The Regulations for Providing Digital Content Platform Services issued by the Communications, Space and Technology Commission (CST) establish licensing, registration, and notification requirements for local and international digital content platforms within their scope. Covered services include satellite pay-TV, IPTV, video-on-demand (video OTT), audio-on-demand and internet radio, social media, video-sharing, and e-sports participation platforms (Arts. 4–5).
Under Art. 5 and Annexes 1–2, satellite pay-TV and IPTV platforms must obtain a CST licence, valid for 10 years, and pay application and annual regulatory fees. Video OTT platforms and audio-on-demand/internet radio platforms must obtain Category A registration, valid for five years, and pay a registration fee. Social media, video-sharing, and e-sports participation platforms must obtain Category B registration, which is open-ended and not subject to application or annual fees.
In addition, Art. 9 provides that foreign service providers without a commercial registration and/or a foreign investment licence in the Kingdom may contact CST to clarify the requirements for obtaining a CST licence and to confirm the status of an application once submitted. This clarification may be sought before completing the legal steps to obtain a commercial registration, a foreign investment licence, and/or other authorisations required to provide the licensed service in the Kingdom.
Moreover, these service providers shall appoint a Platform Liaison Officer in order to receive and respond to the CST's communications and requests.

According to Section 4 of the Regulations of the General Class License (GCL), the GCL permits the provision of various telecommunications services, including Virtual Voice Services (VVSP). The Regulations on the Provision of Virtual Voice Services further clarify that permit holders may provide virtual voice services via Internet protocol to end users in Saudi Arabia and may purchase and operate the associated equipment.
As set out in Section 6, an applicant for a VVSP permit must apply via the e-licensing system, hold a valid GCL with at least six months’ remaining validity, and submit a valid Saudi commercial registration (with at least three months’ remaining validity) indicating the relevant activity, together with a company profile, technical specifications of the systems and devices, numbering requirements and the required regulatory compliance information. Under Section 5, permit holders must establish in the Kingdom both a network operations centre to provide customer and support services and the technical and interconnection equipment necessary to meet the requirements imposed by the competent authorities. All international telecommunications traffic must pass through networks of CST-licensed international carriers, and CST allocates numbering resources and signalling point codes in accordance with the national numbering plan and related regulations, which the permit holder must use in compliance with CST decisions (Sections 5-1 to 5-5).

It is reported that Saudi Arabia prohibits all imports of goods and services from Israel. Additionally, it is reported that Saudi Arabia has extended this ban to all products and services from Lebanon since 2021.

According to Art. 5.4 of the Internet of Things (IoT) Regulatory Framework, all SIM cards used in IoT devices must be issued by telecommunications service providers licensed by the the Communications, Space & Technology Commission (CST)

According to Art. 9.1 of the Regulations for Licensing of Telecommunications and Information Technology Equipment, any party wishing to import telecommunications and IT equipment, that is in the list of restricted goods, shall apply for Customs Clearance Permission from the Communications, Space, and Technology Commission (CST). The list of restricted goods and their tariff codes can be found at Zakat, Tax and Customs Authority website, however, this is not accessible. It is reported that restricted products include wireless products, satellite internet services, equipment transmitting pictures wirelessly, and pre-paid telephone recharging cards.

Saudi Arabia restricted the import of certain products by requiring permission from the General Commission for Audiovisual Media (GCAM). These include any audio/video content on transportable media, tapes, disks, storage equipment, and audio/video broadcasting and receiving equipment through any communication utility (cable, land or other communication networks).

It is reported that individuals are required to use their legal names when signing mobile-service contracts and must provide a national identification card or residence permit. Moreover, Since 2016 the Communications, Space & Technology Commission (CST), mobile service providers to register the fingerprints of new SIM-card subscribers within 90 days. The collected information is subsequently shared with a centralised database managed by the Ministry of the Interior.

