Kuwait

This year, Kuwait’s merger control regime has been reshaped by legislative reforms and constitutional challenges. The framework now requires close attention to the scope of notifiable transactions, the financial thresholds that trigger a filing obligation, and the exemptions designed to exclude routine restructurings. Parties must also navigate detailed notification requirements, supporting documentation, filing fees, and a multi-stage review before the Kuwait Competition Protection Agency (“CPA”). Recent constitutional rulings—most notably the 2025 decision striking down the CPA’s power to impose revenue-based fines—have added a new dimension to enforcement and signal further reform on the horizon. Merger control in Kuwait is governed by Law No. 72 of 2020 on the Protection of Competition and its Implementing Regulations, issued under Resolution No. 14 of 2021 and amended by Decree No. 25 of 2022. Together, they establish the CPA, prohibit anti-competitive practices, and set out merger control obligations, review procedures, and exemptions. This overview walks through the scope of notifiable transactions, the financial thresholds that trigger notification, and carve-outs for routine restructurings, before outlining the notification process, documentation, and filing fees. We then explain the CPA’s multi-stage review and monitoring practices and concludes with constitutional developments—particularly the ruling that limited the CPA’s power to impose revenue-based fines—and their implications for enforcement and legislative reform. A merger control filing with the CPA is required when a transaction (i) qualifies as an economic concentration. Under the Competition Law, an economic concentration includes mergers, acquisitions of control, and joint ventures that create an autonomous economic entity. In the event a transaction is considered an economic concentration, then the financial thresholds must be analysed. The obligation to notify the CPA is triggered when certain financial thresholds are met, based on the audited financial statements of the preceding fiscal year. Specifically, notification is required if any of the following financial thresholds are met (“Financial Thresholds”): One party to the concentration generates revenues in Kuwait exceeding KWD 500,000; The aggregate revenues of all parties exceed KWD 750,000; OR The registered assets of the parties in Kuwait exceed KWD 2.5 million. The Competition Law provides several exemptions to ensure that routine transactions are not unnecessarily subjected to merger control filings. These exemptions include acquisitions by banks, insurance companies, and financial institutions engaged in securities trading, provided they do not exercise substantive voting rights and dispose of the securities within one year of acquisition. The disposal period may be extended by the CPA upon a justified request demonstrating that disposal was not reasonably practicable within the one-year period. Exemptions also apply to acquisitions arising from insolvency, defaults, debt restructuring, or settlements with creditors are excluded, as are intra-group restructurings within the same economic group. These carve-outs reflect the legislature’s intent to capture only those transactions that materially affect market structure and competition in Kuwait. Parties must notify the CPA within 60 days of signing the transaction agreement or related contract. However, in practice, the CPA does not strictly enforce this 60-day requirement. A binding agreement is not strictly required before notification; it is sufficient for parties to file based on a letter of intent, memorandum of understanding, or a good faith intention to reach an agreement. The merger control notification must include detailed corporate documents, financial statements, transaction agreements, market share data, competitor information, and an economic report addressing the potential effects on competition in the relevant market. The filing fee is 0.1% of the combined paid-up capital or Kuwaiti assets of the parties, whichever is less, capped at KWD 100,000, with a minimum charge above zero. The review process before the CPA involves several steps. Once a filing is submitted, the CPA chairman has five days to refer the application to the executive director for review. The executive director then conducts a substantive examination of the transaction, which must be completed within 90 days. This period may be extended if additional information is required or if third-party objections are raised. After the executive director’s assessment, the matter is referred to the CPA’s board of directors, which must issue a decision within 30 days on whether to approve, conditionally approve, or reject the transaction. The parties must be formally notified of the board’s decision within 15 days, ensuring transparency and closure of the review process. In practice, clearance