GLA & Company

Kuwait has entered a transformative phase in its public-health and compliance architecture with the issuance of Decree-Law No. 159 of 2025, effective December 14, 2025, a comprehensive overhaul of the narcotics, psychotropics, and chemical-precursor regime, repealing the four-decade-old 1983 and 1987 laws. The new framework modernizes Kuwait’s approach to substance control through a structured system of licensing, surveillance, treatment, data governance, and inter-agency coordination. Although the law’s immediate focus is public health and anti-trafficking enforcement, its implications extend into healthcare, pharmaceuticals, logistics, research, compliance, risk management, and corporate governance. This impacts pharmacies, manufacturers, technology providers, and supply-chain operators. This shift aligns with Kuwait’s broader objective of building institutional systems capable of supporting the next generation of economic and social reforms. At its core, the new regime establishes an integrated governance model, anchored in the Ministry of Health but coordinated with the Ministry of Interior, Customs, laboratories, treatment centers, and cross-border regulatory bodies. The forthcoming Executive Regulation is expected to unify these operational requirements through a detailed rulebook governing licensing, storage, electronic tracking, treatment protocols, and surveillance mechanisms. Institutional Architecture: Ministry of Health at the Center of a Cross-Sector Control Ecosystem The law repositions the Ministry of Health as the national authority responsible for the scientific, medical, regulatory, and oversight pillars of the framework. Under the law, the Ministry licenses all entities dealing with narcotic drugs, psychotropics, and chemical precursors; establishes central registers, quota systems, batch-tracking controls, and electronic monitoring platforms; and governs prescribing, dispensing, storage, destruction, and transport through detailed procedures to be formalized in the Executive Regulation. It further oversees rehabilitation and treatment centers, medical committees, and post-treatment monitoring systems. The Ministry of Interior plays a parallel enforcement role, particularly with respect to smuggling, trafficking networks, digital crime, and controlled deliveries, while Customs controls cross-border flows of substances and precursors. This alignment reflects a shift toward integrated compliance governance, where medical, enforcement, and data-governance mandates intersect. The structure is designed to create a controlled, traceable ecosystem capable of preventing diversion, ensuring public safety, and supporting evidence-based health interventions. From Policy to Implementation: Licensing, Electronic Tracking, and Supply-Chain Controls The law introduces a comprehensive licensing and control system applicable to hospitals, pharmacies, manufacturers, warehouses, research institutions, veterinary facilities, and transport operators. Its core pillars include electronic tracking systems covering import, storage, dispensing, return, and destruction of controlled substances; batch-tracking and serialization requirements for manufacturers and warehouses; supply-chain controls over qualified transport vehicles, secure containers, GPS-enabled routes, and mandatory reporting of delays or discrepancies; real-time, Ministry-linked electronic prescriptions to eliminate fraudulent or unauthorized dispensing; and inspection rights allowing regulators to access premises, records, samples, and audit trails. These measures mirror international best practices and reflect a deliberate move toward digital compliance, reducing diversion risk and strengthening Kuwait’s pharmaceutical and clinical governance environment. “For both healthcare providers and manufacturers, compliance will ultimately be expressed contractually. Agreements with vendors, logistics operators, and software providers must embed traceability tools, inspection cooperation, serialization obligations, and incident-reporting workflows aligned with regulatory expectations.” Treatment, Rehabilitation, and Medical Oversight: A Modern Public-Health Approach A core innovation in the law is the establishment of a medical-based model for addiction treatment. Under the articles, a specialized medical committee evaluates addiction cases and determines individualized treatment plans. Treatment may be voluntary or court-ordered, with strict confidentiality requirements; commitment periods count toward sentencing for eligible offenses; and release decisions are based on medical, not punitive, criteria. Rehabilitation programs involve coordinated social, psychological, and vocational support, anchored in clinical best practices. The law positions addiction as a medical condition, integrating treatment, rehabilitation, and post-care monitoring into the national health system. This public-health approach reduces stigma while strengthening institutional capacity to manage long-term addiction cycles and reintegration outcomes. Data Governance and Surveillance: A Controlled and Traceable Information System The law establishes sophisticated data-governance requirements comparable to those applied in Kuwait’s cyber and cloud sectors. It mandates centralized electronic databases covering licenses, imports, exports, prescriptions, dispensing records, inventories, and destruction logs; confidential medical records with limited access pathways for judicial and medical authorities; mandatory reporting of irregularities, losses, discrepancies, and adverse reactions; and digital integration between ministries, laboratories, customs authorities, and enforcement bodies. These systems create a unified surveillance environment in which every dose of controlled substance is traceable, and every treatment event is securely recorded. Enforcement and Regulatory Expectations: High Penalties, Clear Duties The law separates (i) criminal offenses (such as trafficking, manufacturing, distribution, and smuggling) from (ii) regulatory breaches by licensed or registrable entities. Criminal offenses carry severe custodial penalties up to life imprisonment when aggravating factors are present. Aggravating factors that can elevate penalties to the death penalty include exploiting or involving a minor or a person lacking capacity, abusing an official position, or acting on behalf of a criminal organization. Regulatory and administrative sanctions apply to non-compliance with licensing, storage, dispensing, transport, record-keeping, or destruction obligations by regulated entities. Authorities may order immediate confiscation of