GLA & Company

This year, Kuwait’s merger control regime has been reshaped by legislative reforms and constitutional challenges. The framework now requires close attention to the scope of notifiable transactions, the financial thresholds that trigger a filing obligation, and the exemptions designed to exclude routine restructurings. Parties must also navigate detailed notification requirements, supporting documentation, filing fees, and a multi-stage review before the Kuwait Competition Protection Agency (“CPA”). Recent constitutional rulings—most notably the 2025 decision striking down the CPA’s power to impose revenue-based fines—have added a new dimension to enforcement and signal further reform on the horizon. Merger control in Kuwait is governed by Law No. 72 of 2020 on the Protection of Competition and its Implementing Regulations, issued under Resolution No. 14 of 2021 and amended by Decree No. 25 of 2022. Together, they establish the CPA, prohibit anti-competitive practices, and set out merger control obligations, review procedures, and exemptions. This overview walks through the scope of notifiable transactions, the financial thresholds that trigger notification, and carve-outs for routine restructurings, before outlining the notification process, documentation, and filing fees. We then explain the CPA’s multi-stage review and monitoring practices and concludes with constitutional developments—particularly the ruling that limited the CPA’s power to impose revenue-based fines—and their implications for enforcement and legislative reform. A merger control filing with the CPA is required when a transaction (i) qualifies as an economic concentration. Under the Competition Law, an economic concentration includes mergers, acquisitions of control, and joint ventures that create an autonomous economic entity. In the event a transaction is considered an economic concentration, then the financial thresholds must be analysed. The obligation to notify the CPA is triggered when certain financial thresholds are met, based on the audited financial statements of the preceding fiscal year. Specifically, notification is required if any of the following financial thresholds are met (“Financial Thresholds”): One party to the concentration generates revenues in Kuwait exceeding KWD 500,000; The aggregate revenues of all parties exceed KWD 750,000; OR The registered assets of the parties in Kuwait exceed KWD 2.5 million. The Competition Law provides several exemptions to ensure that routine transactions are not unnecessarily subjected to merger control filings. These exemptions include acquisitions by banks, insurance companies, and financial institutions engaged in securities trading, provided they do not exercise substantive voting rights and dispose of the securities within one year of acquisition. The disposal period may be extended by the CPA upon a justified request demonstrating that disposal was not reasonably practicable within the one-year period. Exemptions also apply to acquisitions arising from insolvency, defaults, debt restructuring, or settlements with creditors are excluded, as are intra-group restructurings within the same economic group. These carve-outs reflect the legislature’s intent to capture only those transactions that materially affect market structure and competition in Kuwait. Parties must notify the CPA within 60 days of signing the transaction agreement or related contract. However, in practice, the CPA does not strictly enforce this 60-day requirement. A binding agreement is not strictly required before notification; it is sufficient for parties to file based on a letter of intent, memorandum of understanding, or a good faith intention to reach an agreement. The merger control notification must include detailed corporate documents, financial statements, transaction agreements, market share data, competitor information, and an economic report addressing the potential effects on competition in the relevant market. The filing fee is 0.1% of the combined paid-up capital or Kuwaiti assets of the parties, whichever is less, capped at KWD 100,000, with a minimum charge above zero. The review process before the CPA involves several steps. Once a filing is submitted, the CPA chairman has five days to refer the application to the executive director for review. The executive director then conducts a substantive examination of the transaction, which must be completed within 90 days. This period may be extended if additional information is required or if third-party objections are raised. After the executive director’s assessment, the matter is referred to the CPA’s board of directors, which must issue a decision within 30 days on whether to approve, conditionally approve, or reject the transaction. The parties must be formally notified of the board’s decision within 15 days, ensuring transparency and closure of the review process. In practice, clearance typically takes around 45–60 calendar days from the time a complete application is submitted, though delays are common if filings are incomplete or contested. Importantly, transactions cannot be implemented before clearance; violations can result in fines or orders to unwind the transaction. These include fines of up to 10% of total revenues for failing to notify an economic concentration or for submitting misleading or incorrect filings, and the same ceiling for anti-competitive agreements or abuse of dominance. Lesser violations—such as obstructing CPA investigations, failing to comply with obligations after notice, or providing misleading information—carry fines of up to 1% of revenues from the previous fiscal year. In parallel with these sanctioning powers, the CPA has a designated department tasked with reviewing transactions published on social media platforms to ensure that any notifiable transactions, which have not submitted a merger control filing, are investigated and then referred to the CPA disciplinary board. The CPA has sent investigatory letters to both local and foreign parties requesting information and details surrounding published transactions they are involved in. GLA has played a key role in moulding the Kuwait merger control landscape. In February 2025, GLA successfully represented a client facing significant CPA sanctions.  