The 2026 Saudi & Qatar Digital Accessibility Compliance Guidebook.

Contents

What's inside.

1. 01Why this is on the boardroom agenda4
2. 02The global legal landscape6
3. 03Landmark cases — what happened, what it cost8
4. 04The economics — failure vs compliance11
5. 05Saudi Arabia — DGA, Vision 2030, SAMA13
6. 06Qatar — MOTC, Mada, QCB16
7. 07Frameworks at a glance18
8. 08ISO 30071-1 — the procurement standard20
9. 09ESG, SDG 10 and the upside narrative22
10. 10D&O and insurance implications24
11. 11What tenders now require25
12. 12The governance playbook27
13. 13The 12-month operating cadence29
14. 14Choosing an audit partner30
15. 15Glossary31

This briefing is written for the people who sign procurement contracts, sit on risk committees, or carry liability for the digital services their organisation ships. The technical implementation is the back half of a separate document. This one is about exposure, evidence and governance.

Executive summary

The five things to know.

• 01 Digital accessibility moved from soft guidance to enforced procurement gating across the Gulf in the past 24 months. Saudi public-sector tenders increasingly require third-party accessibility audit evidence. Qatari government contracts already do. SAMA-supervised banks face the same scrutiny on customer-facing channels.
• 02 The global legal trend is in the same direction. The European Accessibility Act entered force on 28 June 2025, extending mandatory conformance to private-sector digital services for the first time. United States ADA Title III website lawsuits have run above 4,000 filings per year since 2021. UK, Canadian and Australian regimes are converging on the same standard.
• 03 The benchmark technical standard is WCAG 2.2 Level AA. Every regulator referenced in this guide either requires it or builds on top of it. It is the floor of compliance, not the ceiling.
• 04 The cost of failure is now quantifiable. A US ADA website case settles for $25,000 to $200,000 in legal fees plus remediation. Procurement disqualification in a Gulf tender can be far larger. Reputational cost has its own tail.
• 05 The cost of doing this properly is small relative to either. A continuous-monitoring accessibility program for a typical enterprise sits in the low five-figure annual range. The single largest determinant of outcome is whether the program has a named accountable executive at C-suite level.

The remainder of this briefing maps the legal regimes, summarises the precedent cases, quantifies the economics, and lays out the governance playbook our customers have used to meet it.

§01 · Why this is on the boardroom agenda

Three forces converging in 2026.

1. Procurement gating is now real

The Saudi Digital Government Authority publishes a 0–100 accessibility index for every public-facing digital service. By 2030 every service must score 80 or above. Procurement committees use the index as a pre-qualification filter — services below threshold cannot enter the Unified Citizen Portal, and vendors whose own digital surface fails are increasingly excluded from bidding. Qatar's Ministry of Communications and Information Technology has gone further and made WCAG conformance a mandatory clause in government IT contracts. The Saudi Central Bank (SAMA) and the Qatar Central Bank have both indicated that customer-facing digital channels of regulated entities will face equivalent expectations.

2. Legal precedent has globalised

For most of the past two decades, digital accessibility litigation lived in the United States under ADA Title III. That has changed. The European Accessibility Act, in force from 28 June 2025, applies to private-sector digital services including banking, transport, e-commerce, and e-books. The United Kingdom Equality Act 2010 is being actively used to test website accessibility. Australia, Canada and Israel have their own enforcement regimes. The Middle East regulator class is reading these decisions and writing them into local procurement language.

3. ESG reporting now demands disclosure

Listed Gulf enterprises filing integrated annual reports under SAMA, CMA or QFMA guidelines increasingly include digital-inclusion metrics aligned with UN SDG 10 indicators 10.2 and 10.3. Where prior years allowed narrative descriptions, current reporting frameworks expect quantified outcomes — pass rates, year-over-year trend, and remediation status. Boards are being asked the question and the auditors are scoring the answer.

The strategic question for each operator is no longer whether to invest in accessibility — it is whether to do so as a planned program with documented evidence, or to discover the obligation through a procurement disqualification or a published low score.