substances, equipment, vehicles, and proceeds; close facilities; suspend or revoke licenses; impose doubled fines and activity suspensions on legal persons; and, for non-Kuwaiti offenders convicted of relevant crimes, deportation. Inspectors are empowered to enter, search, and inspect premises; review and copy records; require destruction of stock; and mandate compliance remediation. “Supervisory expectations are rising. Entities that maintain documented standard operating procedures, conduct periodic control assessments, and implement compliance monitoring programs will face fewer corrective measures following inspection. Contracting and Operational Implications for Healthcare and Industry The new framework requires that operational relationships reflect regulatory controls through clear contractual alignment. Priority themes include inventory-management and serialization obligations; secure transport requirements tied to permit conditions; joint inspection and cooperation clauses; record-keeping commitments aligned to retention mandates; data-sharing and confidentiality frameworks that comply with health-records protection rules; and incident-reporting workflows consistent with statutory timelines. For pharmaceutical companies, hospitals, laboratories, and logistics operators, the completeness of these terms will increasingly determine regulatory resilience and audit readiness. A National Control Strategy: Future Trajectory The forthcoming Executive Regulation is expected to integrate technical storage standards; e-prescribing and e-tracking specifications; detailed licensing conditions; precursor-control requirements; laboratory and destruction protocols; and inter-agency coordination procedures. Once issued, these regulations will solidify Kuwait’s movement toward a more mature, compliance-driven public-health system to connect enforcement, treatment, and supply-chain governance within a unified national structure. Conclusion Law No. 159 of 2025 represents a generational modernization of Kuwait’s narcotics and psychotropics regime. Far beyond a criminal framework, it introduces a national compliance infrastructure spanning healthcare, supply chains, digital systems, treatment models, and cross-border coordination. As Kuwait moves from legislative reform to operational execution, entities that engage early, align their internal controls with the new regulatory requirements, and prepare for the forthcoming Executive Regulation will not only mitigate legal and operational risk but also contribute to a safer and more resilient public-health environment. Authors: Legal Director, Mohammed Al Awadhi, Senior Associate, May El Mahdy and Trainee Lawyer, Fahad Al Zouman    

Kuwait is taking a major step toward strengthening the integrity of its financial system with the announced establishment of a specialized Public Prosecution for Banking Affairs, which is expected to commence operations in 2026. The proposal, announced by the Public Prosecutor, shows Kuwait’s ongoing efforts to strengthen protection of the banking sector and respond to the rapid growth of financial crimes driven by digital transformation. The newly established prosecution will function as a specialized body dedicated to investigating and prosecuting banking related crimes. Its duty will cover a range of financial offenses, with particular focus on electronic fraud, forgery, and the issuance of cheques without sufficient funds. These offenses have become increasingly common alongside the growth of electronic banking and digital payment systems, the fact that makes specialized oversight and enforcement a regulatory necessity. The Public Prosecutor emphasized that accelerating financial developments have created an urgent need for an advanced institutional response capable of safeguarding confidence in banking transactions. The new prosecution is expected to contribute to this objective by strengthening enforcement mechanisms and improving the efficiency of legal procedures related to banking crimes. This development represents a shift toward more specialized prosecution functions within Kuwait’s criminal justice system. Selection of Prosecutors assigned to the Banking Affairs Prosecution will be based on objective criteria, including professional experience and technical competence. The goal is to establish a highly capable prosecuting framework equipped to address the nature of financial crimes with its continuous evolving in both scale and complexity. For the first time, the new prosecution will also assume responsibility for preparing analytical studies and periodic reports aimed at monitoring patterns and methods of banking related crimes. These reports are expected to support proactive crime prevention strategies and position the prosecution as a key reference for data and analysis in this field. In parallel, the prosecution will play a vital role in public legal awareness. Where necessary, it will launch legal awareness programs targeting institutions and individuals to enhance understanding of digital crime. Overall, the establishment of the Public Prosecution for Banking Affairs represents an important milestone in reinforcing Kuwait’s financial security framework through enhancing oversight, improving enforcement capabilities, and promoting preventive awareness. This initiative supports economic stability and contributes to a safer and more resilient financial environment to individuals and the national economy. Authors: Ashraf Hendi, Partner and Ahmed Al Buaijan, Trainee Lawyer

Kuwait has developed a structured and proportionate pathway for small and medium-sized enterprises “SMEs” to access public capital through the Emerging Companies Market “ECM” at the Kuwait Stock Exchange “KSE”. Established as a dedicated listing segment under the Capital Markets Authority’s “CMA” market-segmentation framework, the ECM balances reduced entry thresholds with clear governance, disclosure, and investor-protection standards. Designed for growth-stage companies, the ECM provides a regulated route to equity financing while avoiding the full complexity of the main market. Its architecture reflects Kuwait’s broader policy objective of strengthening capital-market depth, improving SME access to funding, and institutionalising governance across the private sector in line with international best practices. Although the ECM is primarily a capital-raising platform, its implications extend to corporate governance, valuation discipline, disclosure controls, shareholder structuring, and regulatory compliance. For SMEs seeking institutional credibility, diversified funding sources, and long-term scalability, ECM listing