Kuwait Reinforces Cybersecurity Governance with the 2025 National Data Classification Framework
- Wefaq Law Firm


Overview
On 19 October 2025, Kuwait’s National Cybersecurity Center (NCSC) issued Decision No. (1) of 2025, officially titled “Regulation of the National Framework for Data Classification.” It was published in the Official Gazette (Al-Kuwait Al-Youm, Issue No. 1761, 19 October 2025) and repeals Decision No. (7) of 2023 concerning electronic data classification.
This new framework establishes binding standards for the classification, management, and protection of government data, aligning Kuwait with ISO/IEC 27001, ISO/IEC 27701, and NIST SP 800-60 methodologies.
Scope and Legal Effect (Article 3)
The regulation applies to all data forms—electronic or otherwise—held, processed, or transmitted by governmental, military, security, and public entities, as well as private bodies designated by the Center under Decree No. (37) of 2022 establishing the NCSC.
It covers every stage of the data lifecycle: creation, storage, processing, transfer, modification, and destruction.
Core Definitions (Article 1)
Article 1 introduces standardized definitions that now carry regulatory force:
- Sensitive Data: Information whose unauthorized disclosure or misuse could cause serious harm to national security, public order, the economy, environment, or individuals.
- Restricted Data: Information whose improper disclosure could cause limited or moderate harm to concerned entities or persons.
- Public Data: Information accessible without restriction, where disclosure causes no harm.
- Data Classification Document: An officially approved internal document issued by each entity, setting out procedures, roles, and security controls for data classification.
- Classification Tags and Labels: Technical markers applied to data assets indicating sensitivity level and handling requirements.
Purpose (Article 2)
The framework establishes a national, methodical system for classifying data according to sensitivity, value, and impact, ensuring confidentiality, integrity, and proper use in line with applicable policies and laws.
Obligations of Entities (Article 4)
Entities subject to the decision must:
- Classify data into at least three categories (Sensitive, Restricted, Public) and define sub-levels as needed.
- Issue and submit a Data Classification Document approved by senior management and consistent with the NCSC’s guidance manual.
- Implement technical and organizational measures appropriate to each classification level.
- Designate qualified officers (national staff) to supervise classification and interface with the NCSC.
- Train employees through periodic workshops and awareness programs.
- Obtain NCSC approval before handling or transferring sensitive data outside Kuwait, in accordance with the “Accreditation and Approval Policy.”
These obligations are explicitly derived from Article 4 (a)–(h) of the decision.
Accountability and Compliance (Article 5)
Article 5 assigns clear responsibility to each entity for:
- Preparing and maintaining its classification document.
- Ensuring data protection through appropriate security measures.
- Holding employees accountable for violations of approved procedures.
- Conducting periodic reviews and submitting implementation reports to the NCSC.
Entities remain legally liable for damage resulting from negligent data handling.
Accreditation and Approval Policy (Article 6)
Article 6 details two formal processes:
- Accreditation of the Data Classification Document:
  - Entities must complete the official forms (Forms 1–4) and submit to grcinfo@ncsc.gov.kw.
  - The NCSC reviews requests within 10 working days and issues either partial or full approval.
  - Partial approval requires revision within 3 months; full approval is valid for 12 months.
- Approval to Process or Transfer Sensitive Data Outside Kuwait:
  - Requires prior document accreditation and submission of Forms 5 and 6.
  - The NCSC may hold bilateral meetings before granting authorization.
Implementation and Repeal (Articles 7 – 9)
Article 7: Implementation under Decree No. (37) of 2022 establishing the NCSC.
Article 8: The regulation takes effect upon publication in the Official Gazette on 19 October 2025.
Article 9: Repeals Decision No. (7) of 2023, dated 16 July 2023, and any conflicting provisions.
Signed by Eng. Abeer Anwar Al-Awadhi, Chairperson of the National Cybersecurity Center.
Legal Commentary and Impact
This decision represents a comprehensive legal upgrade to Kuwait’s cyber governance framework:
- It consolidates previous electronic data rules into a unified, binding national standard.
- It creates an approval-based compliance system for data classification and cross-border processing.
- It elevates data classification from a technical exercise to a legal duty of care imposed on each entity.
- It aligns Kuwait with global best practices in data sovereignty and public-sector information security.
For legal advisors and compliance officers, Decision (1) of 2025 demands close review of government contracts, outsourcing arrangements, and data-handling clauses to ensure alignment with NCSC requirements.
Here is the full decision as published in the Official Gazette (Al-Kuwait Al-Youm, Issue No. 1761, 19 October 2025).



