What's changed

In a significant development for Saudi Arabia's information technology and communications sector, the Communications and Information Technology Commission (CITC), Saudi Arabia's telecommunications regulator, has regulated Cloud Computing in Saudi Arabia. The CITC published on its website a Cloud Computing Regulatory Framework (CCRF) that will enter into force after 30 days from 20 Jumada Al-Awal 1439 (corresponding to 6 February 2018).

The CCRF aims to provide clarity and certainty on the rights and obligations of Cloud Service Providers (CSPs) and users of cloud services (Cloud Customers). It establishes a framework to manage the potential security risks connected with cloud and encourages improved quality of service.

The CCRF represents one of only a few examples of cloud-specific regulatory frameworks around the world. Some of the provisions, such as security breach notification, are in line with the approach taken in other jurisdictions, i.e. the European Union, while others, such as the registration obligation and content classification, are unique to the Kingdom.

What it means for you

Scope of application. The provisions of the CCRF lay down two distinct rules on the scope of application of the law.

First, the CCRF applies to any Cloud Computing service provided to Cloud Customers having a residence or Customer Address (address provided in the Cloud contract or invoicing address) in Saudi Arabia. This is also the case where a CSP is not the CSP that concluded the Cloud contract with the Cloud Customers, if that CSP has datacenters or other elements of the cloud system in the Kingdom (e.g. if the CSP is providing wholesale cloud infrastructure to a retail Software-as-a-Service provider).

Second, certain provisions of the CCRF are binding on a CSP who owns, operates or offers access to the relevant datacenters or other elements of a cloud system located in the Kingdom, even if its customers are located outside the Kingdom. The applicable provisions include reporting on major information security breaches, take down of unlawful or infringing content, and notification of violations of the Anti-Cyber Crime Law.

Registration obligation. Conducting certain cloud computing activities, such as (i) the exercise of control over data centres or other critical cloud system infrastructure hosted in the Kingdom; or (ii) the processing and/or storing of Customer Content classified as "Level Three" (including Customer Content from sector-regulated industries and sensitive Customer Content from public authorities), triggers a registration requirement with the CITC.

The CSPs' obligation to register with the CITC shall enter into force one month after the CCRF's entry into force.

Reporting of security breaches. CSPs must inform Cloud Customers, without undue delay, of any security breach or information leakage that those CSPs become aware of, if such breach or leakage affects, or is likely to affect, those Cloud Customers' cloud content, customer data or cloud service. CSPs are also subject to notification requirements to the CITC with respect to security breaches or information leakage that they become aware of in certain circumstances.

Content filtering. The CITC is entitled, in accordance with a number of laws and regulations, to filter content generally. However, pursuant to the CCRF, the CITC may decide to exclude certain CSPs from applying the filtering requirements if Customer Data or Customer Content (a) is not directly accessible by any Cloud Users or Internet Users in the Kingdom; or (b) is accessible only to Cloud Users of (i) a private cloud; or (ii) a specific communications network limited to connections between a CSP and connections under the control of a single Cloud Customer.

Customer Content classification. Customer Content can be subject to different levels of required information security. All content processed using cloud services must be identified as falling into one of four security levels; from non-sensitive content at Level 1 to highly sensitive public sector content belonging to governmental agencies or institutions at Level 4. Information classified under certain levels is subject to transfer restrictions outside the Kingdom.

CSPs' disclosure obligations. CSPs are subject to a set of disclosure obligations including:

  • CSPs must disclose to the CITC the location and main features of any of their datacentres located in the Kingdom and the foreign country or countries where any of their datacentres used for the processing, storage, transit or transfer of Customer Data or Customer Content of Cloud Customers that have a residence or customer address in the Kingdom are located.
  • CSPs must inform their Cloud Customers in advance whether their Customer Content will be transferred, stored or processed outside the Kingdom, permanently or temporarily.

Protection of Customer Data. A number of Customer Data protections are contemplated in the CCRF and vary depending on the level of classification of the data. Except in certain limited circumstances, CSPs are not permitted to disclose Customer Content or Customer Data, or to process or use Customer Content or Customer Data for purposes other than those authorised by the Customer.

CSPs must adopt internal rules and policies on business continuity, disaster recovery and risk management and comply with certification schemes and/or standards (including encryption standards) that may be defined as mandatory by the CITC.

Cloud Customer protections. Prior to the conclusion of a Cloud Contract with a Cloud Customer, CSPs must provide clear and transparent information to that Cloud Customer on the object of the service, the conditions of use, Cloud Service levels and applicable payment terms. The CCRF provides for certain mandatory provisions that aim to protect the interests of the Cloud Customers that must be included in Cloud Computing contracts.

Actions to take

Consider if the services that you provide fall under the scope of application of the CCRF and comply with the new requirements imposed by the CITC.