Cybersecurity ยท Kuwait
Cybersecurity law & regulation in Kuwait (2026)
Kuwait shaded by its cybersecurity status
Cybersecurity in Kuwait: comprehensive law, anchored by NCSC Decision No. 2/2026 (National Basic Cybersecurity Controls, NBCC/KNBCC); Law No. 63/2015 on Combating Information Technology Crimes; CITRA established under Law No. 37/2014; National Cybersecurity Strategy (CITRA/NCSC).
Kuwait has established a mandatory, cross-sector cybersecurity baseline through NCSC Decision No. 2 of 2026 (the National Basic Cybersecurity Controls), which applies to all government bodies, military and security agencies, and critical private-sector entities with an 18-month compliance deadline (approx. October 2027). This sits atop a pre-existing cybercrime law (Law No. 63/2015) and CITRA's regulatory and enforcement powers over telecoms and ICT services. A companion data classification framework (NCSC Decision No. 1/2025) and cloud-sector breach-notification rules further define incident-reporting duties.
Key points
NCSC Decision No. 2 of 5 April 2026 formally mandates the National Basic Cybersecurity Controls across six domains, Govern, Identify, Protect, Detect, Respond, and Recover, for all civil government entities, security/military bodies, and designated critical private-sector organisations (telecom, energy, finance, healthcare). Non-compliance can trigger regulatory action and criminal liability.
Covered entities have 18 months from the April 2026 publication date to achieve full NBCC compliance, placing the deadline at approximately October 2027. Organisations certified to ISO/IEC 27001 may have a partial head start but must still conduct a gap assessment against Kuwait-specific requirements.
Law No. 63 of 2015, in force since January 2016, criminalises unauthorised access, hacking, data theft, fraud, and distribution of harmful content via information systems, and provides the primary criminal-enforcement backbone for cyber offences.
The Communications and Information Technology Regulatory Authority (CITRA), established by Law No. 37/2014, oversees cybersecurity at the national level through its Information Security and Emergency Response Department and the National Cybersecurity Centre (NCSC). CITRA can impose fines up to KD 1 million per violation and order network blocking or content removal.
CITRA's cloud-computing regulatory framework requires cloud service providers to notify authorities of data breaches within 72 hours. The NBCC's 'Respond' domain mandates documented incident-response plans with defined escalation paths and reporting obligations for all covered entities.
NCSC Decision No. 1 of 2025 establishes a mandatory national data-classification regime, requiring government entities to classify data by sensitivity, apply corresponding security controls, and obtain NCSC approval before transferring sensitive (Tier 3/4) data outside Kuwait.
Timeline - major decisions & events
Kuwait's National Cybersecurity Centre issued a mandatory cross-sector baseline covering government agencies, military/security bodies, and critical private-sector entities across six control domains (Identify, Protect, Detect, Respond, Recover, Govern), aligned to ISO 27001 and NIST CSF, with an 18-month compliance deadline. This is the first unified mandatory standard applying simultaneously to both public and private sectors.
ASAR Legal โThe National Cybersecurity Centre issued a binding framework requiring all entities handling electronic information to classify data into defined tiers and obtain NCSC authorisation before storing or processing Tier 3/4 (sensitive) data outside Kuwait. Directly feeds into the cross-border data-transfer controls enforced under both CITRA and NCSC regimes.
Wefaq Law โCITRA replaced prior data-privacy rules for telecommunications and information technology service providers, introducing detailed obligations on lawful processing, consent, 72-hour breach notification, and cross-border transfer authorisation. Represents the most comprehensive sector-specific data-protection update since CITRA's founding.
CITRA โThe National Cybersecurity Centre deployed a centralised Government Cyber Shield (GovShield) offering a 24/7 Security Operations Centre, continuous monitoring, real-time threat detection, penetration testing, and Active Directory assessments to all government ministries at no cost. Represents Kuwait's first structured national-level SOC capability for the public sector.
Telecom Review Middle East โPublished in Official Gazette Issue No. 1649, this decision established a binding governance architecture assigning cybersecurity responsibilities across the Supreme Committee, military/security entities, licensed service providers, and vital-sector organisations. The first substantive binding governance act issued by the newly created NCSC, translating the 2023-2027 strategy into enforceable duties.
Lexis Middle East (Official Gazette Issue 1649, 20/08/2023) โKuwait adopted a refreshed five-year cybersecurity strategy with priorities aligned to 5G deployment, cloud adoption, and digital-economy expansion, designating the NCSC as the central coordinating authority. Superseded the 2017 foundational strategy and provided the policy mandate for the wave of NCSC decisions that followed.
CITRA (Kuwait Government) โAn Amiri Decree created Kuwait's National Cybersecurity Centre as the dedicated national authority for protecting information networks, telecommunications systems, and critical infrastructure, consolidating responsibilities previously fragmented across multiple agencies. Marked the formal institutionalisation of cybersecurity governance as a standalone state function.
Lexis Middle East โThreat actors deployed LockBit ransomware against the Ministry of Commerce and Industry, disrupting government services and exposing systemic vulnerabilities in public-sector defences. The attack, one of several major incidents during a period when cybercrime cost Kuwait an estimated USD 160 million, reinforced the political momentum to create the NCSC.
Cyberlands โCITRA mandated licensing for cloud service providers, tiered data localisation (Tier 3 and 4 data must be stored in Kuwait-based data centres), 72-hour breach notification, and service-level continuity obligations. Kuwait's first comprehensive cloud-specific security and data-sovereignty regime, covering both public-sector subscribers and private CSPs.
CITRA โThe government published its inaugural National Cyber Security Strategy with three pillars: cultivating a cybersecurity culture, safeguarding national assets and critical infrastructure, and advancing regional and international cooperation. Provided Kuwait's first overarching strategic framework for state-level cyber defence and signalled the move toward a formal national architecture.
Council of Europe Octopus / CITRA โKuwait's principal cybercrime statute criminalised unauthorised access, data alteration, hacking, electronic fraud, and spreading misinformation, with escalating penalties for attacks targeting government or critical-infrastructure systems. Enacted June 2015 and in force from 12 January 2016; remains the foundational criminal law for cyber offences.
Lexis Middle East โKuwait - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