In a landmark ruling by the Kuwaiti Constitutional Court, which significantly altered the CPA enforcement capabilities. The Court declared Paragraph (1) of Article 34 of Law No. 72 of 2020 unconstitutional. This provision had empowered the CPA’s disciplinary board to impose financial penalties of up to 10% of a party’s total revenues for violations of Articles 5–8 (anti-competitive agreements and abuse of dominance). The challenge, successfully argued by GLA & Company Senior Partner, Nader Al Awadhi, on behalf of the Union of Cooperative Societies, was based on constitutional principles, including: Violation of due process and judicial oversight (penalties were imposed administratively, not judicially); Lack of proportionality between penalties and violations; and Encroachment on protections of private ownership and personal liberty. The ruling curtails the CPA’s ability to impose revenue-based fines and raises questions about the validity of past sanctions. Going forward, merger control enforcement will likely need to rely on judicially supervised remedies or amended legislative provisions consistent with constitutional safeguards. Further, by establishing constitutional precedent, the ruling has already influenced subsequent cases, including one that struck down the 1% fine for non-compliance as unconstitutional, and has intensified calls for legislative reform. As a result, draft amendments to the Competition Law have been introduced and are currently awaiting approval. .Kuwait’s merger control regime features relatively low financial thresholds that capture both domestic and cross-border transactions. Parties must prepare comprehensive filings and anticipate a few rounds of queries within the review period. However, the Constitutional Court’s ruling striking down the CPA’s power to impose steep turnover-based fines introduces a new layer of legal complexity. Companies engaging in mergers and acquisitions in Kuwait should closely monitor forthcoming legislative or regulatory adjustments as the state reconciles the Competition Law framework with constitutional requirements. Authors: Asad Ahmad, Head of Anti-Trust & Competition and Fahad Al Zouman, Trainee Lawyer.

In line with Kuwait’s vision to develop its real estate investment environment and regulate non-Kuwaiti participation in this vital sector, Decree No. 195 of 2025 (the “Decree”) was issued to strike a balance between attracting foreign investment while safeguarding the exclusivity of private housing for Kuwaiti nationals and maintaining consistency with the existing legal framework governing non-Kuwaiti ownership. The Decree, while operates alongside Decree No. 74 of 1979 on non-Kuwaiti ownership of real estate, sets out the following provisions: Eligibility and Conditions For Real Estate Ownership (Article 1): In compliance with Decree-Law No. 74 of 1979 on Non-Kuwaiti Real Estate Ownership, companies with non-Kuwaiti partners and which are listed on licensed stock exchanges in Kuwait, as well as real estate funds and investment portfolios licensed by the competent Kuwaiti authorities, may own real estate, subject to the following conditions: One of the activities of such companies, real estate funds, or investment portfolios must include dealing in real estate. The Decree imposes a categorical prohibition on owning or dealing of real estate, plots, or lands designated for private housing purposes regardless of location or project. Exceptions and Equal Treatment (Article 2) The provisions of this Decree expressly preserve two key points: The right of entities under the supervision of the Central Bank of Kuwait or the supervision of other regulatory bodies to own real estate in accordance with the law. The treatment of nationals of the Gulf Cooperation Council (GCC) member states shall be treated the same as Kuwaiti citizens with respect to the ownership of land and constructed properties in Kuwait, in accordance with the law. Implementation and Entry into Force (Article 3): Ministers, each within their respective jurisdictions, shall implement this Decree, which shall take effect upon its publication in the Official Gazette. Market participants should, therefore, align internal policies, funds documentation, and transaction screening protocols to ensure compliance with the Decree from the date of publication. As outlined above, Decree No. 195 of 2025 aims to preserve the exclusivity of residential housing for citizens and prevent practices that could disrupt the national real estate market, while clearly ring-fencing the private housing segment for citizens and preserving supervisory and GCC equal-treatment frameworks. In parallel, it promotes sustainable investment within the real estate sector, while remaining consistent with existing laws governing the ownership of property by non-Kuwaitis.. The result is a more defined pathway for non-Kuwaiti capital that aligns with Kuwait’s policy objectives and market stability. Authors: May El Mahdy, Senior Associate and Maha Abdullah, Trainee Lawyer

Kuwait is positioning itself as a leading regional jurisdiction in integrating artificial intelligence and cloud into the digital economy.   Government‑backed collaborations with Microsoft and Google have been announced to advance AI‑enabled cloud capabilities and deploy productivity solutions across public agencies, Supported by Vision 2035 and potential participation by Kuwait’s sovereign ecosystem in global digital infrastructure initiatives, these developments signal a material step toward embedding AI across the nation. This transformation, however, is not being driven by technology alone. Kuwait’s expanding digital ecosystem is developing within a sophisticated legal and institutional framework that governs data protection, cloud computing, and cybersecurity.  For AI vendors and cloud service providers, understanding this framework is essential not only as a matter of compliance but as a prerequisite for market participation.  