New cybersecurity regulations in Saudi Arabia: Localization and data sovereignty

A strategic step to enhance national cybersecurity
The National Cybersecurity Authority (NCA) in Saudi Arabia has announced the launch of a new regulatory framework for licensing cybersecurity services and products. This step is part of the Kingdom's ongoing efforts to enhance its cybersecurity, regulate the technology services market, improve the efficiency of solutions offered, and ensure their full compliance with national requirements. The project, launched through the "Istilaa" platform, aims to regulate the operations of all entities providing cybersecurity services or solutions to national entities, whether through direct or indirect contracts.
The general context within Vision 2030
These new regulations fall within the framework of the comprehensive digital transformation underway in Saudi Arabia as part of Vision 2030. With the massive expansion of digital government services and the growth of the digital economy, the need for a robust and reliable cybersecurity infrastructure has become increasingly critical. The National Cybersecurity Authority (NCA) was established in 2017 as the supreme authority in this field, and since then, it has been developing policies and legislation aimed at protecting the Kingdom’s vital interests, national security, and critical infrastructure. This new regulatory framework represents the culmination of these efforts, moving the sector from a phase of general guidelines to one of precise regulation and mandatory licensing.
Key features of the new regulatory framework
The regulatory framework imposes strict conditions to ensure the highest levels of security and reliability, most notably:
- Data sovereignty: The project obliges service providers to conduct all their operations, and to process and store all data related to national entities, exclusively within the borders of the Kingdom. It prohibits any access to this data from abroad, thus enhancing national sovereignty over data.
- Localization and local content: In support of the national economy and the development of local talent, the regulations stipulate adherence to specific local content quotas and the localization of critical jobs. For example, incident response service providers are required to employ full-time Saudi specialists.
- A precise licensing system: The project adopted a national classification that includes 5 main areas and 25 sub-areas. Based on this classification, two categories of licenses were identified: “Specialized License” for highly sensitive services, and “General License” for less sensitive services, to ensure precise governance of the sector.
- Incident handling mechanism: The project established a clear mechanism for dealing with cyber incidents, obligating entities to report them immediately via the “Haseen” platform or the dedicated number (936), and to keep incident records for up to 25 years to ensure tracking and accountability.
Importance and expected impact
Domestically, these regulations will contribute to creating a more mature and regulated cybersecurity market, enhancing investor and user confidence in the Saudi digital environment, and providing quality job opportunities for Saudi youth. Regionally, this step solidifies the Kingdom's position as a leader in cybersecurity governance and could serve as a model for the region. Internationally, these rules will impact global technology companies seeking to operate in the Saudi market, as they will be obligated to comply with data sovereignty and localization requirements, aligning with the growing global trend toward regulating the national digital space.