§02 · The global legal landscape

Where the law sits, jurisdiction by jurisdiction.

What unifies the table: every regime references some flavour of WCAG. What separates them: enforcement mechanism. Some rely on regulator action, some on private right of action, some on procurement gating, and increasingly all three at once.

§03 · Landmark cases — what happened, what it cost

A short history of consequence.

The cases below are the ones general counsel cite when explaining digital accessibility risk to boards. None are Saudi or Qatari — the local regimes are too young — but each has shaped the procurement language and audit expectation that has now reached the Gulf.

§03 · Landmark cases (continued)

§04 · The economics — failure vs compliance

The four cost lines on the page.

Litigation

In the United States, where private right of action is most active, a single ADA Title III website case typically resolves between USD 25,000 and USD 200,000 in legal fees, settlement, and consent-decree remediation cost. A defended case can multiply that. Aggregate market data from monitoring services shows over 4,000 such filings per year, with retail, hospitality, and consumer-finance disproportionately represented.

Procurement disqualification

The numbers here are larger because the contract being lost is larger. A single Saudi government IT tender disqualified on accessibility grounds can foreclose revenue in the tens of millions of riyals. Procurement disqualification rarely makes the press, which is part of the strategic problem — peers do not learn from one another's losses.

Regulatory penalty

Where the regulator has direct fining power — the EU under the EAA, AODA in Ontario, the Saudi DGA where it chooses to escalate — penalties scale by category but are typically capped at moderate amounts per incident. The cost is reputational more than financial. Published non-conformance is a finding the next bidder uses against you.

Cost of compliance

A continuous-monitoring accessibility program for a typical Gulf enterprise — covering a marketing site, a transactional portal, and one or two mobile apps — runs in the range of SAR 50,000 to 200,000 annually, including external audit and tooling. That number includes the staff time required to act on findings. The asymmetry against any of the failure lines above is decisive.

The economics are unusual in that the floor of compliance is small enough that the only rational reasons not to do it are organisational — not budgetary.

§05 · Saudi Arabia — DGA, Vision 2030, SAMA

Where exposure sits in the Kingdom.

The Digital Government Authority index

Every public-facing digital service operated by a Saudi government entity is scored on a 0–100 composite index. The composite rolls up WCAG 2.2 AA technical conformance, Arabic–English parity, mobile experience, authentication flow (Nafath), and citizen support channels. Services must score 80 or above by 2030; the band-by-band consequences below threshold include published low scores, mandatory remediation plans, and ultimately removal from the Unified Citizen Portal until remediated.

Vision 2030 KPI integration

Three Vision Realization Programs — Digital Government, Quality of Life, and Privatization — include digital accessibility as a measured indicator. Program managers report quarterly. Accessibility outcomes affect the published KPI of the ministry or authority operating the service, and therefore the executive accountable for that program.

SAMA-supervised entities

The Saudi Central Bank has indicated through guidance and supervisory dialogue that customer-facing digital channels of regulated entities are expected to meet accessibility expectations at least equivalent to the DGA standard. Banks and insurance companies serving retail customers are the most exposed.

The procurement lens

The most material near-term consequence for private-sector operators is procurement. Saudi government tenders now routinely require accessibility audit evidence as a pre-qualification document. Vendors whose own digital surface fails the standard cannot credibly evidence the standard for the buyer.

§05 · Saudi Arabia (continued)

What counts as evidence

The DGA accepts the following as valid third-party audit evidence:

• A signed PDF report from an independent auditor, dated within the last 12 months.
• An accompanying signed JSON manifest of findings, severity tier, and remediation status — used by inspectors for mechanical verification.
• Raw machine-readable results (axe-core or equivalent) for technical review.
• A statement of independence confirming the auditing firm is not also the agency that built the audited service.

This package can be produced by any qualified auditor. Mueen reports ship in this exact format.

Remediation cadence the DGA expects

• Critical findings — remediated within 30 days.
• Serious findings — 90 days.
• Moderate findings — 180 days.
• Minor findings — annual cycle.

