The Communications and Information Technology Commission (CITC) which regulates the information communications and technology (ICT) sector in the Kingdom of Saudi Arabia, has issued a revised version of its regulatory framework for cloud services, which simultaneously reduces the compliance burden on cloud service providers (CSPs) and enhances the statutory protection afforded to them.

The revised Framework boosts the Kingdom’s commitment to creating an environment conducive to digital innovation and to attract foreign investment from major players in the ICT sector.

What has changed?

Further to the original version of the Framework (initially published in February 2018), the revised Framework has addressed several concerns voiced by multinational CSPs, including most notably:

  • restricting the scope of application of the Framework to CSPs which either own cloud infrastructure in the Kingdom, or have a direct contractual relationship with cloud customers in the Kingdom, and not to all of those parties who may play a part in the delivery of a cloud service as was the case under the old Framework;
  • removing the registration requirement for CSPs processing or storing data categorised as ‘Level 3’(meaning sensitive data of public authorities, or private sector regulated entities, such as financial institutions) except in case of those CSPs operating a public, community or hybrid cloud in the Kingdom;
  • the ability for CSPs to limit their liability when contracting with corporate clients as they see fit;
  • a reapportioning of responsibility between CSPs and cloud service customers, requiring customers to ultimately be responsible for the classification of their data and the security measures applied to it; and
  • extending ‘safe harbour’ protection afforded to CSPs to expressly include protection from liability for hosting unlawful or infringing content under all Saudi laws or regulations.

To view the full article, please click here or the Download Article button. Our previous client alert of March 2018 regarding the original issue of the cloud computing regulations can also be seen here.

To speak to us in relation to any IT service regulatory or transactional issues in the Kingdom, please feel free to contact one of the lawyers below, or your usual contact.


Zahi Younes is a partner in the Saudi Arabia Corporate and Securities practice, specializing in cross-border and domestic mergers and acquisitions, divestitures, joint ventures, global corporate reorganizations, securities and capital markets. Zahi also advises clients on a broad range of technology and media-related matters including cloud computing, data centers, e-commerce/payment solutions and navigating the regulatory landscape in the Kingdom.


Kellie Blyth is a Counsel and Head of the UAE Data and Technology practice of Baker McKenzie Habib Al Mulla, based in Dubai. An experienced technology and privacy lawyer, Kellie has been advising local and multinational clients in the technology, telecoms, financial services, insurance and automotive sectors, on their strategic IT projects, helping them develop, commercialise and implement digital and technology solutions whilst managing legal and regulatory risk.


Ghada El Ehwany is a partner in Baker McKenzie's Corporate Practice Group in Cairo. She has nearly 20 years’ experience in the Middle East, particularly in Egypt, Saudi Arabia and the UAE, focusing on corporate and commercial transactions. Ghada also advises on healthcare regulatory, structuring, insolvency, employment and compliance matters.

Write A Comment