Saudi Arabia: Cybersecurity

1. GOVERNING TEXTS

There have been significant developments in Saudi Arabia on cybersecurity regulation recently. The Regulation of the National Cybersecurity Authority ('the NCA Regulation') was approved under Royal Decree No. 6801 of 11/2/1439H (31 October 2017). As elaborated below, it establishes and defines the roles and responsibilities of the National Cybersecurity Authority ('NCA'). The Law on the Use of Information Communications Technology in Government Agencies (only available in Arabic) ('the ICT Law'), issued under Council of Ministers Resolution No. 555 of 23/09/1440H (28 May 2019), reinforces the role of the NCA by requiring government sector entities to comply with the NCA's regulatory guidance and instructions. There are also mandatory sectoral guidelines on cybersecurity, issued by the relevant regulators in Saudi Arabia (including the NCA).

More generally, personal data protection considerations may also be relevant in a cybersecurity context. Saudi Arabia has recently issued the Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021 (only available in Arabic) ('PDPL'), which applies to all personal data processing activities. Materially, the PDPL requires all personal data processing to be carried out pursuant to the consent of data subjects (with a few exceptions). Although the PDPL was to become effective on 23 March 2022 (subject to a one-year grace period for compliance), on 21 March 2022, following recommendations from the Saudi Authority for Data and Artificial Intelligence ('SDAIA') and other key stakeholders, a Royal Order was issued postponing the implementation of the PDPL to 17 March 2023.

Many aspects of the PDPL are to be clarified by executive regulations. In March 2022, the SDAIA, in collaboration with the National Data Management Office ('NDMO'), issued for public consultation a draft version of the Executive Regulations ('the Draft Executive Regulations').

Until the Draft Executive Regulations are finalised, the NDMO's National Data Governance Interim Regulations ('the Interim Regulations') are relevant. They contain requirements for controllers on processing personal data, including the requirement to obtain the consent of the data subject for all processing activities.

1.1. Legislation

General

The NCA Regulation sets out the key features and responsibilities of the NCA, including that it should enhance cybersecurity in Saudi Arabia by, among other things:

  • preparing a national cybersecurity strategy and supervising its implementation;
  • developing and circulating policies, frameworks, and standards for cybersecurity implementation, risk management, incident response, and encryption, as well as supervising their implementation; and
  • building, supervising, and operating national and sectoral (as required) cybersecurity operation centres and platforms in Saudi Arabia, with the capability to command, control, investigate, monitor, and exchange information and analysis on cybersecurity.

The NCA Regulation also requires the NCA to educate, train, and raise awareness about cybersecurity through establishing affiliated centres to conduct some of its competencies and tasks, direct engagement with and tasking of public and private sector employees, holding workshops, running training programs, and issuing printed materials. Moreover, under the NCA Regulation, all Saudi authorities must fully cooperate with the NCA in its work and notify the NCA immediately of any risk, threat, or hacking, whether existing or possible.

The NCA is overseen by a governor and a board comprising the President of State Security, the President of the General Intelligence Presidency, Deputy of the Minister of Interior, Assistant Minister of Defence, and Governor of the NCA.

Sectoral legislation

The ICT Law broadly regulates the use of technologies in the government sector and addresses aspects of cybersecurity as well. The government sector is required to comply with regulations issued by the NCA, including governance policies and mechanisms, frameworks, standards, and guidelines related to cybersecurity.

Additionally, the ICT Law requires the government sector to use electronic signature technology and certification of electronic data, documents, and correspondence in coordination with the National Centre for Digital Certification, and in accordance with guidance issued by the NCA in respect of data protection. There are also mandatory sectoral guidelines, issued by the relevant regulators in Saudi Arabia. A brief outline of these is set out in section 1.3. below.

1.2. Regulatory authority 

Government sector and critical national infrastructure operators

  • The NCA

Financial sector

  • The SAMA (see section 1.3. below)

Health sector

  • The NHIC (see section 1.3. below)

1.3. Regulatory authority guidance

Government sector and critical national infrastructure operators

The NCA has only recently been established under the direct authority of the King and Crown Prince of Saudi Arabia. The NCA does not yet have any corrective powers or the ability to issue monetary fines. The NCA issued the Essential Cybersecurity Controls 2018 ('ECC') in 2018, which is in force under Royal Decree No. 57231 of 10/11/1439H (23 July 2018). The ECC applies to government agencies (namely ministries, authorities, institutions, or others) and their affiliated entities and companies. Private sector entities that own, operate, or host critical national infrastructure must also comply with the ECC. In addition, the ECC's controls on cloud computing, cloud hosting, and industrial control systems' cybersecurity apply to, and are binding on, any entity that currently uses, or plans to use, those services or systems.

Furthermore, the NCA's Cloud Cybersecurity Controls 2020, as amended ('the CCC 2020') have been developed to supplement the ECC in order to achieve a higher level of cybersecurity in the use of cloud services by Cloud Service Tenants ('CST'), i.e. government agencies of Saudi Arabia (including ministries, authorities, institutions, and others) and affiliated entities and companies, and private sector entities that own, operate, or host critical national infrastructure (i.e. critical industry sector entities). The CCC 2020 contains various cybersecurity controls in respect of cloud services including in relation to localisation and on information security type considerations.

