Saudi Arabia: New cybersecurity controls

The Kingdom of Saudi Arabia ('KSA') has focused on digital transformation as part of its Vision 2030 plan to develop its infrastructure and support the transition away from reliance on oil towards a knowledge-based economy. In keeping with this increased focus on technology in the economy, there has been an associated rise in regulation of digital activity. Dino Wilkinson, Masha Ooijevaar, Adwa Aljebreen, and Zahra Laher, from Clyde & Co., discuss how cybersecurity has evolved in the KSA as well as recent guidelines, controls, frameworks, and regulations.

Early cybercrime regulation

The KSA took early steps to combat cybercrime by enacting the Anti-Cyber Crime Law of 2007 (Royal Decree No. M/17) ('the Cybercrime Law'). The Cybercrime Law applies to all individuals and organisations in the KSA, including companies and government entities.

The Cybercrime Law aims at enhancing information security and protecting rights, taking into account public interest, morals, and values. It defines 'cybercrime' as a crime that is committed online, using a computer or the internet, such as hacking online data, violating the privacy of individuals, or promoting and/or supporting illegal activity and criminal sites. Cybercrimes also include: acquiring property or illegally accessing data, such as credit data; causing information networks to be altered, destroyed, distorted, or broken down; and producing materials that conflict with public morals, laws, and religious values.

Where a cybercrime has been committed, punishments, in the form of periods of imprisonment and/or fines, are investigated and imposed by the Office of the Public Prosecutor, assisted by the Communications and Information Technology Commission ('CITC'). Such penalties can range up to ten years' imprisonment and a fine of SAR 5 million (approx. €1,335,330), depending on the cybercrime committed. Whilst the Cybercrime Law sets out the types of actions that would constitute a cybercrime, it also gives the courts the power to exempt offenders from penalties in cases where the perpetrator was unaware of the violation or before any harm has been caused.

The new order: the National Cybersecurity Authority

The National Cybersecurity Authority ('NCA') was established in 2017 to regulate and improve the cybersecurity position in the KSA, as part of the National Cyber Security Strategy ('the Strategy'). The NCA is responsible for developing cybersecurity controls and capabilities, stimulating growth, and encouraging innovation and investment globally in the cybersecurity sector.

The Strategy was formulated to create a safe cyberspace in the KSA by coordinating national efforts, led by the NCA, to combat cyber risks. The Strategy sets out 18 key elements of cybersecurity with six main themes. Broadly, the Strategy covers the following:

  • Integration: developing and reviewing policies, regulations, and directions in relation to cybersecurity maintenance and ensuring governance and management of government and private entities.
  • Regulation: encouraging the implementation of risk management processes, by complying with the National Standards and Controls (see the ECC and CSCC sections below), to identify gaps in cybersecurity and reduce the occurrence of threats.
  • Assurance: raising cybersecurity awareness, strengthening national digital identities, encouraging the implementation of national data encryption mechanisms, and protecting sensitive internet resources.
  • Defence: establishing guidelines that assist with developing a defence mechanism and contingency plan in the event of a cybersecurity threat and ensuring the continued protection of critical infrastructure.
  • Cooperation: building partnerships and information sharing in relation to cybersecurity policies, cyber threats and prevention, and rapid response techniques adopted in the event of a cyber incident.
  • Construction: (i) encouraging cybersecurity research to share and support innovation; (ii) building a national capacity which includes units specialising in cybersecurity education and training; and (iii) adopting methods to ensure a secure infrastructure and the development of evaluation and testing mechanisms to ensure safety and readiness in the event of cyber threats.

Essential cybersecurity controls

The NCA introduced the Essential Cybersecurity Controls ('ECC') which apply to government entities and private sector entities that own or operate critical national infrastructure.

Broadly, the ECC are organised into five domains: governance; defence; resilience; third party and cloud computing; and cybersecurity for industrial control systems. The full extent of the requirements can be accessed in the whitepaper [1] on the NCA website. However, it is useful to highlight the following:

  • organisations must provide a clear and defined cybersecurity strategy, including risk management procedures and cybersecurity training and awareness programmes, which are reviewed and updated periodically;
  • a detailed inventory of technology assets must be maintained in the KSA, alongside security-based access controls such as authentication based on usernames and passwords;
  • organisations must ensure a clear threat management and security process is available to all in the event of a cyber breach, attack, or threat;
  • an authorising official must be appointed to support the implementation and management of cybersecurity programmes within the organisation; and
  • where third parties contracted by the organisation provide operating and management services through remote access, that remote access must be provided from a location based in the KSA.

Critical Systems Cybersecurity Controls

As an extension to the ECC, the NCA established a particular set of controls for critical systems. The Critical Systems Cybersecurity Controls ('CSCC') prescribe the minimum cybersecurity requirements for critical systems in organisations. The CSCC applies to any organisation that owns or operates a critical system. To be fully compliant with the CSCC, organisations must also comply with the requirements contained within the ECC and implement all necessary measures that are prescribed by the NCA. 