These institutional foundations are evolving toward a more coordinated governance model under Kuwait’s forthcoming National AI Strategy, which is expected to align the roles of existing regulators and establish a unified national framework for AI oversight and data governance. Institutional architecture: CAIT, CITRA, and the National Cybersecurity Center At the core of this structure stand three institutions that define Kuwait’s digital governance model.  The Central Agency for Information Technology, known as “CAIT,” leads governmental digital transformation and supports the development of national cloud infrastructure and AI adoption across public entities.  Working alongside CAIT is the Communications and Information Technology Regulatory Authority, or “CITRA,” established under Law No. 37 of 2014 to regulate the telecommunications and information technology sectors, license operators, and oversee privacy and cloud compliance through instruments including the Data Privacy Protection Regulation and the Cloud Computing Regulatory Framework.  Complementing both agencies is the National Cybersecurity Center, created by Decision No. 37 of 2022, which serves as Kuwait’s authority for cybersecurity and data‑classification oversight and sets parameters for cross‑border processing of sensitive information. “Taken together, these bodies form a layered governance model.  CITRA’s licensing and cloud rules establish the baseline for service provision and customer protections, while the National Cybersecurity Center’s classification and cross‑border controls determine where sensitive workloads may reside. CAIT’s digital transformation mandate then operationalizes these standards across the public sector, ensuring that modernization initiatives are designed around compliance from inception rather than retrofitted post‑deployment. ” Programs and partnerships: from policy to implementation Recent initiatives demonstrate how these institutions coordinate to align technological development with regulatory oversight. In cooperation with Microsoft, CAIT and CITRA have announced and begun implementing a national program that includes the planned establishment of  AI‑enabled data center capabilities, an integrated AI system, a center for cloud auditing, and a facility dedicated to advancing the digital infrastructure within the public sector.  CAIT oversees execution across government entities, while CITRA ensures that the deployment of cloud and AI environments remains consistent with Kuwait’s data‑governance, cybersecurity, and localization requirements. The initiative includes large‑scale training programs in cybersecurity and artificial intelligence, embedding compliance and institutional capability within the government’s transformation framework. “For both vendors and government entities, successful execution hinges on translating these high‑level initiatives into contractually enforceable obligations.  Agreements should embed data residency commitments tied to approved classifications, encryption and key management aligned to supervisory expectations, audit and inspection cooperation mechanisms, and incident workflows that meet statutory notification thresholds.  This contractual scaffolding is how Kuwait’s compliance requirements are made real in day‑to‑day operations.” Data governance pillars: privacy, localization, and cloud compliance CITRA’s regulatory reach extends beyond traditional telecommunications providers to include any entity offering communications or IT services in Kuwait, including cloud platforms, application developers, and AI‑based service providers that process user data.  The Cloud Computing Regulatory Framework requires providers to obtain authorization before operating, comply with technical and security standards, and commit to service‑level and continuity obligations through transparent contractual terms.  It also sets clear rules on data transfers, encryption, and customer exit rights to ensure that information remains protected throughout the term of a service. Meanwhile, the Cybersecurity Center requires organizations handling electronic information to implement internal data classification processes that it reviews and approves, and to obtain authorization before storing or processing sensitive information outside Kuwait.  Together, these requirements  create a comprehensive data‑governance system, ensuring that information flows remain traceable, accountable, and primarily local. The Data Privacy Protection Regulation sets out the main principles governing data processing in Kuwait.  Processing activities must rely on a lawful basis such as consent, legal obligation, or necessity.  Service providers must publish privacy notices in both Arabic and English that clearly explain the purpose of collection, retention periods, and data transfer practices.  Additional protections apply to minors under eighteen, who require guardian consent, while users retain the right to access, correct, erase, or object to the processing of their data.  Marketing communications must include opt‑out mechanisms, and any third‑party or affiliate marketing requires prior consent from the data subject. Data localization requirements apply in defined contexts, including where instruments require classification, encryption, and approvals tied to sensitivity and sectoral scope; organizations should confirm whether obligations arise under statute, regulation, license conditions, or supervisory circulars.  Organizations must classify and encrypt data both in transit and at rest, and in certain cases must notify or obtain authorization from the competent authority before cross‑border transfers.  Sensitive data may only be processed outside Kuwait where the National Cybersecurity Center grants prior approval under applicable classification and cross‑border rules.  Under the Cloud Framework, providers must also maintain exit procedures and data deletion mechanisms to prevent vendor lock‑in and ensure the secure return or destruction of customer data upon termination. Beyond localization, the framework expects a program of security governance.  