Database

Browse Database

SAUDI ARABIA

N/A

Pillar Telecom infrastructure & competition  |  Indicator Presence of an independent telecom authority
Presence of independent telecom authority
It is reported that the Communications, Space & Technology Commission (CST), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.
Coverage Telecommunications sector

SAUDI ARABIA

Since 2018 until 2024
Since October 2020
Since May 2019

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Essential Cybersecurity Controls

Cloud Cybersecurity Controls (CCC – 1: 2020)

Regulations on the Use of Information and Communication, Technologies in Government Entities
The National Cybersecurity Authority’s (NCA) Essential Cybersecurity Controls establish baseline cybersecurity requirements for governmental and semi-governmental entities in Saudi Arabia, as well as private organisations managing critical national infrastructure. While the previous version mandated domestic hosting and storage of information, the updated framework removes this explicit obligation and delegates data localisation requirements to the National Data Management Office (NDMO). The NDMO stipulates that personal data transfers remain governed by the Personal Data Protection Law and Data Transfer Regulation, whereas government data is subject to localisation under the Regulations on the Use of Information and Communication Technologies in Government Entities, which require hosting on servers within Saudi Arabia (Arts. 2 and 3). Complementing these measures, the NCA’s Cloud Cybersecurity Controls extend protections to the cloud computing environments used in the public sector and in critical infrastructure, obliging cloud service providers, whether operating domestically or internationally, to deliver services, including storage, processing, monitoring, and disaster recovery, from within the Kingdom to safeguard information systems and infrastructures against cyber threats (Arts. 2.3.P.1.10 and 2.3.P.1.11).
Coverage Public sector and critical infrastructure

SAUDI ARABIA

Since January 2018, last amended in October 2023

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Cloud Computing Services Provisionin​g Regulations​​ ​​
Section 3-3-6 of the Cloud Computing Services Provisioning Regulations, as issued by the Communications, Space & Technology Commission, stipulates that cloud service providers and their subscribers (defined as individuals or entities with whom a cloud service provider agrees to deliver its services under a cloud computing contract or other commercial arrangement) must ensure that data pertaining to Saudi Arabia's public sector is stored within the country's national borders.
The Regulations represent the fourth iteration of this legislation. Since the inception of the first version, the legislation has incorporated certain restrictions. Section 3.3.8 of the initial version, referred to as the Cloud Computing Regulatory Framework, stipulated that no Level 3 data could be transferred outside Saudi Arabia unless explicitly authorised by the government. Level 3 data encompassed, among other categories, sensitive information held by public authorities.
Coverage Cloud-computing sector

SAUDI ARABIA

Since April 2020, last amended in October 2023

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services
القواعد العامة للمحافظة على خصوصية البيانات الشخصية للمستخدمين في قطاع الاتصالات وتقنية المعلومات
Art. 5.4 of the General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services requires that service providers of telecommunication, IT and postal services process customers’ personal data within Saudi Arabia and prohibits them from processing customers’ personal data out of Saudi Arabia without the authorisation of Communications, Space and Technology Commission (CST).
Coverage Telecommunication, IT, and postal services

SAUDI ARABIA

Since May 2017

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Cyber Security Framework of Saudi Arabian Monetary Authority
Art. 3.4.3 of the Cyber Security Framework of the Saudi Arabian Monetary Authority mandates that financial institutions should use cloud services located in Saudi Arabia. If the cloud services are outside Saudi Arabia, financial services should obtain explicit approval from the Saudi Arabian Monetary Authority. These apply to banks, insurance and/or reinsurance companies, financing companies and credit bureaus operating in Saudi Arabia.
Coverage Financial sector

SAUDI ARABIA

N/A

Pillar Intellectual Property Rights (IPRs)  |  Indicator Adoption of the WIPO Copyright Treaty
Lack of signature of the WIPO Copyright Treaty
Saudi Arabia has not signed the World Intellectual Property Organization (WIPO) Copyright Treaty.
Coverage Horizontal

SAUDI ARABIA

Since June 2020

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
National Data Governance Interim Regulations
Saudi Arabia’s National Data Management Office published the National Data Governance Interim Regulations, which requires firms to store and process personal data within Saudi Arabia “in order to ensure the preservation of the digital national sovereignty over such data.” Data Controllers may only process or transfer personal data outside the Kingdom after obtaining written approval from the relevant regulatory authority (Art. 5.4.16).
Coverage Horizontal

SAUDI ARABIA

N/A

Pillar Intellectual Property Rights (IPRs)  |  Indicator Adoption of the WIPO Performances and Phonograms Treaty
Lack of signature of the WIPO Performances and Phonograms Treaty
Saudi Arabia has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.
Coverage Horizontal