represents a strategic legal and commercial milestone. Market Architecture and Regulatory Authority The ECM operates within Kuwait’s statutory capital-markets framework, under which the KSE is authorized, subject to CMA approval, to segment the market and allocate securities to each segment based on published eligibility criteria. No company may list without a formal recommendation from the KSE and approval from the CMA following review of a complete application. Applications must be submitted using Exchange-prescribed forms and supported by documentation required under the Exchange Rulebook and the CMA Executive Bylaws. The CMA is required to decide on a complete application within thirty business days, providing applicants with procedural certainty. This gatekeeping structure ensures that ECM admission standards are enforceable, transparent, and aligned with broader market-integrity objectives. Admission Standards and Eligibility Thresholds While detailed ECM requirements are set out in the Exchange’s rules, the principal eligibility thresholds reflect SME operating realities. Issuers must demonstrate a minimum total fair market value of issued share capital of at least KWD 750,000; a free float of at least 20% of the company’s share capital; and a minimum of 20 shareholders, each holding shares valued at KWD 5,000 or more, except where the company is incorporated as a public joint stock company. The company must demonstrate continuity of activity for the last two financial years in one or more of the main purposes stated in its Articles of Association, with the majority of its revenues generated from those activities. It must also have audited financial statements approved by the General Assembly for the two financial years preceding the listing application. The issuer must be a shareholding company with freely transferable shares, subject only to limited statutory or contractual restrictions. Companies may list newly issued shares, existing shares, or a combination of both, provided that the applicable ECM requirements and CMA approvals are satisfied. Valuation, Offering Structure, and Prospectus Discipline Where ECM admission involves a public or private offering, Kuwait’s dealing-in-securities regime applies. This includes mandatory CMA approval of the prospectus, which must disclose business risks, financial history, governance structures, management details, related-party transactions, and use of proceeds. Where share premiums or fair value are relevant, a valuation report must be prepared by a CMA-licensed investment advisor or asset valuator, setting out the methodology and basis of valuation. In public offerings, allocation safeguards apply, including subscriber withdrawal rights where free-float or shareholder-dispersion thresholds are not met upon allocation. These mechanisms embed pricing discipline and investor confidence into ECM transactions and support orderly capital formation. Governance and Disclosure Obligations Post-Listing ECM issuers are listed companies and are therefore subject to ongoing governance and disclosure obligations. These include compliance with general assembly procedures covering advance notice, agenda disclosure, authenticated minutes, and shareholder participation; transparent board-nomination and election processes with advance disclosure of candidates and their executive or independent status; and the implementation of core governance controls, including board oversight of executive management, an Audit Committee reporting to the board, a risk-management framework, and the appointment of a Compliance Officer or outsourced equivalent. ECM issuers must also comply with periodic financial-reporting obligations, including the publication of annual and semi-annual financial statements audited by CMA-registered auditors, subject to rotation and notification requirements. Failure to meet reporting or governance obligations may trigger trading suspension, disciplinary action against the board, or, where deficiencies persist, delisting. Addressing Structural SME Challenges Through ECM Listing The ECM is designed to address recurring structural challenges faced by SMEs. From a financing perspective, it provides a regulated platform for equity fundraising and access to future capital-market instruments, reducing reliance on bilateral bank financing. From a human-capital perspective, ECM-listed companies are better positioned to implement employee equity and incentive plans within a defined legal and disclosure framework. From an operational standpoint, mandatory reporting cycles, audit oversight, and disclosure controls drive stronger internal controls, financial discipline, and risk management. Institutionally, baseline governance and transparency standards enhance credibility and engagement with investors, lenders, and strategic counterparties. Role of Licensed Market Participants ECM listings rely on coordinated input from licensed market participants. A Listing Advisor, licensed by the CMA to carry out investment-advisory activities for listing purposes, guides the issuer through eligibility assessment, documentation, governance uplift, and regulatory interfaces. Where valuation is required, a CMA-licensed investment advisor or asset valuator provides the valuation report supporting fair value or share premium. Issuers must appoint CMA-registered auditors to anchor financial reporting, and, where offerings are involved, subscription agents and underwriters may be engaged to manage allocation and book-building mechanics. The KSE manages the application intake and recommendation process, while the CMA exercises approval, supervision, and enforcement authority. Practical Legal Workstreams for ECM Readiness From a practical legal perspective, ECM readiness typically involves a structured work plan covering eligibility and free-float gap analysis; review of shareholder agreements and transfer restrictions; governance and committee structuring; coordination of prospectus and valuation documentation; capital-increase approvals and management of pre-emptive rights; audit readiness and IFRS alignment; and establishment of a post-listing compliance calendar covering reporting, disclosures, and general assemblies. Early legal and governance structuring significantly reduces execution risk and regulatory friction during the listing process. Conclusion The Emerging Companies Market represents a calibrated and credible entry point into Kuwait’s capital markets for SMEs with sustainable growth ambitions. By combining proportionate admission standards with enforceable governance and disclosure obligations, the ECM offers a legally robust platform for capital formation, valuation transparency, and institutional credibility. For companies considering ECM admission, early engagement with a Listing Advisor, disciplined governance preparation, and structured legal readiness are essential to achieving a smooth listing and sustaining long-term compliance as a public company. Authors: Mohammed Al Awadhi, Legal Director and Fahad Al Zouman, Trainee Lawyer

