Saudi Arabia releases version 3 of Cloud Computing Regulatory Framework

The Communication and Information Technology Commission (CITC), the telecommunications regulator in the Kingdom of Saudi Arabia (KSA), issued a revised version 3 of its Cloud Computing Regulatory Framework (CCRF v3), which came into effect on 18/04/1442 H (corresponding to 3 December 2020). The CCRF v3 replaces version 2 of the Cloud Computing Regulatory Framework (CCRF v2).

Amongst other things, the CCRF v3:

  • updates the definition and the type of services captured within the term “cloud service”;
  • rearranges the cloud service provider (CSP) registration levels;
  • revamps the customer content classifications that existed under the CCRF v2; and
  • clarifies the restrictions regarding transfers of KSA government generated customer content outside of KSA.  

The issuance of the CCRF v3 comes at a time when the CITC is playing an active role in fostering and regulating the use of cloud computing in KSA. On 31 December 2020, the CITC issued a study outlining the legislative and regulatory status of cloud computing at a global level, and considered the KSA regulatory framework relative to that of a number of its international peers (including the United States of America, the United Kingdom, and the European Union). The concluding remarks of the study highlight KSA’s growing adoption of cloud services, with the CITC capturing internationally practised cloud regulations through the issuance of the CCRF v3.

We discuss the CCRF v3 and how it might impact your business in further detail below.[1]

What has changed?

Noteworthy changes under the CCRF v3 include:

Scope of application

The CCRF v3 still applies to any cloud service provided to cloud customers having a residence or customer address in KSA[2]. However, the CCRF v3 has updated the definition of “cloud service” to now expressly include Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).

Registration with CITC

Anyone exercising direct or effective control over datacenters or other critical cloud system infrastructure hosted in KSA and used (in whole or in part) for the provision of cloud services must register with the CITC. Whilst this registration obligation is not new, the CCRF v3 imposes a new obligation on a CSP that exercises control of such datacenters to use telecommunications infrastructure (including international infrastructure) through operators licensed by the CITC.

The CCRF v3 rearranges the CSP registration levels: there are three categories of registration (“A,” “B” and “C,” with “A” being the least onerous and “C” being the most onerous) depending on an applicant CSP’s conformance with certain minimum technical standards / requirements provided by the CITC.

Information security (customer content classification)

Customer content can be subject to different levels of information security, depending upon the level of confidentiality, integrity and availability required. The CCRF v3 has replaced the information security classifications in the CCRF v2 and has adopted two new information security classifications instead. These are:

  • “Saudi Government Data,” which is split into four different levels, being “top secret,” “secret,” “confidential” and “public”; and
  • “Non-Government Data,” which includes data that is not captured under any of the four different security levels for Saudi Government Data, and also “data received from Saudi Government entities” (which is classified as received from a government agency based on the four classification levels included against Saudi Government Data).

As with the CCRF v2, it is still the responsibility of the cloud customer to select the appropriate information security level that should be applied to its data, which best matches their security requirements, specific needs, duties and obligations. Such classification should also be reflected in any cloud contract entered into between a CSP and cloud customer.

Cloud customers whose content is classified as Saudi Government Data must contract with a CSP registered at the CITC. Whether a CSP qualifies to process customer content which falls within a particular classification will depend upon the category for which the CSP is registered.

Data localisation/residency requirements

There are various data localisation/residence requirements under the CCRF v3. For example, amongst other requirements, CSPs registered with the CITC and cloud customers must ensure that Saudi Government Data is not transferred outside of KSA, for any purpose and in any form whatsoever, whether permanently or temporarily, unless such transfer is expressly permitted by a law or regulation in KSA (other than the CCRF v3).

Importantly, the provisions of the CCRF v3 (and indeed the CCRF v2) do not prejudice any other applicable law or requirements concerning a cloud customer’s ability to outsource, transmit, process or store customer content, data or information in a cloud system, but where permitted any associated restrictions or safeguards must be applied.

Cybersecurity requirements

CSPs must inform cloud customers, the CITC and National Cybersecurity Authority (without unjustified delay) of any cybersecurity incident or breach. Further, the CCRF v3 also imposes an obligation on CSPs to inform the CITC of any information leakage (including personal data) known by the CSP.

In such instances, the CITC is tasked with notifying the National Data Management Office if such incidents or breaches affect, or are likely to affect, Saudi Government Data or a significant number of persons in KSA due to their reliance on one or more cloud customer services that are affected by the cybersecurity incident (including information leakage).

What should affected parties be doing now?

CSPs should assess how their operations are affected by the CCRF v3, including the registration requirements with the CITC. CSPs and cloud customers must also review their customer content classification and whether that classification must be reflected in their cloud service contracts, including any data localisation/residency requirements that may apply as a result of such classification.

Other requirements under the CCRF v3 may apply, for example, in relation to cloud contracting, data protection and various other cloud customer rights.

Please contact the authors if you would like to discuss any aspect of this article:
Mohamed Moussallati
Faisal Imam

This article has been co-authored by Eamon Holley, Partner, DLA Piper.


[1] This is not an exhaustive list of all requirements and obligations (or changes made) under the CCRF v3.

[2] Note that, regardless of the cloud customer’s residence or address, specific provisions from the CCRF v3 still apply to the processing or storage of customer content and customer data in datacenters or other elements of a cloud system that are located in KSA – for example, reporting to the CITC on major information security breaches.