New government cloud computing regulations: Binding standards to promote digital transformation

In a strategic move aimed at accelerating digital transformation in Saudi Arabia, the Digital Government Authority has issued a binding document mandating the adoption of cloud computing across all government entities. This step aims to solidify operational efficiency and enhance the quality of digital services provided, aligning with the objectives of Vision 2030, which places digitalization at the heart of its national priorities.

The context of digital transformation and Vision 2030

This decision is not an isolated event, but rather an extension of the Kingdom's "cloud-first" policy aimed at strengthening its digital infrastructure. Since the launch of its Vision 2030, Saudi Arabia has strived to become a regional hub for technology and innovation, attracting major global technology companies to establish cloud zones within the Kingdom. These new regulations aim to streamline the transition from costly traditional data centers to flexible and secure cloud environments, ensuring national data sovereignty and enhancing business continuity under all circumstances.

Strict governance and a gradual approach to choosing solutions

The authority established a comprehensive regulatory framework requiring government entities to create a specialized cloud computing unit within their organizational structures. To ensure seriousness and professionalism, the regulations stipulate the appointment of a senior manager for the unit with high-level technical and administrative expertise, along with the formation of a high-level governance committee to directly oversee the strategies.

Regarding the technical aspect, the Authority established a strict hierarchy for selecting technical solutions, obligating entities to give the highest priority to the “Software as a Service” (SaaS) model when implementing any new service, followed by “Platform as a Service” (PaaS), and then “Infrastructure as a Service” (IaaS) as a last option, in order to reduce the operational burden and focus on developing services.

Financial oversight and security compliance

To ensure efficient spending, the standards included requiring entities to implement rigorous financial tracking systems to monitor cloud operating expenses and conduct periodic cost-benefit reviews. The authority also emphasized the prohibition of contracting with any cloud computing service provider not registered with the Communications, Space and Technology Authority, to ensure compliance with sovereign regulations.

Regarding information security, the provisions stipulate the need to fully comply with the classification and protection of data in accordance with the regulations of the National Data Management Office, and to adhere to the cybersecurity controls issued by the National Cybersecurity Authority, to ensure the protection of digital assets from any potential threats.

Expected impact: efficiency and flexibility

This regulation is expected to bring about a qualitative shift in the performance of the government sector, as it will contribute to reducing capital costs associated with server and data center maintenance, converting them into well-planned operational expenses. It will also enhance the speed with which government entities respond to technological changes and facilitate data integration across various sectors, positively impacting the quality of life and services provided to citizens and residents.