typically takes around 45–60 calendar days from the time a complete application is submitted, though delays are common if filings are incomplete or contested. Importantly, transactions cannot be implemented before clearance; violations can result in fines or orders to unwind the transaction. These include fines of up to 10% of total revenues for failing to notify an economic concentration or for submitting misleading or incorrect filings, and the same ceiling for anti-competitive agreements or abuse of dominance. Lesser violations—such as obstructing CPA investigations, failing to comply with obligations after notice, or providing misleading information—carry fines of up to 1% of revenues from the previous fiscal year. In parallel with these sanctioning powers, the CPA has a designated department tasked with reviewing transactions published on social media platforms to ensure that any notifiable transactions, which have not submitted a merger control filing, are investigated and then referred to the CPA disciplinary board. The CPA has sent investigatory letters to both local and foreign parties requesting information and details surrounding published transactions they are involved in. GLA has played a key role in moulding the Kuwait merger control landscape. In February 2025, GLA successfully represented a client facing significant CPA sanctions.  In a landmark ruling by the Kuwaiti Constitutional Court, which significantly altered the CPA enforcement capabilities. The Court declared Paragraph (1) of Article 34 of Law No. 72 of 2020 unconstitutional. This provision had empowered the CPA’s disciplinary board to impose financial penalties of up to 10% of a party’s total revenues for violations of Articles 5–8 (anti-competitive agreements and abuse of dominance). The challenge, successfully argued by GLA & Company Senior Partner, Nader Al Awadhi, on behalf of the Union of Cooperative Societies, was based on constitutional principles, including: Violation of due process and judicial oversight (penalties were imposed administratively, not judicially); Lack of proportionality between penalties and violations; and Encroachment on protections of private ownership and personal liberty. The ruling curtails the CPA’s ability to impose revenue-based fines and raises questions about the validity of past sanctions. Going forward, merger control enforcement will likely need to rely on judicially supervised remedies or amended legislative provisions consistent with constitutional safeguards. Further, by establishing constitutional precedent, the ruling has already influenced subsequent cases, including one that struck down the 1% fine for non-compliance as unconstitutional, and has intensified calls for legislative reform. As a result, draft amendments to the Competition Law have been introduced and are currently awaiting approval. .Kuwait’s merger control regime features relatively low financial thresholds that capture both domestic and cross-border transactions. Parties must prepare comprehensive filings and anticipate a few rounds of queries within the review period. However, the Constitutional Court’s ruling striking down the CPA’s power to impose steep turnover-based fines introduces a new layer of legal complexity. Companies engaging in mergers and acquisitions in Kuwait should closely monitor forthcoming legislative or regulatory adjustments as the state reconciles the Competition Law framework with constitutional requirements. Authors: Asad Ahmad, Head of Anti-Trust & Competition and Fahad Al Zouman, Trainee Lawyer.

In line with Kuwait’s vision to develop its real estate investment environment and regulate non-Kuwaiti participation in this vital sector, Decree No. 195 of 2025 (the “Decree”) was issued to strike a balance between attracting foreign investment while safeguarding the exclusivity of private housing for Kuwaiti nationals and maintaining consistency with the existing legal framework governing non-Kuwaiti ownership. The Decree, while operates alongside Decree No. 74 of 1979 on non-Kuwaiti ownership of real estate, sets out the following provisions: Eligibility and Conditions For Real Estate Ownership (Article 1): In compliance with Decree-Law No. 74 of 1979 on Non-Kuwaiti Real Estate Ownership, companies with non-Kuwaiti partners and which are listed on licensed stock exchanges in Kuwait, as well as real estate funds and investment portfolios licensed by the competent Kuwaiti authorities, may own real estate, subject to the following conditions: One of the activities of such companies, real estate funds, or investment portfolios must include dealing in real estate. The Decree imposes a categorical prohibition on owning or dealing of real estate, plots, or lands designated for private housing purposes regardless of location or project. Exceptions and Equal Treatment (Article 2) The provisions of this Decree expressly preserve two key points: The right of