العربية

Anti-Cybercrime Law (Saudi Arabia)

Saudi Arabia's Anti-Cybercrime Law — digital offenses, penalties for blackmail and defamation, and how to report.

Cybercrime System Saudi Arabia

In this article

  1. What the Anti-Cyber Crime Law Covers
  2. The Statute — Royal Decree M/17
  3. The Five Core Offence Categories
  4. Article 6 — The Provision That Catches Most Cases
  5. Article 4 — Electronic Extortion in Detail
  6. Digital Evidence and Defences
  7. Cross-Border Jurisdiction
  8. Frequently Asked Questions
  9. When You Need Counsel

What the Anti-Cyber Crime Law Covers

The Anti-Cyber Crime Law is the most-invoked criminal statute in modern Saudi prosecution, applied in conjunction with the penal code and other criminal statutes whenever an offence uses digital means. Its drafting was deliberately broad, with provisions elastic enough to capture conduct the original drafters could not have specifically anticipated.

Cybercrime Saudi Arabia
Cybercrime Saudi Arabia

The result is that almost any traditional offence — defamation, extortion, threat, fraud, breach of privacy — receives a harder sentence when prosecuted under this statute. For ordinary social-media disputes that escalate into criminal complaints, this law is the framework under which the case lands.

The Statute — Royal Decree M/17

The Anti-Cyber Crime Law was issued by Royal Decree No. M/17, dated 8/3/1428H (corresponding to March 2007). It comprises 16 articles, with Articles 3 through 7 covering the substantive criminal categories and the remaining articles addressing procedural matters, search-and-seizure authority, and international cooperation.

Enforcement is led by the Public Prosecution's specialised cybercrime unit, working with the Communications and Information Technology Commission for platform-level evidence requests and the General Directorate of Investigations for technical analysis. The Saudi judiciary has built substantial precedent applying the statute since its enactment, and the precedent now significantly shapes how cases are charged.

The Five Core Offence Categories

The substantive offences sit in five articles, each with its own penalty range:

  • Article 3: unauthorised access to information systems and data interception — penalties up to one year and 500,000 SAR
  • Article 4: electronic extortion and threats — penalties up to one year and 500,000 SAR
  • Article 5: content "infringing public morals" and family-sanctity material — penalties up to five years and three million SAR
  • Article 6: content "prejudicing public order, religious values, public morals, or privacy" — penalties up to five years and three million SAR
  • Article 7: terrorist content and unauthorised access to government data — penalties up to ten years and five million SAR

Cases involving multiple articles stack: a defendant charged with both Article 4 extortion and Article 6 privacy breach faces concurrent or consecutive penalties at the court's discretion.

Article 6 — The Provision That Catches Most Cases

Article 6 is where most ordinary cybercrime cases land. Its text is intentionally elastic: "production, preparation, transmission, or storage of material prejudicing public order, religious values, public morals, or privacy" through an information network.

In practice this captures: sharing a video without consent of the people in it; posting screenshots of private conversations; recording calls without disclosure to all participants; distributing photos labelled offensive to public morals; and any social media post that a complainant can frame as a privacy breach. The "privacy" prong of Article 6 is now the most-used provision in Saudi criminal prosecutions.

The width is double-edged. It captures genuinely harmful conduct that would otherwise have no clear remedy. It also catches defendants whose conduct fell within ordinary social-media practice in other jurisdictions but ran afoul of Article 6's privacy and public-order standards. The defence in Article 6 cases typically focuses on whether the alleged content meets the elements rather than disputing that the content was posted.

Article 4 — Electronic Extortion in Detail

Electronic extortion follows a recognisable pattern in Saudi cases: a victim's intimate images or compromising messages are obtained (often from a former relationship, sometimes from a hacked device or romance scam), and the perpetrator demands money or further contact in exchange for non-publication.

