SAUDI ARABIA

Since September 2019 until 2024

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Internet of Things (IoT) Regulatory Framework
الإطار التنظيمي لإنترنت الأشياء
Art. 7 of the Internet of Things (IoT) Regulatory Framework requires that all servers, devices, and network components providing an IoT service, and all data relating to the service, be located within Saudi Arabia. This requirement is not included in the 2024 amendment of the framework.
Coverage IoT services

SAUDI ARABIA

Since August 2008

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Insurance Market Code of Conduct Regulation
اللائحة التنظيمية لسلوكيات سوق التأمين
Art. 17 of the Insurance Market Code of Conduct Regulation stipulates that insurance companies are required, at all times, to ensure the protection of customers’ personal data. This obligation entails, inter alia, that such data must be retained within the Kingdom and must not be disclosed to any third party without the prior authorisation of the Saudi Arabian Monetary Agency (SAMA), except in the case of the companies’ auditors, actuaries, reinsurers, and co-insurers.
Coverage Insurance companies

SAUDI ARABIA

Since January 2021

Pillar Cross-border data policies  |  Indicator Local storage requirement
Implementing Regulations of the Income Tax Law
اللائحة التنفيذية لنظام ضريبة الدخل الصادرة بالقرار الوزاري رقم (1535) وتاريخ 1425/6/11هـ و
Art. 56 of the Implementing Regulations of the Income Tax Law requires that a taxpayer's books be kept in Saudi Arabia.
Coverage Horizontal

SAUDI ARABIA

Since September 2021, last amended in September 2023
Since September 2023, last amended in September 2024

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Personal Data Protection Law, implemented by Royal Decree M/19
مرسوم ملكي رقم (م/19) وتاريخ 1443/2/9هـ نظام حماية البيانات الشخصية

Regulation on Personal Data Transfer Outside the Kingdom
لائحة نقل البيانات الشخصية إلى خارج المملكة
Art. 29.1 of Saudi Arabia’s Personal Data Protection Law (PDPL) and Art. 2 of the Regulation on Personal Data Transfer Outside the Kingdom permit controllers to transfer or disclose personal data abroad where a legitimate purpose exists, such as fulfilling obligations under agreements to which the Kingdom is a party, serving national interests, performing contractual obligations involving the data subject, enabling centralised processing for operational purposes, providing a service or benefit to the data subject, or conducting scientific research and studies. In addition to fulfilling these purposes, Art. 29.2 of the PDPL requires that transfers neither compromise national security nor vital interests, occur only to jurisdictions offering protection equivalent to Saudi standards as assessed by the Saudi Data and Artificial Intelligence Authority (SDAIA), and involve only the minimum necessary data. These conditions do not apply in cases of extreme necessity, such as safeguarding life or preventing or treating infectious diseases (Art. 29.3). Where no adequacy decision or international agreement exists, Art. 4 of the Regulations mandates appropriate safeguards, including SDAIA-issued Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) for multinational groups, or certification by an SDAIA-licensed entity. Exemptions from adequacy and data minimisation requirements may apply in specific cases, such as transfers between public bodies under agreements serving national interests, occasional or time-limited transfers involving few data subjects, intra-group transfers for central operations, transfers to provide a direct benefit to the data subject without violating expectations, and transfers for scientific research, provided that safeguards such as SCCs, BCRs, or certification are implemented and sensitive data is excluded where required.
Coverage Horizontal

SAUDI ARABIA

Since January 2018, as amended in October 2023

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Cloud Computing Services Provisioning Regulations
Section 3-3-8 of the Cloud Computing Services Provisioning Regulations stipulates that cloud service providers must notify their subscribers and obtain their consent if their content is transferred outside Saudi Arabia. This iteration represents the fourth version of the legislation. The previous three versions were referred to as the Cloud Computing Regulatory Framework. Since its inception, the legislation has included similar requirements. Section 3.3.11 of both the first and second versions mandated that cloud service providers inform their customers in advance if their content would be transferred, stored, or processed outside the Kingdom, whether permanently or temporarily. In the third version, Section 3-3-10 required that cloud service providers clearly inform both the Commission and the subscriber in advance and obtain their approval if the subscriber's content would be transferred abroad.
Coverage Cloud-computing sector

SAUDI ARABIA

N/A

Pillar Cross-border data policies  |  Indicator Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Saudi Arabia has not joined any agreement with binding commitments to open transfers of data across borders.
Coverage Horizontal

SAUDI ARABIA

Since September 2021, entry into force in September 2023

Pillar Domestic data policies  |  Indicator Framework for data protection
Personal Data Protection Law, implemented by Royal Decree M/19
(مرسوم ملكي رقم (م/19) وتاريخ 1443/2/9هـ نظام حماية البيانات الشخصية)
The Personal Data Protection Law (PDPL) establishes a comprehensive data protection regime in Saudi Arabia. The PDPL applies to any processing of personal data carried out in Saudi Arabia by companies or public entities by any means, including the processing of personal data of Saudi residents by entities located outside the Kingdom. Furthermore, the second clause of the law establishes the Saudi Data & Artificial Intelligence Authority (SDAIA) as the competent authority to supervise the implementation of the provisions of the system and its regulations. However, a transfer of supervision to the National Data Management Office (NDMO) will be considered in the future.
Coverage Horizontal