entities under the supervision of the Central Bank of Kuwait or the supervision of other regulatory bodies to own real estate in accordance with the law. The treatment of nationals of the Gulf Cooperation Council (GCC) member states shall be treated the same as Kuwaiti citizens with respect to the ownership of land and constructed properties in Kuwait, in accordance with the law. Implementation and Entry into Force (Article 3): Ministers, each within their respective jurisdictions, shall implement this Decree, which shall take effect upon its publication in the Official Gazette. Market participants should, therefore, align internal policies, funds documentation, and transaction screening protocols to ensure compliance with the Decree from the date of publication. As outlined above, Decree No. 195 of 2025 aims to preserve the exclusivity of residential housing for citizens and prevent practices that could disrupt the national real estate market, while clearly ring-fencing the private housing segment for citizens and preserving supervisory and GCC equal-treatment frameworks. In parallel, it promotes sustainable investment within the real estate sector, while remaining consistent with existing laws governing the ownership of property by non-Kuwaitis.. The result is a more defined pathway for non-Kuwaiti capital that aligns with Kuwait’s policy objectives and market stability. Authors: May El Mahdy, Senior Associate and Maha Abdullah, Trainee Lawyer

Kuwait is positioning itself as a leading regional jurisdiction in integrating artificial intelligence and cloud into the digital economy.   Government‑backed collaborations with Microsoft and Google have been announced to advance AI‑enabled cloud capabilities and deploy productivity solutions across public agencies, Supported by Vision 2035 and potential participation by Kuwait’s sovereign ecosystem in global digital infrastructure initiatives, these developments signal a material step toward embedding AI across the nation. This transformation, however, is not being driven by technology alone. Kuwait’s expanding digital ecosystem is developing within a sophisticated legal and institutional framework that governs data protection, cloud computing, and cybersecurity.  For AI vendors and cloud service providers, understanding this framework is essential not only as a matter of compliance but as a prerequisite for market participation.  These institutional foundations are evolving toward a more coordinated governance model under Kuwait’s forthcoming National AI Strategy, which is expected to align the roles of existing regulators and establish a unified national framework for AI oversight and data governance. Institutional architecture: CAIT, CITRA, and the National Cybersecurity Center At the core of this structure stand three institutions that define Kuwait’s digital governance model.  The Central Agency for Information Technology, known as “CAIT,” leads governmental digital transformation and supports the development of national cloud infrastructure and AI adoption across public entities.  Working alongside CAIT is the Communications and Information Technology Regulatory Authority, or “CITRA,” established under Law No. 37 of 2014 to regulate the telecommunications and information technology sectors, license operators, and oversee privacy and cloud compliance through instruments including the Data Privacy Protection Regulation and the Cloud Computing Regulatory Framework.  Complementing both agencies is the National Cybersecurity Center, created by Decision No. 37 of 2022, which serves as Kuwait’s authority for cybersecurity and data‑classification oversight and sets parameters for cross‑border processing of sensitive information. “Taken together, these bodies form a layered governance model.  CITRA’s licensing and cloud rules establish the baseline for service provision and customer protections, while the National Cybersecurity Center’s classification and cross‑border controls determine where sensitive workloads may reside. CAIT’s digital transformation mandate then operationalizes these standards across the public sector, ensuring that modernization initiatives are designed around compliance from inception rather than retrofitted post‑deployment. ” Programs and partnerships: from policy to implementation Recent initiatives demonstrate how these institutions coordinate to align technological development with regulatory oversight. In cooperation with Microsoft, CAIT and CITRA have announced and begun implementing a national program that includes the planned establishment of  AI‑enabled data center capabilities, an integrated AI system, a center for cloud auditing, and a facility dedicated to advancing the digital infrastructure within the public sector.  