Saudi law treats this with particular severity. The penalty escalates if: the victim is female or a minor; multiple victims are involved; or the material was actually published. Public prosecution treats these cases as priority files and frequently coordinates with international authorities when the perpetrator is outside the Kingdom. International perpetrators are increasingly being prosecuted through MLAT (Mutual Legal Assistance Treaty) channels.

The single most important action for victims is preserving evidence without engaging further with the extortionist — every additional message strengthens the prosecution's case while reducing the victim's leverage. The victim's identity is protected throughout the proceeding under the same confidentiality provisions that apply in harassment cases.

Digital Evidence and Defences

Cybercrime defences turn on technical evidence rarely understood by generalist criminal lawyers. Three foundations of defence:

Device forensics: was the alleged content actually generated from the defendant's device, or could it have been planted, spoofed, or generated from a hijacked account? File metadata, EXIF data, and chain-of-custody records all factor into this analysis.

Timeline analysis: do server logs match the prosecution's timeline, or are there gaps that suggest evidence tampering? Platform logs typically retain access patterns for defined retention periods that the defence can request through court order.

Account ownership: in shared-device households or shared business systems, can the prosecution prove the defendant personally operated the account at the moment of the alleged offence? Account compromise is a recognised defence but requires affirmative evidence — login logs, IP records, contemporaneous reports of compromise to the platform.

Cross-Border Jurisdiction

Saudi courts have asserted jurisdiction over content that reaches users within the Kingdom regardless of where the publisher was physically located when posting. This applies particularly to material involving Saudi citizens, Saudi institutions, or Saudi public order. The jurisdiction claim has been enforced through Interpol Red Notices, MLAT requests, and platform-level removal orders that international platforms now routinely comply with.

For Saudi residents posting content from outside the Kingdom — for example, while travelling — the question of when liability attaches is complex. Saudi courts have prosecuted content posted abroad where it was directed at Saudi audiences or reached Saudi viewers. Content with no Saudi nexus, posted by non-residents, is theoretically out of reach but increasingly within range through cooperation channels.

Frequently Asked Questions

Can I be prosecuted for content I posted while abroad? Yes — Saudi courts have asserted jurisdiction over content that reaches users within the Kingdom regardless of the publisher's physical location. This applies particularly to material involving Saudi citizens or institutions.

What if the account that posted the content was hacked? Account compromise is a recognised defence, but the burden of evidence sits with the accused. Platform login logs, IP records, and device forensics are needed to establish that the account was operated by someone other than the registered owner at the moment of the offence.

Is recording a phone call I'm a participant in legal? No — Saudi law requires disclosure to all participants before any audio recording, and the resulting recording is generally inadmissible against the other party. Sharing such a recording can itself be a separate cybercrime offence under Article 6.

How long do cybercrime cases typically take? Public prosecution stage: 30-90 days for non-complex matters. First-instance court: 60-180 days. Appeal: additional 90-120 days. Cases involving cross-border evidence or multiple defendants extend significantly.

When You Need Counsel

Any case involving extortion, leaked private images, accusations under Article 6, or a charge that combines cybercrime with another offence (harassment, fraud, defamation) is not generalist work. The technical evidence demands a lawyer who can read forensic reports and challenge them, who understands platform retention policies, and who has handled similar cases through to verdict.

For the criminal-defence view of cybercrime charges, see Cybercrime Penalties. For related extortion cases, which frequently combine Article 4 with traditional offences, see Extortion and Blackmail Penalties. For the harassment overlay that appears in many sextortion cases, see the Anti-Harassment Law explainer.

For statutory text: The Bureau of Experts at the Council of Ministers (laws.boe.gov.sa) publishes the Anti-Cyber Crime Law. The Communications and Information Technology Commission (citc.gov.sa) publishes implementing guidance.

Need Legal Help in Saudi Arabia?

Licensed Saudi lawyers available 24/7 — free initial consultation via WhatsApp.

WhatsApp Us — Free