Kuwait has taken a significant leap toward modernizing its notarization system with the issuance of Decree Law No. 147 of 2025, which amends provisions of Law No. 10 of 2020 on notarization. The new law unveils structural reforms that impact how a power of attorney (POA) is granted, renewed, and authenticated in Kuwait. This legislative update doesn’t just strengthen but also shifts the country to align with global best practices in documentation and E-governance. The reform aims to reduce miss use of indefinite authorizations while ensuring periodic verification of representation rights and accelerating Kuwait’s transition toward digital legal services. The Key Changes Include A five-year limit on the validity of all new Powers of Attorney. The automatic expiration of pre-existing POAs within two years. The formal recognition of electronic signatures as legally binding and enforceable. The Decree applies to the following All new Power of attorneys Existing notarized powers executed before the decree’s issuance, which remain valid for only two years from the date the law takes effect. Electronic notarization systems approved by the Ministry of Justice and related government entities. After the expiry of the transitional two-year period, any old power of attorney not renewed in accordance with the new law will automatically lose validity. Key Legal additions under Article 2 of the Decree Article 2 of Decree Law No 147 of 2025 adds two new articles to Law 10 of 2020 which are Article 5 bis and Article 9 bis which represent the foundation of the reform. Article 5 bis states that “Except for commercial agencies and any agencies exempted by decision of the Minister of Justice, a power of attorney shall be valid for five (5) years unless a shorter term is agreed or the agency terminates for another reason. The notarization shall specify the expiry date. The expiration of the notarization period shall not affect the validity of the agency between the parties”. This addition is designated to prevent endless delegation of authority and ensure that representation rights are periodically renewed reducing outdated authorizations. While Article 9 states that “The concerned parties or their representatives may appear before the notary in person, through the accredited electronic system, or by visual connection using modern or electronic means. The implementing regulation shall prescribe the procedures for each case, determine when personal attendance is required or remote appearance permitted, and regulate the manner of recording and evidencing such notarizations in the official registers and all other related provisions”. This addition established legal infrastructure for full digital notarization, in line with Kuwait’s shift toward online government services and paperless documentation. Why legal practitioners should take note The reform closes loopholes created by issuing lifetime power of attorney. Clients can now sign and validate documents remotely through secure electronic systems. Lawyers and companies must review and renew all existing power of attorney before the two-year deadline. Firms that adapt early can guide clients through renewals, reducing risk exposure and maintaining validity of representation. Conclusion The introduction of Decree law No.147 of 2025 marks a pivotal moment in Kuwait’s notarization framework. By limiting the duration of Powers of Attorney, mandating renewal and embracing electronic and remote notarization, the law stabilizes legal certainty with technological progress. These amendments especially the additions to article 2 promote accountability and prevent misuse of indefinite authorizations and modernize how legal documents are executed and authenticated. Critically, these reforms are set to significantly streamline national projects across Kuwait by fostering greater efficiency and transparency in legal processes. This digital transformation directly supports the ambitious objectives of Kuwait Vision 2035, positioning the country as a leader in digital legal services and contributing to sustainable economic development. For practitioners the reform presents an opportunity to lead clients into an era of digital security and transparent documentation aligning with the nation’s strategic future. Authors: Asad Ahmad, Legal director and Ahmed Al Buaijan, Trainee Lawyer

The State of Kuwait has enacted Decree-Law No. 148 of 2025, introducing substantial amendments to Law No. 20 of 2014 on Electronic Transactions (the Electronic Transactions Law). The reform broadens the Law’s scope and reinforces the legal recognition of electronic records, documents, signatures, and transactions across civil, commercial, administrative, and personal-status matters. It forms part of Kuwait’s wider digital-governance initiative aimed at enhancing service efficiency and reducing reliance on paper-based procedures. Under the amended framework, electronic instruments now have the same legal and evidentiary effect as their paper equivalents, provided they meet the procedural and technical requirements prescribed by law. The amendment further confirms that electronic contracts, communications, and registers are legally valid and enforceable, removing uncertainty regarding the reliability of digital documentation before courts and administrative bodies. Procedural and Technical Requirements Pursuant to Article (9) of the amended Law, an electronic document or record shall have legal effect if all of the following conditions are satisfied: It is preserved in the form in which it was created, sent, or received, or in a manner that reliably proves the accuracy of its data at the time of creation, sending, or receipt; Its contents are capable of being stored and retrieved at any time; It identifies the creator or sender and specifies the date and time of creation, sending, or receipt; and It is saved in an electronic format pursuant to the conditions and rules established by the competent supervisory authority. Similarly, Article (19) provides that an electronic signature shall be deemed a protected electronic signature if it fulfills the following requirements: The signatory can be clearly identified; The signature is uniquely linked to the signatory; The signature is created