Public-sector services that miss critical-finding windows are escalated to the Vision 2030 program owner. Private-sector operators bidding into the public sector are expected to demonstrate equivalent internal cadence.

The accountable executive question

Across both the DGA framework and the SAMA supervisory expectation, the recurring procurement question is the same: who at the bidder organisation owns this risk? A named C-suite executive — typically the Chief Compliance Officer, Chief Risk Officer, or Chief Digital Officer — is now the standard expectation.

§06 · Qatar — MOTC, Mada, QCB

Where exposure sits in the State of Qatar.

The MOTC e-Accessibility Policy

The Ministry of Communications and Information Technology issued Qatar's refreshed e-Accessibility Policy in the past 24 months. It applies to every Qatari government digital service and is increasingly cited by the Qatar Central Bank for financial services. The policy requires conformance with WCAG plus MOTC-specific Arabic provisions, the publication of an accessibility statement, a barrier-feedback contact route with a stated SLA, and a periodic external audit.

Procurement clauses

Accessibility is now a mandatory clause in Qatari government IT contracts. Procurement frameworks expect vendors to demonstrate prior conformance — typically through a recent third-party audit on a comparable property — before contract award. The clause language is closely modelled on EU public-sector procurement standards.

Mada certification

Mada — the Qatar Assistive Technology Center — administers a certification program for digital services that meet WCAG plus Mada-specific Arabic and assistive-technology criteria. Certification is a commercial differentiator: services on the Mada Accessibility Catalog gain visibility with Qatari public-sector buyers and are increasingly favoured by Qatari banks for retail-customer channels.

Cross-border operators

Operators with both Saudi and Qatari exposure typically run one audit against both frameworks because the overlap is substantial. The differences worth noting: Qatar emphasises a published accessibility statement on every property and a published barrier-feedback SLA; Saudi places more weight on the composite index score and bilingual parity weighting.

§06 · Qatar (continued)

What the MOTC evidence pack contains

• Signed PDF audit report dated within the last 12 months.
• Bilingual accessibility statement live on the audited property.
• A documented barrier-report contact route with an SLA commitment (typically 2 working days).
• If seeking Mada certification: a separate Mada conformance summary.
• A statement of independence from the auditing firm.

Operating-in-Qatar gotchas

• An Arabic version delivered via a query parameter rather than a true equivalent URL can fail bilingual parity audits.
• SMS-based two-factor authentication can fail accessibility when the SMS content is not screen-reader friendly.
• Third-party embeds (maps, payment widgets) inherit those vendors' accessibility posture. The audit covers them.
• Mobile-app audits are weighted more heavily in Qatar than in some other regimes — native app conformance is not optional.

§07 · Frameworks at a glance

Eight frameworks. One coherent audit.

A single audit can be mapped to every framework below, which is what avoids the worst failure mode: maintaining parallel accessibility evidence streams that drift out of alignment over time.

§08 · ISO/IEC 30071-1 — the procurement standard

Why your buyer asks for this by name.

ISO/IEC 30071-1:2019 is not a technical specification. It is an organisational one. Where WCAG asks is this control accessible?, ISO 30071-1 asks does your organisation have a documented process to make controls accessible, and can you prove it?

Procurement officers cite it because it gives them a way to assess vendor maturity, not just a product snapshot. A vendor that conforms to ISO 30071-1 has done the organisational work — named accountable executive, documented policy, integrated lifecycle, trained staff, annual external audit, supplier controls, user feedback mechanism — that gives the buyer confidence the next deliverable will also be accessible.

Evidence pack expected at procurement

• Accessibility policy document, signed by an executive.
• Organisation chart showing the accountable role and reporting line.
• Training records covering designers, developers, content authors, QA, procurement and customer support.
• The most recent third-party audit report.
• Sample artefacts demonstrating accessibility-at-build (design specs, sprint tickets, release gates).
• Published barrier-feedback channel with SLA commitment.
• Statement of conformance signed by the accountable executive.

Where organisations most commonly fail it

The most frequent ISO 30071-1 gap is not technical. It is the absence of a single accountable executive. "Accessibility is everyone's job" is not a defensible answer to a procurement committee.

