Database

Browse Database

SAUDI ARABIA

Since May 2017

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Cyber Security Framework of Saudi Arabian Monetary Authority
Art. 3.4.3 of the Cyber Security Framework of Saudi Arabian Monetary Authority mandates that financial institutions should use cloud services located in Saudi Arabia. If the cloud services are outside Saudi Arabia, financial services should obtain explicit approval from the Saudi Arabian Monetary Authority. These applies to banks, insurance and/or reinsurance companies, financing companies, and credit bureaus operating in Saudi Arabia.
Coverage Financial Sector

SAUDI ARABIA

Since June 2020

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
National Data Governance Interim Regulations
Saudi Arabia’s National Data Management Office published the National Data Governance Interim Regulations, which requires firms to store and process personal data within Saudi Arabia “in order to ensure preservation of the digital national sovereignty over such data.” Data Controllers may only process or transfer personal data outside the Kingdom after obtaining written approval from the relevant regulatory authority (Art. 5.4.16).
Coverage Horizontal

SAUDI ARABIA

Since April 2020

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services
Art. 5.4 of the General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services requires that service providers of telecommunication, IT and postal services process customers’ personal data within Saudi Arabia and prohibits them from processing customers’ personal data out of Saudi Arabia without the authorization of Communication and Information Technology Commission (CITC).
Coverage Telecommunication, IT, and Postal Services

SAUDI ARABIA

Since 2018
Since October 2020

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Essential Cybersecurity Controls (ECC – 1: 2018)

Cloud Cybersecurity Controls (CCC – 1: 2020)
The National Cybersecurity Authority (NCA) has developed and implemented the Essential Cybersecurity Controls (ECCs) with the objective to set the minimum cybersecurity requirements for information and technology assets in organisations. The ECCs apply to all government organisations in the Kingdom and its companies and entities (i.e. semi-government entities), as well as private-sector organisations owning, operating, or hosting Critical National Infrastructures (CNIs). Section 4.2.3.3 of the ECCs, which deals with cloud computing and hosting cybersecurity, mandates that an applicable organisation's information hosting and storage must be inside the Kingdom of Saudi Arabia. It is reported that the NCA strongly encourages all other organisations in the Kingdom to 'leverage these controls and implement best practices to improve and enhance their cybersecurity'.
On the other hand, the NCA issued its Cloud Cybersecurity Controls (CCC) which aim to enhance the reliability of cloud computing services by providing secure cloud computing services that help withstand various cyber threats. In particular, the NCA noted that the CCC applies to cloud service providers and cloud service tenants which constitute any government organisation in the Kingdom of Saudi Arabia inside or outside the Kingdom and its companies and entities, as well as private sector organisations owning, operating, or hosting CNIs that currently use or are planning to use any cloud service. The CCC framework requires operators to provide cloud computing services from within country, including all systems including storage, processing, monitoring, support, and disaster recovery centers (Sections 2-3-P-1-10 and 2-3-P-1-11). The requirement applies to all levels of data.
Coverage Cloud computing and hosting

SAUDI ARABIA

Since December 2020

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Cloud Computing Regulatory Framework
The Communication and Information Technology Commission (CITC), the telecommunications regulator in the Kingdom of Saudi Arabia (KSA), issued a revised version 3 of its Cloud Computing Regulatory Framework (CCRF v3), which came into effect on 18/04/1442 H (corresponding to 3 December 2020). The CCRF v3 replaces version 2 of the Cloud Computing Regulatory Framework (CCRF v2). This version clarifies the restrictions regarding transfers of KSA government generated customer content outside Saudi Arabia.
Art. 3.3.8 of the CCRF v3 states that cloud computing service providers (CSP) and cloud computing subscribers shall not transfer any Saudi Government data outside the Kingdom, for whatever purpose and in whatever format, whether permanently or temporarily (e.g. for caching, redundancy or similar purposes), unless this is expressly allowed under the laws or regulations of the Kingdom. Art. 3.3.9 also adds that cloud computing subscribers may not transfer, store, or process shared content from Saudi government agencies' data to any public cloud computing system, community cloud computing system or hybrid cloud computing system belonging to a service provider within the Kingdom, unless the CSP is properly registered with CITC.
Coverage Cloud computing

SAUDI ARABIA

N/A

Pillar Telecom infrastructure and competition  |  Sub-pillar Signature of the WTO Telecom Reference Paper
Lack of appendment of WTO Telecom Reference Paper to schedule of commitments
Saudi Arabia has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector

SAUDI ARABIA

Since October 2006

Pillar Telecom infrastructure and competition  |  Sub-pillar Presence of independent telecom authority
Presence of independent telecom authority
It is reported that the Communications and Information Technology Commission (CITC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.
Coverage Telecommunications sector