using a secure signature tool under the exclusive control of the signatory at the time of signing; and Any alteration to the data associated with the signature or its link to the signatory can be detected. The Executive regulations will further specify the detailed technical controls and standards governing these conditions. Practical Implications In practice, these reforms enable public authorities, financial institutions, and private entities to: Execute and store contracts, notices, and records entirely through electronic means; Transition toward fully digital filing and registration systems; Shorten processing timelines and reduce administrative costs; and Rely on electronic registers established by competent authorities as valid proof of rights and obligations. Compliance Considerations In light of Decree-Law No. 148 of 2025, companies should promptly align their internal practices with the new amendments. Key preparatory steps include: 1. Adopt Secure and Verifiable E-Signature Tools Ensure all e-signature systems satisfy the criteria under Article (19), including signatory identification, exclusive linkage to the signer, control at the time of signing, and tamper-detection capabilities. 2.Implement Reliable Electronic Archiving Systems Establish compliant electronic record-keeping aligned with Article (9), ensuring data accuracy, retrievability, and traceability through standardized metadata, timestamps, and system logs. 3.Update Internal Policies and Templates Revise corporate policies, document templates, and approval workflows to formally recognize the legal validity of electronic records and signatures. Decree-Law No. 148 of 2025 was published in the Official Gazette on 23 October 2025 and entered into force on the date of publication. This measure represents a significant milestone in Kuwait’s legal modernization and its continued shift toward a comprehensive digital transformation of public and private sector processes. Authors: Asad Ahmad, Legal Director and Fahad Al Zouman, Trainee Lawyer

This year, Kuwait’s merger control regime has been reshaped by legislative reforms and constitutional challenges. The framework now requires close attention to the scope of notifiable transactions, the financial thresholds that trigger a filing obligation, and the exemptions designed to exclude routine restructurings. Parties must also navigate detailed notification requirements, supporting documentation, filing fees, and a multi-stage review before the Kuwait Competition Protection Agency (“CPA”). Recent constitutional rulings—most notably the 2025 decision striking down the CPA’s power to impose revenue-based fines—have added a new dimension to enforcement and signal further reform on the horizon. Merger control in Kuwait is governed by Law No. 72 of 2020 on the Protection of Competition and its Implementing Regulations, issued under Resolution No. 14 of 2021 and amended by Decree No. 25 of 2022. Together, they establish the CPA, prohibit anti-competitive practices, and set out merger control obligations, review procedures, and exemptions. This overview walks through the scope of notifiable transactions, the financial thresholds that trigger notification, and carve-outs for routine restructurings, before outlining the notification process, documentation, and filing fees. We then explain the CPA’s multi-stage review and monitoring practices and concludes with constitutional developments—particularly the ruling that limited the CPA’s power to impose revenue-based fines—and their implications for enforcement and legislative reform. A merger control filing with the CPA is required when a transaction (i) qualifies as an economic concentration. Under the Competition Law, an economic concentration includes mergers, acquisitions of control, and joint ventures that create an autonomous economic entity. In the event a transaction is considered an economic concentration, then the financial thresholds must be analysed. The obligation to notify the CPA is triggered when certain financial thresholds are met, based on the audited financial statements of the preceding fiscal year. Specifically, notification is required if any of the following financial thresholds are met (“Financial Thresholds”): One party to the concentration generates revenues in Kuwait exceeding KWD 500,000; The aggregate revenues of all parties exceed KWD 750,000; OR The registered assets of the parties in Kuwait exceed KWD 2.5 million. The Competition Law provides several exemptions to ensure that routine transactions are not unnecessarily subjected to merger control filings. These exemptions include acquisitions by banks, insurance companies, and financial institutions engaged in securities trading, provided they do not exercise substantive voting rights and dispose of the securities within one year of acquisition. The disposal period may be extended by the CPA upon a justified request demonstrating that disposal was not reasonably practicable within the one-year period. Exemptions also apply to acquisitions arising from insolvency, defaults, debt restructuring, or settlements with creditors are excluded, as are intra-group restructurings within the same economic group. These carve-outs reflect the legislature’s intent to capture only those transactions that materially affect market structure and competition in Kuwait. Parties must notify the CPA within 60 days of signing the transaction agreement or related contract. However, in practice, the CPA does not strictly enforce this 60-day requirement. A binding agreement is not strictly required before notification; it is sufficient for parties to file based on a letter of intent, memorandum of understanding, or a good faith intention to reach an agreement. The merger control notification must include detailed corporate documents, financial statements, transaction agreements, market share data, competitor information, and an economic report addressing the potential effects on competition in the relevant market. The filing fee is 0.1% of the combined paid-up capital or Kuwaiti assets of the parties, whichever is less, capped at KWD 100,000, with a minimum charge above zero. The review process before the CPA involves several steps. Once a filing is submitted, the CPA chairman has five days to refer the application to the executive director for review. The executive director then conducts a substantive examination of the transaction, which must be completed within 90 days. This period may be extended if additional information is required or if third-party objections are raised. After the executive director’s assessment, the matter is referred to the CPA’s board of