The CSCC mirrors the domains within the ECC, as listed above, with the full requirements being accessible in the CSCC document [2]. The main provisions include details for the following:

  • implementing methods to ensure cybersecurity plans, goals, and systems are compliant with laws and regulations and conducting critical systems tests to review cybersecurity controls within an organisation;
  • creating and maintaining an inventory of all technology assets and developing operational requirements to protect technical assets;
  • developing cybersecurity requirements for business continuity management such as disaster recovery tests and plans;
  • ensuring the efficient management of critical systems with third-party contracts; and
  • outlining provisions for cloud computing in line with the organisation's policies and procedures, laws, and regulations.

Registration of cybersecurity service providers

In April 2022, the NCA called on all entities that provide cybersecurity solutions, services, or products in KSA to register through its website. The objectives of the registration were stated to be the creation of a suitable ecosystem to attract and stimulate local and international investments, enhance the level of cybersecurity services provided in the KSA, support small to medium-sized enterprises, and encourage innovation in the cybersecurity sector.

Optional registrations were accepted from April 2022 and registration became mandatory from 1 August 2022. Applicants are required to complete a registration request form that will be reviewed and approved by the NCA.

The registration is obligatory on every service provider that provides a cybersecurity service as defined in the official charter of the NCA, which defines 'cybersecurity' as 'the protection of information technology systems and networks as well as systems and components of operating technologies, including hardware and software, together with services provided thereby and data included therein, against unlawful hacking, obstruction, modification, access, use or exploitation'.

The NCA also separately announced the launch of a new National Portal for Cyber Security Services ('HASEEN') that will be used by national authorities to enhance their cyber resilience. The platform will include information sharing, compliance management, and email authentication tools.

Cybersecurity guidelines for e-commerce service providers

Regulation has been implemented in the KSA to regulate the rapidly growing e-commerce market. On 1 January 2019, the NCA issued cybersecurity guidelines that apply to e-commerce service providers ('the e-Commerce Guidelines'). The e-Commerce Guidelines aim to educate and assist small to medium-sized e-commerce service providers within the KSA on implementing best practices to secure their business, devices, data, customer accounts, and payment processes while ensuring that a streamlined online shopping experience can be provided to customers.

The e-Commerce Guidelines are centred around seven categories which ensure that e-commerce providers:

  1. Use strong authentication methodologies.
  2. Protect their e-commerce systems by understanding their e-commerce technology assets, keeping an up-to-date list of all current IT equipment, software, and data, controlling admin accounts, and using anti-malware software.
  3. Minimise the impact of data breaches by backing up data regularly, protecting data with encryption, protecting customers' financial data, and changing default security settings.
  4. Guard social media accounts used for the business by exercising safe behaviour on social media and verifying social media accounts.
  5. Defend their network by disabling unnecessary services on systems, segmenting and segregating networks, defending network perimeters through the use of intrusion prevention systems, and testing systems regularly.
  6. Continuously educate and train employees by developing and implementing cybersecurity and privacy policies.
  7. Strengthen internal e-commerce infrastructure by implementing a spam filter, reviewing audit trails and security logs, using email activation and a 'CAPTCHA' field (i.e. an online challenge used to determine whether or not the user is human) for user registration, and utilising fraud prevention software.

The NCA has separately issued the Cybersecurity Guidelines for E-commerce Consumers (which provide instructions to consumers on how to achieve a secure e-shopping experience and protect their devices, accounts, and personal information during the e-shopping process) and the Social Media Accounts Cybersecurity Controls for Organisations (which set out minimum cybersecurity requirements to enable organisations to use social networks in a safe manner).

General communications and IT regulation

Cloud computing in the KSA

Cloud computing is a means of delivering IT services through the cloud, which includes the storage, transfer, and processing of customer content in a cloud system. In the KSA, the CITC issued the Cloud Computing Regulatory Framework [3] ('CCRF'), which aims to regulate the use of cloud computing. Its provisions apply to any cloud service where cloud customers are located or residing in the KSA. It imposes a registration requirement for cloud providers to register their services with the CITC (the requirements and procedures for registration are outlined in the Guide for Cloud Computing Service Providers in the KSA).

The CCRF requires a Cloud Service Provider ('CSP') to comply with all cybersecurity laws and regulations within the KSA. Additionally, a cloud computing agreement must be in place between the CSP and cloud user, outlining the basis of consent to which the subscriber data can be processed along with the minimum contractual requirements. Subscriber data is also subject to different levels of information security depending on the type and nature of data held. The CCRF classifies two main categories of information security data:

  • Saudi Government data: which is divided into four levels being 'top secret', 'secret', 'confidential', and 'public'; and
  • non-Government data: which captures any data that is not included under Saudi Government data.