SAUDI ARABIA

Since September 2019 until 2024

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Internet of Things (IoT) Regulatory Framework
الإطار التنظيمي لإنترنت الأشياء
Art. 7 of the Internet of Things (IoT) Regulatory Framework requires IoT service providers to provide the technical capabilities in IoT devices and machines to save and maintain data so that it can be reviewed for a duration of not less than 12 months, or any other duration specified by the Communications, Space & Technology Commission (CST). This requirement is not included in the IoT Regulatory Framework of 2024 currently in force.
Coverage IoT Services

SAUDI ARABIA

Since February 2024

Pillar Telecom infrastructure & competition  |  Indicator Licensing restrictions to operate in the telecom market
Regulations of Localization Obligations for Telecommunications Service Providers
According to Section 5.1.5 of the Regulations of Localization Obligations for Telecommunications Service Providers, service providers must submit localisation and replacement plans to the CST. These plans must include, at a minimum, a career path detailing the courses and training programmes offered to Saudi personnel, the number of such programmes, the entities providing them, and the names, numbers and targets of employees trained, together with related data. They must also specify the total annual spending on training in SAR and its percentage of total revenues, as well as the percentage of spending on local content relative to the company’s total expenses.
Coverage Telecommunications sector

SAUDI ARABIA

N/A

Pillar Telecom infrastructure & competition  |  Indicator Signature of the WTO Telecom Reference Paper
Lack of appendment of WTO Telecom Reference Paper to schedule of commitments
Saudi Arabia has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector

SAUDI ARABIA

N/A

Pillar Telecom infrastructure & competition  |  Indicator Presence of an independent telecom authority
Presence of independent telecom authority
It is reported that the Communications, Space & Technology Commission (CST), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.
Coverage Telecommunications sector

SAUDI ARABIA

Since 2018 until 2024
Since October 2020
Since May 2019

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Essential Cybersecurity Controls

Cloud Cybersecurity Controls (CCC – 1: 2020)

Regulations on the Use of Information and Communication Technologies in Government Entities
The National Cybersecurity Authority’s (NCA) Essential Cybersecurity Controls establish baseline cybersecurity requirements for governmental and semi-governmental entities in Saudi Arabia, as well as private organisations managing critical national infrastructure. While the previous version mandated domestic hosting and storage of information, the updated framework removes this explicit obligation and delegates data localisation requirements to the National Data Management Office (NDMO). The NDMO stipulates that personal data transfers remain governed by the Personal Data Protection Law and Data Transfer Regulation, whereas government data is subject to localisation under the Regulations on the Use of Information and Communication Technologies in Government Entities, which require hosting on servers within Saudi Arabia (Arts. 2 and 3). Complementing these measures, the NCA’s Cloud Cybersecurity Controls extend protections to the cloud computing environments used in the public sector and in critical infrastructure, obliging cloud service providers, whether operating domestically or internationally, to deliver services, including storage, processing, monitoring, and disaster recovery, from within the Kingdom to safeguard information systems and infrastructures against cyber threats (Arts. 2.3.P.1.10 and 2.3.P.1.11).
Coverage Public sector and critical infrastructure

SAUDI ARABIA

Since January 2018, last amended in October 2023

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Cloud Computing Services Provisioning Regulations
Section 3-3-6 of the Cloud Computing Services Provisioning Regulations, as issued by the Communications, Space & Technology Commission, stipulates that cloud service providers and their subscribers (defined as individuals or entities with whom a cloud service provider agrees to deliver its services under a cloud computing contract or other commercial arrangement) must ensure that data pertaining to Saudi Arabia's public sector is stored within the country's national borders.
The Regulations represent the fourth iteration of this legislation. Since the inception of the first version, the legislation has incorporated certain restrictions. Section 3.3.8 of the initial version, referred to as the Cloud Computing Regulatory Framework, stipulated that no Level 3 data could be transferred outside Saudi Arabia unless explicitly authorised by the government. Level 3 data encompassed, among other categories, sensitive information held by public authorities.
Coverage Cloud-computing sector

SAUDI ARABIA

Since April 2020, last amended in October 2023

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services
القواعد العامة للمحافظة على خصوصية البيانات الشخصية للمستخدمين في قطاع الاتصالات وتقنية المعلومات
Art. 5.4 of the General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services requires that providers of telecommunication, IT and postal services process customers’ personal data within Saudi Arabia and prohibits them from processing customers’ personal data outside Saudi Arabia without the authorisation of the Communications, Space and Technology Commission (CST).
Coverage Telecommunication, IT, and postal services

SAUDI ARABIA

Since May 2017

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Cyber Security Framework of Saudi Arabian Monetary Authority
Art. 3.4.3 of the Cyber Security Framework of the Saudi Arabian Monetary Authority mandates that financial institutions should use cloud services located in Saudi Arabia. If the cloud services are outside Saudi Arabia, financial institutions should obtain explicit approval from the Saudi Arabian Monetary Authority. These requirements apply to banks, insurance and/or reinsurance companies, financing companies and credit bureaus operating in Saudi Arabia.
Coverage Financial sector
