The Communications and Information Technology Commission (CITC) which regulates the information communications and technology (ICT) sector in the Kingdom of Saudi Arabia, has issued a revised version of its regulatory framework for cloud services, which simultaneously reduces the compliance burden on cloud service providers (CSPs) and enhances the statutory protection afforded to them.
The revised Framework boosts the Kingdom’s commitment to creating an environment conducive to digital innovation and to attract foreign investment from major players in the ICT sector.
What has changed?
Further to the original version of the Framework (initially published in February 2018), the revised Framework has addressed several concerns voiced by multinational CSPs, including most notably:
- restricting the scope of application of the Framework to CSPs which either own cloud infrastructure in the Kingdom, or have a direct contractual relationship with cloud customers in the Kingdom, and not to all of those parties who may play a part in the delivery of a cloud service as was the case under the old Framework;
- removing the registration requirement for CSPs processing or storing data categorised as ‘Level 3’(meaning sensitive data of public authorities, or private sector regulated entities, such as financial institutions) except in case of those CSPs operating a public, community or hybrid cloud in the Kingdom;
- the ability for CSPs to limit their liability when contracting with corporate clients as they see fit;
- a reapportioning of responsibility between CSPs and cloud service customers, requiring customers to ultimately be responsible for the classification of their data and the security measures applied to it; and
- extending ‘safe harbour’ protection afforded to CSPs to expressly include protection from liability for hosting unlawful or infringing content under all Saudi laws or regulations.
To view the full article, please click here or the Download Article button. Our previous client alert of March 2018 regarding the original issue of the cloud computing regulations can also be seen here.
To speak to us in relation to any IT service regulatory or transactional issues in the Kingdom, please feel free to contact one of the lawyers below, or your usual contact.