Kuwait’s National Cybersecurity Center: The 2025 National Data Classification Framework

Kuwait’s National Cybersecurity Center: The 2025 National Data Classification Framework

22-10-2025

CybersecurityData ProtectionCompliance

Overview

On 19 October 2025, Kuwait’s National Cybersecurity Center (NCSC) issued Decision No. (1) of 2025, officially titled “Regulation of the National Framework for Data Classification.” This decision was published in the Official Gazette (Al-Kuwait Al-Youm, Issue No. 1761, 19 October 2025) and repeals Decision No. (7) of 2023 concerning electronic data classification.

This new framework establishes binding standards for the classification, management, and protection of government data, aligning Kuwait with ISO/IEC 27001, ISO/IEC 27701, and NIST SP 800-60 methodologies.

Scope and Legal Effect (Article 3)

The regulation applies to all data forms—electronic or otherwise—held, processed, or transmitted by governmental, military, security, and public entities, as well as private bodies designated by the Center under Decree No. (37) of 2022establishing the NCSC. It covers every stage of the data lifecycle: creation, storage, processing, transfer, modification, and destruction.

Core Definitions (Article 1)

Article 1 introduces standardized definitions that now carry regulatory force:

  • Sensitive Data: Information whose unauthorized disclosure or misuse could cause serious harm to national security, public order, the economy, environment, or individuals.

  • Restricted Data: Information whose improper disclosure could cause limited or moderate harm to concerned entities or persons.

  • Public Data: Information accessible without restriction, where disclosure causes no harm.

  • Data Classification Document: An officially approved internal document issued by each entity, setting out procedures, roles, and security controls for data classification.

  • Classification Tags and Labels: Technical markers applied to data assets indicating sensitivity level and handling requirements.

Purpose (Article 2)

The framework establishes a national, methodical system for classifying data according to sensitivity, value, and impact. This ensures confidentiality, integrity, and proper use in line with applicable policies and laws.

Obligations of Entities (Article 4)

Entities subject to the decision must:

  1. Classify data into at least three categories (Sensitive, Restricted, Public) and define sub-levels as needed.

  2. Issue and submit a Data Classification Document approved by senior management and consistent with the NCSC’s guidance manual.

  3. Implement technical and organizational measures appropriate to each classification level.

  4. Designate qualified officers (national staff) to supervise classification and interface with the NCSC.

  5. Train employees through periodic workshops and awareness programs.

  6. Obtain NCSC approval before handling or transferring sensitive data outside Kuwait, in accordance with the “Accreditation and Approval Policy.”

These obligations are explicitly derived from Article 4 (a)–(h) of the decision.

Accountability and Compliance (Article 5)

Article 5 assigns clear responsibility to each entity for:

  • Preparing and maintaining its classification document.

  • Ensuring data protection through appropriate security measures.

  • Holding employees accountable for violations of approved procedures.

  • Conducting periodic reviews and submitting implementation reports to the NCSC.

Entities remain legally liable for damage resulting from negligent data handling.

Accreditation and Approval Policy (Article 6)

Article 6 details two formal processes:

  1. Accreditation of the Data Classification Document:

  2. Entities must complete the official forms (Forms 1–4) and submit to grcinfo@ncsc.gov.kw.

  3. The NCSC reviews requests within 10 working days and issues either partial or full approval.

  4. Partial approval requires revision within 3 months; full approval is valid for 12 months.

  5. Approval to Process or Transfer Sensitive Data Outside Kuwait:

  6. Requires prior document accreditation and submission of Forms 5 and 6.

  7. The NCSC may hold bilateral meetings before granting authorization.

Implementation and Repeal (Articles 7 – 9)

  • Article 7: Implementation under Decree No. (37) of 2022 establishing the NCSC.

  • Article 8: The regulation takes effect upon publication in the Official Gazette on 19 October 2025.

  • Article 9: Repeals Decision No. (7) of 2023, dated 16 July 2023, and any conflicting provisions.

Signed by Eng. Abeer Anwar Al-Awadhi, Chairperson of the National Cybersecurity Center.

Legal Commentary and Impact

This decision represents a comprehensive legal upgrade to Kuwait’s cyber governance framework:

  • It consolidates previous electronic data rules into a unified, binding national standard.

  • It creates an approval-based compliance system for data classification and cross-border processing.

  • It elevates data classification from a technical exercise to a legal duty of care imposed on each entity.

  • It aligns Kuwait with global best practices in data sovereignty and public-sector information security.

For legal advisors and compliance officers, Decision (1) of 2025 demands close review of government contracts, outsourcing arrangements, and data-handling clauses to ensure alignment with NCSC requirements.

Conclusion

The introduction of the 2025 National Data Classification Framework marks a pivotal moment in Kuwait's approach to cybersecurity governance. By establishing clear standards and responsibilities, the NCSC is paving the way for enhanced data protection and compliance within both public and private sectors. This framework not only safeguards sensitive information but also fosters trust in Kuwait's digital landscape.

Related articles

Kuwait’s Delivery-Platform Rulebook: A Compliance Roadmap Before 1 September 2026

Kuwait’s Delivery-Platform Rulebook: A Compliance Roadmap Before 1 September 2026

Learn more
Eight Clearances, One Gazette: What Kuwait's Latest Merger-Control Batch Tells Global Dealmakers

Eight Clearances, One Gazette: What Kuwait's Latest Merger-Control Batch Tells Global Dealmakers

Learn more
Yield on Idle Client Cash and a Bounded Margin Facility: A Broker’s Roadmap to CMA Resolution 85/2026

Yield on Idle Client Cash and a Bounded Margin Facility: A Broker’s Roadmap to CMA Resolution 85/2026

Learn more
Faster Benches: What Kuwait's Specialized-Court Reforms Mean for Business

Faster Benches: What Kuwait's Specialized-Court Reforms Mean for Business

Learn more
Kuwait's Disclosure Filing Switches to iFSAH Only: What Issuers, Licensed Firms and Auditors Must Do Now

Kuwait's Disclosure Filing Switches to iFSAH Only: What Issuers, Licensed Firms and Auditors Must Do Now

Learn more
Kuwait Modernises the KPC Law, and Bans Local Agents on Its Contracts: What Decree-Law No. 67 of 2026 Means

Kuwait Modernises the KPC Law, and Bans Local Agents on Its Contracts: What Decree-Law No. 67 of 2026 Means

Learn more