
Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Saudi Arabia Cloud Compliance Part 1: Data Residency and Contractual Expectations

Saudi Arabia’s cloud and data protection framework is substantive, cross-sectoral, and still maturing, creating a dynamic environment for technology companies entering the region. The threshold challenge is not merely identifying the applicable rules but truly understanding how multiple overlapping frameworks interact and where regulatory gaps require considered judgment in the absence of published guidance.

A Multilayered Regulatory Architecture

Cloud service providers (CSPs) operating in Saudi Arabia are subject to a suite of cross-industry instruments, including the Personal Data Protection Law, cloud regulations issued by the Communications, Space and Technology Commission, and National Cybersecurity Authority control frameworks such as the Essential Cybersecurity Controls, Cloud Computing Cybersecurity Controls, and Critical Systems Controls.

Critically, where a CSP’s customer is a government-linked entity or designated critical infrastructure operator, the sectoral and National Cybersecurity Authority controls that apply directly to the customer are often flowed down to the CSP by contract. The practical effect is that a CSP may find itself contractually bound by regulatory obligations that do not apply to it directly.

Data Residency: Scope and Strictness

The data residency requirements under the cloud regulations are among the most expansive in the region, setting a high bar for providers. For government agency data, localisation is exclusive: all data must remain within Saudi Arabia, subject only to narrow law-based exceptions.

Financial sector obligations are similarly demanding. Offshore hosting of financial institution data requires prior approval from the Saudi Central Bank, and in practice many providers default to full in-KSA hosting to avoid the approval process and its associated uncertainty.

Registration and Contracting

CSPs must register with the Communications, Space and Technology Commission and obtain a class designation (A, B, or C). The class determines the data classifications a CSP is permitted to handle and the sectors it may serve.

Navigating regulatory classifications is only half the battle. To successfully gain and retain clients in Saudi Arabia, CSPs must meet a set of on-the-ground commercial expectations, which usually include:

  • Language accessibility: Contracts should not be English-only; clients expect agreements to be drafted in Arabic or at the very least presented in a bilingual format
  • Local currency: Financial commitments and Service Level Agreements should be denominated in Saudi Riyals
  • Onshore support: Clients often expect to have tangible, local support capabilities within the country

In the second part of this series, we consider the data protection and security obligations applicable to CSPs, so stay tuned for a deeper dive into these critical requirements.