CAIT oversees execution across government entities, while CITRA ensures that the deployment of cloud and AI environments remains consistent with Kuwait’s data‑governance, cybersecurity, and localization requirements. The initiative includes large‑scale training programs in cybersecurity and artificial intelligence, embedding compliance and institutional capability within the government’s transformation framework. “For both vendors and government entities, successful execution hinges on translating these high‑level initiatives into contractually enforceable obligations.  Agreements should embed data residency commitments tied to approved classifications, encryption and key management aligned to supervisory expectations, audit and inspection cooperation mechanisms, and incident workflows that meet statutory notification thresholds.  This contractual scaffolding is how Kuwait’s compliance requirements are made real in day‑to‑day operations.” Data governance pillars: privacy, localization, and cloud compliance CITRA’s regulatory reach extends beyond traditional telecommunications providers to include any entity offering communications or IT services in Kuwait, including cloud platforms, application developers, and AI‑based service providers that process user data.  The Cloud Computing Regulatory Framework requires providers to obtain authorization before operating, comply with technical and security standards, and commit to service‑level and continuity obligations through transparent contractual terms.  It also sets clear rules on data transfers, encryption, and customer exit rights to ensure that information remains protected throughout the term of a service. Meanwhile, the Cybersecurity Center requires organizations handling electronic information to implement internal data classification processes that it reviews and approves, and to obtain authorization before storing or processing sensitive information outside Kuwait.  Together, these requirements  create a comprehensive data‑governance system, ensuring that information flows remain traceable, accountable, and primarily local. The Data Privacy Protection Regulation sets out the main principles governing data processing in Kuwait.  Processing activities must rely on a lawful basis such as consent, legal obligation, or necessity.  Service providers must publish privacy notices in both Arabic and English that clearly explain the purpose of collection, retention periods, and data transfer practices.  Additional protections apply to minors under eighteen, who require guardian consent, while users retain the right to access, correct, erase, or object to the processing of their data.  Marketing communications must include opt‑out mechanisms, and any third‑party or affiliate marketing requires prior consent from the data subject. Data localization requirements apply in defined contexts, including where instruments require classification, encryption, and approvals tied to sensitivity and sectoral scope; organizations should confirm whether obligations arise under statute, regulation, license conditions, or supervisory circulars.  Organizations must classify and encrypt data both in transit and at rest, and in certain cases must notify or obtain authorization from the competent authority before cross‑border transfers.  Sensitive data may only be processed outside Kuwait where the National Cybersecurity Center grants prior approval under applicable classification and cross‑border rules.  Under the Cloud Framework, providers must also maintain exit procedures and data deletion mechanisms to prevent vendor lock‑in and ensure the secure return or destruction of customer data upon termination. Beyond localization, the framework expects a program of security governance.  Entities may be required to or are expected to appoint a data protection officer, conduct regular audits and penetration tests, and maintain business continuity and disaster recovery plans as required or expected under the governing instrument.  Breach reporting is governed by defined timelines, with major incidents often notified within twenty‑four hours for major incidents and seventy‑two hours for other reportable breaches.  These timelines reflect Kuwait’s emphasis on prompt response and transparency in handling cyber incidents. “Organizations face a practical design choice: fully localize sensitive datasets, adopt hybrid architectures that segment workloads and apply strong pseudonymization techniques, or deploy sovereign models with customer‑managed keys. Each path carries different approval, audit, and continuity implications. Early engagement on data classification—paired with architecture diagrams and control evidence—can materially shorten authorization timelines and reduce rework.” Enforcement and supervisory expectations Enforcement under this framework is robust and signals the seriousness of Kuwait’s commitment to compliance.  CITRA retains wide supervisory powers, including the authority to order the blocking of networks,  require the removal of unlawful content, and enforce confidentiality obligations.  