Cloud subscribers who consent to the use of their data are responsible for selecting the level of information security that should apply to their data based on the category of data, and the customers' needs and duties. It is advisable to reflect this within the contract between the cloud subscriber and CSP.

Importantly, the provisions of the CCRF guarantee a means to safeguard subscribers' data without undermining other laws and regulations relating to the storing, transfer, and processing of subscriber data or information within the cloud system. However, CSPs should be aware of the CITC's enforcement powers, which permit the imposition of a fine, penalty, and/or revocation of a licence following any violation of the CCRF.

Cloud Cybersecurity Controls

In October 2020, the NCA issued the Cloud Cybersecurity Controls ('CCC') with the aim of enhancing the reliability of cloud computing services. The CCC extends the focus of the ECC by incorporating cybersecurity matters within cloud services.

The CCC provides a minimum standard for cybersecurity by focusing on four pillars: strategy; people; procedures; and technology. The provisions of the CCC apply to any government entity located inside or outside of the KSA, entities affiliated with the government, CSPs outside of the KSA, and private sector organisations that own, operate, and host critical national infrastructure. It is important to note that the NCA strongly encourages all organisations to leverage compliance with the CCC.

Essentially, the CCC outlines various cybersecurity controls that assist CSPs with the management of cybersecurity threats and risks and the protection of information and technical assets. Similar to the ECC, the CCC focuses on key provisions which include governance, defence, resilience, and third-party cybersecurity. These controls closely mirror international cybersecurity standards such as ISO 27001, the Cloud Controls Matrix, C5, and others.

As a CSP, it will be necessary to identify a timeline for implementing the policies to ensure compliance with the provisions of the CCC within the organisation. Although the regulatory framework provides limited guidance, a CSP should take into account the following considerations: the size of the organisation; the field in which the organisation operates; the number of employees; current policies implemented; and the number and type of IT components within the organisation's infrastructure.

Internet of Things Regulatory Framework

The CITC, which regulates the IT and telecommunications sector within the KSA, published the Internet of Things Regulatory Framework ('IoTRF') in September 2019 to address service provisions for wired or wireless networks, which include Internet of Things ('IoT') services provided through mobile networks, fixed networks, and licence-exempt frequencies. The IoTRF requires IoT service providers to obtain a licence from the CITC, so that serviced activities within the KSA are licensed, and to register through the Manassa Tech portal [4], which links service providers with clients.

Additionally, registered IoT service providers and indoor IoT network implementers must host all servers used in providing IoT services. They must provide technical capabilities in the IoT devices and machines to store and retain data so that it can be reviewed for a minimum duration of 12 months.

The IoTRF also lists the requirements that must be complied with regarding IoT equipment, requiring that all IoT equipment complies with the CITC's requirements and is approved by the CITC. In particular, the IoTRF states that all SIM cards used with IoT devices imported into the KSA must be issued by a locally licensed provider.

In March 2022, the CITC published a draft update to the IoTRF for public consultation with several edits to the existing version. Among the changes are amendments to the definition of 'IoT' and a new focus on the regulation of devices, connectivity, and connectivity service providers. The proposed new IoTRF takes a more principles-based approach than the current regulations, which focus more on technical specifications. The proposed IoTRF references out to international standards and encourages both the use of Internet Protocol version 6 and interoperability between IoT devices and platforms.

Telecommunications and Information Technology Act

KSA updated its regulatory regime for telecommunications with the issuance of a new Telecommunications and Information Technology Act enacted by Royal Decree No. M/106 dated 02/11/1443H (equivalent to 1 June 2022) ('the Telecommunications Act'). The Telecommunications Act takes effect on 7 December 2022 and will be supplemented by additional regulations to be issued within 180 days from the date of publication of the Telecommunications Act in the Official Gazette. The CITC remains the primary authority responsible for overseeing and enforcing the Telecommunications Act.

The Telecommunications Act has broadened the scope of application from purely telecommunications services under the old law to a range of ICT activities and services. The Telecommunications Act now regulates emerging technologies with a specific focus on promoting digital transformation in the KSA and encouraging innovation, entrepreneurship, research, and technical development.

The Telecommunications Act includes a chapter on the protection of user data and confidential documents. It requires service providers to comply with the provisions of the Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021 ('the Data Protection Law'), when using, controlling, or processing any user's personal data. The Telecommunications Act also requires service providers to take all necessary steps and precautions to ensure the protection and confidentiality of users' personal data and documents, including ensuring that user data is not disclosed without the consent of the user.

Service providers have a duty to notify users and the CITC in case of a breach of a user's personal data or documents and they must take appropriate measures to protect personal data.

