🇸🇦 Saudi Regulatory Landscape

Operating a business in Saudi Arabia requires strict adherence to multiple government mandates. BayanCore embeds these regulations into its core workflow architecture, ensuring businesses remain compliant automatically.


1. Tax & E-Invoicing (ZATCA)

The Zakat, Tax and Customs Authority (ZATCA) regulates all commercial transactions, taxation, and e-invoice clearance.

  • VAT (Value Added Tax): Enforces the standard 15% VAT on taxable goods and services. Calculations must isolate taxable amounts, VAT amounts, and gross values in both English and Arabic.
  • WHT (Withholding Tax): Applicable to payments made to non-residents (e.g., software licenses, foreign consulting) with rates ranging from 5% to 20%.
  • Fatoora Phase 2 (Integration Phase):
    • B2B Transactions: Require real-time submission to the ZATCA Fatoora API for Clearance before the invoice is delivered to the buyer.
    • B2C Transactions: Require submission for Reporting within 24 hours of invoice generation.
    • Cryptographic Stamps: Each invoice must carry a cryptographic stamp tied to the seller's Cryptographic Stamp Identifier (CSID), a UBL 2.1 XML structure, a hash chain that links every invoice to the hash of the previous one, and a Base64-encoded Tag-Length-Value (TLV) QR code.
    • Read more in the ZATCA e-Invoicing Spec.
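As an added illustration, not BayanCore's own code, the following encodes and parses the Base64 TLV QR payload described above; the Phase 1 tag numbers, the seller name and the VAT number are assumptions, not values from this page. It shows the two checks a TLV parser needs: lengths are UTF-8 byte counts (an Arabic seller name is longer in bytes than in characters), and a truncated or oversized value is rejected rather than silently accepted.

```python
import base64
from datetime import datetime, timezone
from decimal import Decimal

# Phase 1 QR tags (assumed from ZATCA's public QR specification); Phase 2
# appends further tags for the XML hash, signature and public key.
TAGS = {"seller": 1, "vat_number": 2, "timestamp": 3, "total_with_vat": 4, "vat": 5}

def encode_tlv(fields):
    """Serialise {tag: str} as 1-byte tag, 1-byte length, UTF-8 value bytes."""
    out = bytearray()
    for tag, value in fields.items():
        raw = value.encode("utf-8")   # length is counted in bytes, not characters
        if not (0 <= tag <= 255 and len(raw) <= 255):
            raise ValueError(f"tag {tag}: tag or value does not fit in one byte")
        out += bytes([tag, len(raw)]) + raw
    return base64.b64encode(bytes(out)).decode("ascii")

def decode_tlv(qr_b64):
    """Parse a Base64 TLV payload back into {tag: str}, rejecting truncation."""
    data, fields, i = base64.b64decode(qr_b64, validate=True), {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"tag {tag}: declared {length} bytes, got {len(value)}")
        if tag in fields:
            raise ValueError(f"duplicate tag {tag}")
        fields[tag] = value.decode("utf-8")
        i += 2 + length
    return fields

def build_invoice_qr(seller, vat_number, issued_at, net_total):
    """Apply the standard 15% VAT and build the five Phase 1 QR fields."""
    vat = (Decimal(net_total) * Decimal("0.15")).quantize(Decimal("0.01"))
    gross = Decimal(net_total) + vat
    return encode_tlv({
        TAGS["seller"]: seller,
        TAGS["vat_number"]: vat_number,
        TAGS["timestamp"]: issued_at.isoformat().replace("+00:00", "Z"),
        TAGS["total_with_vat"]: f"{gross:.2f}",
        TAGS["vat"]: f"{vat:.2f}",
    })

# Constructed sample; the Arabic seller name is 9 characters but 17 UTF-8 bytes.
SAMPLE_QR = build_invoice_qr("شركة بيان", "300000000000003",
                             datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc), "1000.00")
```

Round-tripping SAMPLE_QR through decode_tlv returns the five fields with the gross total 1150.00 and VAT 150.00.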

2. Personal Data Protection Law (PDPL)

Enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), the PDPL governs the processing of personal data.

  • Data Residency: Financial, employee, and customer PII (Personally Identifiable Information) must remain within Saudi Arabia. Cross-border transfer is prohibited unless authorized.
  • Consent Management: Businesses must obtain and record explicit consent before processing user or customer data.
  • PII Protection & Redaction: AI features must redact personal identifiers (Iqama numbers, phone numbers, emails) before feeding data into large language models.
  • Right to Erasure (Data Purge): Customers and employees have the right to request the deletion of their personal records. Systems must purge this data across production databases, log servers, and backups.
  • Read more in the PDPL Compliance Spec and Data Residency Spec.

3. Labor Law & Social Insurance (MHRSD & GOSI)

The Ministry of Human Resources and Social Development (MHRSD) and the General Organization for Social Insurance (GOSI) regulate employment and payroll compliance.

  • Wage Protection System (WPS): Employers must submit monthly payroll reports in the standard Salary Information File (SIF) format directly to their banks. Discrepancies between contracted wages and actual payouts trigger automated ministry flags.
  • GOSI Contributions: Monthly payroll runs must compute correct GOSI deductions:
    • Saudi Employees: 21.5% total contribution (11.75% employer, 9.75% employee).
    • Non-Saudi Employees: 2% occupational hazard contribution paid entirely by the employer.
  • End-of-Service Benefit (EOSB): The system must calculate statutory gratuities based on Saudi Labor Law:
    • Half-month's salary per year for the first 5 years.
    • Full month's salary per year for subsequent years.
  • Nitaqat (Saudization): Real-time monitoring of Saudi-to-expat ratios to ensure the company maintains its desired green/platinum status on the Qiwa platform.
  • Read more in the Labor and Contracting Spec.

4. Cybersecurity Regulations (NCA)

The National Cybersecurity Authority (NCA) regulates information security policies for systems handling critical commercial operations.

  • Access Control: Mandates multi-factor authentication (MFA) and strict role-based access control (RBAC).
  • Immutable Auditing: All operational events, particularly ledger entries and compliance stamps, must be logged immutably.
  • Read more in the NCA Cybersecurity Spec and Audit Logging Spec.