Insights — Open Data Readiness in Saudi Government

Neon sign spelling ‘open’ in a circle, suggesting open government data — Photo: Finn Hackshaw / Unsplash — open data readiness at entity level drives practical reuse beyond the central open data portal alone.

Published April 2026

Five findings that frame Saudi’s Open Data Landscape

01
The ODRL index: the Open Data Readiness Level is a seven-point entity-level scale—from absent to optimising—scored from publicly verifiable signals on each organisation’s open data page; this article applies it across 38 KSA ministries and authorities to complement platform-level measures such as ODIN.
02
Governance versus practice: KSA ranks in the global top third on ODIN (73 of 100) with a mature national platform. Eighteen entities publish only standalone policy pages without verifiable dataset counts, explicit format lists, or a named licence.
03
Open Data Readiness Level (ODRL) bottleneck: increasing Open Data Readiness requires disclosure (counts, formats, licences) rather than engineering.
04
Clustered: the Open Data Platform at data.gov.sa—the public-facing part of the National Data Bank (NDB) ecosystem—has the highest readiness level; the bulk of entities show limited application programming interface (API) evidence.
05
Regulation aligns: classification under the National Cybersecurity Authority (NCA) Data Cybersecurity Controls (DCC; e.g. DCC-1:2022), Personal Data Protection Law (PDPL) safeguards, and Saudi Authority for Data and Artificial Intelligence (SDAIA) open-data standards are sequential.

Opening

Open government data is increasingly measured, not just mandated. National platforms, dataset counts, and licence frameworks are necessary conditions, but they do not, on their own, tell you whether the data ecosystem is working. The question that matters is whether individual government entities, the ministries, authorities, and commissions that hold the data, are actually publishing it in a form that others can find, download, and use.

Saudi Arabia presents a particularly clear case study in that distinction. The Open Data Platform at data.gov.sa hosts more than 11,000 datasets across 289 publishing organisations. That site is the only publicly facing component of the National Data Bank (NDB)—an ecosystem of integrated national data platforms, not a single national database or dataset. The dedicated data and AI authority, SDAIA, issued a formal Open Data Strategy in 2022 and an Interim Regulation that imposed an open-by-default obligation on all public entities. The Kingdom’s 2024 score on ODIN reached 73 out of 100, placing it in the top third of the global index. By any platform-level measure, the architecture is substantial.

Yet when a consistent, entity-level readiness framework is applied to KSA’s 24 ministries and 14 major independent authorities and platforms, a different picture emerges. Nine ministries have no public open data page at all. Eighteen entities sit at ODRL 3: a policy-grade page with no verifiable dataset count, no explicit format list, and no named licence. Demonstrated API access, fully managed catalogues, and third-party reuse evidence remain concentrated in the national open data portal (data.gov.sa) and the narrow ODRL 6–7 tail, not across the wider ministry and authority envelope. The central portal and the bulk of publishers are not yet moving at the same pace.

The architecture: a platform built faster than its publishers

Saudi Arabia’s open data institutional architecture is genuinely unusual. SDAIA holds the data governance mandate, the open data strategy mandate, the AI regulation mandate, and, through the National Data Management Office’s expanded remit following the National Cybersecurity Authority’s 2024 second-phase essential cybersecurity controls cycle, the data localisation mandate as well. The National Data Bank (NDB) should be read as an overarching ecosystem of integrated national data platforms—aimed at better national data quality, inter-agency sharing, and a data-driven economy—rather than as one website, one warehouse, or a single “bank” of datasets. It was established from August 2019 through SDAIA’s National Information Centre (NIC). Alongside government-facing parts of that ecosystem, the Open Data Platform at data.gov.sa is the sole public channel for publishing datasets to citizens and researchers; the figures above describe that portal’s catalogue. By 2026, that portal’s growth still compared well with the EU’s decade-long trajectory from 46% to 83% maturity. The Open Data Strategy, launched in February 2022, was accompanied by the SDAIA Open Data Interim Regulations (Feb 2022) that formally imposed an open-by-default obligation on all public entities.

Saudi Arabia’s 2024 ODIN score of 73 (coverage 66, openness 80) places it ahead of the developing world average and within reach of several EU member states. The higher openness than coverage score is a structural fingerprint visible in many rapidly developing open data systems: the licence framework and the platform are built before entity-level participation catches up. The EU shows the same pattern; even France and Poland, which score 100% overall, record their lowest dimension scores on impact and reuse rather than policy.

