Art. 3.4.3 of the Cyber Security Framework of Saudi Arabian Monetary Authority mandates that financial institutions should use cloud services located in Saudi Arabia. If the cloud services are outside Saudi Arabia, financial services should obtain explicit approval from the Saudi Arabian Monetary Authority. These applies to banks, insurance and/or reinsurance companies, financing companies, and credit bureaus operating in Saudi Arabia.

Saudi Arabia’s National Data Management Office published the National Data Governance Interim Regulations, which requires firms to store and process personal data within Saudi Arabia “in order to ensure preservation of the digital national sovereignty over such data.” Data Controllers may only process or transfer personal data outside the Kingdom after obtaining written approval from the relevant regulatory authority (Art. 5.4.16).

Art. 5.4 of the General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services requires that service providers of telecommunication, IT and postal services process customers’ personal data within Saudi Arabia and prohibits them from processing customers’ personal data out of Saudi Arabia without the authorization of Communication and Information Technology Commission (CITC).

The National Cybersecurity Authority (NCA) has developed and implemented the Essential Cybersecurity Controls (ECCs) with the objective to set the minimum cybersecurity requirements for information and technology assets in organisations. The ECCs apply to all government organisations in the Kingdom and its companies and entities (i.e. semi-government entities), as well as private-sector organisations owning, operating, or hosting Critical National Infrastructures (CNIs). Section 4.2.3.3 of the ECCs, which deals with cloud computing and hosting cybersecurity, mandates that an applicable organisation's information hosting and storage must be inside the Kingdom of Saudi Arabia. It is reported that the NCA strongly encourages all other organisations in the Kingdom to 'leverage these controls and implement best practices to improve and enhance their cybersecurity'.
On the other hand, the NCA issued its Cloud Cybersecurity Controls (CCC) which aim to enhance the reliability of cloud computing services by providing secure cloud computing services that help withstand various cyber threats. In particular, the NCA noted that the CCC applies to cloud service providers and cloud service tenants which constitute any government organisation in the Kingdom of Saudi Arabia inside or outside the Kingdom and its companies and entities, as well as private sector organisations owning, operating, or hosting CNIs that currently use or are planning to use any cloud service. The CCC framework requires operators to provide cloud computing services from within country, including all systems including storage, processing, monitoring, support, and disaster recovery centers (Sections 2-3-P-1-10 and 2-3-P-1-11). The requirement applies to all levels of data.

The Communication and Information Technology Commission (CITC), the telecommunications regulator in the Kingdom of Saudi Arabia (KSA), issued a revised version 3 of its Cloud Computing Regulatory Framework (CCRF v3), which came into effect on 18/04/1442 H (corresponding to 3 December 2020). The CCRF v3 replaces version 2 of the Cloud Computing Regulatory Framework (CCRF v2). This version clarifies the restrictions regarding transfers of KSA government generated customer content outside Saudi Arabia.
Art. 3.3.8 of the CCRF v3 states that cloud computing service providers (CSP) and cloud computing subscribers shall not transfer any Saudi Government data outside the Kingdom, for whatever purpose and in whatever format, whether permanently or temporarily (e.g. for caching, redundancy or similar purposes), unless this is expressly allowed under the laws or regulations of the Kingdom. Art. 3.3.9 also adds that cloud computing subscribers may not transfer, store, or process shared content from Saudi government agencies' data to any public cloud computing system, community cloud computing system or hybrid cloud computing system belonging to a service provider within the Kingdom, unless the CSP is properly registered with CITC.

Saudi Arabia has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Communications and Information Technology Commission (CITC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Under the Implementing Regulations of the Telecommunication Act, the Communications and Information Technology Commission (CITC) is permitted to limit the number of licensees for type A Class Licences which include: i) national and international voice call resale services; ii) very small aperture terminal (‘VSAT’) satellite services; iii) public pay telephone services; iv) radio paging services; v) temporary network services; vi) internet of Things-Mobile Virtual Network Operator (‘IoT-MVNO’) services.

The Saudi Arabia Telecom market is dominated by three players holding unified licenses: Etihad Etisalat Company (Mobily), Saudi Telecom Company (STC), and Mobile Telecommunication Company Saudi Arabia (Zain KSA) in 2021. All of them are SOEs. It is reported that, although Saudi Arabia has undertaken a limited privatization process for state-owned companies and assets since 2002, the process, which is open to domestic and foreign investors, has resulted only in partial privatization of SOEs in the telecommunication sector.

According to the Saudi Arabia's Accounting Separation Regulatory Framework, accounting separation is applied and required by law for the operators with significant market power. However, functional separation for operator with significant market power is not required by law.

It is reported that there is an obligation for passive infrastructure sharing in Saudi Arabia to deliver telecom services to end users. It is practiced in the mobile sector and in the fixed sector based on commercial agreements.

Saudi Arabia does not limit foreign ownership in the telecommunication sector. However, it is reported that certain restrictions attached to obtaining full ownership have proven difficult to meet and precluded many investors from taking full advantage of the reform. These include a requirement to invest over USD 50 million during the first five years and to ensure that 30% of all products sold are manufactured locally. In addition, access network (last mile) is still owned by a State-Owned Enterprise, the Saudi Telecom Company (STC).

Trade secrets are governed by the Regulations for the Protection of Confidential Commercial Information (Trade Secrets Regulations). A commercial secret is defined under the Trade Secrets Regulations as information not known in its final form or where information is not usually easily obtainable by those engaged in this type of business, as well as where the information is of commercial value due to its confidentiality, and where the rightful owner takes reasonable measures to maintain its confidentiality. However, the Trade Secrets Regulations do not protect commercial secrets which are inconsistent with Shariah, public order and/or public morals (Art. 7). Obtaining, using or disclosing any commercial secret in a manner that is inconsistent with "honest commercial practices" and without the consent of the rightful owner is deemed an abuse of the commercial secret under the Trade Secrets Regulations.

Saudi Arabia has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Art. 11.9 of the Regulations for Importation and Licensing of Telecommunications and Information Technology Equipment provides a general requirement to disclose details of encryption systems contained in ICT equipment being imported.