SAUDI ARABIA

Since February 2024

Pillar Intellectual Property Rights (IPRs)  |  Indicator Mandatory disclosure of business trade secrets such as algorithms or source code
Regulations for Licensing of Telecommunications and Information Technology Equipment
تنظيمات تراخيص أجهزة الاتصالات وتقنية المعلومات
Art. 13.8 of the Regulations for Licensing of Telecommunications and Information Technology Equipment provides a general requirement to disclose details of encryption systems contained in telecommunications and IT equipment intended to be supplied and used in the kingdom.
Coverage Telecommunications and information technology equipment

SAUDI ARABIA

Since May 2005

Pillar Intellectual Property Rights (IPRs)  |  Indicator Effective protection covering trade secrets
Regulations for the Protection of Confidential Commercial Information issued by Ministry of Commerce and Industry Decision No. 3218 (as amended)
Trade secrets are governed by the Regulations for the Protection of Confidential Commercial Information (Trade Secrets Regulations). A commercial secret is defined under the Trade Secrets Regulations as information not known in its final form or where information is not usually easily obtainable by those engaged in this type of business, as well as where the information is of commercial value due to its confidentiality, and where the rightful owner takes reasonable measures to maintain its confidentiality. However, the Trade Secrets Regulations do not protect commercial secrets which are inconsistent with Shariah, public order and/or public morals (Art. 7). Obtaining, using or disclosing any commercial secret in a manner that is inconsistent with "honest commercial practices" and without the consent of the rightful owner is deemed an abuse of the commercial secret under the Trade Secrets Regulations.
Coverage Horizontal

SAUDI ARABIA

Reported in 2022, last reported in 2024

Pillar Public procurement of ICT goods and online services  |  Indicator Other limitations on foreign participation in public procurement
Delay in payments
Companies have reported prolonged delays and difficulties in receiving payments for procurement contracts with national and regional government entities in Saudi Arabia, with some payment delays reportedly exceeding two years.
Coverage Horizontal

SAUDI ARABIA

Since December 2023

Pillar Public procurement of ICT goods and online services  |  Indicator Other limitations on foreign participation in public procurement
Economic Participation Policy
برنامج المشاركة الاقتصادية
According to Sections 2.1-2.5 of the Economic Participation Policy, foreign companies participating in local tenders exceeding SAR 100 million (approx. USD 26.3 million) are required to demonstrate an economic contribution to the Kingdom of at least 35% of the total value of the tender.
Coverage Horizontal

SAUDI ARABIA

Reported in 2025

Pillar Public procurement of ICT goods and online services  |  Indicator Other limitations on foreign participation in public procurement
Local presence requirement for tenders
It is reported that, as January 2024, all international companies must establish a regional headquarters (RHQ) in Saudi Arabia in order to bid for government contracts, except where the cumulative annual value of contracts is below USD 266,000. RHQ licences are obtained via the Ministry of Investment’s “Invest Saudi” platform, and the RHQ must perform strategic and management functions (such as budgeting, business planning, monitoring regional markets and reporting) and employ at least 15 full-time staff in its first year, including three senior executives. The Saudi government may still award contracts to sole suppliers of specific technology or intellectual property without an RHQ, and to non-RHQ companies where their bid is at least 25% lower than that of an RHQ company.
The main concerns reported by foreign companies regarding the HQ policy include the absence of a clear legislative or regulatory basis, uncertainty over the rights and obligations attached to RHQ status and a lack of clarity and predictability concerning the applicable tax regime.
Coverage Horizontal

SAUDI ARABIA

N/A

Pillar Public procurement of ICT goods and online services  |  Indicator Signatory of the WTO Agreement on Government Procurement (GPA) with coverage of the most relevant services sectors (CPC 752, 754, 84)
Lack of participation in the WTO Agreement on Government Procurement (GPA)
Saudi Arabia is not a party to the World Trade Organization (WTO) Agreement on Government Procurement (GPA). However, the country has been an observer of the WTO GPA since 2007.
Coverage Horizontal

SAUDI ARABIA

Since January 2016, last amended in 2024

Pillar Foreign Direct Investment (FDI) in sectors relevant to digital trade  |  Indicator Maximum foreign equity share
Ministry of Investment Services Manual
Pursuant to Section 11.03 of the Ministry of Investment Services Manual, foreign ownership in the telecommunications sector is generally permitted, subject to specific restrictions depending on the nature of the activity. For telecommunications services, foreign ownership is limited to a maximum of 60%, whereas for value-added communications services, the cap is set at 70%.
Coverage Telecommunications sector

Report issue     Report new measure