at approximately October 2027. Organisations certified to ISO/IEC 27001 may have a partial head start but must still conduct a gap assessment against Kuwait-specific requirements.

Cybercrime Law No. 63/2015

Law No. 63 of 2015, in force since January 2016, criminalises unauthorised access, hacking, data theft, fraud, and distribution of harmful content via information systems, and provides the primary criminal-enforcement backbone for cyber offences.

CITRA as Regulatory Authority

The Communications and Information Technology Regulatory Authority (CITRA), established by Law No. 37/2014, oversees cybersecurity at the national level through its Information Security and Emergency Response Department and the National Cybersecurity Centre (NCSC). CITRA can impose fines up to KD 1 million per violation and order network blocking or content removal.

Breach Notification & Incident Reporting

CITRA's cloud-computing regulatory framework requires cloud service providers to notify authorities of data breaches within 72 hours. The NBCC's 'Respond' domain mandates documented incident-response plans with defined escalation paths and reporting obligations for all covered entities.

Data Classification Framework (2025)

NCSC Decision No. 1 of 2025 establishes a mandatory national data-classification regime, requiring government entities to classify data by sensitivity, apply corresponding security controls, and obtain NCSC approval before transferring sensitive (Tier 3/4) data outside Kuwait.

Timeline - major decisions & events

Apr 5, 2026law
NCSC Decision No. 2/2026: Kuwait National Basic Cybersecurity Controls (KNBCC) Issued

Kuwait's National Cybersecurity Centre issued a mandatory cross-sector baseline covering government agencies, military/security bodies, and critical private-sector entities across six control domains (Identify, Protect, Detect, Respond, Recover, Govern), aligned to ISO 27001 and NIST CSF, with an 18-month compliance deadline. This is the first unified mandatory standard applying simultaneously to both public and private sectors.

ASAR Legal โ†—
Oct 19, 2025law
NCSC Decision No. 1/2025: National Data Classification Framework Mandated

The National Cybersecurity Centre issued a binding framework requiring all entities handling electronic information to classify data into defined tiers and obtain NCSC authorisation before storing or processing Tier 3/4 (sensitive) data outside Kuwait. Directly feeds into the cross-border data-transfer controls enforced under both CITRA and NCSC regimes.

Wefaq Law โ†—
May 1, 2024lawofficial
CITRA Decision No. 26/2024: Data Privacy Protection Regulations for Telecom and IT Sector

CITRA replaced prior data-privacy rules for telecommunications and information technology service providers, introducing detailed obligations on lawful processing, consent, 72-hour breach notification, and cross-border transfer authorisation. Represents the most comprehensive sector-specific data-protection update since CITRA's founding.

CITRA โ†—
Jan 1, 2024decision
NCSC Launches GovShield: Government-Wide Cyber Defence Programme

The National Cybersecurity Centre deployed a centralised Government Cyber Shield (GovShield) offering a 24/7 Security Operations Centre, continuous monitoring, real-time threat detection, penetration testing, and Active Directory assessments to all government ministries at no cost. Represents Kuwait's first structured national-level SOC capability for the public sector.

Telecom Review Middle East โ†—
Aug 20, 2023law
NCSC Decision No. 35/2023: National Framework for Cybersecurity Governance Published

Published in Official Gazette Issue No. 1649, this decision established a binding governance architecture assigning cybersecurity responsibilities across the Supreme Committee, military/security entities, licensed service providers, and vital-sector organisations. The first substantive binding governance act issued by the newly created NCSC, translating the 2023-2027 strategy into enforceable duties.

Lexis Middle East (Official Gazette Issue 1649, 20/08/2023) โ†—
Jan 1, 2023guidanceofficial
National Cybersecurity Strategy 2023-2027 Adopted

Kuwait adopted a refreshed five-year cybersecurity strategy with priorities aligned to 5G deployment, cloud adoption, and digital-economy expansion, designating the NCSC as the central coordinating authority. Superseded the 2017 foundational strategy and provided the policy mandate for the wave of NCSC decisions that followed.

CITRA (Kuwait Government) โ†—
Feb 2, 2022law
Amiri Decree No. 37/2022: National Cybersecurity Center (NCSC) Established

An Amiri Decree created Kuwait's National Cybersecurity Centre as the dedicated national authority for protecting information networks, telecommunications systems, and critical infrastructure, consolidating responsibilities previously fragmented across multiple agencies. Marked the formal institutionalisation of cybersecurity governance as a standalone state function.

Lexis Middle East โ†—
Jan 1, 2022incident
LockBit Ransomware Attack on Kuwait Ministry of Commerce and Industry

Threat actors deployed LockBit ransomware against the Ministry of Commerce and Industry, disrupting government services and exposing systemic vulnerabilities in public-sector defences. The attack, one of several major incidents during a period when cybercrime cost Kuwait an estimated USD 160 million, reinforced the political momentum to create the NCSC.

Cyberlands โ†—
Sep 21, 2021lawofficial
CITRA Resolution No. 112: Cloud Computing Regulatory Framework Issued

CITRA mandated licensing for cloud service providers, tiered data localisation (Tier 3 and 4 data must be stored in Kuwait-based data centres), 72-hour breach notification, and service-level continuity obligations. Kuwait's first comprehensive cloud-specific security and data-sovereignty regime, covering both public-sector subscribers and private CSPs.

CITRA โ†—
Jan 1, 2017guidanceofficial
Kuwait's First National Cybersecurity Strategy Issued

The government published its inaugural National Cyber Security Strategy with three pillars: cultivating a cybersecurity culture, safeguarding national assets and critical infrastructure, and advancing regional and international cooperation. Provided Kuwait's first overarching strategic framework for state-level cyber defence and signalled the move toward a formal national architecture.

Council of Europe Octopus / CITRA โ†—
Jan 12, 2016law
Law No. 63/2015 on Combating Information Technology Crimes Enters Into Force

Kuwait's principal cybercrime statute criminalised unauthorised access, data alteration, hacking, electronic fraud, and spreading misinformation, with escalating penalties for attacks targeting government or critical-infrastructure systems. Enacted June 2015 and in force from 12 January 2016; remains the foundational criminal law for cyber offences.

Lexis Middle East โ†—

Kuwait - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’