What is AI regulation in Kuwait?
AI regulation: countries and regions
Kuwait has no dedicated AI law and no AI regulator as of 2026. AI is governed indirectly through existing rules: the Communications and Information Technology Regulatory Authority (CITRA) Data Privacy Protection Regulation (Decision No. 26 of 2024), the Electronic Transactions Law (No. 20 of 2014), the Cybercrime Law (No. 63 of 2015) and civil liability codes. A draft Kuwait National AI Strategy (2025 to 2028) sets direction but is policy, not binding law.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Kuwait does not regulate artificial intelligence through a single statute. There is no Kuwaiti equivalent of the EU AI Act, no AI-specific regulator, and no binding AI rulebook. Anyone deploying AI in Kuwait is governed by general laws that were not written with AI in mind: data protection rules issued by CITRA, the Electronic Transactions Law, the Cybercrime Law, sector rules from the Central Bank of Kuwait, and the Civil Code's liability provisions.
The country has set a clear direction of travel. A draft Kuwait National AI Strategy (2025 to 2028) was published in early 2025 by the Central Agency for Information Technology (CAIT), aligned with the long-term national plan Kuwait Vision 2035 (also called New Kuwait). The strategy is a roadmap and a set of recommendations, not enforceable law. It signals an intention to build a regulatory and ethical framework over time.
So the practical position is simple to state. As of 2026, AI in Kuwait is governed by a patchwork of existing laws plus voluntary strategy. The institutions that matter today are CITRA, CAIT, the National Cybersecurity Center and the Central Bank of Kuwait, each acting within its existing remit rather than as a dedicated AI authority.
Why it matters
For organisations, the absence of a dedicated AI law does not mean an absence of obligations. It means the obligations sit in laws you might not associate with AI. If your AI processes personal data and you are a CITRA-licensed telecom or internet provider, the Data Privacy Protection Regulation applies directly, including consent, transparency, breach notification and a right not to be subject to solely automated decisions. If you are not a licensee, the Electronic Transactions Law and the Cybercrime Law still govern how you handle electronic personal data and create criminal exposure for unlawful access or disclosure. If you run AI in financial services, the Central Bank of Kuwait's expectations on governance, oversight and accountability apply. And because Kuwait has no AI-specific liability regime, harm caused by AI is allocated through ordinary civil liability: a human or company, never the AI itself, bears responsibility. Getting this wrong creates real legal and reputational risk even though no law has the words "artificial intelligence" in its title.
How it works
No dedicated AI statute, but a working patchwork
Kuwait has not enacted a comprehensive AI law, and governance of AI-related personal data is derived from existing instruments. The core pieces are the Electronic Transactions Law (No. 20 of 2014) and its Executive Regulations, which set baseline duties for handling electronic personal data across public and private bodies; the Cybercrime Law (No. 63 of 2015), which criminalises unauthorised access, alteration, disclosure and destruction of data; and the CITRA Data Privacy Protection Regulation. The Constitution of Kuwait of 1962 establishes a right to privacy, including the confidentiality of communications under Article 39, which sits beneath these statutes.
The CITRA Data Privacy Protection Regulation
CITRA first issued a Data Privacy Protection Regulation as Decision No. 42 of 2021. It was replaced by Decision No. 26 of 2024, effective 19 February 2024. The 2024 version narrowed the scope significantly: as Chambers and Partners summarises, the regulation "as amended by Decision No 26 of 2024" now "applies exclusively to CITRA-licensed telecom and internet providers (the 'Licensees') and imposes consent, transparency, security, transfer notice and breach notification duties on those Licensees." For those licensees it requires explicit consent before collecting or processing personal data, clear information in Arabic and English, breach notification to CITRA within 72 hours, security measures, record-keeping, and a right not to be subject to automated individual decision-making, including profiling. CITRA also repealed its former Data Classification Policy under Decision No. 34 of 2024.
The institutions
Three bodies define Kuwait's digital governance. CITRA, established under Law No. 37 of 2014, regulates telecoms and IT, licenses operators and oversees privacy and cloud compliance. CAIT leads government digital transformation and national cloud and AI adoption in the public sector. The National Cybersecurity Center, created in 2022, oversees cybersecurity and data-classification matters. None of these is a dedicated AI regulator. Kuwait does not currently have a single authority with overarching jurisdiction over data protection, let alone AI.
Financial services: the Central Bank of Kuwait
The Central Bank of Kuwait runs an innovation hub called Wolooj, a supervised environment for testing artificial intelligence, fintech, information security and regulatory technology. Kuwait has not issued a binding central-bank AI rulebook of the kind some Gulf peers now have; instead, AI in banking is governed through existing prudential, cybersecurity and consumer-protection instructions and through the bank's general supervisory expectations on governance and human accountability.
The draft national strategy and a stalled bill
The draft Kuwait National AI Strategy (2025 to 2028) was published in early 2025 by CAIT, building on an earlier Microsoft-authored "Kuwait National AI Strategy Framework" whitepaper, which Microsoft describes as "a strategic guide for the Kuwaiti Government in shaping a robust and forward-thinking national AI strategy." It aligns with Kuwait Vision 2035 and proposes first-year ambitions including establishing an AI Centre of Excellence, launching pilot AI projects and developing a centralised data repository, as well as a high-level steering committee. It is a draft roadmap, not binding law. Separately, five members of parliament (Dawoud Maarefi, Abdullah Fehad, Hassan Jawhar, Fahd Al-Masoud and Badr Al-Mulla) submitted a bill in December 2023 to establish a Public Authority for Artificial Intelligence (PAAI) that would draft AI legislation. That bill has not advanced. On 10 May 2024 the Amir dissolved the National Assembly and suspended parts of the Constitution; the Assembly remains suspended as of 2026, so the bill has effectively lapsed and any new AI law would now have to come by Amiri decree.
