From Ideem — device-bound passkeys and A2A payment authentication for banks, fintechs, and payment platforms.

Regulatory News
7 min read

Qatar Central Bank's 2025 Data Handling Regulation: What It Signals for Bank Authentication

QCB announced its Data Handling and Protection Regulation in February 2025, joining a cybersecurity framework that mirrors the trajectory SAMA and UAE Central Bank are already on. What Qatari banks should be doing now to prepare for the inevitable authentication-specific directives.
Written by
Maranda Manning
Published on
May 21, 2026

TL;DR

  • The Qatar Central Bank (QCB) announced its Data Handling and Protection Regulation on February 16, 2025 — the most recent significant addition to a cybersecurity framework that already includes Information and Cyber Security Regulations for Payment Service Providers, the Insurance Sector Cyber Security Regulation, and the Technology Risks Regulation for banks.
  • The QCB framework as a whole is converging with the regional trajectory already established by Saudi Arabia's SAMA and the UAE Central Bank: governance requirements, third-party risk management, incident reporting, and authentication controls that map to phishing-resistant MFA expectations.
  • For Qatari banks and PSPs, the practical implication is the same path SAMA-regulated banks walked between 2023 and 2025 — a phased move away from SMS OTP toward strong, phishing-resistant authentication that produces auditable evidence.
  • Banks that get ahead of the trajectory will be positioned for the inevitable specific authentication directives. The ones that don't will find themselves re-platforming under deadline pressure.
  • Ideem's Passkeys+ is designed to meet the audit, attestation, and provider-policy requirements GCC regulators are converging on, with deployments already live in the region.

The Gulf Cooperation Council's authentication landscape has shifted more dramatically over the past three years than perhaps any other region. Saudi Arabia's SAMA framework set the bar — explicit phishing-resistant authentication expectations, third-party risk requirements that touch identity providers, audit-grade controls that map directly to FIDO Alliance certification. The UAE Central Bank followed with its 2025 OTP directive, accelerating the regional shift away from SMS-based authentication. Banks across the GCC have been watching to see how the rest of the regulators converge.

Qatar's QCB is one to watch closely. The cybersecurity framework Qatar's central bank has been building reads like a steady, deliberate progression toward the same destination SAMA reached — with the additional element of a clear data-protection mandate that frames authentication as a confidentiality, integrity, and availability problem.

What QCB has already published

The QCB cybersecurity stack is more comprehensive than is often appreciated outside the region. On February 16, 2025, the QCB announced its Data Handling and Protection Regulation, establishing the framework for the secure collection, processing, storage, and transmission of data across Qatar's financial sector. The regulation aims to mitigate risks associated with data breaches and cyber threats while ensuring compliance with global best practices.

That regulation sits on top of a body of existing QCB cybersecurity guidance:

  • The Information and Cyber Security Regulation for Payment Service Providers, which sets baseline expectations for PSP cyber programs operating under QCB licensure
  • The Insurance Sector Cyber Security Regulation, which extends governance and controls expectations across Qatar's insurance carriers
  • The Technology Risks Regulation for Banks, which addresses operational risk arising from technology dependencies

Taken together, these documents form a coherent picture: governance, threat intelligence, incident management, third-party risk, regulatory compliance, and — explicitly identified in QCB guidance — authentication security. The framework establishes what Qatari banks and PSPs are accountable for. The implementation choices are the institution's.

The regional convergence pattern

If you sit a QCB regulation alongside SAMA's Cyber Security Framework or the UAE Central Bank's authentication guidance, the structural similarities are striking. All three frameworks treat authentication as a layered discipline. All three require demonstrable third-party governance over identity providers and payment infrastructure. All three are moving toward phishing-resistance as an implicit standard, even when the specific phrase doesn't appear verbatim in every paragraph.

SAMA reached the explicit-authentication-mandate stage between 2023 and 2025. The UAE Central Bank followed in 2025 with the OTP directive that Corbado and others have analyzed at length. The QCB framework, viewed through the lens of regional convergence, looks like a regulator preparing the foundation for a similar move. The 2025 Data Handling Regulation is consistent with that reading — it puts the data-protection scaffolding in place that any subsequent specific authentication directive will reference.

This is the regional pattern Qatari banks should plan for. A general framework first. Specific directives second. Compliance deadlines third. The institutions that anticipate the sequence are the ones that aren't scrambling when the third step arrives.

What Qatari banks should be doing now

The work for QCB-regulated banks and PSPs in 2026 falls into three workstreams.

Map the existing QCB requirements to current authentication controls. The Data Handling and Protection Regulation, the Information and Cyber Security Regulation for PSPs, and the Technology Risks Regulation collectively touch authentication in multiple places. A clean inventory — "for each QCB requirement that names or implies authentication, here is the control in place and here is the evidence" — is the first artifact an examiner is going to ask for.

Identify the SMS OTP migration path. Regional regulators are converging on phishing-resistant authentication. Banks still anchored on SMS OTP for sensitive flows are running on a clock. A defensible 12–18 month migration plan that names the flows, the target authentication factor, and the customer communication strategy is the second artifact regulators are going to look for.

Build the third-party risk story for identity providers. If the bank is using Okta, ForgeRock, Ping, or a homegrown identity stack, the QCB third-party risk and governance expectations touch that vendor relationship. The bank needs the audit-grade evidence that the identity provider meets the cybersecurity expectations — including attestation, certification, and ongoing monitoring — that QCB has laid out across its published regulations.

Where Ideem fits

Ideem's Passkeys+ is built for exactly the regulatory environment the QCB framework describes. The platform produces audit-grade evidence of authentication decisions, supports policy controls that map to QCB cybersecurity expectations, and integrates with existing GCC bank identity stacks — including the customers already deploying Passkeys+ in the region.

Because Passkeys+ is provider-agnostic across the passkey ecosystem (Apple, Google, Microsoft, password managers, hardware security keys), Qatari banks can support the consumer authenticators their customers actually use today while keeping the trust-tier machinery the QCB framework will continue to expect. The architecture supports both synced credentials for retail flows and device-bound credentials for high-value transactions, with the policy controls expressed at the authentication layer rather than buried in custom application code.
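The tiering described above, synced credentials accepted for retail flows and device-bound credentials required for high-value transactions, can be decided at the authentication layer from the WebAuthn authenticator data itself. The following is an added example written for this page, not Ideem's code and not part of any QCB text. It parses the fixed 37-byte prefix of `authenticatorData` (RP ID hash, flags, signature counter), reads the Backup Eligibility (BE) and Backup State (BS) flags that WebAuthn Level 3 defines at bits 3 and 4, and applies a hypothetical per-flow policy table, returning a record that can be logged as evidence of the decision. The relying party name `bank.example`, the flow names and the policy table are constructed for the example.

```python
"""Authentication-layer trust-tier policy on WebAuthn authenticator data.

Added example, not Ideem's implementation. Only the fixed 37-byte prefix of
authenticatorData is parsed; attested credential data and extensions that may
follow it are ignored here.
"""
import hashlib
import struct
from dataclasses import dataclass

# WebAuthn authenticatorData flag bits (byte 32 of the structure).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric)
FLAG_BE = 0x08  # backup eligible: credential is syncable to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

# Constructed sample relying party; a real RP uses its own origin's RP ID.
RP_ID_HASH = hashlib.sha256(b"bank.example").digest()

# Hypothetical policy table: the tier each flow requires.
POLICY = {
    "balance_view": "retail",          # synced or device-bound accepted
    "high_value_transfer": "high_value",  # device-bound only
}


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)

    @property
    def device_bound(self) -> bool:
        # A credential that is not backup-eligible cannot leave the authenticator.
        return not (self.flags & FLAG_BE)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def evaluate(flow: str, raw_auth_data: bytes, expected_rp_id_hash: bytes) -> dict:
    """Decide allow/deny for a flow and return an auditable decision record."""
    ad = parse_auth_data(raw_auth_data)
    tier = POLICY[flow]
    reasons = []
    if ad.rp_id_hash != expected_rp_id_hash:
        reasons.append("rp_id_hash does not match this relying party")
    if not (ad.flags & FLAG_UP):
        reasons.append("user presence not asserted")
    if not ad.user_verified:
        reasons.append("user verification required for every banking flow")
    if tier == "high_value" and not ad.device_bound:
        reasons.append("high-value flow requires a device-bound credential")
    return {
        "flow": flow,
        "tier": tier,
        "credential_kind": "device-bound" if ad.device_bound else "synced",
        "currently_backed_up": bool(ad.flags & FLAG_BS),
        "user_verified": ad.user_verified,
        "sign_count": ad.sign_count,
        "decision": "allow" if not reasons else "deny",
        "reasons": reasons,
    }


def sample_auth_data(flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData prefix for demonstration."""
    return RP_ID_HASH + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    import json
    synced = sample_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 42)
    bound = sample_auth_data(FLAG_UP | FLAG_UV, 7)
    for flow, data in [("balance_view", synced),
                       ("high_value_transfer", synced),
                       ("high_value_transfer", bound)]:
        print(json.dumps(evaluate(flow, data, RP_ID_HASH)))
```

The BE and BS bits are asserted by the authenticator, so this check distinguishes credential kinds at assertion time but does not by itself prove the authenticator's make or model; a relying party that needs that assurance records the attestation statement and AAGUID at registration and keys its policy on the stored credential record as well as on the flags seen here.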

The QCB is moving deliberately, in the same direction the rest of the GCC regulators have already moved. The banks that prepare now — using the 2025 Data Handling and Protection Regulation as the obvious anchor for the program — will lead. The ones that wait will be writing the case studies that the early movers reference in their compliance documentation.