Why a new framework? Introducing the ODRL

Before mapping KSA’s open data landscape, it is worth being precise about what maturity means. The most widely used international instrument, the EU Open Data Maturity model, measures 34 countries across four national-level dimensions: policy, portal, quality, and impact. Australia’s Australian Public Service (APS) Data Maturity Assessment asks agencies to self-score across seven focus areas on a zero-to-five scale. Neither instrument was designed to produce a comparable, reproducible score for an individual government ministry or authority in a single country context.

The Open Data Readiness Level (ODRL) is a seven-point scale, explicitly modelled on the Technology Readiness Level (TRL) logic, designed to fill that gap. Like TRL, it moves from nothing at level one to fully operational and evidenced at level seven. Unlike TRL, its observable criteria are entirely derived from publicly verifiable signals on an entity’s own open data page, making it reproducible without self-reporting or access to internal systems. The framework synthesises three reference instruments: the Open Data Institute’s Open Data Maturity Model (Edition 2.0, 2025), SDAIA’s National Data Index (NADI), and the ODIN country profile criteria.

Details on the ODRL methodology

The framework tracks nine observable dimensions on an entity’s public open data presence: page existence; dataset count visibility; licence explicitness; format explicitness; update frequency visibility; application programming interface (API) presence (or equivalent bulk access); business intelligence (BI) tool availability; feedback mechanism; and national portal syndication. Those nine are not separate sub-scores. They are pass/fail checks that are bundled into an ordinal ladder: an entity is assigned a single ODRL level, and that level means “every requirement for this level and for all lower levels is satisfied.” One missing dimension caps the whole entity at the highest level where the chain is still complete.

The seven-row scale that follows is the concise statement of that bundle. Each row adds new expectations on top of the previous row; reading downward is reading how the nine dimensions are progressively switched on. Levels 1–2 are pre-publication (page and datasets effectively absent); level 3 establishes the page only, while deliberately not yet meeting the publication-detail dimensions; levels 4–5 add the core catalogue hygiene (datasets, formats, licence, updates, count, feedback); level 6 adds machine access, metadata discipline, request SLAs, and dataset-level syndication to the national portal; level 7 adds in-browser BI and the further evidencing items named in the row (reuse, NADI alignment, DCAT or schema.org, independent quality audit), which extend metadata, governance, and reuse visibility beyond the base catalogue checks.

Open Data Readiness Level (ODRL) scale (synthesises the nine dimensions)
ODRL	Label	Threshold criteria
1	Absent	No open data page, no datasets, no public reference to open data
2	Acknowledged	National open data policy referenced, but no dedicated page and no datasets
3	Page established	A dedicated page exists; publication principles are described; no dataset count, format list or explicit licence on the page
4	Initial publication	At least one visible dataset; some formats mentioned; licence referenced in general terms; update frequency stated for at least one dataset
5	Defined publication	Dataset count disclosed; all formats explicitly named; licence explicitly stated with terms; update schedule visible for all datasets; feedback mechanism active
6	Managed	All ODRL-5 criteria plus API or bulk download confirmed; dataset-level metadata standard applied; service-level agreement (SLA) stated for data requests; national portal syndication confirmed per dataset
7	Optimising	All ODRL-6 criteria plus in-browser BI tools; evidence of third-party reuse; NADI alignment documented; Data Catalog Vocabulary (DCAT) or schema.org metadata; independent data quality audit

Nine dimensions: where they first enter the ODRL ladder
Dimension	First ODRL where it is part of the threshold	How it shows up in the scale row
Page existence	3	Dedicated open data page (levels 1–2: no such page)
Dataset count visibility	5	Total dataset count disclosed on the page (ODRL 3 explicitly lacks this; ODRL 4 has datasets but not necessarily a full count)
Licence explicitness	4 (general) → 5 (explicit)	Licence referenced in general terms at 4; explicit terms linked at 5
Format explicitness	4 (partial) → 5 (full)	Some formats at 4; all formats named at 5
Update frequency visibility	4 (partial) → 5 (full)	Update frequency for at least one dataset at 4; for all datasets at 5
Feedback mechanism	5	Active channel for input on the page
API presence (or bulk download)	6	Confirmed API or bulk download, with dataset-level metadata standard and SLA for requests
National portal syndication	6	Each dataset syndicated to the national catalogue, not only a page-level link
BI tool availability	7	In-browser BI or equivalent exploration tools, plus the row’s reuse, NADI, DCAT/schema.org, and audit clauses

This ordinal design has an important implication for the KSA context: the gap between ODRL 3 and ODRL 5, where most entities currently sit, is not a technical gap. It is an administrative one. An entity can move from ODRL 3 to ODRL 5 without writing a single line of code, simply by publishing a dataset count, naming its formats, and linking to its licence text. The gap between ODRL 5 and ODRL 6 requires API investment and metadata standards. The gap between ODRL 6 and ODRL 7 requires governance maturity over time. Knowing which gap an entity faces determines what kind of intervention it needs.

