Industry News

Saudi SASO Tightens Rules for Iris and Vein Locks

auth.
Biometric Security Architect

Time

Jul 15, 2026

Click Count

On July 14, 2026, Saudi Arabia’s Standards, Metrology and Quality Organization (SASO) updated Appendix D of its technical specification for smart access control systems, setting a new compliance condition for iris and vein biometric locks sold in the Saudi market. From September 1, 2026, built-in biometric templates in these devices must be encrypted with a SASO-approved SM4 algorithm and their template hash values must be registered on the National Digital Identity Platform (NDIP). For manufacturers, exporters, importers, certification teams, and project buyers, this is worth close attention because the requirement is directly tied to SASO CoC eligibility.

Saudi SASO Tightens Rules for Iris and Vein Locks

What the updated rule now requires

According to the information provided, SASO revised Appendix D of the Technical Specification for Smart Access Control Systems on July 14, 2026. The update applies to iris biometric locks and vein biometric locks sold in Saudi Arabia.

The confirmed requirement is that, starting on September 1, 2026, biometric templates stored inside the device must use a SASO-approved SM4 encryption method. In addition, the hash value of the biometric template must be filed on Saudi Arabia’s National Digital Identity Platform, or NDIP.

The compliance consequence is also explicit in the provided information: products that are not filed will not be able to obtain SASO CoC certification.

Where the immediate pressure is likely to appear

Product design and embedded security teams

From an industry perspective, device makers are likely to feel the impact first at the product and firmware level. The reason is straightforward: the requirement is aimed at how biometric templates are stored inside the lock and how related hash values are handled for filing. The business effect is therefore concentrated in encryption design, device software preparation, technical documentation, and internal compliance review before products are placed on the Saudi market.

Exporters, importers, and certification coordinators

Analysis shows that trade-facing teams may be affected at the certification stage. Because non-filed products cannot obtain SASO CoC certification, the issue is not only technical but also procedural. What deserves closer attention is whether product files, compliance evidence, and filing status are aligned early enough to avoid delays in certification, customs planning, or shipment scheduling.

Distributors and project procurement parties

For channel partners and buyers involved in access control deployment, the main exposure is in product selection and delivery timing. If a model is intended for Saudi Arabia but does not meet the encryption and filing conditions by the effective date, the procurement side may face changes in approved model lists, lead-time expectations, or contract communication. Observably, this turns compliance status into a practical screening factor during sourcing.

Service providers supporting implementation

Service providers working around market entry, product compliance, or project coordination may also need to adjust their workflows. The likely impact is on document preparation, supplier communication, and milestone management tied to SASO CoC. In practice, the key question is whether filing-related readiness is being treated as part of the product launch path rather than as a late-stage administrative step.

What companies should watch now

Check whether affected models fall within the new scope

Companies handling biometric access products should first identify whether their Saudi-bound portfolio includes iris or vein biometric locks covered by the updated appendix. This matters because the requirement is product-specific and tied to devices sold in Saudi Arabia.

Separate encryption readiness from filing readiness

Analysis shows that the rule contains two distinct layers: device-side encryption using a SASO-approved SM4 method, and NDIP filing of template hash values. Businesses should avoid treating these as a single checkbox. A product may need both technical modification and procedural preparation before it is certification-ready.

Reassess certification and delivery timelines before September 1

What deserves closer attention is the short interval between the July 14 update and the September 1 effective date. Companies involved in quoting, order confirmation, shipment planning, and certification submission should review whether current delivery commitments assume legacy compliance conditions that may no longer apply.

Prepare supplier and customer communication materials

For teams coordinating across manufacturing, distribution, and end customers, clear communication will matter. The practical focus should be on product status, certification dependency, and any documentation needed to support market entry. This is especially relevant where sales and compliance responsibilities sit in different entities.

Why this reads as more than a technical detail

Observably, this update is not just a narrow product specification change. It links biometric template protection inside the device to a local filing requirement and then connects both to SASO CoC access. Analysis shows that the significance lies in that linkage: technical architecture, compliance administration, and market access are being drawn into the same decision path.

It is more appropriate to understand this as an active compliance development with immediate operational consequences rather than as a distant policy signal. At the same time, it should not yet be overstated as a fully settled long-term industry direction beyond the scope stated in the provided information. Continued attention is warranted because implementation details, official interpretations, and practical filing workflows may become the next points businesses need to verify.

How to read the update at this stage

At this stage, the clearest industry meaning is that Saudi market access for affected biometric lock categories is becoming more tightly linked to localized data-handling compliance. The confirmed result is limited but material: without the required filing, SASO CoC cannot be obtained for the products in scope.

A neutral reading is that this is both a near-term compliance change and a broader regulatory signal worth monitoring. For companies already active in the Saudi access control market, the immediate priority is execution. For companies evaluating entry, the update is best understood as a requirement that needs to be built into product, certification, and delivery planning from the outset.

Basis of this article and what still needs verification

This article is based on the user-provided news title, event date, and event summary. The confirmed inputs are the July 14, 2026 update by SASO to Appendix D of the Technical Specification for Smart Access Control Systems, the September 1, 2026 effective date, the SM4 encryption requirement for built-in biometric templates, the NDIP filing requirement for template hash values, and the statement that non-filed products cannot obtain SASO CoC certification.

For this type of industry update, relevant source categories usually include official regulatory notices, standards documents, certification body guidance, company compliance disclosures, industry association updates, and reporting by authoritative trade media. No specific official source link was provided in the input, so the exact official publication path still needs to be verified on an ongoing basis. Areas that remain worth following include any further official wording, implementation clarification, or compliance process guidance related to the filing requirement.

Recommended News