directors, which must issue a decision within 30 days on whether to approve, conditionally approve, or reject the transaction. The parties must be formally notified of the board’s decision within 15 days, ensuring transparency and closure of the review process. In practice, clearance typically takes around 45–60 calendar days from the time a complete application is submitted, though delays are common if filings are incomplete or contested. Importantly, transactions cannot be implemented before clearance; violations can result in fines or orders to unwind the transaction. These include fines of up to 10% of total revenues for failing to notify an economic concentration or for submitting misleading or incorrect filings, and the same ceiling for anti-competitive agreements or abuse of dominance. Lesser violations—such as obstructing CPA investigations, failing to comply with obligations after notice, or providing misleading information—carry fines of up to 1% of revenues from the previous fiscal year. In parallel with these sanctioning powers, the CPA has a designated department tasked with reviewing transactions published on social media platforms to ensure that any notifiable transactions, which have not submitted a merger control filing, are investigated and then referred to the CPA disciplinary board. The CPA has sent investigatory letters to both local and foreign parties requesting information and details surrounding published transactions they are involved in. GLA has played a key role in moulding the Kuwait merger control landscape. In February 2025, GLA successfully represented a client facing significant CPA sanctions.  In a landmark ruling by the Kuwaiti Constitutional Court, which significantly altered the CPA enforcement capabilities. The Court declared Paragraph (1) of Article 34 of Law No. 72 of 2020 unconstitutional. This provision had empowered the CPA’s disciplinary board to impose financial penalties of up to 10% of a party’s total revenues for violations of Articles 5–8 (anti-competitive agreements and abuse of dominance). The challenge, successfully argued by GLA & Company Senior Partner, Nader Al Awadhi, on behalf of the Union of Cooperative Societies, was based on constitutional principles, including: Violation of due process and judicial oversight (penalties were imposed administratively, not judicially); Lack of proportionality between penalties and violations; and Encroachment on protections of private ownership and personal liberty. The ruling curtails the CPA’s ability to impose revenue-based fines and raises questions about the validity of past sanctions. Going forward, merger control enforcement will likely need to rely on judicially supervised remedies or amended legislative provisions consistent with constitutional safeguards. Further, by establishing constitutional precedent, the ruling has already influenced subsequent cases, including one that struck down the 1% fine for non-compliance as unconstitutional, and has intensified calls for legislative reform. As a result, draft amendments to the Competition Law have been introduced and are currently awaiting approval. .Kuwait’s merger control regime features relatively low financial thresholds that capture both domestic and cross-border transactions. Parties must prepare comprehensive filings and anticipate a few rounds of queries within the review period. However, the Constitutional Court’s ruling striking down the CPA’s power to impose steep turnover-based fines introduces a new layer of legal complexity. Companies engaging in mergers and acquisitions in Kuwait should closely monitor forthcoming legislative or regulatory adjustments as the state reconciles the Competition Law framework with constitutional requirements. Authors: Asad Ahmad, Head of Anti-Trust & Competition and Fahad Al Zouman, Trainee Lawyer.

In line with Kuwait’s vision to develop its real estate investment environment and regulate non-Kuwaiti participation in this vital sector, Decree No. 195 of 2025 (the “Decree”) was issued to strike a balance between attracting foreign investment while safeguarding the exclusivity of private housing for Kuwaiti nationals and maintaining consistency with the existing legal framework governing non-Kuwaiti ownership. The Decree, while operates alongside Decree No. 74 of 1979 on non-Kuwaiti ownership of real estate, sets out the following provisions: Eligibility and Conditions For Real Estate Ownership (Article 1): In compliance with Decree-Law No. 74 of 1979 on Non-Kuwaiti Real Estate Ownership, companies with non-Kuwaiti partners and which are listed on licensed stock exchanges in Kuwait, as well as real estate funds and investment portfolios licensed by the competent Kuwaiti authorities, may own real estate, subject to the following conditions: One of the activities of such companies, real estate funds, or investment portfolios must include dealing in real estate. The Decree imposes a categorical prohibition on owning or dealing of real estate, plots, or lands designated for private housing purposes regardless of location or project. Exceptions and Equal Treatment (Article 2) The provisions of this Decree expressly preserve two key points: The right of entities under the supervision of the Central Bank of Kuwait or the supervision of other regulatory bodies to own real estate in accordance with the law. The treatment of nationals of the Gulf Cooperation Council (GCC) member states shall be treated the same as Kuwaiti citizens with respect to the ownership of land and constructed properties in Kuwait, in accordance with the law. Implementation and Entry into Force (Article 3): Ministers, each within their respective jurisdictions, shall implement this Decree, which shall take effect upon its publication in the Official Gazette. Market participants should, therefore, align internal policies, funds documentation, and transaction screening protocols to ensure compliance with the Decree from the date of publication. As outlined above, Decree No. 195 of 2025 aims to preserve the exclusivity of residential housing for citizens and prevent practices that could disrupt the national real estate market, while clearly ring-fencing the private housing segment for citizens and preserving supervisory and GCC equal-treatment frameworks. In parallel, it promotes sustainable investment within the real estate sector, while remaining consistent with existing laws governing the ownership of property by non-Kuwaitis.. The result is a more defined pathway for non-Kuwaiti capital that aligns with Kuwait’s policy objectives and market stability. Authors: May El Mahdy, Senior Associate and Maha Abdullah, Trainee Lawyer