§09 · ESG, SDG 10 and the upside narrative

The growth story, not just the risk story.

This briefing has so far been weighted toward risk because that is what triggers boardroom attention. The growth narrative is at least as material, and it is the framing that procurement-led organisations have learned to lead with internally.

SDG 10 and integrated reporting

UN Sustainable Development Goal 10 — Reduced Inequalities — has two indicators that digital accessibility addresses directly. Indicator 10.2 covers inclusion irrespective of disability. Indicator 10.3 covers equal opportunity. ESG-reporting frameworks now expect quantified outcomes against these indicators. Mueen reports include a one-page SDG 10 evidence summary designed to drop directly into an integrated annual report.

Vision 2030 alignment

For Saudi operators, accessibility evidence is no longer a compliance burden — it is a deliverable that maps directly into Quality of Life and Digital Government VRP indicators. Program managers can roll up a single audit into three or more KPI lines without retranslation, which makes accessibility a meaningfully easier program to fund than equivalent risk-mitigation lines.

Market reach

Roughly one in six people globally lives with a disability, and roughly one in ten in the Gulf states lives with a disability that affects digital use. The growth-side argument for accessibility is straightforward: a service that excludes that share of the addressable market does so before any operator has a chance to compete for it. ESG narrative meets commercial narrative here.

§10 · D&O and insurance implications

What general counsel should already know.

Director liability for known unremediated risk

Once a board has been briefed on accessibility risk and a documented audit has identified specific failings, the duty-of-care analysis changes. Unremediated known critical findings are increasingly cited in shareholder and stakeholder complaints, particularly in jurisdictions with active private right of action.

D&O policy exclusions

Many directors-and-officers liability policies exclude losses arising from known regulatory non-compliance. A documented accessibility audit creates a record of knowledge. The mitigation is straightforward: a remediation plan with timeline against each finding closes the exclusion window. The risk is in commissioning an audit and then sitting on it.

Cyber and compliance policy overlap

Increasingly, professional indemnity and cyber-liability policies expect named regulatory-compliance programs covering accessibility. Underwriters ask the question at renewal; policyholders who cannot evidence a program face higher premiums or coverage exclusions.

Whistleblower channels

Operating a published, SLA-backed barrier-feedback channel — required by the Qatar MOTC policy and increasingly expected by the Saudi DGA — also functions as a regulatory-compliant whistleblower route for accessibility issues. Boards that close this channel close a defensive mechanism, not just an obligation.

§11 · What tenders now require

The clauses to expect.

Pre-qualification questions

• Date and scope of your most recent third-party accessibility audit.
• Headline conformance level (typically WCAG 2.2 AA).
• Score against the relevant national index where applicable (DGA in KSA, MOTC scoring in Qatar).
• Name and title of the accountable executive for accessibility.
• Existence of a documented accessibility policy and date of its most recent executive sign-off.

Contract clauses

• Conformance warranty at handover (typically WCAG 2.2 AA).
• Right of audit on demand, exercised by buyer or a buyer-nominated third party.
• Remediation timelines aligned with the regulator (30/90/180-day windows for critical/serious/moderate).
• Service-credit or penalty mechanisms for non-conformance during the term.
• Bilingual parity clause for Arabic-language properties.

Bid disqualification triggers

• No audit on the bidder's own primary property.
• Audit older than 12 months at submission.
• Auditor is not demonstrably independent of the bidder.
• Score on the bidder's own property below the threshold set for the procured service.

§12 · The governance playbook

What good looks like, six elements.

1. Named accountable executive. A C-suite or C-suite-1 role with explicit ownership. The accountable executive sits on the risk committee and reports a standing accessibility line item.
2. Documented policy. Signed off annually by the accountable executive. Published internally and externally. Includes scope, standards referenced, audit cadence, and feedback channels.
3. Quarterly metrics. Score, trend, open critical findings, open serious findings, average time to remediation. Reported to the risk committee.
4. Annual external audit. Independent from the build team. Produces an artefact that is procurement-acceptable.
5. Trained staff. Role-appropriate training records for designers, developers, content authors, QA, procurement, and customer support. Refresh cadence defined.
6. Published feedback channel. Accessible barrier-report route with a published SLA, integrated into the support function.