The Telecommunications Act further specifies that the CITC will ensure the protection of cybersecurity and critical infrastructure (defined as networks and IT devices whose equipment could totally or partially disrupt or impair the stability or security of the sector) by complying with decisions issued by the NCA. The Telecommunications Act also notes that the CITC will assess the cybersecurity level of each service provider to ensure that the protection is adequate in accordance with the levels expected by the NCA.

A digital authority for KSA public entities

In March 2021, Saudi Arabia's Cabinet approved a Decision to establish a Digital Government Authority ('DGA'). The DGA is responsible for leading the automation of government services and improving coordination between ministries and other state bodies, as well as maximising the return on government technical investments. It also coordinates processes across different government entities with respect to cybersecurity and digital transformation.

The DGA has since issued a number of guidelines and controls, including the Controls of Risk Management for Digital Government in order to enhance the reliability and continuity of digital government services, and the Introductory Guide for Digital Platforms, Products and Services to help government agencies classify their digital business assets according to a unified national classification system.

New data protection landscape

The KSA issued the Personal Data Protection Law in September 2021 to regulate the collection and processing of personal data in the KSA. The Personal Data Protection Law is intended to ensure the privacy of personal data, regulate data sharing, and prevent abuse of personal data in line with the goals of the Saudi Vision 2030. It sets out requirements to guarantee the protection and proper handling of personal data. 

The Saudi Authority for Data and Artificial Intelligence ('SDAIA') will supervise the implementation of the Personal Data Protection Law for the first two years, following which a transfer of supervision to the National Data Management Office ('NDMO') will be considered. The NDMO is the regulatory arm of SDAIA and had previously published data governance regulations in 2020, which will likely be superseded by the Personal Data Protection Law once it becomes enforceable.

The Personal Data Protection Law was intended to come into effect on 23 March 2022 and a number of controls, mechanisms, and requirements in the Personal Data Protection Law were expected to be clarified in supplementing regulations that were also due before March 2022. The draft regulations were published in March, but the consultation was subsequently withdrawn and the SDAIA announced that it was postponing the full enforcement of the Personal Data Protection Law until March 2023 based on views and responses received from various stakeholders.

The Personal Data Protection Law applies to all personal data processing undertaken in Saudi Arabia, including by non-KSA entities that process personal data of KSA residents. The Personal Data Protection Law prohibits the processing of personal data without the consent of the data subject, except in specific circumstances.

All controllers are required to implement necessary regulatory, administrative, and technical measures to ensure the protection of personal data. The regulations will provide further conditions on the measures that should be adopted. Controllers are also required to conduct an impact assessment of the consequences of processing personal data for their processing activities according to the nature of the data. Again, it is likely that further requirements on when and how to conduct such assessments will be set out in the regulations.

If a data breach occurs, controllers will have to notify the competent authority once they become aware of the breach. In certain circumstances, they will also have to notify the data subject where there is ongoing harm to the data subject.

There are also currently strong restrictions in the existing Personal Data Protection Law on transferring personal data outside the KSA, including having to obtain approval from the competent authority. However, it may be that the implementing regulations will provide further clarity around cross-border transfers and align them with the data transfer restrictions in other international data protection laws (e.g. putting in place a list of approved territories that provide an adequate level of data protection).

What's next?

The government of the KSA continues to invest in the digital security sector in order to achieve the social and economic goals of Saudi Vision 2030. The KSA ranked second globally in the cybersecurity index within the World Competitiveness Yearbook ('WCY') for 2022 (published by the International Institute for Management Development), which reports that the KSA has made unprecedented progress in the field of cybersecurity.

The NCA is working on encouraging entrepreneurship and innovation in the field of cybersecurity. It recently launched the CyberIC program for local start-ups for the wider development of the cybersecurity sector, with the aim of developing numerous initiatives, including on training employees of national authorities, accelerating cybersecurity activities to stimulate the sector, and encouraging the development of national cybersecurity products, services, and solutions.

Further regulatory development is expected, including implementing regulations under the Personal Data Protection Law. The Government is committed to transparency and consultation, with many draft regulations published for public comment on the Istitlaa platform [5] run by the National Competitiveness Centre. It is also hoped that future guidance and practice will clarify the roles and responsibilities of the increasing number of regulatory bodies in this space.

Dino Wilkinson, Partner
Masha Ooijevaar, Senior Associate
Adwa Aljebreen, Associate
Zahra Laher, Associate
Clyde & Co., Dubai

1. See: https://nca.gov.sa/ecc-en.pdf
2. See: https://nca.gov.sa/files/cscc-en.pdf
3. See: https://www.citc.gov.sa/en/RulesandSystems/RegulatoryDocuments/Documents/CCRF_En.pdf
4. See: https://www.citc.gov.sa/en/services/tech/Pages/default.aspx
5. See: https://istitlaa.ncc.gov.sa/en/Pages/default.aspx