Understanding Saudi Arabia’s Draft Open Insurance and InsurTech Framework

January 16, 2026 (Edited)

The Kingdom’s Insurance Authority (the “IA”) recently released an initial draft for Open Insurance and Insurance Technology Regulations (the “Draft”). It provides a practical framework covering sandbox operations and exits, digital/online distribution and third-party platforms, and a detailed Open Insurance data sharing regime. The Draft expressly applies to Insurance Companies, Reinsurance Companies, and Insurance Service Providers. The intention is to foster innovation via a regulatory sandbox while safeguarding customers, by enabling controlled testing of InsurTech solutions and promoting competition, informed regulation and strong customer protections.

Currently, the operation of online and insurtech insurance activities is predominantly governed by the Online Insurance Activities Regulation 2011 and the Insurtech Rules 2023. The concept of Open Insurance is featured for the first time in a proposed regulation in KSA, and it is defined under the Draft as “the secure and controlled sharing of insurance data between market participants through Application Programming Interfaces (APIs), with customer consent”. On the regulatory sandbox, the IA launched its Insurance Lab initiative in September 2024, introducing a legislative experimental environment to test innovative insurance solutions in a controlled setting. A draft Insurance Regulatory Sandbox Framework was released for public consultation towards the end of 2024, but it has not yet been finalised or issued in binding form.

We highlight below the key differences between the Draft and the existing regulatory framework, expected significance for the KSA insurance market and practical implications for businesses.

Key differences

The Draft establishes a comprehensive Open Insurance regime anchored in customer consent, purpose limitation, parity of protections and auditable Application Programming Interface (API) data sharing. It mandates controls over what data is shared, to whom, for how long, and with withdrawal rights; requires identity and eligibility checks for data recipients; obliges maintenance of records of data access/transfers; prohibits disadvantaging customers who opt out; and imposes incident/breach notification to the IA. The current regulatory framework focuses on data security and confidentiality in online operations but does not provide an explicit open‑data architecture.

A second difference is the introduction of a formal Regulatory Sandbox in the Draft, with restricted licenses, defined limits (e.g., number of customers, duration, volumes), the possibility of temporary regulatory relief where appropriate, an IA case manager, robust reporting and a clear exit strategy; none of this exists explicitly in the current Online Insurance Activities Regulation or the Insurtech Rules. The current frameworks require plans, controls and supervisory interaction for online operations and insurtech conduct, but they do not provide a restricted-license test bed or structured waiver mechanism to pilot novel propositions.

Moreover, the Draft advances digital risk, cyber resilience and algorithmic governance requirements. It demands internal controls tailored to digital insurance, including data privacy compliance, cyber resilience aligned to information and communication technology/cyber expectations, defined impact tolerances and recovery plans, identification and mitigation of unfair bias in pricing/underwriting/claims algorithms, clear and non‑misleading digital interfaces and advice, and governance over development and deployment of InsurTech solutions – subject to onsite supervisory inspections. Existing frameworks call for security, continuity, incident response, and clear disclosures for websites and insurtech platforms, but the proposed Draft elevates standards toward end‑to‑end operational resilience and algorithmic fairness.

Additionally, the Draft imposes expanded oversight for third‑party platforms. It requires prior approval to distribute via third‑party websites (including airlines, banks, or non‑insurance entities), a detailed approval pack (including business model, agreement showing outsourcing compliance and clear responsibilities, due diligence evidence, security controls, customer‑protection approach, oversight and monitoring plans, compensation/commission and conflicts), ensures platform licensing as an Insurance Service Provider where activities fall within regulated scope, mandates fair and transparent terms without unjustified channel price differentials, and clarifies the insurer’s ultimate responsibility. The current Online Insurance Activities Regulation also requires the IA’s approval and sets third‑party website conditions, but the Draft’s approval pack and licensing expectation for platforms are more granular and ecosystem oriented.

Finally, the Draft aligns online sales standards with traditional channels, requiring that digital promotions be clear, fair and not misleading, that needs/demands assessments be conducted where advice is given or the product is not a “Simple‑Risk Product,” that key terms, cancellation rights and complaints are clearly accessible, and that robust records of digital journeys be maintained. “Simple‑Risk Product” means an insurance product that is easy to understand and carries limited underwriting complexity, typically characterised by clearly defined benefits, exclusions, and pricing, and which does not require personalised advice or detailed suitability assessments. While the current Online Insurance Activities Regulation already mandates detailed pre‑sale, sale, and post‑sale obligations online, the Draft explicitly imports broader conduct benchmarks and formalises recordkeeping and suitability in automated or complex product contexts.

Significance for the KSA insurance market

The proposed Draft introduces a holistic and market‑wide framework that goes beyond websites to encompass a Regulatory Sandbox, Open Insurance (API‑based data sharing with explicit consent), broader digital governance including algorithmic risk and third‑party platform oversight across the ecosystem, moving from rules on “online” channels to a comprehensive digital innovation and data‑sharing regime.

What should businesses do now

We anticipate that the Draft will be available for public consultation during the course of 2026, which will give sector stakeholders and interested parties an opportunity to provide their feedback and opinion. In the meantime, businesses should start putting together a readiness program in anticipation of the introduction of some of the proposed changes.