The Saudi telecommunications market is dominated by three operators holding unified licences: Saudi Telecom Company (STC), Etihad Etisalat Company (Mobily) and Mobile Telecommunication Company Saudi Arabia (Zain KSA). It is reported that the State holds 62% of STC’s shares through the Public Investment Fund (PIF), a further 6.9% through the General Organization for Social Insurance (GOSI), and 4.9% of Zain KSA’s shares through GOSI. Although Saudi Arabia has reportedly pursued a limited privatisation programme for state-owned enterprises and assets since 2002, open to both domestic and foreign investors, this has so far resulted only in the partial privatisation of state-owned operators in the telecommunications sector.

According to Saudi Arabia's Accounting Separation Regulatory Framework, accounting separation is applied and required by law for operators with significant market power. However, functional separation for operators with significant market power is not required by law.

According to Art. 6 of the Implementing Regulations of the Telecommunication Act, the Communications, Space and Technology Commission (CST) Board of Directors may decide to cap the number of licences, registrations or permits in a given telecom/ICT market.

According to Section 5.1.5 of the Regulations of Localization Obligations for Telecommunications Service Providers, service providers must submit localisation and replacement plans to the CST. These plans must include, at a minimum, a career path detailing the courses and training programmes offered to Saudi personnel, the number of such programmes, the entities providing them, and the names, numbers and targets of employees trained, together with related data. They must also specify the total annual spending on training in SAR and its percentage of total revenues, as well as the percentage of spending on local content relative to the company’s total expenses.

Saudi Arabia has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Communications, Space & Technology Commission (CST), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

The National Cybersecurity Authority’s (NCA) Essential Cybersecurity Controls establish baseline cybersecurity requirements for governmental and semi-governmental entities in Saudi Arabia, as well as private organisations managing critical national infrastructure. While the previous version mandated domestic hosting and storage of information, the updated framework removes this explicit obligation and delegates data localisation requirements to the National Data Management Office (NDMO). The NDMO stipulates that personal data transfers remain governed by the Personal Data Protection Law and Data Transfer Regulation, whereas government data is subject to localisation under the Regulations on the Use of Information and Communication Technologies in Government Entities, which require hosting on servers within Saudi Arabia (Arts. 2 and 3). Complementing these measures, the NCA’s Cloud Cybersecurity Controls extend protections to the cloud computing environments used in the public sector and in critical infrastructure, obliging cloud service providers, whether operating domestically or internationally, to deliver services, including storage, processing, monitoring, and disaster recovery, from within the Kingdom to safeguard information systems and infrastructures against cyber threats (Arts. 2.3.P.1.10 and 2.3.P.1.11).

Section 3-3-6 of the Cloud Computing Services Provisioning Regulations, as issued by the Communications, Space & Technology Commission, stipulates that cloud service providers and their subscribers (defined as individuals or entities with whom a cloud service provider agrees to deliver its services under a cloud computing contract or other commercial arrangement) must ensure that data pertaining to Saudi Arabia's public sector is stored within the country's national borders.
The Regulations represent the fourth iteration of this legislation. Since the inception of the first version, the legislation has incorporated certain restrictions. Section 3.3.8 of the initial version, referred to as the Cloud Computing Regulatory Framework, stipulated that no Level 3 data could be transferred outside Saudi Arabia unless explicitly authorised by the government. Level 3 data encompassed, among other categories, sensitive information held by public authorities.

Art. 5.4 of the General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services requires that service providers of telecommunication, IT and postal services process customers’ personal data within Saudi Arabia and prohibits them from processing customers’ personal data out of Saudi Arabia without the authorisation of Communications, Space and Technology Commission (CST).

Art. 3.4.3 of the Cyber Security Framework of the Saudi Arabian Monetary Authority mandates that financial institutions should use cloud services located in Saudi Arabia. If the cloud services are outside Saudi Arabia, financial services should obtain explicit approval from the Saudi Arabian Monetary Authority. These apply to banks, insurance and/or reinsurance companies, financing companies and credit bureaus operating in Saudi Arabia.

According to Art. 9 of the Government Tenders and Procurement Law, priority in public procurement must be given to local small and medium-sized enterprises (SMEs), local content and companies listed on the Capital Market. Art. 30 further provides that local SMEs should be prioritised where the value of government purchases does not exceed SAR 500,000 (approx. USD 130,000).
In addition, the Regulation on Preference for Local Content, Local SMEs, and Publicly Listed Companies establishes price preferences in government tenders. Under Art. 4 of the Regulation, government entities must grant a 10% bidding price advantage to local SMEs in which Saudi nationals hold more than 50% ownership, and a 5% price advantage to publicly listed companies.

According to Art. 10 of the Regulations on Preference for Local Content and Local SMEs and Companies Listed on the Capital Market in Business and Procurement Transactions, government agencies must apply the National Product Price Preference Mechanism to all contracts in respect of national products that are not included in the mandatory list. Under this mechanism, a national product is granted a price preference by deeming, for evaluation purposes, that the price of the foreign competing product is 10% higher than the price indicated in its bid.

Under the Cloud Computing Services Provisioning Regulations, government entities are permitted to host their data only with cloud service providers (CSPs) that hold the appropriate licences or registrations issued by the Communications, Space & Technology Commission of Saudi Arabia (CST). Section 3.3.7 mandates that subscribers whose data is classified as data of Saudi government agencies must utilise CSPs registered with the CST.
These Regulations represent the fourth iteration of this legislative framework. Since the introduction of the initial version, the legislation has included progressively stringent provisions. Notably, Section 3.3.9 prohibited the transferring, storing, or processing only of Level 3 data unless the provider was registered with local authorities. Level 3 data encompasses, among other categories, sensitive information managed by public authorities.

The Regulatory Arrangements for the Local Content and Government Procurement Law mandates the Local Content and Government Procurement Authority (LCGPA) to set local content requirements for individual contracts, track the amount of local content used by contractors, and obtain and audit commitments by contractors to increase their reliance on local content in the public procurement. The Law defines local content as “total spending in Saudi Arabia from the participation of Saudi elements in the workforce, goods, services, assets, technology, etc.” The Law requires the bidder in public procurement to include a list of items provided locally in their proposal, and this list of items will vary for each bidding. The bidder should meet a minimum baseline of local content provided by LCGPA in order to participate. LCGPA also manages an online portal through which contractors register their commitments to increase local content. Contractors who fall short of their commitments will be fined and could be blacklisted from procurement for repeated failures to honour commitments over the long term.

Companies have reported prolonged delays and difficulties in receiving payments for procurement contracts with national and regional government entities in Saudi Arabia, with some payment delays reportedly exceeding two years.