Saudi Arabia - restrictions
(Section: "Markets and Jurisdictions")
1) Market Picture: Basic Principle
The Kingdom of Saudi Arabia (KSA) applies a complete ban on offline and online gambling.
Casinos/slots/poker/betting (including "social" mechanics with a monetary equivalent) are prohibited.
Any private B2C activity focused on residents of KSA is treated as illegal, regardless of the jurisdiction of the domain or an offshore "license."
Enforcement practice combines network blocking, blocking of payment routes, and administrative and criminal liability.
2) Institutions and roles
CST (formerly CITC) - regulator of communication and digital services: blocking domains, IP, applications; interaction with platforms/app stores.
SAMA (central bank) and payment infrastructure (Mada, SADAD, e-wallets) - transaction filtering, blocking of routes used for gambling activity, PSP control.
Saudi FIU (financial intelligence unit) - receipt and analysis of STR/SAR, AML/CFT coordination.
Law enforcement agencies - cyber units, prosecutors, courts: suppression of illegal services/affiliates, collection, confiscation.
Media/advertising supervisors - removal of promotional content, sanctions for engaging the KSA audience.
3) What is allowed/forbidden
Allowed (adjacent areas that do not contain a gambling component):
- E-sports and e-sports events without bets/cash draws; entertainment and hospitality services without a bet-chance-prize element.
- B2B contracts in non-gaming: cybersecurity, payment analytics for legal industries, IDV/KYC for fintech/telco, etc.
Forbidden:
- Any form of offline/online gambling; "lotteries," "sweepstakes" with the purchase of a chance; "crowd raffles," casino bots, betting exchanges.
- Advertising/affiliate promotion of gambling targeted at the KSA audience.
- Bypassing blocks: mirrors, proxy/VPN chains, "pseudo-merchants," crypto gateways for deposits/payments.
4) Blocking and payments
Network blocking: dynamic blacklists of domains, IPs, URLs, applications; recurring mirrors are blocked rapidly.
Payment restrictions: banks/PSPs block MCCs/patterns related to gambling activity; increased monitoring of P2P, e-wallet and offshore routes.
Platforms/marketplaces are required to remove illegal applications and promotional content upon request.
5) Responsibility and risks
Organizers/affiliates: fines, confiscation of equipment, blocking of domains/accounts, criminal legal consequences.
Media and influencers: sanctions for promoting gambling content to the KSA audience (including "bypass guides").
Users: administrative consequences; repetition/scale is an aggravating factor.
Increased penalties for "hiding traces" (CDN rotation, MCC substitution, crypto mixers).
6) Advertising and Communications
Any creatives with gambling inducements ("free spins/bets," "guaranteed winnings"), geo/language targeting of KSA residents, and affiliate links to illegal sites are prohibited.
It is recommended to keep a compliance log (screenshots, targeting settings, dates, sites) to prove the absence of KSA targeting and readiness for prompt recall of materials.
7) AML/CFT and data (framework level)
KYB/KYC of partners and contractors, sanctions/PEP screening, SoF/SoW if necessary.
Transaction monitoring: identification of markers of gambling activity, immediate escalation of STR/SAR to the FIU.
Data protection: restriction of access, logging of actions (WORM), storage within the time limits stipulated by company policies and the applicable rules.
8) Vision-economics and reality
Despite the development of an event/entertainment agenda within the framework of economic transformation, gambling is not included in the range of permissible activities. Any expectations of a "quick market opening" do not make operational sense - you need to plan based on a long-term ban.
9) Roadmap: What business can really do
B2C gambling operators
Entering KSA is not possible. Consider other jurisdictions with a licensed model.
B2B suppliers in non-gaming
1. Define a non-gaming role: anti-fraud, cybersecurity, payment analytics, IDV/KYC for legal verticals.
2. Contractual framework: hard SLAs, DPIA/TSAs, clauses banning "gaming features" and geo-targeting KSA.
3. Compliance loop: instant off-switch procedures for creatives/features with risk of violation; compliance log; regular audits.
4. Technologies: secure SDLC, WORM logs, encryption, RBAC/SoD, DR/BCP; readiness for requests from authorities and partners.
10) Technical requirements (best practices)
Logging of key events (registration/payment/limit change/advertising target) with NTP synchronization.
Encryption at rest/in transit; secret management; network segmentation.
Pentests/scans on schedule; incident response plan.
API/uploads for compliance checks; instant deactivation of disputed features/campaigns.
11) Compliance checklists
Legal regime
- Confirmed: no gambling component in products/services
- CST/SAMA/Enforcement Response Procedures
- Responsible persons for compliance/information security/marketing are appointed
Marketing and PR
- Strictly prohibit KSA targeting; geo/language filters enabled
- Compliance log (creatives, target, sites, dates)
- Instant Recall Process
AML/KYC
- KYB of partners; sanctions/PEP screening; SoF/SoW on trigger
- Payment monitoring; blocking of gambling MCCs/patterns
- STR/SAR and SLA
Information security and data
- WORM logs, retention and access control
- Encryption, RBAC/SoD, secret management
- DR/BCP tests, regular pentests/scans
12) First year KPIs
Compliance: 0 ad/payment/content incidents involving the KSA audience
Information security: incident MTTR and on-time closure of critical vulnerabilities
Marketing: 100% compliance with geo-filters, no "gaming" triggers
Operations: SLA ≥99% on Partner and Regulatory Responses
13) FAQ
Is it possible to target tourists in KSA with .com without geo-targeting?
No. The "actual targeting" factor (language/channels/influencers/geo) is interpreted as an appeal to the KSA audience.
Is there a legitimate B2C path?
No, there isn't. There is no reason to plan for legal B2C gambling in the foreseeable future.
Will affiliate traffic be allowed to offshore sites?
No. Promotion of gambling to the KSA audience is prohibited, regardless of the domain zone and "offshore license."
Is it possible to make prize draws in marketing?
Only if there is no gambling component (buying a chance/cash equivalent of winning) and the draw fully complies with local advertising and consumer standards - legal verification and preventive moderation are required.
Note
KSA's enforcement practice is stable in terms of a strict ban on gambling and its promotion. Build any plans as non-gaming, with readiness for prompt compliance and zero tolerance for "gray" schemes.