Measuring Saudi Arabia’s government open data maturity

Published April 2026

Opening

Open government data is increasingly measured, not just mandated. National platforms, dataset counts, and licence frameworks are necessary conditions, but they do not, on their own, tell you whether the data ecosystem is working. The question that matters is whether individual government entities, the ministries, authorities, and commissions that hold the data, are actually publishing it in a form that others can find, download, and use.

Saudi Arabia presents a particularly clear case study in that distinction. The national open data platform holds more than 11,000 datasets across 289 publishing organisations. The dedicated data and AI authority, SDAIA, issued a formal Open Data Strategy in 2022 and an Interim Regulation that imposed an open-by-default obligation on all public entities. The Kingdom’s 2024 score on the Open Data Inventory, ODIN, reached 73 out of 100, placing it in the top third of the global index. By any platform-level measure, the architecture is substantial.

Yet when a consistent, entity-level readiness framework is applied to KSA’s 24 ministries and 14 major independent authorities and platforms, a different picture emerges. Nine ministries have no public open data page at all. Eighteen entities sit at ODRL 3: a policy-grade page with no verifiable dataset count, no explicit format list, and no named licence. Demonstrated API access, fully managed catalogues, and third-party reuse evidence remain concentrated in the national platform and the narrow ODRL 6–7 tail, not across the wider ministry and authority envelope. The platform and the bulk of publishers are not yet moving at the same pace.

This article introduces the Open Data Readiness Level (ODRL) framework, a seven-point scale designed to make that gap measurable at the entity level, applies it across the full KSA government landscape, and asks what regulatory, administrative, and technical steps it would take to close it. It then positions those findings against comparable assessments from the EU, Australia, and the United States, three jurisdictions at different stages of the same maturity journey, to show where the KSA baseline sits in global context and what the trajectory typically looks like.

Why a new framework? Introducing the ODRL

Before mapping KSA’s open data landscape, it is worth being precise about what maturity means. The most widely used international instrument, the EU Open Data Maturity model, measures 34 countries across four national-level dimensions: policy, portal, quality, and impact. Australia’s APS Data Maturity Assessment asks agencies to self-score across seven focus areas on a zero-to-five scale. Neither instrument was designed to produce a comparable, reproducible score for an individual government ministry or authority in a single country context.

The Open Data Readiness Level (ODRL) is a seven-point scale, explicitly modelled on the Technology Readiness Level (TRL) logic, designed to fill that gap. Like TRL, it moves from nothing at level one to fully operational and evidenced at level seven. Unlike TRL, its observable criteria are entirely derived from publicly verifiable signals on an entity’s own open data page, making it reproducible without self-reporting or access to internal systems. The framework synthesises three reference instruments: the ODI Open Data Maturity Model (Edition 2.0, 2025), SDAIA’s National Data Index (NADI), and the ODIN country profile criteria.

Each of the seven levels is defined by a threshold combination of nine observable dimensions: page existence, dataset count visibility, licence explicitness, format explicitness, update frequency visibility, API presence, BI tool availability, feedback mechanism, and national portal syndication. An entity reaches a given level only when all criteria at that level and below are met, making it an ordinal rather than a composite score, which means a single gap prevents progression regardless of how well the entity performs on other dimensions.

This ordinal design has an important implication for the KSA context: the gap between ODRL 3 and ODRL 5, where most entities currently sit, is not a technical gap. It is an administrative one. An entity can move from ODRL 3 to ODRL 5 without writing a single line of code, simply by publishing a dataset count, naming its formats, and linking to its licence text. The gap between ODRL 5 and ODRL 6 requires API investment and metadata standards. The gap between ODRL 6 and ODRL 7 requires governance maturity over time. Knowing which gap an entity faces determines what kind of intervention it needs.

The architecture: a platform built faster than its publishers

Saudi Arabia’s open data institutional architecture is genuinely unusual. SDAIA holds the data governance mandate, the open data strategy mandate, the AI regulation mandate, and, through NDMO’s expanded remit following ECC-2 (2024), the data localisation mandate as well. The national platform was launched in 2019 and reached over 11,000 datasets from 289 organisations by 2026, a build pace that compares well with the EU’s decade-long trajectory from 46% to 83% maturity. The Open Data Strategy, launched in February 2022, was accompanied by the Interim Regulations that formally imposed an open-by-default obligation on all public entities.

Saudi Arabia’s 2024 ODIN score of 73 (coverage 66, openness 80) places it ahead of the developing world average and within reach of several EU member states. The higher openness than coverage score is a structural fingerprint visible in many rapidly developing open data systems: the licence framework and the platform are built before entity-level participation catches up. The EU shows the same pattern; even France and Poland, which score 100% overall, record their lowest dimension scores on impact and reuse rather than policy.

The ODRL map: where 38 entities actually sit

Applying the ODRL framework to KSA’s 24 ministries and 14 major independent authorities and platforms (April 2026 baseline) produces a full ladder: all seven levels are populated when the national catalogue is scored alongside individual publishers.

The dominant level is ODRL 3, occupied by 18 entities. This is not a failure state: it signals a public commitment via a dedicated page. It is a stalling state for reuse, because a page without a verifiable dataset count, explicit formats, and a named licence offers limited practical value to third parties. Five entities reach ODRL 4; three reach ODRL 5 (the Ministry of Justice, the Ministry of Investment, and the Transport General Authority), and function as replication models for peers. The national Open Data Platform (SDAIA / NDB) sits at ODRL 7 as the central catalogue; one additional organisation in the frame reaches ODRL 6. Nine score ODRL 1, including several ministries without a confirmed standalone open-data presence in the baseline.

