According to Art. 5.4 of the Internet of Things (IoT) Regulatory Framework, all SIM cards used in IoT devices must be issued by telecommunications service providers licensed by the the Communications, Space & Technology Commission (CST)

According to Art. 9.1 of the Regulations for Licensing of Telecommunications and Information Technology Equipment, any party wishing to import telecommunications and IT equipment, that is in the list of restricted goods, shall apply for Customs Clearance Permission from the Communications, Space, and Technology Commission (CST). The list of restricted goods and their tariff codes can be found at Zakat, Tax and Customs Authority website, however, this is not accessible. It is reported that restricted products include wireless products, satellite internet services, equipment transmitting pictures wirelessly, and pre-paid telephone recharging cards.

Saudi Arabia restricted the import of certain products by requiring permission from the General Commission for Audiovisual Media (GCAM). These include any audio/video content on transportable media, tapes, disks, storage equipment, and audio/video broadcasting and receiving equipment through any communication utility (cable, land or other communication networks).

It is reported that individuals are required to use their legal names when signing mobile-service contracts and must provide a national identification card or residence permit. Moreover, Since 2016 the Communications, Space & Technology Commission (CST), mobile service providers to register the fingerprints of new SIM-card subscribers within 90 days. The collected information is subsequently shared with a centralised database managed by the Ministry of the Interior.

Saudi authorities are reported to regularly block access to news outlets and other websites based on geopolitical and domestic political considerations. While widely used social media and communication applications are not consistently blocked, some users have reported that Clubhouse is inaccessible, despite the absence of an official government statement confirming its restriction. Furthermore, regulators and telecommunications operators have historically taken a restrictive stance toward free or low-cost Voice over Internet Protocol (VoIP) services. These services are perceived as undermining traditional mobile call revenues, circumventing existing regulatory frameworks, and potentially evading surveillance mechanisms. In this context, the Communications, Space, and Technology Commission (CST) and domestic ISPs have previously blocked applications such as Viber, WhatsApp, and FaceTime, as well as integrated messaging features on platforms like Facebook Messenger. As of June 2024, most VoIP applications were accessible in Saudi Arabia, with the exception of WhatsApp, which reportedly remains restricted.
Moreover, between 2017 and 2024, websites affiliated with Qatari, Iranian, and Turkish media were intermittently blocked in the context of ongoing regional tensions. Platforms critical of the Saudi government—such as al-Manar, the Beirut-based broadcaster—have also been subject to restrictions. According to available reports, internet service providers (ISPs) in the Kingdom have deployed WireFilter censorship technology to target specific web pages.

The indicator "7.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 3 in Saudi Arabia for the year 2024. This corresponds to "Rarely but there have been a few occasions throughout the year when the government shut down domestic access to Internet."
Although Saudi Arabia was identified as a 'repeat offender' for implementing internet shutdowns in 2023, a practice it has consistently maintained since 2016, and was among the MENA countries enforcing such measures during that year, reports indicate that the country carried out one internet shutdown in 2024.

It is reported that, in September 2022, the General Commission for Audiovisual Media (GCAM) introduced the “Mawthooq” protocol requiring individuals who generate income from online marketing, including social media influencers, to obtain an official licence to advertise on social media. Under this framework, non-Saudi residents and visitors are prohibited from posting advertisements on social media unless they hold a valid licence and operate through an established commercial entity. The regulatory text could not be located in publicly available online sources.

Online publishers (including publishers of blogs, forums and short messaging) cannot operate without explicit approval from the highest levels of government. The Executive Regulation for Electronic Publishing Activity stipulates licensing by the Media Ministry as a requirement for those seeking to publish online (Article 7). The regulation requires applicants to be Saudi nationals, at least 25 years old, a university graduate, of “good conduct,” and not be employed by the government. Article 15 of the Law prohibits publishing anything that contravenes Islamic law, violates public order, or serves “foreign interests,” as well as material inciting a “spirit of discord” within society.

The communications regulator in the Kingdom of Saudi Arabia, the Communications, Space and Technology Commission, has issued updated Cloud Computing Services Provisioning Regulations, which replace version 3 of the Cloud Computing Regulatory Framework (CCRF v3). Under the cloud regulatory framework, any cloud computing service provider that exercises direct or effective control over a data centre or other critical cloud infrastructure hosted and used in Saudi Arabia for the provision of cloud computing services must be registered with CST. In addition, such providers are required to use telecommunications infrastructure (including international connectivity) only through operators licensed by CST.

According to Section 4 of the Regulations of the General Class License (GCL), the GCL permits the provision of several telecommunications services, including Internet of Things Virtual Network Operator (IoT-VNO) services and IoT services using licence-exempt frequency bands.
In addition, pursuant to Section 5-2 of the Internet of Things (IoT) Regulatory Framework, only entities that have obtained the relevant licences from the CST are allowed to provide IoT connectivity services using wired fixed-line networks or licensed-frequency wireless networks.

The Personal Data Protection Law (PDPL) establishes a comprehensive data protection regime in Saudi Arabia. The PDPL applies to any processing of personal data carried out in Saudi Arabia by companies or public entities by any means, including the processing of personal data of Saudi residents by entities located outside the Kingdom. Furthermore, the second clause of the law establishes the Saudi Data & Artificial Intelligence Authority (SDAIA) as the competent authority to supervise the implementation of the provisions of the system and its regulations. However, a transfer of supervision to the National Data Management Office (NDMO) will be considered in the future.

Art. 7 of the Internet of Things (IoT) Regulatory Framework requires that IoT service providers must provide the technical capabilities in the IoT devices and machines to save and maintain the data to make it possible to be reviewed for a duration not less than 12 months or any other duration specified by the Communications, Space & Technology Commission (CST). This requirement is not included in the in force IoT Regulatory Framework of 2024.

Pursuant to Art. 31 of the Personal Data Protection Law, the Controller must maintain records of personal data processing activities, in a manner appropriate to the nature of its operations, and make such records available to the competent authority upon request. Art. 33 of the Implementing Regulation further specifies this obligation, requiring the Controller to retain these records for the entire duration of the processing and for an additional five years following the end of any personal data processing activity.

According to Art. 5.2 of the General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services, service providers in certain sectors, including telecom and IT, are mandated to assign the role and responsibilities of customers’ personal data protection to an independent function, which can be intended as a data protection officer.

The Personal Data Protection Law mandates data privacy impact assessments whereby controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public.