The Numbers Behind the Headline
Saudi Arabia's Communications, Space and Technology Commission (CST) reported that it imposed SAR 149 million (~$39.7 million) in fines on violators of the Telecommunications Law during 2025. The regulator received 1,219 violation reports over the year — 626 (51%) filed against licensed service providers, the remaining 593 (49%) against other entities — with enforcement concentrated on unauthorized telecommunications activity, misuse of communications services, and non-compliance with licensing and subscriber-identity requirements (Telecompaper). This is not a one-off crackdown. In 2021, the then-CITC fined STC, Mobily, Zain and smaller carriers a combined SAR 40 million (~$10.7 million) for offenses including unlicensed frequency use and unauthorized SIM issuance (Arab News) — the same enforcement architecture, run at higher volume five years later.
What "Subscriber Identity" Enforcement Means in Practice
Saudi Arabia does not merely register SIM cards; it binds them cryptographically to a national identity. The CST's Committee for the Consideration of Violations, established under Article 38 of the Communications Law (Royal Decree M/12), has express jurisdiction over unauthorized telecom device possession, unlicensed network operation, and illegal prepaid card activity (CST) — precisely the categories the 2025 fines cite. On the consumer side, the CST's SIM Authentication Code service routes every new SIM, replacement, or number port through Nafath, the national digital-identity platform, generating a four-hour one-time code that must be handed to the carrier before the transaction completes. The service was explicitly built, per the CST's own description, for subscribers "unable to provide fingerprints" — meaning fingerprint biometric verification is the default rail, and Nafath is the accessibility fallback, not an alternative to identification (CST). There is effectively no path to holding an anonymous or pseudonymous mobile line in the Kingdom.
The Case for Identity-Bound SIMs
The strongest argument for this regime is not authoritarian control — it's fraud and network integrity, and it's a real problem regulators worldwide take seriously. SIM-box fraud, bulk spam origination, and unlicensed frequency use impose direct costs on carriers and consumers, and unregistered prepaid lines are a well-documented vector for scam calls and SMS phishing. India's mandatory SIM-to-Aadhaar linkage and the EU's various KYC-for-telecom pushes rest on the same logic. A regulator that can trace a SIM to a real identity can also shut down the fraud rings and spam operations that a purely anonymous system cannot touch, and the 2025 numbers — over 1,200 violation reports processed — suggest the CST is actually using this authority against operators and bad actors, not just writing rules that sit unenforced.
Where Proportionality Breaks Down
But identity-binding is not neutral infrastructure sitting apart from how a state treats speech — it is the precondition for tracing speech to a person. Saudi Arabia's record on that front is the reason this regulation reads differently than its Indian or European counterparts. Since April 2026, Meta has geo-blocked the Facebook accounts of ALQST for Human Rights, Democratic Diwan, and individual researchers and defenders inside Saudi Arabia at the government's request — part of a pattern in which more than 100 Facebook and Instagram accounts have been restricted since March 2026 (ALQST/Access Now). Separately, Meta's own Oversight Board found in July 2026 that commercial AI models refuse requests to generate material critical of Saudi Arabia's government at roughly double the rate they refuse the same requests about permissive jurisdictions — 31% versus single digits for the US and UK — with at least one model inventing a blanket policy against depicting Crown Prince Mohammed bin Salman at all (MediaNama). Neither finding is about telecom law. Both establish that global platforms already treat Saudi Arabia as a jurisdiction where criticism carries elevated risk to the speaker. A national identity system that makes every SMS, call, and mobile data session attributable to a real name by default is not a separate, apolitical policy lane from that risk calculus — it is the mechanism that makes the risk concrete for whoever holds the SIM.
The Proportionate Path
None of this argues for abandoning subscriber verification — fraud enforcement is legitimate and the CST's 2025 numbers show real capacity to act on it. What proportionate regulation requires is separating the fraud-control function from everything downstream of it: transparent, published criteria for when law enforcement can compel identity disclosure tied to a SIM; an appealable process — not just an internal five-member committee — for subscribers contesting a block or fine; and public reporting that distinguishes fraud-related enforcement from content or speech-related account actions, so outside observers can tell which the CST's fine totals actually reflect. Until that separation is visible in the CST's own reporting, the SAR 149 million figure will read to international observers less as evidence of a well-functioning telecom regulator and more as proof that the infrastructure of accountability and the infrastructure of surveillance in Saudi Arabia are, by design, the same wire.