SAUDI ARABIA

Since July 2002

Pillar Telecom infrastructure and competition  |  Sub-pillar Other restrictions to operate in the telecom market
Ministerial Decision No. 11 of 17/05/1423H on Implementing Regulations of the Telecommunication Act
Under the Implementing Regulations of the Telecommunication Act, the Communications and Information Technology Commission (CITC) is permitted to limit the number of licensees for type A Class Licences which include: i) national and international voice call resale services; ii) very small aperture terminal (‘VSAT’) satellite services; iii) public pay telephone services; iv) radio paging services; v) temporary network services; vi) internet of Things-Mobile Virtual Network Operator (‘IoT-MVNO’) services.
Coverage Telecommunications sector

SAUDI ARABIA

Reported in 2021

Pillar Telecom infrastructure and competition  |  Sub-pillar Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
The Saudi Arabia Telecom market is dominated by three players holding unified licenses: Etihad Etisalat Company (Mobily), Saudi Telecom Company (STC), and Mobile Telecommunication Company Saudi Arabia (Zain KSA) in 2021. All of them are SOEs. It is reported that, although Saudi Arabia has undertaken a limited privatization process for state-owned companies and assets since 2002, the process, which is open to domestic and foreign investors, has resulted only in partial privatization of SOEs in the telecommunication sector.
Coverage Telecommunications sector

SAUDI ARABIA

N/A

Pillar Telecom infrastructure and competition  |  Sub-pillar Functional/accounting separation for operators with significant market power
Lack of mandatory functional separation for dominant network operators
According to the Saudi Arabia's Accounting Separation Regulatory Framework, accounting separation is applied and required by law for the operators with significant market power. However, functional separation for operator with significant market power is not required by law.
Coverage Telecommunications sector

SAUDI ARABIA

N/A

Pillar Telecom infrastructure and competition  |  Sub-pillar Passive infrastructure sharing obligation
Requirement of passive infrastructure sharing
It is reported that there is an obligation for passive infrastructure sharing in Saudi Arabia to deliver telecom services to end users. It is practiced in the mobile sector and in the fixed sector based on commercial agreements.
Coverage Telecommunications sector

SAUDI ARABIA

Reported in 2022

Pillar Telecom infrastructure and competition  |  Sub-pillar Maximum foreign equity share for investment in the telecommunication sector
Practical restrictions on foreign investment
Saudi Arabia does not limit foreign ownership in the telecommunication sector. However, it is reported that certain restrictions attached to obtaining full ownership have proven difficult to meet and precluded many investors from taking full advantage of the reform. These include a requirement to invest over USD 50 million during the first five years and to ensure that 30% of all products sold are manufactured locally. In addition, access network (last mile) is still owned by a State-Owned Enterprise, the Saudi Telecom Company (STC).
Coverage Telecommunications sector

SAUDI ARABIA

Since May 2005

Pillar Intellectual Property Rights (IPRs)  |  Sub-pillar Effective protection covering trade secrets
Regulations for the Protection of Confidential Commercial Information issued by Ministry of Commerce and Industry Decision No. 3218 (as amended)
Trade secrets are governed by the Regulations for the Protection of Confidential Commercial Information (Trade Secrets Regulations). A commercial secret is defined under the Trade Secrets Regulations as information not known in its final form or where information is not usually easily obtainable by those engaged in this type of business, as well as where the information is of commercial value due to its confidentiality, and where the rightful owner takes reasonable measures to maintain its confidentiality. However, the Trade Secrets Regulations do not protect commercial secrets which are inconsistent with Shariah, public order and/or public morals (Art. 7). Obtaining, using or disclosing any commercial secret in a manner that is inconsistent with "honest commercial practices" and without the consent of the rightful owner is deemed an abuse of the commercial secret under the Trade Secrets Regulations.
Coverage Horizontal

SAUDI ARABIA

N/A

Pillar Intellectual Property Rights (IPRs)  |  Sub-pillar Signature of the WIPO Performances and Phonogram Treaty
Lack of signature of the WIPO Performances and Phonograms Treaty
Saudi Arabia has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.
Coverage Horizontal

SAUDI ARABIA

Since April 2018

Pillar Intellectual Property Rights (IPRs)  |  Sub-pillar Mandatory disclosure of business trade secrets such as algorithms or source code
Regulations for Importation and Licensing of Telecommunications and Information Technology Equipment
Art. 11.9 of the Regulations for Importation and Licensing of Telecommunications and Information Technology Equipment provides a general requirement to disclose details of encryption systems contained in ICT equipment being imported.
Coverage Telecommunications and information technology equipment