Each element on its own is unremarkable. Their absence — singly or in combination — is what procurement committees use to disqualify bidders.

§13 · The 12-month operating cadence

A simple annual rhythm.

• Q1 Annual external audit against every in-scope property. Findings categorised by severity. Remediation plan agreed.
• Q2 Critical findings remediated by end of Q2 (30-day cadence applies to each, but as a horizon Q2 is the right discipline). Quarterly risk-committee readout.
• Q3 Serious findings closed. Mid-year refresh audit, scoped to the changes shipped year-to-date. Procurement-evidence pack regenerated for any tenders due in the second half.
• Q4 Moderate findings closed. Annual policy review and executive re-sign-off. Year-end report into the integrated annual report. Year-on-year trend reported to the board.

The cadence above survives team turnover, design refreshes, and framework version bumps. The single most common failure mode is to audit annually and then do nothing in between. The remediation windows the DGA and MOTC have defined are intentionally short enough to make that pattern unworkable.

§14 · Choosing an audit partner

The buyer's checklist.

Required

• Demonstrable independence from any agency that has built your audited property.
• Reports accepted as evidence by the regulator that matters to you (DGA, MOTC, or both).
• Output in the procurement-acceptable format: signed PDF, signed JSON manifest, raw technical results, statement of independence.
• Native Arabic audit capability, including Arabic screen-reader testing and RTL flow verification.
• Coverage of both web and native mobile properties.

Strongly preferred

• Continuous-monitoring option (not just an annual snapshot).
• CI/CD integration that can block regressions before they reach production.
• Mapping to every framework you operate under from a single audit — not parallel audits per framework.
• GRC-formatted risk-register export.
• Vision 2030 KPI tagging where Saudi VRP reporting is in scope.

Red flags

• Audit firms that do not publish their own accessibility statement, or whose own digital surface fails the standard they audit against.
• Reports without machine-readable manifests — these cannot be mechanically verified by inspectors.
• "Pass" letters issued after a single automated scan with no manual review. Fewer than half of WCAG criteria are reliably automatable.
• Lack of statement-of-independence language.

§15 · Glossary

Terms used in this briefing.

ADA

Americans with Disabilities Act (US, 1990). Title III governs places of public accommodation, now including most public-facing websites.

D&O

Directors-and-Officers liability insurance. Typically excludes losses from known unremediated regulatory non-compliance.

DGA

Saudi Digital Government Authority. Publishes the 0–100 digital accessibility index for Saudi public-sector services.

EAA

European Accessibility Act (Directive 2019/882). In force 28 June 2025; extends accessibility requirements into private-sector digital services in the EU.

ESG

Environmental, Social and Governance reporting. Digital inclusion sits under the Social pillar, increasingly with quantified metrics.

GRC

Governance, Risk & Compliance. The framework under which Saudi listed entities increasingly track accessibility risk on the board-level register.

Mada

Qatar Assistive Technology Center. Administers a certification scheme for accessible digital services in Qatar.

MOTC

Qatar Ministry of Communications and Information Technology. Issues the e-Accessibility Policy.

Nafath

Saudi National Single Sign-On service. Accessibility of the Nafath handoff is part of the DGA service score.

QCB

Qatar Central Bank. Sets expectations for customer-facing digital channels of Qatari financial-sector entities.

SAMA

Saudi Central Bank (formerly Saudi Arabian Monetary Authority). Supervises Saudi financial entities including on digital channel accessibility.

SDG 10

UN Sustainable Development Goal 10, Reduced Inequalities. Indicators 10.2 and 10.3 are addressed by digital accessibility programs.

VRP

Vision Realization Program. Saudi Vision 2030's organisational unit. Digital Government and Quality of Life VRPs both carry accessibility indicators.

WCAG

Web Content Accessibility Guidelines, the W3C technical standard at the floor of every regime in this briefing. Current version 2.2; AA is the practical legal target.