It is reported that, in September 2022, the General Commission for Audiovisual Media (GCAM) introduced the “Mawthooq” protocol requiring individuals who generate income from online marketing, including social media influencers, to obtain an official licence to advertise on social media. Under this framework, non-Saudi residents and visitors are prohibited from posting advertisements on social media unless they hold a valid licence and operate through an established commercial entity. The regulatory text could not be located in publicly available online sources.

Online publishers (including publishers of blogs, forums and short messaging) cannot operate without explicit approval from the highest levels of government. The Executive Regulation for Electronic Publishing Activity stipulates licensing by the Media Ministry as a requirement for those seeking to publish online (Article 7). The regulation requires applicants to be Saudi nationals, at least 25 years old, a university graduate, of “good conduct,” and not be employed by the government. Article 15 of the Law prohibits publishing anything that contravenes Islamic law, violates public order, or serves “foreign interests,” as well as material inciting a “spirit of discord” within society.

The communications regulator in the Kingdom of Saudi Arabia, the Communications, Space and Technology Commission, has issued updated Cloud Computing Services Provisioning Regulations, which replace version 3 of the Cloud Computing Regulatory Framework (CCRF v3). Under the cloud regulatory framework, any cloud computing service provider that exercises direct or effective control over a data centre or other critical cloud infrastructure hosted and used in Saudi Arabia for the provision of cloud computing services must be registered with CST. In addition, such providers are required to use telecommunications infrastructure (including international connectivity) only through operators licensed by CST.

According to Section 4 of the Regulations of the General Class License (GCL), the GCL permits the provision of several telecommunications services, including Internet of Things Virtual Network Operator (IoT-VNO) services and IoT services using licence-exempt frequency bands.
In addition, pursuant to Section 5-2 of the Internet of Things (IoT) Regulatory Framework, only entities that have obtained the relevant licences from the CST are allowed to provide IoT connectivity services using wired fixed-line networks or licensed-frequency wireless networks.

The Regulations for Providing Digital Content Platform Services issued by the Communications, Space and Technology Commission (CST) establish licensing, registration, and notification requirements for local and international digital content platforms within their scope. Covered services include satellite pay-TV, IPTV, video-on-demand (video OTT), audio-on-demand and internet radio, social media, video-sharing, and e-sports participation platforms (Arts. 4–5).
Under Art. 5 and Annexes 1–2, satellite pay-TV and IPTV platforms must obtain a CST licence, valid for 10 years, and pay application and annual regulatory fees. Video OTT platforms and audio-on-demand/internet radio platforms must obtain Category A registration, valid for five years, and pay a registration fee. Social media, video-sharing, and e-sports participation platforms must obtain Category B registration, which is open-ended and not subject to application or annual fees.
In addition, Art. 9 provides that foreign service providers without a commercial registration and/or a foreign investment licence in the Kingdom may contact CST to clarify the requirements for obtaining a CST licence and to confirm the status of an application once submitted. This clarification may be sought before completing the legal steps to obtain a commercial registration, a foreign investment licence, and/or other authorisations required to provide the licensed service in the Kingdom.
Moreover, these service providers shall appoint a Platform Liaison Officer in order to receive and respond to the CST's communications and requests.

According to Section 4 of the Regulations of the General Class License (GCL), the GCL permits the provision of various telecommunications services, including Virtual Voice Services (VVSP). The Regulations on the Provision of Virtual Voice Services further clarify that permit holders may provide virtual voice services via Internet protocol to end users in Saudi Arabia and may purchase and operate the associated equipment.
As set out in Section 6, an applicant for a VVSP permit must apply via the e-licensing system, hold a valid GCL with at least six months’ remaining validity, and submit a valid Saudi commercial registration (with at least three months’ remaining validity) indicating the relevant activity, together with a company profile, technical specifications of the systems and devices, numbering requirements and the required regulatory compliance information. Under Section 5, permit holders must establish in the Kingdom both a network operations centre to provide customer and support services and the technical and interconnection equipment necessary to meet the requirements imposed by the competent authorities. All international telecommunications traffic must pass through networks of CST-licensed international carriers, and CST allocates numbering resources and signalling point codes in accordance with the national numbering plan and related regulations, which the permit holder must use in compliance with CST decisions (Sections 5-1 to 5-5).