Non‑compliance can result in administrative fines reaching up to one million Kuwaiti dinars for each violation up to applicable statutory or regulatory caps.  In severe cases, authorities may suspend or cancel an operator’s or provider’s authorization and refer breaches involving unauthorized disclosure or interception of communications to criminal prosecution.  Entities may also be required to implement remedial measures following inspection or compensate affected users. CITRA’s supervisory toolkit, combining licensing leverage, inspection rights, and administrative penalties—creates concrete incentives for robust control environments.  Entities that maintain a tested incident response plan calibrated to 24/72‑hour reporting thresholds, document periodic control assessments (including penetration testing where required), and retain traceable audit artifacts typically encounter fewer remedial directives following inspection. Contracting and operational implications The strategic partnerships with Microsoft and Google illustrate how legal compliance now shapes every stage of Kuwait’s cloud and digital Cross‑border collaborations must reconcile innovation with the country’s strong commitment to data sovereignty.  Agreements increasingly address data controller and processor responsibilities, localization and encryption requirements, breach notification obligations aligned with statutory timelines, and provisions ensuring compliance with CITRA’s audit, inspection, and termination requirements. In practice, legal compliance has become a central component of contractual design rather than a post‑signing consideration. “For technology providers and regulated customers, key contractual provisions typically scrutinized in Kuwait include: (i) data residency and classification‑tied processing covenants; (ii) encryption standards and key‑management models (including customer‑managed keys where applicable); (iii) audit, inspection, and logging transparency; (iv) incident notification aligned to statutory thresholds; and (v) exit, portability, and secure deletion mechanics.  Well‑designed clauses should be accompanied by operational runbooks to ensure obligations are practicably deliverable at scale. ” National AI Strategy: trajectory and scope Kuwait’s broader digital economy stands at the intersection of rapid digitalization and rigorous legal oversight.  The country’s dual focus on innovation and accountability distinguishes it within the region and offers a model for the responsible integration of artificial intelligence within critical national infrastructure.  As the legal framework continues to mature, companies that engage early and align their internal processes with these requirements will not only mitigate risk but play a defining role in shaping the next phase of Kuwait’s digital economy. Kuwait’s forthcoming National AI Strategy is expected to provide a policy framework that complements these legal and regulatory developments.  The draft strategy proposes establishing a High‑Level Steering Committee, a cross‑sectoral body bringing together senior representatives from CAIT, CITRA, the National Cybersecurity Center, key ministries, academia, and private‑sector partners.  The committee’s objective is to coordinate national AI initiatives and ensure alignment between regulation, infrastructure, and innovation.  The strategy also proposes AI safety frameworks (including safety brakes for critical infrastructure) and a shared‑responsibility model that defines the respective roles of regulators and technology providers in safeguarding AI systems and data.  Aligned with Vision 2035, the strategy calls for strengthening Kuwait’s data and digital foundations through centralized repositories, standardized governance policies, and cybersecurity baselines, enabling responsible AI deployment across sectors such as healthcare, education, energy, and public safety. “Kuwait’s trajectory places it among the region’s more sovereignty‑forward jurisdictions, prioritizing local control, auditability, and public‑sector modernization. For market entrants, the decisive differentiator will be governance maturity: the ability to evidence compliance‑by‑design in architecture, contracts, and operations. Those that internalize this model will mitigate regulatory risk and gain a competitive edge in public‑sector and critical‑infrastructure procurement.” Conclusion Taken together, these measures signal that Kuwait’s data‑localization and cloud‑compliance regimes are part of a wider national effort to embed trust, accountability, and resilience at the core of its AI‑driven digital transformation.  As Kuwait advances from regulatory enforcement to strategic execution, its ability to align law, policy, and innovation will determine how effectively it leads the next wave of AI governance in the region. Authors: Asad Ahmad, Head of Anti-Trust & Competition Fahad Alzouman, Trainee Lawyer.

