The Communications and Information Technology Commission (the CITC) which regulates the information communications and technology sector in the Kingdom of Saudi Arabia (the Kingdom) has issued a revised version of its regulatory framework for cloud services (the Framework), which simultaneously reduces the compliance burden on cloud service providers (CSPs) and enhances the statutory protection afforded to them. The revised Framework boosts the Kingdom’s commitment to creating an environment conducive to digital innovation and to attract foreign investment from major players in the ICT sector.

What has changed?

Further to the original version of the Framework (initially published in February 2018), the revised Framework has addressed several concerns voiced by multinational CSPs, including most notably:

  • restricting the scope of application of the Framework to CSPs which either own cloud infrastructure in the Kingdom, or have a have a direct contractual relationship with cloud customers in the Kingdom, and not to all of those parties who may play a part in the delivery of a cloud service as was the case under the old Framework.

  • removal of the registration requirement for CSPs processing or storing data categorised as ‘Level 3’ (meaning sensitive data of public authorities, or private sector regulated entities, such as financial institutions) except in case of those CSPs operating a public, community or hybrid cloud in the Kingdom.

  • the ability for CSPs to limit their liability when contracting with corporate clients as they see fit.

  • reapportioning of responsibility between CSPs and cloud service customers requiring customers to ultimately be responsible for the classification of their data and the security measures applied to it.

  • extension of ‘safe harbour’ protection afforded to CSPs to expressly include protection from liability for hosting unlawful or infringing content under all Saudi laws or regulations.

How does this impact you?

These amendments are significant and will be welcomed by major ICT players operating in the Kingdom. Under the new Framework, CSPs should:

  • assess whether they are (or will continue to be) subject to the cloud computing regulatory requirements under the new Framework;

  • where they have not done so already, assess whether or not they are required to file a registration with the CITC;

  • revisit their contract templates to assess whether the standard positions adopted are appropriate or whether there is now scope to strengthen the limitation of liability provisions or reverse amendments originally aimed at complying with the old Framework’s requirements; and

  • reconsider their contracting structures and contractual commitments to assess whether or not these are appropriate under the Framework including:

    • mapping where liability has been assumed directly to customers under vendor contracts where the CSP concerned is not the ultimate contracting party; and

    • whether the customer or the CSP is contractually responsible for selecting the appropriate classification of data.

What’s next?

The revised Framework is a welcome development which may well act as a catalyst for increased investment in the Kingdom’s ICT sector in line with the Kingdom’s efforts to realise Vision 2030. This legal development should also support the delivery of more market leading, cost efficient and fully scalable IT services which also stands to benefit Saudi businesses generally, and in particular SMEs. We will keep you updated on any further developments as and when they arise.

Our previous client alert of March 2018 regarding the original issue of the cloud computing regulations can be seen here.

Contributors: Kellie Blyth & Ghada El Ehwany