Kuwait is positioning itself as a leading regional jurisdiction in integrating artificial intelligence and cloud into the digital economy.   Government‑backed collaborations with Microsoft and Google have been announced to advance AI‑enabled cloud capabilities and deploy productivity solutions across public agencies, Supported by Vision 2035 and potential participation by Kuwait’s sovereign ecosystem in global digital infrastructure initiatives, these developments signal a material step toward embedding AI across the nation. This transformation, however, is not being driven by technology alone. Kuwait’s expanding digital ecosystem is developing within a sophisticated legal and institutional framework that governs data protection, cloud computing, and cybersecurity.  For AI vendors and cloud service providers, understanding this framework is essential not only as a matter of compliance but as a prerequisite for market participation.  These institutional foundations are evolving toward a more coordinated governance model under Kuwait’s forthcoming National AI Strategy, which is expected to align the roles of existing regulators and establish a unified national framework for AI oversight and data governance. Institutional architecture: CAIT, CITRA, and the National Cybersecurity Center At the core of this structure stand three institutions that define Kuwait’s digital governance model.  The Central Agency for Information Technology, known as “CAIT,” leads governmental digital transformation and supports the development of national cloud infrastructure and AI adoption across public entities.  Working alongside CAIT is the Communications and Information Technology Regulatory Authority, or “CITRA,” established under Law No. 37 of 2014 to regulate the telecommunications and information technology sectors, license operators, and oversee privacy and cloud compliance through instruments including the Data Privacy Protection Regulation and the Cloud Computing Regulatory Framework.  Complementing both agencies is the National Cybersecurity Center, created by Decision No. 37 of 2022, which serves as Kuwait’s authority for cybersecurity and data‑classification oversight and sets parameters for cross‑border processing of sensitive information. “Taken together, these bodies form a layered governance model.  CITRA’s licensing and cloud rules establish the baseline for service provision and customer protections, while the National Cybersecurity Center’s classification and cross‑border controls determine where sensitive workloads may reside. CAIT’s digital transformation mandate then operationalizes these standards across the public sector, ensuring that modernization initiatives are designed around compliance from inception rather than retrofitted post‑deployment. ” Programs and partnerships: from policy to implementation Recent initiatives demonstrate how these institutions coordinate to align technological development with regulatory oversight. In cooperation with Microsoft, CAIT and CITRA have announced and begun implementing a national program that includes the planned establishment of  AI‑enabled data center capabilities, an integrated AI system, a center for cloud auditing, and a facility dedicated to advancing the digital infrastructure within the public sector.  CAIT oversees execution across government entities, while CITRA ensures that the deployment of cloud and AI environments remains consistent with Kuwait’s data‑governance, cybersecurity, and localization requirements. The initiative includes large‑scale training programs in cybersecurity and artificial intelligence, embedding compliance and institutional capability within the government’s transformation framework. “For both vendors and government entities, successful execution hinges on translating these high‑level initiatives into contractually enforceable obligations.  Agreements should embed data residency commitments tied to approved classifications, encryption and key management aligned to supervisory expectations, audit and inspection cooperation mechanisms, and incident workflows that meet statutory notification thresholds.  This contractual scaffolding is how Kuwait’s compliance requirements are made real in day‑to‑day operations.” Data governance pillars: privacy, localization, and cloud compliance CITRA’s regulatory reach extends beyond traditional telecommunications providers to include any entity offering communications or IT services in Kuwait, including cloud platforms, application developers, and AI‑based service providers that process user data.  The Cloud Computing Regulatory Framework requires providers to obtain authorization before operating, comply with technical and security standards, and commit to service‑level and continuity obligations through transparent contractual terms.  It also sets clear rules on data transfers, encryption, and customer exit rights to ensure that information remains protected throughout the term of a service. Meanwhile, the Cybersecurity Center requires organizations handling electronic information to implement internal data classification processes that it reviews and approves, and to obtain authorization before storing or processing sensitive information outside Kuwait.  Together, these requirements  create a comprehensive data‑governance system, ensuring that information flows remain traceable, accountable, and primarily local. The Data Privacy Protection Regulation sets out the main principles governing data processing in Kuwait.  Processing activities must rely on a lawful basis such as consent, legal obligation, or necessity.  Service providers must publish privacy notices in both Arabic and English that clearly explain the purpose of collection, retention periods, and data transfer practices.  Additional protections apply to minors under eighteen, who require guardian consent, while users retain the right to access, correct, erase, or object to the processing of their data.  Marketing communications must include opt‑out mechanisms, and any third‑party or affiliate marketing requires prior consent from the data subject. Data localization requirements apply in defined contexts, including where instruments require classification, encryption, and approvals tied to sensitivity and sectoral scope; organizations should confirm whether obligations arise under statute, regulation, license conditions, or supervisory circulars.  Organizations must classify and encrypt data both in transit and at rest, and in certain cases must notify or obtain authorization from the competent authority before cross‑border transfers.  