We hand over policies that are actually enforced, and a team inside the entity that knows what to say to the SDAIA assessor when he walks in.
The National Data Management Office (NDMO) sits under the Saudi Data and AI Authority (SDAIA). It issues the national policies for data management, governance, and personal data protection, and organises 77 controls and 191 specifications across 15 domains: Data Governance, Data Assetization, Data Usage, Data Classification & Availability, and Data Protection. The controls apply to government entities and their operational partners, and intersect directly with the Personal Data Protection Law (PDPL) and its Implementing Regulations.
Assessment against the 77 controls; documents and actual enforcement reviewed, in a form SDAIA's team can read directly.
Entity policies drafted against the NDMO template, data governance committee stood up, roles distributed.
Asset inventory, datasets classified into the four levels, classification register built.
Records of processing, consent management, data subject rights, DPIAs, and incident management.
A simulated SDAIA assessment, evidence collection, and accompaniment through the on-site visits.
We work in SDAIA's technical language. Our practitioners hold international data protection credentials (CIPP/E, CIPM, ISO 27701) and have actually applied the NDMO documents, not just read them. Deliverables arrive in a form the SDAIA assessment team can read directly.
We run the Data Architecture and Modeling (DAM) domain and the NORA DRM domain with the same certified architects, so the EA project and the NDMO compliance project do not duplicate each other. Every artifact references its control number explicitly, so the evidence file lands in language SDAIA assessors recognise from the first line.
The gap between an entity that holds policies and one that enforces them shows up at the first audit. We hand over the second kind of readiness: policies in use, a living classification register, and a team that knows what to say.
NDMO controls cover Saudi government entities and their operational partners. Any processing of personal data for citizens or residents falls under PDPL, supervised by SDAIA.
PDPL is a general law that binds anyone processing personal data. NDMO controls are a technical document for government entities covering 15 domains, with 77 controls and 191 specifications, and extending into data quality, catalog, reference data, and freedom of information.
SDAIA runs an annual cycle: a self-assessment file, a technical document review, and sometimes an on-site visit. Results translate to a compliance level for each of the 77 controls, with a window to fix gaps before the next cycle.
For an entity starting from zero: 16 to 24 weeks. For one with old, unenforced policies: 10 to 14 weeks.
No. The two tracks are formally independent. But an EA built under NORA shortens the NDMO route, because DRM is one of the six NORA domains. We recommend running both tracks in parallel.
Four: Top Secret, Secret, Restricted, Public. Classification rests on the impact of unauthorised disclosure. We start with asset inventory, then classify at the dataset or system level.
Transfers of personal data are governed by PDPL, its Implementing Regulations, and the Transfer of Personal Data Outside the Kingdom guide. Assessing hosting is part of the gap phase, and may lead to migrating some systems, or signing data processing addenda instead of migrating.
Two remote hours with a certified data protection practitioner. You leave with a shared read of your current state and an initial estimate of scope and duration. No cost, no commitment.
Back to all services
