
Electronic Signatures in Saudi Arabia

SahlSign Team

The Kingdom of Saudi Arabia recognised electronic signatures in 2007 — eight years before the EU finalised eIDAS, and a full eighteen years before Qatar issued its current Trust Service Provider regulation. Royal Decree No. M/18 of 2007 (the Electronic Transactions Law) gave electronic signatures legal effect at a moment when most regional frameworks were still nascent. The Saudi ecosystem evolved differently from the eIDAS-clone shape adopted later by the UAE, Qatar, and Oman: it sits on a more centralised national PKI operated by the National Center for Digital Certification, anchored on Nafath as the identity rail, with commercial CSPs operating as subordinate CAs under the national root. Layered on top: NCA cybersecurity controls, SAMA's banking-sector framework, the 2023 PDPL data-protection regime, and Vision 2030's digital-government targets. This is the operational picture B2B teams actually need.

Royal Decree M/18

the Electronic Transactions Law of 2007 — Saudi Arabia's foundational e-signature statute. Article 9 establishes general legal effect; Article 14 sets the reliability conditions for a signature equivalent to wet ink (unique linkage, sole control, tamper-evident binding, detectable post-signing alteration)

Bureau of Experts at the Council of Ministers, Kingdom of Saudi Arabia

NCDC

the National Center for Digital Certification — operates the Saudi National PKI Root CA under the Digital Government Authority (DGA). All Saudi-licensed certification service providers operate as subordinate CAs under NCDC's root, which gives the Kingdom a more centralised trust architecture than the eIDAS Trusted List model

National Center for Digital Certification, DGA

3B+ authentications

annual Nafath authentication volume — Saudi Arabia's national digital identity service. Nafath powers identity verification for government services, banking onboarding, and increasingly for private-sector signing flows. Combined with a qualified certificate from a Saudi CSP, Nafath enables practical QES-tier signing

Saudi Data and AI Authority (SDAIA) / Digital Government Authority

The legal foundation: Royal Decree M/18 of 2007

The Saudi Electronic Transactions Law was enacted by Royal Decree M/18 in 1428 AH (2007 AD) and remains the operative statute. Three articles do the heavy lifting:

Article 9 establishes general validity: an electronic signature cannot be denied legal effect or admissibility as evidence solely because it is in electronic form. This is the non-discrimination clause analogous to eIDAS Article 25(1) and Qatar's Article 39.1.

Article 14 sets the reliability conditions for a signature carrying the same legal weight as a wet-ink signature: the signature-creation information must be uniquely linked to the signatory, capable of identifying the signatory, created under conditions allowing the signatory's sole control at the time of signing, and linked to the signed data in a way that any post-signing alteration is detectable. These four conditions directly correspond to what the industry calls an Advanced Electronic Signature (AES) under eIDAS — and they're technology-neutral, satisfied by any properly-implemented signing platform.

Article 16 authorises certification service providers and outlines the licensing framework, with operational details delegated to implementing regulations.

What M/18 deliberately does NOT do: it does not formally codify the three-tier (SES/AES/QES) classification that became standard in eIDAS-aligned frameworks. The 2007 Saudi law has a more binary structure — signatures either meet the Article 14 reliability conditions or they don't. In practice, regulators and CSPs in the Kingdom now use SES/AES/QES vocabulary, but it lives in sector regulations and practice rather than in the statute itself.

The three-tier framework in practice

Although M/18 doesn't formally name three tiers, the operational landscape uses the eIDAS taxonomy. Here is the mapping that every B2B signing decision in KSA actually runs against:

Saudi signature tier required by document type under Royal Decree M/18 and sector regulations. SES with strong evidence satisfies Article 9 for the overwhelming majority of B2B commercial signing; AES via a Saudi CSP strengthens evidentiary record; QES via Nafath-anchored qualified certificate is reserved for state-facing acts and specific regulated instruments.

| Document type | Governing law | Signature tier requirement | Intensity |
|---|---|---|---|
| Employment contracts (Saudi nationals + expat) | Labour Law (Royal Decree M/51) / Nitaqat / WPS | SES sufficient. Saudi Labour Law does not require handwritten form for private-sector employment contracts. Filing through HRSD's digital channels accepts AES-strength signing. | Moderate |
| NDAs and commercial contracts | Civil Transactions Law (Royal Decree M/191 of 2023) / Commercial Court Law | SES sufficient. Article 14 reliability conditions met by OTP-anchored PAdES-B-T signature. AES recommended for high-value cross-border arrangements. | Moderate |
| Vendor and service agreements | Commercial Law | SES sufficient. Full evidentiary equivalence to wet ink under Article 9 and Article 14. | Moderate |
| ZATCA e-invoicing | Value Added Tax Law / ZATCA Phase 2 regulation | ZATCA cryptographic stamp is a separate regulatory object distinct from the underlying contract signature. Sales contracts supporting invoiced transactions can be signed via SES/AES; the cryptographic invoice stamp is an additional ZATCA requirement. | Restricted |
| SAMA-licensed financial documents | Banking Control Law / SAMA Cybersecurity Framework | SAMA layers sector-specific cybersecurity and identity-verification requirements on top of M/18. Retail and commercial banking documents — AES typically sufficient. Capital-markets instruments, certain high-value remittances — QES. | Restricted |
| Government tenders (Etimad platform) | Government Tenders and Procurement Law | Etimad supports electronic submission with Nafath authentication. Individual tender requirements vary; some specify QES-tier signing or wet-ink originals for award documentation. | Restricted |
| Notarial acts and powers of attorney | Notarial Law / Ministry of Justice Tawthiq platform | QES required via Tawthiq (توثيق) — the MoJ-operated qualified document authentication system. Powers of attorney, real-estate transactions, and notarial deeds use Tawthiq's qualified signing flow. | Strict |
| Real estate transfers | Real Estate Registration Law | QES required. Real estate ownership transfers run through Ejar / Ministry of Housing channels with qualified-tier signing. | Strict |
| Family law, wills, inheritance | Personal Status Law (Royal Decree M/73 of 2022) | Electronic execution excluded for these acts. Wet-ink, in-person processes through Sharia courts. | Strict |
| Negotiable instruments (cheques, bills of exchange) | Commercial Papers Law | Excluded from electronic execution. Wet-ink form required for the negotiable instrument itself. | Strict |

The Saudi PKI architecture: NCDC, Nafath, Tawthiq

Where Qatar (Decision 3/2025) and the UAE (FDL 46/2021) adopted the eIDAS-style Trusted List model — multiple independent QTSPs listed on a public registry — Saudi Arabia operates a more centralised architecture. Three institutions matter:

NCDC (National Center for Digital Certification) operates the Saudi National PKI Root CA under the Digital Government Authority. Every Saudi-licensed CSP operates as a subordinate CA under NCDC's root, which means trust ultimately chains to the government rather than to an independent commercial QTSP. NCDC was historically under MCIT; the DGA (Digital Government Authority, formerly Yesser) now houses it.

Nafath (نفاذ) is the national digital identity service operated by SDAIA / DGA. It provides identity authentication via the Absher framework and the national digital ID. Nafath does not issue qualified certificates itself — it authenticates the signer, and that authentication assertion is bound to a qualified certificate issued by a Saudi CSP. The combination of Nafath authentication + a Saudi CSP qualified certificate is the practical QES path in the Kingdom.

Tawthiq (توثيق) is the Ministry of Justice's qualified document authentication system. It is the canonical QES platform for notarial acts, powers of attorney, real-estate transfers, and other instruments that legally require qualified signing. Tawthiq is not a general-purpose B2B signing platform — it's the MoJ's own channel for legally-attested documents.

For B2B signing platforms operating in Saudi Arabia, the commercial CSP landscape determines the realistic integration options.

Commercial CSPs in Saudi Arabia

Unlike Qatar (where the Trusted List is currently empty), Saudi Arabia has operating commercial CSPs that B2B platforms can integrate with today. The provider landscape:

Recommended

Saudi Post (SPL) — SPL eSign / Tawqee

The most established commercial CSP in the Kingdom. Operates a signing-as-a-service API used by enterprise customers across banking, government contracting, and B2B commerce. Subordinate CA under NCDC's national root.

  • Commercial signing API with documented enterprise integrations
  • Issues qualified certificates to Saudi residents authenticated via Nafath
  • Pricing in SAR; transaction-volume tiers available for high-volume B2B platforms
  • Operationally proven — the realistic short-list option for SahlSign-class platforms needing Saudi-domestic QES capability

Alternative

Elm Information Security / Tabadul / Etimad

Government-affiliated technology operator (PIF-backed). Operates large parts of Saudi's digital government infrastructure including Nafath itself, the Etimad procurement platform, and various certificate services through subsidiaries and joint ventures.

  • Identity-side integration anchor — Nafath authentication is operated by Elm group
  • Certificate services more oriented to government and large-enterprise use cases than open commercial API
  • Best fit for platforms with existing government-channel relationships
  • Strategic partner for identity verification + Saudi government procurement integration

Other operators with historical CSP status include stc Solutions, Mobily Business, and various enterprise PKI services. As of 2026, the actively-commercial B2B integration paths for Saudi-domestic QES are SPL eSign (via Saudi Post) and Tawthiq (via the MoJ for notarial-tier documents specifically).

The sector overlays: NCA, SAMA, and PDPL

For B2B platforms operating in the Kingdom, three sector layers run alongside M/18 and shape signing-platform compliance:

NCA Essential Cybersecurity Controls (ECC-1:2018)

The National Cybersecurity Authority publishes 114 cybersecurity controls across five domains that apply to all government and critical-sector organisations. For an e-signature vendor evaluation, enterprise procurement at Saudi banks, healthcare systems, and government contractors will run signing platforms against the ECC controls — data residency, encryption (TLS 1.2+, AES-256 at rest), identity and access management, incident response, third-party risk. Covered in detail in our NCA cybersecurity post.

SAMA Cybersecurity Framework

The Saudi Central Bank maintains a separate Cybersecurity Framework that layers additional requirements on top of NCA's baseline for SAMA-licensed financial institutions. Data sovereignty (in-Kingdom hosting for Saudi customer data), annual penetration testing, third-party risk assessments for critical software vendors. Any signing platform serving Saudi banks must produce SAMA-tier compliance evidence during procurement.

Saudi PDPL (Royal Decree M/19 of 2023)

The Personal Data Protection Law governs handling of Saudi-resident personal data. Applies to every signing workflow that collects signer PII — names, emails, IP addresses, signed documents, audit logs. Data residency provisions, cross-border transfer requirements, subject-rights obligations. Covered in our PDPL compliance post.

The practical guidance for Saudi B2B teams

For private-sector B2B commercial agreements — NDAs, employment contracts, vendor and service agreements, commercial leases, supply contracts, software licences — a Simple Electronic Signature with strong cryptographic evidence (PAdES-B-T seal, RFC 3161 timestamping from an EUTL-listed TSA, hash-chained audit) satisfies Article 9 of M/18 and the Article 14 reliability conditions. QES via Tawthiq or a Saudi CSP becomes necessary only for notarial acts, real estate, government tenders that explicitly require it, and SAMA-regulated capital-markets instruments. The right tier is the lowest one that satisfies the receiving authority.

The realistic positioning for Saudi commercial signing

The QES upgrade path for SaaS platforms

For platforms that want to offer true QES-tier signing in Saudi Arabia, the integration shape is well-established:

Step 1

Nafath authentication

Signer is redirected to Nafath app, authenticates with national ID + biometric or PIN. Nafath returns an identity assertion bound to the signer's qualified identity record. Sandbox available; production approval via DGA partner channel.

Step 2

Saudi CSP qualified certificate

Saudi Post (SPL) or another Saudi-licensed CSP issues a qualified certificate bound to the Nafath-verified identity. The CSP operates as a subordinate CA under NCDC's national root, so the certificate chains to the Saudi government trust anchor.

Step 3

Qualified signing call

Platform POSTs the document hash to the CSP's remote-signing API. CSP applies the qualified signature using a server-side QSCD (HSM-backed) and returns the signed hash. The platform embeds the result into the PAdES container.

Step 4

PAdES-LT preservation

For long-term validity, the platform applies PAdES-LT or PAdES-LTA to embed validation material (certificate chain, OCSP responses, CRLs) into the signed PDF so signatures remain verifiable after the certificate expires.

Step 5

Bilingual completion certificate

The Certificate of Completion cites Royal Decree M/18 Articles 9 and 14, identifies Nafath as the identity anchor and the issuing Saudi CSP as the certificate authority, renders in Arabic RTL and English LTR, and includes the public verification URL.

This is structurally identical to how DocuSign and Adobe Sign integrate with European QTSPs under eIDAS — only the CSP and the identity anchor change. The PAdES container, the audit chain, and the document-side application code remain framework-neutral.

What's legally valid for SahlSign-tier signing today

SahlSign issues SES with strong cryptographic evidence — the tier explicitly recognised under M/18 Article 9 and satisfying the Article 14 reliability conditions for B2B commercial signing:

  • PAdES-B-T cryptographic sealing anchored on a publicly-trusted CA
  • RFC 3161 timestamps from EUTL-listed TSAs
  • SHA-256 hash-chained audit trail — tamper-evident at the envelope level
  • OTP-anchored signer authentication — sole control via verified email or phone
  • Bilingual completion certificates citing M/18 Articles 9 and 14, rendered in Arabic RTL and English LTR
  • In-region GCC data residency for organisations under NCA / SAMA / PDPL jurisdiction

For commercial B2B signing in the Kingdom, this is sufficient and legally enforceable today. The QES upgrade path — Nafath + Saudi CSP integration — is the natural next step when SahlSign's customer mix demands it.
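The hash-chained audit trail listed above is what makes post-signing alteration detectable in the Article 14 sense. The sketch below is an added example, not SahlSign's code: the entry fields, the all-zero genesis value and the idea of pinning the head hash outside the log (for instance inside the sealed completion certificate) are assumptions made for illustration, and the envelope data is constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first entry's prev_hash


def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def append_event(chain, event, actor, at, doc_sha256):
    """Append one audit entry linked to its predecessor; return the new head hash."""
    body = {"seq": len(chain), "event": event, "actor": actor, "at": at,
            "doc_sha256": doc_sha256,
            "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS}
    chain.append({**body, "entry_hash": _digest(body)})
    return chain[-1]["entry_hash"]


def verify_chain(chain, pinned_head=None):
    """Return (ok, index of the first failing entry, or None when ok)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (body.get("seq") != i or body.get("prev_hash") != prev
                or _digest(body) != entry.get("entry_hash")):
            return False, i
        prev = entry["entry_hash"]
    # A log that was truncated or recomputed end to end is internally
    # consistent; only a head hash stored outside the log exposes it.
    if pinned_head is not None and prev != pinned_head:
        return False, len(chain)
    return True, None


def sample_envelope():
    """Constructed sample: one envelope, four events, fictional parties."""
    doc = hashlib.sha256(b"constructed sample contract bytes").hexdigest()
    chain, head = [], None
    for event, actor, at in [
        ("envelope_created", "sender@example.com", "2026-01-10T09:00:00Z"),
        ("otp_verified", "signer@example.com", "2026-01-10T09:14:02Z"),
        ("document_signed", "signer@example.com", "2026-01-10T09:15:40Z"),
        ("envelope_completed", "system", "2026-01-10T09:15:41Z"),
    ]:
        head = append_event(chain, event, actor, at, doc)
    return chain, head


if __name__ == "__main__":
    chain, head = sample_envelope()
    print(verify_chain(chain, head))             # intact log
    edited = copy.deepcopy(chain)
    edited[2]["at"] = "2026-01-09T09:15:40Z"     # backdate the signing event
    print(verify_chain(edited, head))            # fails at entry 2
```

Without `pinned_head`, the check only proves the log is self-consistent; someone with write access to the whole log can recompute every hash after an edit, which is why the head needs to live somewhere the log writer cannot change.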

Five things to verify before deploying e-signing in Saudi Arabia

Saudi Arabia M/18 deployment checklist

  • Confirm the document type does not require QES

    The majority of commercial agreements sit under Article 9 with SES-tier signing fully sufficient. QES via Tawthiq or a Saudi CSP is required for notarial acts, real estate transfers, certain SAMA-regulated instruments, and tender documents that explicitly demand it.

  • Verify the platform meets Article 14 reliability conditions

    Unique linkage to the signatory, sole control at the moment of signing, tamper-evident binding (PAdES-B-T or equivalent), and detectable post-signing alteration (hash-chained audit). Same conceptual conditions as eIDAS Article 26.

  • Confirm NCA ECC alignment for enterprise procurement

    Saudi banks, government contractors, and healthcare systems will audit signing platforms against the NCA Essential Cybersecurity Controls. Data residency, encryption posture, IAM evidence, incident response documentation. Budget for the procurement compliance review in your sales cycle.

  • Plan for ZATCA Phase 2 if e-invoicing is in scope

    ZATCA's cryptographic stamp is a separate object from the contract signature. Contracts can be signed via SES/AES; the underlying invoices need ZATCA-compliant stamping if the transaction is taxable.

  • Plan for the Nafath QES upgrade path

    Even if today's documents are SES, the integration architecture should accept a Nafath + Saudi CSP QES upgrade later without application-layer changes. The PAdES container is the same; the signing call shifts from local sealing to a CSP remote-signing API.

Royal Decree M/18 is the foundational statute for electronic signature regulation in Saudi Arabia. Article 9 provides non-discrimination — signatures cannot be denied legal effect because they are electronic. Article 14 sets the reliability conditions for evidentiary equivalence to wet ink, satisfied by any properly-implemented signing platform. The Kingdom's PKI architecture is more centralised than the eIDAS Trusted List model: NCDC operates the national root, Nafath provides identity, and licensed CSPs like Saudi Post (SPL eSign) issue qualified certificates as subordinate CAs. For commercial B2B signing, SES with strong cryptographic evidence is sufficient. For notarial acts, real estate, and specific regulated instruments, QES via Tawthiq or a Saudi CSP is required.

Royal Decree No. M/18 of 1428 AH (2007 AD), Kingdom of Saudi Arabia