Sensitive data may only be processed outside Kuwait where the National Cybersecurity Center grants prior approval under applicable classification and cross‑border rules.  Under the Cloud Framework, providers must also maintain exit procedures and data deletion mechanisms to prevent vendor lock‑in and ensure the secure return or destruction of customer data upon termination. Beyond localization, the framework expects a program of security governance.  Entities may be required to or are expected to appoint a data protection officer, conduct regular audits and penetration tests, and maintain business continuity and disaster recovery plans as required or expected under the governing instrument.  Breach reporting is governed by defined timelines, with major incidents often notified within twenty‑four hours for major incidents and seventy‑two hours for other reportable breaches.  These timelines reflect Kuwait’s emphasis on prompt response and transparency in handling cyber incidents. “Organizations face a practical design choice: fully localize sensitive datasets, adopt hybrid architectures that segment workloads and apply strong pseudonymization techniques, or deploy sovereign models with customer‑managed keys. Each path carries different approval, audit, and continuity implications. Early engagement on data classification—paired with architecture diagrams and control evidence—can materially shorten authorization timelines and reduce rework.” Enforcement and supervisory expectations Enforcement under this framework is robust and signals the seriousness of Kuwait’s commitment to compliance.  CITRA retains wide supervisory powers, including the authority to order the blocking of networks,  require the removal of unlawful content, and enforce confidentiality obligations.  Non‑compliance can result in administrative fines reaching up to one million Kuwaiti dinars for each violation up to applicable statutory or regulatory caps.  In severe cases, authorities may suspend or cancel an operator’s or provider’s authorization and refer breaches involving unauthorized disclosure or interception of communications to criminal prosecution.  Entities may also be required to implement remedial measures following inspection or compensate affected users. CITRA’s supervisory toolkit, combining licensing leverage, inspection rights, and administrative penalties—creates concrete incentives for robust control environments.  Entities that maintain a tested incident response plan calibrated to 24/72‑hour reporting thresholds, document periodic control assessments (including penetration testing where required), and retain traceable audit artifacts typically encounter fewer remedial directives following inspection. Contracting and operational implications The strategic partnerships with Microsoft and Google illustrate how legal compliance now shapes every stage of Kuwait’s cloud and digital Cross‑border collaborations must reconcile innovation with the country’s strong commitment to data sovereignty.  Agreements increasingly address data controller and processor responsibilities, localization and encryption requirements, breach notification obligations aligned with statutory timelines, and provisions ensuring compliance with CITRA’s audit, inspection, and termination requirements. In practice, legal compliance has become a central component of contractual design rather than a post‑signing consideration. “For technology providers and regulated customers, key contractual provisions typically scrutinized in Kuwait include: (i) data residency and classification‑tied processing covenants; (ii) encryption standards and key‑management models (including customer‑managed keys where applicable); (iii) audit, inspection, and logging transparency; (iv) incident notification aligned to statutory thresholds; and (v) exit, portability, and secure deletion mechanics.  Well‑designed clauses should be accompanied by operational runbooks to ensure obligations are practicably deliverable at scale. ” National AI Strategy: trajectory and scope Kuwait’s broader digital economy stands at the intersection of rapid digitalization and rigorous legal oversight.  The country’s dual focus on innovation and accountability distinguishes it within the region and offers a model for the responsible integration of artificial intelligence within critical national infrastructure.  As the legal framework continues to mature, companies that engage early and align their internal processes with these requirements will not only mitigate risk but play a defining role in shaping the next phase of Kuwait’s digital economy. Kuwait’s forthcoming National AI Strategy is expected to provide a policy framework that complements these legal and regulatory developments.  The draft strategy proposes establishing a High‑Level Steering Committee, a cross‑sectoral body bringing together senior representatives from CAIT, CITRA, the National Cybersecurity Center, key ministries, academia, and private‑sector partners.  The committee’s objective is to coordinate national AI initiatives and ensure alignment between regulation, infrastructure, and innovation.  The strategy also proposes AI safety frameworks (including safety brakes for critical infrastructure) and a shared‑responsibility model that defines the respective roles of regulators and technology providers in safeguarding AI systems and data.  Aligned with Vision 2035, the strategy calls for strengthening Kuwait’s data and digital foundations through centralized repositories, standardized governance policies, and cybersecurity baselines, enabling responsible AI deployment across sectors such as healthcare, education, energy, and public safety. “Kuwait’s trajectory places it among the region’s more sovereignty‑forward jurisdictions, prioritizing local control, auditability, and public‑sector modernization. For market entrants, the decisive differentiator will be governance maturity: the ability to evidence compliance‑by‑design in architecture, contracts, and operations. Those that internalize this model will mitigate regulatory risk and gain a competitive edge in public‑sector and critical‑infrastructure procurement.” Conclusion Taken together, these measures signal that Kuwait’s data‑localization and cloud‑compliance regimes are part of a wider national effort to embed trust, accountability, and resilience at the core of its AI‑driven digital transformation.  As Kuwait advances from regulatory enforcement to strategic execution, its ability to align law, policy, and innovation will determine how effectively it leads the next wave of AI governance in the region. Authors: Asad Ahmad, Head of Anti-Trust & Competition Fahad Alzouman, Trainee Lawyer.