Cybersecurity in Kuwait: What the new rules mean for businesses
Kuwait has introduced new cybersecurity rules that set minimum standards for how organisations must protect their systems and data. Non-compliance may lead to regulatory action and potential criminal liability under applicable laws.
In March 2026, the Kuwait National Cybersecurity Centre (NCSC) issued Resolution No. (2) of 2026 on National Basic Cybersecurity Controls, establishing a unified framework for managing cyber risks across the country. While the controls are technical in nature, their impact is practical: organisations must review how they classify, store, protect, and transfer data to ensure they meet the new national requirements.
Why this matters
These rules go beyond IT functions and affect day-to-day operations. The framework is intended to:
- Enhance cybersecurity readiness and resilience at a national level
- Protect assets, systems, networks, services, and data from cyber threats
- Strengthen governance, accountability and risk management
- Introduce consistent standards that can be measured and monitored by the NCSC
Failure to comply may result in regulatory action or criminal consequences under applicable laws, making early assessment and preparation important.
Who must comply
The rules apply on a mandatory basis to “Concerned Entities” – organisations that fall under the NCSC’s regulatory oversight – including:
- Government bodies (civil, military, and security)
- Public sector institutions
- Private sector organisations within the NCSC’s jurisdiction
- Any other entities specifically designated by the NCSC
Organisations outside the formal scope are encouraged to adopt the controls voluntarily to enhance resilience and align with national expectations.
Concerned Entities are required to achieve full compliance with the applicable requirements within a period of eighteen (18) months from publication, unless the NCSC grants a documented and time-bound exemption.
What the framework covers
The Cybersecurity Controls introduce a set of baseline requirements, including:
- Data protection and technical security measures (including password and access controls)
- Data classification requirements
- Assessment of potential risks and compliance procedures
- Breach notification obligations
- Cross-border data transfer requirements, including approval processes for transferring Kuwait-sourced data outside Kuwait
Together, these measures aim to ensure data is handled in a consistent, secure and accountable manner.
Key considerations for organisations
Organisations should assess their current position against the new requirements. In particular:
- Whether they fall within the definition of a “Concerned Entity”
- How their data is currently classified and protected
- Whether they can detect and report cybersecurity incidents in line with the rules.
- Whether cross-border data transfers are subject to required approvals
- Whether internal governance and accountability for cybersecurity are clearly defined
- Whether they are eligible to request an exemption
How ASAR can help
ASAR can advise on how the Cybersecurity Controls apply to your organisation and support compliance with the new requirements.
This includes scope assessment, reviewing existing cybersecurity and data governance frameworks, identifying compliance gaps, and supporting implementation. We also advise on key obligations such as data classification, breach reporting, and cross-border data transfer approvals.
If you would like to discuss how these rules affect your organisation, please contact us at asar@asarlegal.com