The ODRL map: where 38 entities actually sit

Applying the ODRL framework to KSA’s 24 ministries and 14 major independent authorities and platforms (April 2026 baseline) produces a full ladder: all seven levels are populated when the data.gov.sa national open catalogue (the public Open Data Platform) is scored alongside individual publishers.

Open Data Readiness Level (ODRL) — KSA entities (Apr 2026)

Horizontal bars show entity count per ODRL tier; horizontal axis is number of entities (n=38).

Modelled on Technology Readiness Level (TRL) ordinal logic. Source: entity audit, April 2026 baseline.

KSA government & platform sample: entities per ODRL level (Apr 2026)
ODRL	Label	Entities (n)	Threshold summary
7	Optimising	1	ODRL-6 criteria plus in-browser BI, reuse evidence, NADI alignment, DCAT/schema.org metadata or equivalent, independent quality audit
6	Managed	1	ODRL-5 plus API or bulk download, dataset-level metadata standard, service-level agreement (SLA) for requests, national portal syndication per dataset
5	Defined publication	3	Dataset count disclosed; formats explicit; licence explicit; update schedule for all datasets; active feedback
4	Initial publication	5	At least one visible dataset; some formats; licence referenced in general terms; update frequency for at least one dataset
3	Page established	18	Dedicated page and principles; no dataset count, full format list, or explicit licence on the page
2	Acknowledged	1	National policy referenced; no dedicated page; no datasets
1	Absent	9	No open data page, datasets, or public reference identified

The dominant level is ODRL 3, occupied by 18 entities. This is not a failure state: it signals a public commitment via a dedicated page. It is a stalling state for reuse, because a page without a verifiable dataset count, explicit formats, and a named licence offers limited practical value to third parties. Five entities reach ODRL 4; three reach ODRL 5 (the Ministry of Justice, the Ministry of Investment, and the Transport General Authority), and function as replication models for peers. The Open Data Platform at data.gov.sa—the public layer of the wider National Data Bank (NDB) ecosystem—scores at ODRL 7 as the central open catalogue in this audit; one additional organisation in the frame reaches ODRL 6. Nine score ODRL 1, including several ministries without a confirmed standalone open-data presence in the baseline. Those nine are the Ministry of Defence, the Ministry of National Guard, the Ministry of Hajj & Umrah, the Ministry of Industry & Mineral Resources, the Ministry of Tourism, the Ministry of Sport, the Ministry of Municipal, Rural Affairs & Housing, the Ministry of Media, and the Ministry of Environment, Water & Agriculture.

The Ministry of Justice is the strongest ministerial ODRL 5 case: 99 named judicial indicators, declared XLS/CSV/XML/JSON, explicit KSA National Open Data Licence link, and supporting policy documentation. The Ministry of Investment (MISA) publishes three visible datasets with full format declarations, BI-style access features, and clear governance framing. Together with the Transport General Authority (TGA) they show that ODRL 5 is achievable without new legislation.

Entity-level audit table (organisation, ODRL score, URL)

Scores reflect publicly observable signals at each publisher’s open data landing page as of the April 2026 baseline. “No page identified” denotes absence of a dedicated ministry- or authority-level page in this pass.

