Virtual and Hybrid General Assemblies
Technology, Procedure, and Governance for the Digital Assembly
First: Introduction
The General Assembly was, for most of the last century, an essentially physical event: shareholders gathered in a hall, voted by show of hands or paper ballot, and went home. Within a single decade, that model has been transformed. Driven first by the regulatory push toward shareholder participation, accelerated decisively by the pandemic, and now sustained by the maturity of Saudi Arabia’s digital infrastructure, virtual and hybrid Assemblies have become the norm for listed companies.
This transformation has been profoundly positive for shareholder participation: attendance rates that were historically low for individual shareholders have risen substantially when participation is just a tap away. But it has also introduced new governance challenges. The Assembly is no longer a single room under the direct control of the Corporate Secretary; it is a distributed digital event whose validity depends on technology that the company does not always fully own.
💡 Key Insight: Virtual and hybrid Assemblies are not just the old Assembly with cameras added. They require a fundamentally different operating model: stricter pre-event preparation, harder identity verification, more redundancy, and a different chairing style. Companies that approach them as a digital version of the physical meeting often fail; companies that redesign their procedures for the digital format thrive.
Second: Definitions and Formats
1. Three Formats
1.1 Physical (In-Person) Assembly
All shareholders gather at a single physical location. Voting may be paper-based or, more commonly today, electronic via in-hall handsets. The Chairperson, the board, and the support team are all in the same room. Remote participation is not supported.
1.2 Virtual (Fully Remote) Assembly
No physical venue. All shareholders join via a virtual platform — typically a video-conferencing service integrated with Tadawulaty for voting and identity verification. The Chairperson and the head-table officers may be co-located in a broadcast studio, or each may join from their own location.
1.3 Hybrid Assembly
A physical venue plus a parallel virtual platform. Some shareholders attend in person; others join remotely. The two channels must be tightly integrated so that questions, voting, and announcements reach all attendees simultaneously. This is the most demanding format from an operational standpoint, but also the most inclusive.
2. Legal Recognition in Saudi Arabia
The Saudi Companies Law and the CMA Regulations explicitly authorize virtual and hybrid General Assemblies for listed companies, subject to compliance with technical and procedural requirements set by the regulator. The legal validity of resolutions adopted in a virtual or hybrid Assembly is identical to that of resolutions adopted in a physical Assembly, provided that the procedural requirements have been satisfied.
3. The Strategic Choice
| Format | Reach | Cost | Operational Risk | Best Suited For |
| --- | --- | --- | --- | --- |
| Physical | Local only | High venue cost | Low (familiar) | Small private companies |
| Virtual | Global | Low | High (single tech failure) | Listed companies, routine years |
| Hybrid | Global + local | Highest | Highest (two channels) | Listed companies, sensitive years |
Third: The Technical Architecture
1. Core Components
1.1 The Voting Platform
In Saudi listed companies, Tadawulaty is the standard voting platform. It handles eligibility verification (linked to the share register at Edaa), the voting interface, the recording of votes, and the generation of the audit log. The voting platform must be available before the meeting (for pre-meeting voting), during the meeting (for live voting on procedural matters that may arise), and after the meeting (for retrieving the audit trail).
1.2 The Video-Conferencing Platform
Used for presenting content, allowing the Chairperson and head-table officers to speak, and enabling shareholders to ask questions. Common choices include enterprise-grade platforms such as Microsoft Teams, Zoom, Cisco Webex, or specialized AGM platforms. The platform must support identity verification, queued questions, recording, and integration with the voting platform.
1.3 The Identity Verification Layer
Shareholders must be authenticated before they can vote or speak. In Saudi Arabia, this typically involves Nafath (the National Single Sign-On) integrated with Tadawulaty, supplemented by multi-factor authentication. For non-Saudi shareholders, alternative verification flows are required.
1.4 The Streaming Layer
Live streaming on the company’s investor relations website, on Tadawul, or via the AGM platform itself ensures broad transparency. The stream is the public face of the Assembly even for shareholders who do not log in to vote.
1.5 The Backup and Failover Layer
Every component must have a backup: redundant network connections, backup power for the studio, alternative platforms ready to activate, and clear escalation procedures.
2. Integration Requirements
- Single source of truth for attendance: The voting platform’s attendance list must be the single source of truth, with quorum calculated against it.
- Synchronized clocks: All platforms must be synchronized to a common time source.
- Unified question queue: Questions from in-person and remote attendees must enter the same queue.
- Synchronized announcements: The Chairperson’s announcements must reach all channels simultaneously.
⚠️ Caution: Integration failures are the leading cause of virtual Assembly problems. Each platform works fine in isolation, but the boundaries between them — the voting platform, the video platform, the identity layer, the streaming layer — are where defects emerge under pressure. Pre-event integration testing must simulate real load and real failures, not just check that each platform launches.
Fourth: Identity Verification
1. Why It Matters
Identity verification is the single most important technical control in a virtual Assembly. If a non-shareholder votes, the resolution is invalidated. If a shareholder votes more than once, the count is corrupted. If a proxy is exercised by someone other than the authorized proxy holder, the count is corrupted again. Every other technical control depends on this foundation.
2. Verification Tiers
2.1 Tier 1: Direct Shareholder Authentication
- Tadawulaty credentials: Username and password tied to the shareholder’s investment portfolio.
- Multi-factor authentication: SMS code or authenticator app.
- Nafath integration: National Single Sign-On, with biometric verification on the user’s device.
- Session controls: Single active session per shareholder; multiple concurrent logins blocked.
2.2 Tier 2: Proxy Verification
- Pre-meeting proxy submission: Powers of attorney submitted through Tadawulaty or directly to the company before the meeting.
- Identity check of the proxy holder: Same Tier 1 verification applied to the proxy holder’s own credentials.
- Activation in the system: Proxy is marked active only after the principal’s status is verified (still alive, not declared incompetent, still owns the shares).
2.3 Tier 3: Corporate Representative Verification
- Authorization document: Board resolution or other authorization showing that the representative is empowered to act.
- Identity check: Standard verification of the representative’s own identity.
- Power scope verification: Confirmation that the authorization covers Assembly attendance and voting.
3. Edge Cases
- Joint shareholders: Only the designated representative can attend and vote; the system must reflect this.
- Beneficial holders behind nominees: Voting is by the registered nominee; beneficial holders must work through their nominee.
- Shareholders abroad: Time-zone challenges; pre-meeting voting helps ensure participation.
- Shareholders with disabilities: Accessibility requirements (screen readers, captioning, alternative input devices) must be supported.
Fifth: Pre-Meeting Preparation
1. Sixty Days Out
- Format decision: Confirm virtual / hybrid / physical based on the year’s circumstances.
- Platform selection: Confirm the voting platform, video platform, and integration vendor.
- Contract review: Service levels, security commitments, liability allocation with each vendor.
- Initial security review: Confirm that the vendors meet the company’s cybersecurity standards.
2. Thirty Days Out
- Notice publication: Notice includes detailed instructions for virtual participation.
- Shareholder communications: Pre-meeting information packs explaining how to join.
- Helpdesk preparation: Dedicated shareholder helpdesk for technical questions.
- First integration test: End-to-end test of all platforms together.
3. Fourteen Days Out
- Second integration test: With simulated load (hundreds of concurrent connections).
- Rehearsal with Chairperson and head-table officers: Full simulation of the meeting flow.
- Security penetration test: Independent test of the platforms.
- Backup procedures finalized: Documented and rehearsed.
4. Seven Days Out
- Final integration test: Including failover scenarios.
- Pre-meeting voting opens: Shareholders can begin voting via Tadawulaty.
- Helpdesk fully staffed: Extended hours as the meeting approaches.
- Final shareholder reminder: Email and SMS reminders with joining instructions.
5. Meeting Day
- Studio setup completed: At least two hours before the meeting start.
- Pre-meeting technical check: All platforms, all connections, all backups.
- Helpdesk live: Available throughout the meeting and for two hours afterwards.
- Recording confirmed active: Audio, video, and platform logs.
Sixth: Conducting the Virtual Assembly
1. The Opening
- Studio go-live: Camera, audio, and stream confirmed working.
- Attendance verification: Real-time view of who is connected and authenticated.
- Quorum declaration: By the Corporate Secretary based on the verified attendance.
- Procedural announcements: Including the specific virtual format: how to ask questions, how to vote, how to signal problems.
2. The Substantive Phase
- Item presentation: Slides shared via screen-sharing; speaker visible in a video tile.
- Q&A intake: Written questions via a queue managed by a moderator; live audio/video questions when permitted.
- Voting window: Opens on the platform with a clear countdown timer visible.
- Result announcement: By the Chairperson, with the on-screen result displayed simultaneously.
3. The Closing
- Final remarks: Including a reminder of the disclosure timeline.
- Adjournment: Formal adjournment, recorded for the minutes.
- Stream ends: Recording is archived.
- Helpdesk continues: Available for follow-up questions for at least two hours.
4. Special Chairing Considerations
- Camera awareness: The Chairperson is on camera for the entire meeting; body language and tone are amplified, not diminished, by the medium.
- Pacing: Virtual meetings can feel rushed or lethargic depending on the Chairperson’s pacing; deliberate pacing with clear transitions works best.
- Inclusion of remote voices: Without intentional effort, in-room voices dominate hybrid meetings; the Chairperson must actively call on remote attendees.
- Reading engagement: Virtual meetings deprive the Chairperson of much of the body-language feedback of physical meetings; the moderator and support team must compensate.
Seventh: Cybersecurity
1. The Threat Model
- Identity fraud: Attackers attempting to vote as a shareholder they are not.
- Denial of service: Attacks aimed at preventing the meeting from proceeding.
- Data interception: Attempts to intercept voting data in transit.
- Insider threats: Authorized users misusing their access.
- Social engineering: Manipulation of helpdesk staff or shareholders to gain access.
- Disinformation: Coordinated campaigns to spread false information about the meeting.
2. Defensive Controls
- Encryption everywhere: All connections, all data, at rest and in transit.
- Multi-factor authentication: On every account, no exceptions.
- Network segmentation: Meeting infrastructure isolated from corporate networks.
- Monitoring: Security operations center actively watching during the meeting.
- Incident response plan: Pre-defined actions for each plausible attack scenario.
- Vendor security obligations: Contractual commitments with measurable service levels.
3. Compliance Framework
- National Cybersecurity Authority (NCA) requirements: Saudi national framework for critical infrastructure.
- SAMA Cybersecurity Framework: For financial institutions.
- CMA technical guidelines: For capital market participants.
- ISO/IEC 27001: International information security management standard.
- Personal Data Protection Law: Saudi PDPL compliance for shareholder data.
Eighth: Common Failure Modes
1. Authentication Failures
- Mass login at start: Hundreds of shareholders logging in simultaneously can overwhelm the system.
- Forgotten credentials: Helpdesk overload as shareholders request password resets at meeting time.
- Nafath service outages: External dependency that the company does not control.
2. Voting Failures
- Vote not recorded: Connection drop at the moment of submission.
- Duplicate votes: User submits twice due to slow response.
- Voting window timing: Window closes while shareholders are still trying to vote.
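One way to handle the three voting failures above on the intake side, as an added example (not code from Tadawulaty or any AGM vendor): a retry with the same request ID returns the original receipt, a second distinct vote is rejected, and the window is enforced on the server clock. `VoteLedger`, `request_id`, the shareholder IDs, and the dates are hypothetical, constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Receipt:
    shareholder_id: str
    resolution_id: str
    choice: str
    request_id: str       # client-generated, reused unchanged on every retry
    recorded_at: datetime


@dataclass
class VoteLedger:
    register: dict        # shareholder_id -> shares held (eligibility snapshot)
    opens_at: datetime
    closes_at: datetime
    votes: dict = field(default_factory=dict)      # (shareholder, resolution) -> Receipt
    audit_log: list = field(default_factory=list)  # append-only event trail

    def _log(self, when, event, shareholder_id, resolution_id, request_id):
        self.audit_log.append((when.isoformat(), event, shareholder_id, resolution_id, request_id))

    def submit(self, shareholder_id, resolution_id, choice, request_id, received_at):
        """Return (status, receipt). received_at is the server clock, never the client's."""
        args = (shareholder_id, resolution_id, request_id)
        if shareholder_id not in self.register:
            self._log(received_at, "NOT_ELIGIBLE", *args)
            return "not_eligible", None
        existing = self.votes.get((shareholder_id, resolution_id))
        if existing is not None:
            # Retry of the same request (e.g. after a dropped connection): hand back
            # the original receipt, even if the window has closed in the meantime.
            if existing.request_id == request_id and existing.choice == choice:
                self._log(received_at, "REPLAYED", *args)
                return "replayed", existing
            # Any other request for an already-voted resolution is a second vote.
            self._log(received_at, "DUPLICATE_REJECTED", *args)
            return "duplicate", existing
        if not (self.opens_at <= received_at <= self.closes_at):
            self._log(received_at, "WINDOW_CLOSED", *args)
            return "window_closed", None
        receipt = Receipt(shareholder_id, resolution_id, choice, request_id, received_at)
        self.votes[(shareholder_id, resolution_id)] = receipt
        self._log(received_at, "RECORDED", *args)
        return "recorded", receipt

    def tally(self, resolution_id):
        """Share-weighted totals per choice for one resolution."""
        totals = {}
        for (holder, res), receipt in self.votes.items():
            if res == resolution_id:
                totals[receipt.choice] = totals.get(receipt.choice, 0) + self.register[holder]
        return totals


def demo():
    """Constructed scenario: a retry, a second vote, a late vote, an unknown voter."""
    t0 = datetime(2025, 1, 1, 16, 0, tzinfo=timezone.utc)
    ledger = VoteLedger({"SH-001": 1000, "SH-002": 250, "SH-003": 40},
                        opens_at=t0, closes_at=t0 + timedelta(minutes=5))
    s = timedelta(seconds=1)
    outcomes = [
        ledger.submit("SH-001", "R1", "for", "req-a", t0 + 10 * s)[0],
        ledger.submit("SH-001", "R1", "for", "req-a", t0 + 12 * s)[0],       # retry
        ledger.submit("SH-001", "R1", "against", "req-b", t0 + 20 * s)[0],   # second vote
        ledger.submit("SH-002", "R1", "against", "req-c", t0 + 299 * s)[0],
        ledger.submit("SH-002", "R1", "against", "req-c", t0 + 301 * s)[0],  # retry after close
        ledger.submit("SH-003", "R1", "for", "req-d", t0 + 301 * s)[0],      # first attempt, late
        ledger.submit("SH-999", "R1", "for", "req-e", t0 + 30 * s)[0],       # not in register
    ]
    return outcomes, ledger.tally("R1"), len(ledger.audit_log)
```

Every rejected or replayed attempt still lands in `audit_log`, which gives the post-meeting review a record of which shareholders were affected by a technical failure.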
3. Communication Failures
- Audio quality: Poor microphone setup degrading the Chairperson’s voice.
- Video delays: Lag between audio and video causing confusion.
- Question queue overload: Volume of questions exceeding what moderators can manage.
4. Procedural Failures
- Inadequate disclosure of virtual procedures: Shareholders unsure how to participate.
- Unequal treatment of in-room and remote attendees: Hybrid format breaking down.
- Inconsistent treatment of technical failures: Some shareholders disadvantaged, others not.
Ninth: International Practice Comparison
| Country / Region | Virtual AGM Legal Status | Mandatory Components | Trend |
| --- | --- | --- | --- |
| Saudi Arabia | Authorized for listed companies | Tadawulaty integration | Hybrid is default |
| United Kingdom | Authorized post-2020 | No specific mandates | Hybrid growing |
| European Union | Mandatory option under SRD II | Electronic voting required | Virtual increasing |
| United States | Permitted (state law varies) | State-by-state requirements | Hybrid widespread |
| UAE | Mandatory for listed companies | Approved platforms | Virtual default |
| Japan | Authorized 2021 | Identity verification | Hybrid growing |
Tenth: Best Practices
1. Design Principles
- Inclusive by default: Every shareholder, regardless of location or accessibility need, can participate equally.
- Resilient by design: Every critical component has a backup; every backup is tested.
- Transparent throughout: Full recording, full audit trail, full disclosure.
- Simple from the user side: Complex infrastructure should result in a simple, intuitive user experience.
2. Operational Practices
- Dedicated meeting day team: A team whose only job that day is running the meeting.
- Visible incident command: A clear command structure for handling any disruption.
- Real-time dashboards: Live views of attendance, voting progress, and system health.
- Comprehensive post-event review: Structured debrief within 48 hours.
3. Governance Practices
- Board oversight: The risk committee reviews the technical and procedural arrangements before each Assembly.
- Annual external review: Independent assessment of the Assembly process.
- Shareholder feedback: Post-meeting survey of attendees.
- Public reporting: Disclosure of participation metrics in the annual report.
Conclusion
Virtual and hybrid Assemblies are the future of shareholder participation. Done well, they extend the franchise to shareholders who would never have attended a physical meeting, lower the barriers to engagement, and increase the credibility of the company’s governance. Done poorly, they expose the company to identity fraud, procedural challenges, and reputational damage on a scale that physical Assemblies never created.
The difference between done well and done poorly is preparation. Successful virtual Assemblies are not improvised — they are the product of months of vendor management, integration testing, security review, and rehearsal. Saudi listed companies that have invested in this preparation now hold Assemblies that compare favorably with the best international practice. Those that have not invested face an increasingly visible governance gap that institutional investors and regulators will notice.
🎯 Essential Points to Remember
(1) Virtual and hybrid Assemblies are legally recognized in Saudi Arabia and produce resolutions of identical validity to physical Assemblies.
(2) Three formats exist: physical, virtual (fully remote), and hybrid; each has different strategic implications.
(3) The technical architecture has five layers: voting platform, video platform, identity verification, streaming, and backup/failover.
(4) Integration between layers is where most failures occur; integration testing is essential.
(5) Identity verification is the single most important control, with three tiers: shareholder, proxy, and corporate representative.
(6) Pre-meeting preparation begins 60 days out and intensifies as the date approaches.
(7) Chairing a virtual Assembly requires different skills than chairing a physical one.
(8) Cybersecurity threats include identity fraud, denial of service, interception, insider threats, and social engineering.
(9) Common failure modes are authentication, voting, communication, and procedural; each has well-known mitigations.
(10) Best practice combines inclusive design, resilient architecture, transparent operation, and continuous improvement.
Frequently Asked Questions
What formats are available for Saudi general assemblies and what is the legal basis for virtual and hybrid formats?
Three formats are legally available. The physical assembly brings all shareholders to a single venue with in-hall electronic voting via handsets and no remote participation. The virtual assembly has no physical venue — all participants join through a digital platform integrated with Tadawulaty for voting and identity verification, with the chairperson and head-table officers in a broadcast studio or joining remotely. The hybrid assembly combines a physical venue with a parallel virtual channel, requiring tight integration so that questions, voting, and announcements reach all attendees simultaneously. Saudi Companies Law M/132 and the CMA regulations explicitly authorize virtual and hybrid assemblies for listed companies, and resolutions adopted through either format carry identical legal validity to those adopted in a physical assembly provided the procedural requirements are met. Tadawulaty, operated by Edaa, is the standard voting platform for listed companies across all formats and handles eligibility verification linked to the share register, the voting interface, and the audit log.
What technical architecture is required for a virtual or hybrid general assembly in Saudi Arabia?
The architecture consists of five integrated layers. The voting platform — Tadawulaty for Saudi listed companies — handles eligibility verification, vote recording, and audit log generation, and must be available before the meeting for pre-meeting voting, during the meeting for live votes, and after for audit trail retrieval. The video-conferencing platform supports content presentation, Q&A, and shareholder questions, typically an enterprise-grade service such as Microsoft Teams, Zoom, or a specialized AGM platform. The identity verification layer authenticates shareholders before they can vote or speak, using Tadawulaty credentials with multi-factor authentication and Nafath National Single Sign-On with biometric verification, with alternative flows for non-Saudi shareholders. The streaming layer provides live broadcast on the company's investor relations website or Tadawul for broad transparency. The backup and failover layer provides redundancy for every critical component including network connections, power, and alternative platforms. Integration between these layers is where most failures occur — integration testing must simulate real load and real failure scenarios, not just confirm that each platform launches independently.
What are the most common failure modes in virtual general assemblies and how should companies mitigate them?
Four categories of failure recur across virtual assemblies. Authentication failures include mass simultaneous logins overwhelming the system at meeting time, shareholders locked out due to forgotten credentials creating helpdesk overload, and Nafath service outages that the company cannot control — mitigated by load testing at expected scale, proactive credential reminder communications two weeks before, and pre-meeting voting as a fallback. Voting failures include votes not recorded due to connection drops at submission, duplicate submissions from slow response times, and voting windows closing while shareholders are still voting — mitigated by connection quality monitoring, duplicate-vote blocking in the platform, and generous window timing with visible countdown. Communication failures include poor audio degrading the chairperson's voice, video lag causing confusion, and question queue overload — mitigated by professional studio setup, dedicated moderators, and a written question option as backup. Procedural failures include inadequate explanation of how to participate virtually, unequal treatment between in-room and remote attendees in hybrid formats, and inconsistent handling of technical disruptions — mitigated by detailed participant guides published with the notice, chairperson discipline in actively calling on remote attendees, and pre-defined incident response procedures for every plausible disruption scenario.
References and Sources
- Saudi Companies Law (M/132).
- Implementing Regulations of the Companies Law for Listed Joint-Stock Companies.
- Corporate Governance Regulations — CMA.
- Tadawulaty Technical Documentation — Edaa.
- National Cybersecurity Authority (NCA) Essential Cybersecurity Controls.
- SAMA Cybersecurity Framework.
- Personal Data Protection Law — Saudi Arabia.
- OECD Principles of Corporate Governance — Disclosure and Technology.
- ICGN Virtual Meetings Guidance — 2023.
- Comparative Study of Virtual AGM Practices — Chartered Governance Institute.