It is reported that Saudi Arabia prohibits all imports of goods and services from Israel. Additionally, it is reported that Saudi Arabia has extended this ban to all products and services from Lebanon since 2021.

According to Art. 5.4 of the Internet of Things (IoT) Regulatory Framework, all SIM cards used in IoT devices must be issued by telecommunications service providers licensed by the the Communications, Space & Technology Commission (CST)

According to Art. 9.1 of the Regulations for Licensing of Telecommunications and Information Technology Equipment, any party wishing to import telecommunications and IT equipment, that is in the list of restricted goods, shall apply for Customs Clearance Permission from the Communications, Space, and Technology Commission (CST). The list of restricted goods and their tariff codes can be found at Zakat, Tax and Customs Authority website, however, this is not accessible. It is reported that restricted products include wireless products, satellite internet services, equipment transmitting pictures wirelessly, and pre-paid telephone recharging cards.

Saudi Arabia restricted the import of certain products by requiring permission from the General Commission for Audiovisual Media (GCAM). These include any audio/video content on transportable media, tapes, disks, storage equipment, and audio/video broadcasting and receiving equipment through any communication utility (cable, land or other communication networks).

The E-commerce Law establishes a safe harbour regime for intermediaries beyond copyright infringement. Art. 12 of the law provides a safe harbour for intermediary liabilities by excluding them from penalties if the intermediary platforms delete any content that violates the provisions of the laws and regulations within one day from the date of notification by the government.

Art. 7 of the Internet of Things (IoT) Regulatory Framework requires all servers, devices, and network components providing an IoT service and all data relating to the service must be located within Saudi Arabia. This requirement is not included in the 2024 amendment of the framework.

Art. 17 of the Insurance Market Code of Conduct Regulation stipulates that insurance companies are required, at all times, to ensure the protection of customers’ personal data. This obligation entails, inter alia, that such data must be retained within the Kingdom and must not be disclosed to any third party without the prior authorisation of the Saudi Arabian Monetary Agency (SAMA), except in the case of the companies’ auditors, actuaries, reinsurers, and co-insurers.

Art. 56 of the Implementing Regulations of the Income Tax Law requires that a taxpayer's books be kept in Saudi Arabia.

Art. 29.1 of Saudi Arabia’s Personal Data Protection Law (PDPL) and Art. 2 of the Regulation on Personal Data Transfer Outside the Kingdom permit controllers to transfer or disclose personal data abroad where a legitimate purpose exists, such as fulfilling obligations under agreements to which the Kingdom is a party, serving national interests, performing contractual obligations involving the data subject, enabling centralised processing for operational purposes, providing a service or benefit to the data subject, or conducting scientific research and studies. In addition to fulfilling these purposes, Art. 29.2 of the PDPL requires that transfers neither compromise national security nor vital interests, occur only to jurisdictions offering protection equivalent to Saudi standards as assessed by the Saudi Data and Artificial Intelligence Authority (SDAIA), and involve only the minimum necessary data. These conditions do not apply in cases of extreme necessity, such as safeguarding life or preventing or treating infectious diseases (Art. 29.3). Where no adequacy decision or international agreement exists, Art. 4 of the Regulations mandates appropriate safeguards, including SDAIA-issued Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) for multinational groups, or certification by an SDAIA-licensed entity. Exemptions from adequacy and data minimisation requirements may apply in specific cases, such as transfers between public bodies under agreements serving national interests, occasional or time-limited transfers involving few data subjects, intra-group transfers for central operations, transfers to provide a direct benefit to the data subject without violating expectations, and transfers for scientific research, provided that safeguards such as SCCs, BCRs, or certification are implemented and sensitive data is excluded where required.