Entity	Type	ODRL	Label	Open data URL
Open Data Platform (data.gov.sa), public face of NDB ecosystem	Public portal (NDB)	7	Optimising	data.gov.sa
Ministry of Communications & IT	Ministry	3	Page established	mcit.gov.sa
Ministry of Economy & Planning	Ministry	3	Page established	mep.gov.sa
Ministry of Energy	Ministry	3	Page established	energy.gov.sa
Ministry of Commerce	Ministry	4	Initial publication	mc.gov.sa
Ministry of Finance	Ministry	4	Initial publication	mof.gov.sa
Ministry of Health	Ministry	4	Initial publication	moh.gov.sa
Ministry of Education	Ministry	3	Page established	moe.gov.sa
Ministry of Foreign Affairs	Ministry	3	Page established	mofa.gov.sa
Ministry of Interior / Absher	Ministry	3	Page established	absher.sa
Ministry of Defence	Ministry	1	Absent	—
Ministry of National Guard	Ministry	1	Absent	—
Ministry of Justice	Ministry	5	Defined publication	moj.gov.sa
Ministry of Human Resources & Social Development	Ministry	3	Page established	hrsd.gov.sa
Ministry of Investment	Ministry	5	Defined publication	misa.gov.sa
Ministry of Transport & Logistic Services	Ministry	3	Page established	mot.gov.sa
Ministry of Hajj & Umrah	Ministry	1	Absent	—
Ministry of Industry & Mineral Resources	Ministry	1	Absent	—
Ministry of Culture	Ministry	3	Page established	moc.gov.sa
Ministry of Tourism	Ministry	1	Absent	—
Ministry of Sport	Ministry	1	Absent	—
Ministry of Municipal, Rural Affairs & Housing	Ministry	1	Absent	—
Ministry of Media	Ministry	1	Absent	—
Ministry of Environment, Water & Agriculture	Ministry	1	Absent	—
SDAIA	Authority / regulator	3	Page established	sdaia.gov.sa
GASTAT	Authority	4	Initial publication	stats.gov.sa
National Competitiveness Center	Authority	3	Page established	ncc.gov.sa
CST	Regulator	3	Page established	cst.gov.sa
CNHI	Authority	3	Page established	cnhi.gov.sa
SASO	Authority	3	Page established	saso.gov.sa
K.A.CARE	Authority	3	Page established	energy.gov.sa
Transport General Authority	Authority	5	Defined publication	tga.gov.sa
FFM	Authority / finance entity	3	Page established	ffm.gov.sa
Riyadh Municipality	Municipal authority	3	Page established	alriyadh.gov.sa
Istitlaa	Digital platform / NCC	2	Acknowledged	istitlaa.ncc.gov.sa

The table lists 35 auditable publisher rows from the baseline pass. Three additional organisations in the full n=38 ladder reconcile ODRL 3 (+1), ODRL 4 (+1), and ODRL 6 (+1) relative to this row listing; tier totals in the summary table and chart above are authoritative.

The regulatory stack

The ODRL framework was designed to be neutral on the question of why entities stall at ODRL 3. But when you overlay the KSA regulatory environment, the explanation becomes clear. Three binding frameworks apply simultaneously to all government entities, and they point in different directions.

SDAIA Open Data Interim Regulations require open by default: data must be published free of charge, machine-readable, non-discriminatory, and without registration. The regulation is the legal basis for the national open data portal (data.gov.sa) and is the instrument that created the ODRL-3 pages that exist across most entities.

NCA Data Cybersecurity Controls (DCC-1:2022) require classification before sharing: all entities within the scope of the National Cybersecurity Authority’s Essential Cybersecurity Controls programme, which covers all Saudi government bodies and critical national infrastructure operators, must formally classify data across its lifecycle before sharing it. The classification decision (public, restricted, or confidential) must precede publication. In practice, many entities treat the classification process as an unresolved blocker rather than a sequential step, and publish nothing while awaiting formal clearance.

Personal Data Protection Law (PDPL) (effective September 2023) requires protection before publishing: any dataset with personal data fields must be de-identified or aggregated before release, and entities handling personal data must appoint a Data Protection Officer. The Ministry of Health is the only entity in the ODRL baseline that explicitly references this obligation on its open data page, noting that de-identification and aggregation are applied to its published datasets.

What the international benchmarks say

Far from being a KSA-specific problem, the entity-level compliance gap is the universal feature of open data maturity programmes at this stage of development. Three comparisons are instructive.

The EU’s 2024 Open Data Maturity Report, covering 34 countries after ten years of the assessment programme, records an average score of 83%, up from 46% in 2015. But even in this mature cohort, impact and reuse remain the weakest dimension across every country group, and the assessment explicitly notes that moving from strong portal infrastructure to demonstrable reuse evidence is the unsolved challenge of the next decade. KSA’s gap is at the entity-level rather than the reuse level, which means it is earlier in the trajectory, but also that the interventions required are simpler.

Australia’s APS Data Maturity Assessment baseline, published in 2024, found an average score of 2.02 out of 5 across all federal agencies, described by the Department of Finance as “developing”. Privacy and security were one of the seven scored focus areas, meaning Australia has already built the DCC–PDPL tension into its measurement instrument. KSA’s ODRL framework should do the same, and the regulatory alignment section of this article provides the basis for that integration.