Saudi authorities are reported to regularly block access to news outlets and other websites based on geopolitical and domestic political considerations. While widely used social media and communication applications are not consistently blocked, some users have reported that Clubhouse is inaccessible, despite the absence of an official government statement confirming its restriction. Furthermore, regulators and telecommunications operators have historically taken a restrictive stance toward free or low-cost Voice over Internet Protocol (VoIP) services. These services are perceived as undermining traditional mobile call revenues, circumventing existing regulatory frameworks, and potentially evading surveillance mechanisms. In this context, the Communications, Space, and Technology Commission (CST) and domestic ISPs have previously blocked applications such as Viber, WhatsApp, and FaceTime, as well as integrated messaging features on platforms like Facebook Messenger. As of June 2024, most VoIP applications were accessible in Saudi Arabia, with the exception of WhatsApp, which reportedly remains restricted.
Moreover, between 2017 and 2024, websites affiliated with Qatari, Iranian, and Turkish media were intermittently blocked in the context of ongoing regional tensions. Platforms critical of the Saudi government—such as al-Manar, the Beirut-based broadcaster—have also been subject to restrictions. According to available reports, internet service providers (ISPs) in the Kingdom have deployed WireFilter censorship technology to target specific web pages.

Art. 17 of the Insurance Market Code of Conduct Regulation stipulates that insurance companies are required, at all times, to ensure the protection of customers’ personal data. This obligation entails, inter alia, that such data must be retained within the Kingdom and must not be disclosed to any third party without the prior authorisation of the Saudi Arabian Monetary Agency (SAMA), except in the case of the companies’ auditors, actuaries, reinsurers, and co-insurers.

Art. 56 of the Implementing Regulations of the Income Tax Law requires that a taxpayer's books be kept in Saudi Arabia.

Art. 29.1 of Saudi Arabia’s Personal Data Protection Law (PDPL) and Art. 2 of the Regulation on Personal Data Transfer Outside the Kingdom permit controllers to transfer or disclose personal data abroad where a legitimate purpose exists, such as fulfilling obligations under agreements to which the Kingdom is a party, serving national interests, performing contractual obligations involving the data subject, enabling centralised processing for operational purposes, providing a service or benefit to the data subject, or conducting scientific research and studies. In addition to fulfilling these purposes, Art. 29.2 of the PDPL requires that transfers neither compromise national security nor vital interests, occur only to jurisdictions offering protection equivalent to Saudi standards as assessed by the Saudi Data and Artificial Intelligence Authority (SDAIA), and involve only the minimum necessary data. These conditions do not apply in cases of extreme necessity, such as safeguarding life or preventing or treating infectious diseases (Art. 29.3). Where no adequacy decision or international agreement exists, Art. 4 of the Regulations mandates appropriate safeguards, including SDAIA-issued Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) for multinational groups, or certification by an SDAIA-licensed entity. Exemptions from adequacy and data minimisation requirements may apply in specific cases, such as transfers between public bodies under agreements serving national interests, occasional or time-limited transfers involving few data subjects, intra-group transfers for central operations, transfers to provide a direct benefit to the data subject without violating expectations, and transfers for scientific research, provided that safeguards such as SCCs, BCRs, or certification are implemented and sensitive data is excluded where required.

Section 3-3-8 of the Cloud Computing Services Provisioning Regulations stipulates that cloud service providers must notify their subscribers and obtain their consent if their content is transferred outside Saudi Arabia. This iteration represents the fourth version of the legislation. The previous three versions were referred to as the Cloud Computing Regulatory Framework. Since its inception, the legislation has included similar requirements. Section 3.3.11 of both the first and second versions mandated that cloud service providers inform their customers in advance if their content would be transferred, stored, or processed outside the Kingdom, whether permanently or temporarily. In the third version, Section 3-3-10 required that cloud service providers clearly inform both the Commission and the subscriber in advance and obtain their approval if the subscriber's content would be transferred abroad.

Saudi Arabia has not joined any agreement with binding commitments to open transfers of data across borders.

The Personal Data Protection Law (PDPL) establishes a comprehensive data protection regime in Saudi Arabia. The PDPL applies to any processing of personal data carried out in Saudi Arabia by companies or public entities by any means, including the processing of personal data of Saudi residents by entities located outside the Kingdom. Furthermore, the second clause of the law establishes the Saudi Data & Artificial Intelligence Authority (SDAIA) as the competent authority to supervise the implementation of the provisions of the system and its regulations. However, a transfer of supervision to the National Data Management Office (NDMO) will be considered in the future.

Art. 7 of the Internet of Things (IoT) Regulatory Framework requires that IoT service providers must provide the technical capabilities in the IoT devices and machines to save and maintain the data to make it possible to be reviewed for a duration not less than 12 months or any other duration specified by the Communications, Space & Technology Commission (CST). This requirement is not included in the in force IoT Regulatory Framework of 2024.