The Ministry of Justice is the strongest ministerial ODRL 5 case: 99 named judicial indicators, declared XLS/CSV/XML/JSON, explicit KSA National Open Data Licence link, and supporting policy documentation. MISA publishes three visible datasets with full format declarations, BI-style access features, and clear governance framing. Together with TGA they show that ODRL 5 is achievable without new legislation.

The regulatory stack: three frameworks, one unresolved tension

The ODRL framework was designed to be neutral on the question of why entities stall at ODRL 3. But when you overlay the KSA regulatory environment, the explanation becomes clear. Three binding frameworks apply simultaneously to all government entities, and they point in different directions.

SDAIA Open Data Interim Regulations require open by default: data must be published free of charge, machine-readable, non-discriminatory, and without registration. The regulation is the legal basis for the national platform and is the instrument that created the ODRL-3 pages that exist across most entities.

NCA Data Cybersecurity Controls (DCC-1:2022) require classification before sharing: all entities within ECC scope, which covers all Saudi government bodies and critical national infrastructure operators, must formally classify data across its lifecycle before sharing it. The classification decision (public, restricted, or confidential) must precede publication. In practice, many entities treat the classification process as an unresolved blocker rather than a sequential step, and publish nothing while awaiting formal clearance.

PDPL (effective September 2023) requires protection before publishing: any dataset with personal data fields must be de-identified or aggregated before release, and entities handling personal data must appoint a Data Protection Officer. The Ministry of Health is the only entity in the ODRL baseline that explicitly references this obligation on its open data page, noting that de-identification and aggregation are applied to its published datasets.

What the international benchmarks say

Far from being a KSA-specific problem, the entity-level compliance gap is the universal feature of open data maturity programmes at this stage of development. Three comparisons are instructive.

The EU’s 2024 Open Data Maturity Report, covering 34 countries after ten years of the assessment programme, records an average score of 83%, up from 46% in 2015. But even in this mature cohort, impact and reuse remain the weakest dimension across every country group, and the assessment explicitly notes that moving from strong portal infrastructure to demonstrable reuse evidence is the unsolved challenge of the next decade. KSA’s gap is at the entity-level rather than the reuse level, which means it is earlier in the trajectory, but also that the interventions required are simpler.

Australia’s APS Data Maturity Assessment baseline, published in 2024, found an average score of 2.02 out of 5 across all federal agencies, described by the Department of Finance as “developing”. Privacy and security were one of the seven scored focus areas, meaning Australia has already built the DCC-PDPL tension into its measurement instrument. KSA’s ODRL framework should do the same, and the regulatory alignment section of this article provides the basis for that integration.

The US federal open data ecosystem holds more than 350,000 datasets on data.gov, yet by September 2025 only 12 of more than 100 in-scope agencies had published their mandatory open data plans under OMB M-25-05. A separate analysis found that 17% of federal data products were not updated at all in 2025. Volume without governance produces decay, not reuse, and this is the risk that the entity-level ODRL gap creates for KSA’s national platform over time.

The Vision 2030 cost and the path to ODRL 6

The sectors where KSA’s entity-level ODRL gap is most costly to Vision 2030 investors are precisely the sectors with no open data page: environment, tourism, sport, media, and industry. Foreign investors conducting baseline assessments for giga-projects, environmental studies, or market entry analysis need public data from these sectors, and in their absence, they either commission expensive primary surveys or work from international proxies that may not reflect KSA conditions.

The path from the current state to ODRL 6 for any entity requires seven sequential steps that map one-to-one onto existing regulatory obligations with no new legislation or technology investment required.

1. Classify all current datasets under DCC-1:2022, producing a formal public/restricted/confidential register.
2. Review any public-classified dataset for personal data under PDPL, applying de-identification or aggregation where required.
3. Publish a named dataset count with a machine-readable catalogue using DCAT-AP metadata.
4. Declare all format types explicitly and link to the KSA Open Data License text.
5. Schedule update frequency for every published dataset and make it visible on the page.
6. Activate a data request mechanism with a named SLA, as the Ministry of Interior and HRSD have already done.
7. Syndicate to the national portal at the dataset level, not just the page level, and confirm the link publicly.

An entity that completes steps one to seven achieves ODRL 6. Steps one and two are regulatory obligations already binding on every entity. Steps three to seven are administrative. The Ministry of Justice and MISA have already completed steps three to six without an API, making ODRL 5 the achievable near-term target for every entity currently at ODRL 3.

In Saudi Arabia, the governance architectures have outpaced its institutional base, which is a much easier problem to solve than the reverse. The EU spent ten years moving entities from awareness to practice. Australia’s agencies called themselves “developing” in their first baseline year. The US cannot get its agencies to file open data plans. KSA’s ODIN score of 73, its national platform, and its three ODRL-5 entities are a stronger starting point than most. What the ODRL framework adds is precision: a way to know exactly which of the nine observable dimensions any given entity needs to address, in which order, under which regulatory obligation, to move from a page to a practice. That is the work of the next phase of Vision 2030’s data agenda.