Introduction: The Problem of Protecting Commercial Secrets in a Competitive Environment Companies in the modern era face a fundamental challenge in maintaining the confidentiality of their commercial information, which constitutes the core of their competitive advantage and the cornerstone of their success. This problem arises from an inevitable paradox: a company invests vast resources in training and developing its employees, granting them, by the nature of their work, broad authority to access its most sensitive operational and commercial secrets, from marketing plans and client lists to pricing strategies. This very investment in human capital is what creates the most significant vulnerability. A company's success and distinction in the market make it a target for competitors, who seek by various means to obtain the information that gives it an edge. The poaching of employees who hold these secrets, or enticing them to leak information, becomes a primary tool in unfair competition, posing a great threat to the continuity of commercial activity and the integrity of the market. From this standpoint, it has become imperative for companies to establish multi-faceted protection mechanisms that are not limited to technical fortifications but extend to include an integrated legal and procedural system aimed at protecting their intangible assets and deterring all illegal practices that threaten the continuation of their success. This study addresses the legal foundations upon which a company can rely, the caveats that must be heeded, and the legal solutions available to ensure its right to confront these challenges. First Axis: The Employee's Liability and the Company's Right of Recourse The company's right to pursue an employee who has leaked its information is not based on a single legal ground, but on an integrated system of liabilities arising from their action, which grants the company multiple and robust options for recourse against them. Contractual Liability: Direct Breach of the Employment Contract The employment contract signed by the employee represents the primary document governing their obligations. In our case, the act of leaking constitutes an explicit and direct breach of their contractual obligations, specifically: Clause 11 (Confidentiality): The employee has breached their explicit undertaking not to disclose or use any trade secrets or confidential information they became privy to by virtue of their work, such as client lists and pricing agreements. Clause 9 (Termination of Contract): This clause grants the company the right to terminate the contract immediately if "gross misconduct" is proven, and leaking confidential information to a competitor is a perfect embodiment of this concept. Right of Recourse: Based on this liability, the company is entitled to dismiss the employee with cause and with forfeiture of their end-of-service benefits and payment in lieu of notice, which is known as "dismissal with forfeiture of benefits." Labor Liability: Violation of Kuwaiti Labor Law Labor Law No. 6 of 2010 for the Private Sector supports the company's position with mandatory provisions that cannot be contravened: Article (61): This article imposes a general legal duty on every worker to "preserve the secrets of the work" and considers disclosure a "breach of the contract". Article (41): This article grants the employer the right to dismiss the worker without notice, compensation, or indemnity if the worker "discloses secrets of the establishment which has caused or would have caused substantial losses to it". Right of Recourse: These articles provide the company with an absolute legal basis to apply the penalty of dismissal with forfeiture of benefits, which is the most severe penalty under labor law. Criminal Liability: Characterizing the Act as a Criminal Offense The employee's act can be legally characterized to fall within the scope of criminalization, which elevates the matter from a mere labor dispute to a crime punishable under public law. Article (240) of the Penal Code (Breach of Trust): This article applies to the situation, as the employee received "documents and other writings" (whether physical or electronic) in trust by virtue of their work. Their use or dissipation of these for a purpose other than the company's interest (by leaking them) constitutes the complete material and moral elements of the crime of breach of trust. Right of Recourse: The company has the right to file a criminal complaint with the Public Prosecution, which subjects the employee to criminal penalties including imprisonment and a fine. Civil Liability: The Right to Compensation for Damages The rules of the Civil Code allow the company to have recourse against the employee to claim financial compensation for all damages it has incurred as a result of their wrongful act. Basis of the Claim: The lawsuit is based on the principle that "every fault which causes harm to another obliges the one who committed it to provide compensation." Scope of Compensation: Compensation includes direct material losses (such as the loss of current clients or future contracts) and moral damages (such as harm to the company's commercial reputation). Right of Recourse: The company has the right to file an independent civil lawsuit to claim potentially substantial financial compensation, and Kuwaiti judicial precedents confirm the success of such lawsuits. Second Axis: Rules and Procedures for Maintaining Employee Compliance To prevent the recurrence of such incidents, the company must adopt an integrated protection strategy that combines contractual fortification with internal procedural oversight. Contractual Rules (Fortification through the Contract) The employment contract is the first line of defense and must include deterrent and legally sound clauses: Confidentiality Clause: This must be comprehensive, as is the case in your current contract, defining confidential information broadly so as not to be limited to specific categories, explicitly prohibiting acts such as copying, commercial exploitation, and personal use, and clearly stating that the confidentiality obligation extends beyond the termination of