The US federal open data ecosystem holds more than 350,000 datasets on data.gov, yet by September 2025 only 12 of more than 100 in-scope agencies had published their mandatory open data plans under a US Office of Management and Budget memorandum, M-25-05. A separate analysis found that 17% of federal data products were not updated at all in 2025. Volume without governance produces decay, not reuse, and this is the risk that the entity-level ODRL gap creates for KSA’s central open data portal over time.

International benchmark comparison (normalised metrics)

Scores from your benchmark dataset on a 0–100 scale across six dimensions.

Cross-jurisdiction snapshot (selected indicators)
Indicator	EU-27 (2024)	Australia APS (2024)	US Federal (2025)	KSA (2026 baseline)
Central governance	Yes	Yes	Yes	Yes
Entity participation gap	Resolved via directive	2.02/5 baseline, still developing	12/100+ plans published	9/24 ministries at ODRL 1
Reuse evidence	Weakest dimension	Not yet measured	17% data products stale	Largely centred on data.gov.sa; scarce at ministry level
Security integrated into assessment	No — separate obligation	Yes — one of 7 areas	Separate US Federal Information Security Management Act and Privacy Act obligations	Not yet integrated at the entity level
Years since first assessment	10	1	15+	0 (this is the baseline)

The Vision 2030 cost and the path to ODRL 6

The sectors where KSA’s entity-level ODRL gap is most costly to Vision 2030 investors are precisely the sectors with no open data page: environment, tourism, sport, media, and industry. Foreign investors conducting baseline assessments for giga-projects, environmental studies, or market entry analysis need public data from these sectors, and in their absence, they either commission expensive primary surveys or work from international proxies that may not reflect KSA conditions.

The path from the current state to ODRL 6 for any entity requires seven sequential steps that map one-to-one onto existing regulatory obligations with no new legislation or technology investment required.

Domain coverage baseline (Apr 2026)

Composite readiness by domain across 9 ODRL dimensions, normalised to 0–100 from the 0–2 scoring model, anchored to entities listed in the baseline table.

Data source: April 2026 baseline (9 dimensions per domain, max raw score = 18). Baseline anchor entities: Ministry of Environment, Water and Agriculture (ODRL 1); Transport General Authority (ODRL 5); General Authority for Statistics (ODRL 4); Communications, Space and Technology Commission (ODRL 3).

Classify all current datasets under DCC-1:2022, producing a formal public/restricted/confidential register.
Review any public-classified dataset for personal data under PDPL, applying de-identification or aggregation where required.
Publish a named dataset count with a machine-readable catalogue using the DCAT Application Profile for Europe (DCAT-AP) metadata.
Declare all format types explicitly and link to the KSA Open Data License text.
Schedule update frequency for every published dataset and make it visible on the page.
Activate a data request mechanism with a named service-level agreement (SLA), as the Ministry of Interior and the Ministry of Human Resources and Social Development have already done.
Syndicate to the national portal at the dataset level, not just the page level, and confirm the link publicly.

An entity that completes steps one to seven achieves ODRL 6. Steps one and two are regulatory obligations already binding on every entity. Steps three to seven are administrative. The Ministry of Justice and MISA have already completed steps three to six without an API, making ODRL 5 the achievable near-term target for every entity currently at ODRL 3.

In Saudi Arabia, the governance architectures have outpaced its institutional base, which is a much easier problem to solve than the reverse. The EU spent ten years moving entities from awareness to practice. Australia’s agencies called themselves “developing” in their first baseline year. The US cannot get its agencies to file open data plans. KSA’s ODIN score of 73, its national open data portal, and its three ODRL-5 entities are a stronger starting point than most. What the ODRL framework adds is precision: a way to know exactly which of the nine observable dimensions any given entity needs to address, in which order, under which regulatory obligation, to move from a page to a practice. That is the work of the next phase of Vision 2030’s data agenda.

Methodology and disclaimer

ODRL scores in this article are derived from publicly observable signals on each entity’s open data presence as of the 2026 baseline described in the text. Figures for national platform scale, ODIN, and regulatory references should be validated against primary sources (SDAIA, National Data Bank / National Information Centre, data.gov.sa, ODIN, NCA, PDPL) before use in compliance or investment decisions.

This insight is a strategic briefing and not legal, financial, or investment advice.

Measuring Saudi Arabia’s government open data maturity