Entities may be required to or are expected to appoint a data protection officer, conduct regular audits and penetration tests, and maintain business continuity and disaster recovery plans as required or expected under the governing instrument.  Breach reporting is governed by defined timelines, with major incidents often notified within twenty‑four hours for major incidents and seventy‑two hours for other reportable breaches.  These timelines reflect Kuwait’s emphasis on prompt response and transparency in handling cyber incidents. “Organizations face a practical design choice: fully localize sensitive datasets, adopt hybrid architectures that segment workloads and apply strong pseudonymization techniques, or deploy sovereign models with customer‑managed keys. Each path carries different approval, audit, and continuity implications. Early engagement on data classification—paired with architecture diagrams and control evidence—can materially shorten authorization timelines and reduce rework.” Enforcement and supervisory expectations Enforcement under this framework is robust and signals the seriousness of Kuwait’s commitment to compliance.  CITRA retains wide supervisory powers, including the authority to order the blocking of networks,  require the removal of unlawful content, and enforce confidentiality obligations.  Non‑compliance can result in administrative fines reaching up to one million Kuwaiti dinars for each violation up to applicable statutory or regulatory caps.  In severe cases, authorities may suspend or cancel an operator’s or provider’s authorization and refer breaches involving unauthorized disclosure or interception of communications to criminal prosecution.  Entities may also be required to implement remedial measures following inspection or compensate affected users. CITRA’s supervisory toolkit, combining licensing leverage, inspection rights, and administrative penalties—creates concrete incentives for robust control environments.  Entities that maintain a tested incident response plan calibrated to 24/72‑hour reporting thresholds, document periodic control assessments (including penetration testing where required), and retain traceable audit artifacts typically encounter fewer remedial directives following inspection. Contracting and operational implications The strategic partnerships with Microsoft and Google illustrate how legal compliance now shapes every stage of Kuwait’s cloud and digital Cross‑border collaborations must reconcile innovation with the country’s strong commitment to data sovereignty.  Agreements increasingly address data controller and processor responsibilities, localization and encryption requirements, breach notification obligations aligned with statutory timelines, and provisions ensuring compliance with CITRA’s audit, inspection, and termination requirements. In practice, legal compliance has become a central component of contractual design rather than a post‑signing consideration. “For technology providers and regulated customers, key contractual provisions typically scrutinized in Kuwait include: (i) data residency and classification‑tied processing covenants; (ii) encryption standards and key‑management models (including customer‑managed keys where applicable); (iii) audit, inspection, and logging transparency; (iv) incident notification aligned to statutory thresholds; and (v) exit, portability, and secure deletion mechanics.  Well‑designed clauses should be accompanied by operational runbooks to ensure obligations are practicably deliverable at scale. ” National AI Strategy: trajectory and scope Kuwait’s broader digital economy stands at the intersection of rapid digitalization and rigorous legal oversight.  The country’s dual focus on innovation and accountability distinguishes it within the region and offers a model for the responsible integration of artificial intelligence within critical national infrastructure.  As the legal framework continues to mature, companies that engage early and align their internal processes with these requirements will not only mitigate risk but play a defining role in shaping the next phase of Kuwait’s digital economy. Kuwait’s forthcoming National AI Strategy is expected to provide a policy framework that complements these legal and regulatory developments.  The draft strategy proposes establishing a High‑Level Steering Committee, a cross‑sectoral body bringing together senior representatives from CAIT, CITRA, the National Cybersecurity Center, key ministries, academia, and private‑sector partners.  The committee’s objective is to coordinate national AI initiatives and ensure alignment between regulation, infrastructure, and innovation.  The strategy also proposes AI safety frameworks (including safety brakes for critical infrastructure) and a shared‑responsibility model that defines the respective roles of regulators and technology providers in safeguarding AI systems and data.  Aligned with Vision 2035, the strategy calls for strengthening Kuwait’s data and digital foundations through centralized repositories, standardized governance policies, and cybersecurity baselines, enabling responsible AI deployment across sectors such as healthcare, education, energy, and public safety. “Kuwait’s trajectory places it among the region’s more sovereignty‑forward jurisdictions, prioritizing local control, auditability, and public‑sector modernization. For market entrants, the decisive differentiator will be governance maturity: the ability to evidence compliance‑by‑design in architecture, contracts, and operations. Those that internalize this model will mitigate regulatory risk and gain a competitive edge in public‑sector and critical‑infrastructure procurement.” Conclusion Taken together, these measures signal that Kuwait’s data‑localization and cloud‑compliance regimes are part of a wider national effort to embed trust, accountability, and resilience at the core of its AI‑driven digital transformation.  As Kuwait advances from regulatory enforcement to strategic execution, its ability to align law, policy, and innovation will determine how effectively it leads the next wave of AI governance in the region. Authors: Asad Ahmad, Head of Anti-Trust & Competition Fahad Alzouman, Trainee Lawyer.