Examples
A telecom operator deploying an AI chatbot that processes customer data: because the operator is a CITRA licensee, the Data Privacy Protection Regulation (Decision No. 26 of 2024) applies in full. It must obtain explicit consent, provide bilingual notices, honour the right not to be subject to solely automated decisions, and notify CITRA of any personal data breach within 72 hours.
A fintech testing an AI credit-scoring or robo-advisory tool: the firm can apply to the Central Bank of Kuwait's Wolooj innovation hub to test in a supervised environment. There is no AI-specific statute, so the firm remains liable under existing prudential, cybersecurity and consumer-protection rules, and a human compliance function is expected to retain oversight of the model.
A healthtech company using AI on patient records: it is generally not a CITRA licensee, so the Data Privacy Protection Regulation does not apply directly. Instead, the Electronic Transactions Law governs handling of electronic personal data, the Cybercrime Law criminalises unlawful access or disclosure, and the Medical Profession Law (No. 70 of 2020) requires written patient consent for disclosure of medical data.
Common misunderstandings
"Kuwait has an AI law." It does not. As of 2026 there is no dedicated AI statute and no AI regulator. AI is governed through general laws and a non-binding strategy.
"CITRA's data regulation covers all AI use." Since Decision No. 26 of 2024, the Data Privacy Protection Regulation applies only to CITRA-licensed telecom and internet providers, not to every organisation handling personal data.
"The National AI Strategy is binding regulation." The Kuwait National AI Strategy (2025 to 2028) is a draft roadmap and recommendations, not enforceable law.
"There is a national data protection law like the GDPR." Kuwait has no single, state-wide data protection statute. Protection comes from a patchwork of the Electronic Transactions Law, the Cybercrime Law, the Constitution and sector rules.
"AI can be blamed for harm in Kuwait." Under Kuwaiti law an AI system has no legal personality. Liability falls on the human or company deploying it.
Risks and boundaries
This article describes a fast-moving but currently thin legal landscape, and several things are genuinely uncertain. What is confirmed: there is no dedicated AI law, no AI regulator, and the binding rules that touch AI are data, cybercrime, telecom and financial-sector instruments. What is pending or aspirational: the draft National AI Strategy, the proposed Public Authority for Artificial Intelligence, and any future ethics or risk-based framework. What could change quickly: because the National Assembly is suspended, the government can issue or amend laws by Amiri decree without legislative review, so a binding AI instrument could appear with little parliamentary process. This is not legal advice; obligations depend on whether you are a CITRA licensee, your sector and the personal data you handle. Anyone relying on the absence of an AI law should treat that absence as temporary, not durable.
What to do next
First, map which existing laws actually bind you: confirm whether you are a CITRA licensee, whether you process electronic personal data, and whether you operate in financial services. Second, treat the CITRA Data Privacy Protection Regulation as your reference standard for data governance even if you are not a licensee, because it signals the direction of Kuwaiti expectations and broadly tracks international norms. Third, keep a human accountable for every consequential AI decision; Kuwaiti law gives AI no legal personality, so document oversight, validation and audit trails. Fourth, if you are a fintech, engage the Central Bank of Kuwait's Wolooj hub before launching novel AI products. Fifth, monitor CAIT and CITRA announcements and watch for Amiri decrees, since a binding AI framework could arrive without a legislative cycle. Benchmarks that should trigger a review: any enactment of an AI statute or Public Authority for Artificial Intelligence, any CITRA or CBK AI-specific guidance, or any widening of the Data Privacy Protection Regulation back to all controllers.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Kuwait have an AI law?
No. As of 2026 Kuwait has no dedicated AI statute and no AI-specific regulator. AI is governed indirectly through data protection, cybercrime, telecom, financial-sector and civil liability rules, plus a non-binding draft national strategy.
Who regulates AI in Kuwait?
No single body regulates AI. CITRA handles telecom and data privacy for licensees, CAIT leads government digital transformation, the National Cybersecurity Center handles cybersecurity, and the Central Bank of Kuwait supervises AI in finance, each within its existing remit.
What is the CITRA Data Privacy Protection Regulation?
It is Kuwait's main data privacy instrument, first issued as Decision No. 42 of 2021 and replaced by Decision No. 26 of 2024. Since 2024 it applies only to CITRA-licensed telecom and internet providers and includes a right not to be subject to solely automated decisions.
Is the Kuwait National AI Strategy a law?
No. The Kuwait National AI Strategy (2025 to 2028) is a draft roadmap published by CAIT, aligned with Kuwait Vision 2035. It sets direction and recommendations but is not binding regulation.
How is AI liability handled in Kuwait?
Through ordinary civil liability. An AI system has no legal personality under Kuwaiti law, so responsibility for harm falls on the human or company that deploys it. There is no AI-specific liability statute.
Can I test AI financial products in Kuwait?
Yes. The Central Bank of Kuwait operates the Wolooj innovation hub, a supervised environment for testing AI, fintech and related technologies, while existing prudential and consumer-protection rules continue to apply.
How does Kuwait compare with the UAE and Saudi Arabia?
Kuwait is earlier in its journey. The UAE and Saudi Arabia have dedicated AI institutions and strategies that began years earlier, while Kuwait has a draft strategy, fewer data centres and no AI authority yet, though it is moving through government partnerships with Microsoft (a strategic agreement signed on 6 March 2025) and Google Cloud.
Could Kuwait pass an AI law soon?
Possibly. The National Assembly has been suspended since May 2024, so any new AI law would come by Amiri decree rather than legislation. That means a binding framework could appear with little parliamentary process.