the employment relationship. Restrictive Covenants Clause: This clause, present in your contract as number (14), is a vital tool to prevent the leakage of employees to competitors. It must clearly include: Non-Competition Clause: Prohibits the employee from working for any direct competitor for a specified period (12 months in your contract) and within a specific geographical area (the GCC countries in your contract). Non-Solicitation of Clients and Employees Clause: Prohibits the former employee from contacting the company's clients or employees with the intent of enticing them to leave the company. Intellectual Property Clause: It must be emphasized that all innovations and works developed by the employee during their employment are the exclusive property of the company, which prevents them from exploiting such works after their departure. Customized and Updated Confidentiality Declarations: As an additional preventive measure, we recommend implementing a system of "Confidentiality Declarations." This is a separate document or an addendum to the contract signed by the employee, which includes a specific list of the confidential and important information, data, and documents they have access to by virtue of their position (e.g., list of major clients, details of strategic deals, specific software codes). The purpose of this procedure is to eliminate any future ambiguity about the nature of the information, so that the employee cannot claim they were unaware that this specific information was considered confidential or important. This declaration must be updated periodically whenever the employee is promoted, moves to a new department, or gains access to new sensitive information. Procedural and Internal Rules (Fortification through Policies) Information Classification and Security Policy: Establish a clear internal policy that classifies data (public, internal, confidential), defines how to handle each category, and requires employees to mark sensitive documents with a "Confidential" stamp. Limited Access Privileges: Apply the "need-to-know" principle, whereby an employee can only access information necessary to perform their duties, through specific permissions on electronic systems. Periodic Training and Awareness: Conduct regular workshops to educate employees on the importance of information confidentiality, explain their legal and contractual obligations, and clarify the severe consequences of leaks. Exit Process: Upon the resignation of any employee, an exit interview must be conducted in which they are reminded in writing of their ongoing confidentiality and non-competition obligations after leaving the company, and they must sign an acknowledgment of returning all company property (devices, documents) in accordance with Clause 19 of the contract. Third Axis: Legal Caveats and Liabilities When dealing with a leak incident, there are caveats and liabilities that the company must be aware of to avoid any adverse legal consequences. Employee's Liabilities (Consequences of Leaking) Labor Liability: Immediate dismissal without any end-of-service benefits. Criminal Liability: Judicial prosecution on charges of breach of trust, which may lead to imprisonment and a fine. Civil Liability: Being judicially ordered to pay substantial financial compensation to the company to redress the harm. Professional Liability: Severe damage to their professional reputation, which hinders future employment opportunities. Caveats Facing the Company (Risks to be Managed) Burden of Proof and Defining the Nature of Information: The company bears the responsibility of proving the leak incident conclusively and, more importantly, proving that the employee knew with certainty that the leaked information was "confidential" or "important." Here, the importance of the "Updated Confidentiality Declarations" we recommended becomes apparent. The employee's signature on a document that explicitly identifies this information closes the door to any argument or defense on their part that they were unaware of its confidential nature, thereby significantly fortifying the company's legal position. Risk of an Unfair Dismissal Lawsuit: If the company does not follow proper legal procedures in the investigation and dismissal (such as not giving the employee an opportunity to defend themselves), the employee may file a claim for "unfair dismissal," which could cost the company financial compensation. For this reason, the previously proposed action plan (general notice, covert investigation, then formal investigation) ensures the integrity of the procedures. Enforceability of Non-Competition Clauses: Despite their presence in the contract, courts may examine the reasonableness of non-competition clauses. If the duration (12 months) or the geographical scope (all GCC countries) is deemed excessive in a way that prevents the employee from earning a livelihood, the court may rule to reduce them or not enforce them. Therefore, these conditions must be proportionate to the employee's position and the nature of the information they possess. Reputational Damage from Public Litigation: Public litigation may harm the company's reputation, even if its position is strong. A balance must be struck between the right to litigate and the potential impact on the company's market image. Conclusion and Recommendations The company possesses a strong and multi-faceted legal right of recourse against the employee who caused the leak of its information, through labor, criminal, and civil tracks. To fortify the company in the future, we recommend the periodic review of contractual clauses (confidentiality, non-competition) and the implementation of strict internal policies for information security, along with adopting the mechanism of "Updated Confidentiality Declarations" as a decisive preventive tool. As for the current situation, scrupulously following the proposed action plan, with a focus on proper documentation of evidence and adherence to legal procedures in the investigation, is the primary guarantee for the company's success in holding the responsible party accountable, redressing the damage, and deterring any similar future attempts.