Cybersecurity regulation in Kuwait (2026)
Kuwait has established a mandatory, cross-sector cybersecurity baseline through NCSC Decision No. 2 of 2026 (the National Basic Cybersecurity Controls), which applies to all government bodies, military and security agencies, and critical private-sector entities with an 18-month compliance deadline (approx. October 2027). This sits atop a pre-existing cybercrime law (Law No. 63/2015) and CITRA's regulatory and enforcement powers over telecoms and ICT services. A companion data classification framework (NCSC Decision No. 1/2025) and cloud-sector breach-notification rules further define incident-reporting duties.
Key points
NCSC Decision No. 2 of 5 April 2026 formally mandates the National Basic Cybersecurity Controls across six domains — Govern, Identify, Protect, Detect, Respond, and Recover — for all civil government entities, security/military bodies, and designated critical private-sector organisations (telecom, energy, finance, healthcare). Non-compliance can trigger regulatory action and criminal liability.
Covered entities have 18 months from the April 2026 publication date to achieve full NBCC compliance, placing the deadline at approximately October 2027. Organisations certified to ISO/IEC 27001 may have a partial head start but must still conduct a gap assessment against Kuwait-specific requirements.
Law No. 63 of 2015, in force since January 2016, criminalises unauthorised access, hacking, data theft, fraud, and distribution of harmful content via information systems, and provides the primary criminal-enforcement backbone for cyber offences.
The Communications and Information Technology Regulatory Authority (CITRA), established by Law No. 37/2014, oversees cybersecurity at the national level through its Information Security and Emergency Response Department and the National Cybersecurity Centre (NCSC). CITRA can impose fines up to KD 1 million per violation and order network blocking or content removal.
CITRA's cloud-computing regulatory framework requires cloud service providers to notify authorities of data breaches within 72 hours. The NBCC's 'Respond' domain mandates documented incident-response plans with defined escalation paths and reporting obligations for all covered entities.
NCSC Decision No. 1 of 2025 establishes a mandatory national data-classification regime, requiring government entities to classify data by sensitivity, apply corresponding security controls, and obtain NCSC approval before transferring sensitive (Tier 3/4) data outside Kuwait.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.