Additionally, the NCA's Critical Systems Cybersecurity Controls 2019 ('the CSCC 2019') introduces further restrictions on the use of cloud services outside the Kingdom. The CSCC 2019 supplements the ECC and sets out specific cybersecurity requirements for 'critical systems' of subject entities. Critical systems are defined as any system or network whose failure, unauthorised change to its operation, unauthorised access to it, or to the data stored or processed by it, may result in negative impact on the organisation's business and service availability, or cause negative economic, financial, security, or social impacts on the national level. The CSCC 2019 also contains localisation type requirements and a prohibition on remote access for identity and access management of critical systems.

More recently, in April 2022, the NCA issued the Cyber Security Controls Document for Operational Systems (only available in Arabic) ('the Operational Systems Controls Document'). In particular, the Operational Systems Controls Document:

  • is aimed at the adoption of the best standards and practices in the field of cybersecurity for operational systems associated with sensitive industrial facilities at government and private agencies;
  • sets out approved controls for securing operational systems and enabling entities to apply minimum requirements for protection; and
  • covers implementation of cybersecurity controls and commitment to safeguarding against cyber risks as well as follow-up and updated mechanisms in connection with the implementation of such controls.

Financial sector

The SAMA has a role in ensuring that its regulated entities comply with the SAMA Cyber Security Framework of 2017 ('the SAMA Cybersecurity Framework') issued in May 2017. The SAMA Cybersecurity Framework is a regulatory document rather than legislation but is 'in force' in the sense that it has been issued by the SAMA and all SAMA-regulated entities are required to comply with it.

The SAMA Cybersecurity Framework applies to all banks, insurance and reinsurance companies, finance companies, credit bureaux, and financial market infrastructure in Saudi Arabia. The SAMA Cybersecurity Framework is principle/risk-based and prescribes key principles and objectives to be adopted/met by entities regulated by the SAMA.

Moreover, the SAMA Cybersecurity Framework sets out various levels of maturity. At the minimum level expected of a member organisation:

  • the organisation's cybersecurity policies, standards, and procedures are established;
  • compliance with cybersecurity policies, standards, and procedures is monitored (preferably using governance, risk, and compliance tools); and
  • key performance indicators are defined, monitored, and reported.

Health sector

The National Health Information Center ('NHIC') issued the Saudi Health Information Exchange Policies ('the SHIE Policies') and the Saudi Health Information Exchange Testing and Certification Policies ('the SHIE Testing Policies') in 2016. The NHIC provides support and technical counselling for health information systems and has also developed a Health Information Data Center. The aim of the SHIE initiative is to link hosting systems and electronic services to enable standards-based e-health interoperability while ensuring information security.

Under the SHIE Policies, the implementation of ongoing technological improvements to the healthcare system is contemplated on two main fronts. The first is the adoption of secure technology solutions to enable streamlined patient care via online health records. The second is making available de-identified patient data that can inform research. This can be used by the public sector, for example, by guiding public health policy responses (e.g. containment and prevention of epidemics, or targeting health awareness programmes), and by the private sector, for example, by developing new treatments and pharmaceuticals. The SHIE Testing Policies are intended to apply primarily to interoperability testing of products to be deployed as SHIE Nodes connected to the Saudi eHealth Exchange Platform.

Separately, we mention the Telemedicine Regulations issued by the Saudi Health Council in June 2018, which also set out certain requirements on the practice of telemedicine in Saudi Arabia. They set out obligations for healthcare providers which have an impact on service providers as well. The regulations address cybersecurity and require compliance with the SHIE Policies mentioned above (where applicable), including all relevant data security and privacy requirements. They further require compliance with interoperability frameworks and/or the Health Insurance Portability and Accountability Act of 1996 of the US.

2. SCOPE OF APPLICATION

There is no cybersecurity legislation of general application per se in Saudi Arabia. However, the PDPL states that its obligations are without prejudice to the NCA's requirements and, similarly, the Draft Executive Regulations require data controllers to adhere to all controls, standards, guidelines, and other provisions issued by the NCA. Additionally, the Interim Regulations issued by the NDMO require data controllers to adopt the cybersecurity controls set out by the NCA in certain instances for the protection of personal data. These include:

  • preparing and documenting data erasure procedures and policies in order to destroy the data in a secure manner, that prevents data loss, misuse, or unauthorised access, including operational and archived data and backups, according to controls issued by the NCA;
  • verifying the data subject's identity before granting them access to their personal data, according to the controls approved by the NCA; and
  • using the appropriate security measures in order to protect personal data in accordance with data nature and sensitivity and means used to transfer and store data, according to controls approved by the NCA.

3. DEFINITIONS

Information security program: This is not defined under the applicable law.

Database: This is not defined under the applicable law.

Cybersecurity incident: This is not explicitly defined under the applicable law. The ECC defines 'incident' as a compromise by breaching policies of cybersecurity or acceptable use or practices, controls, or requirements of cybersecurity.

Cybersecurity / information security officer: This is not explicitly defined under the applicable law. However, the Interim Regulations issued by the NDMO define 'chief data and privacy officer' as the head of the controller's entity, i.e. an executive within the organisation who has the authority and the influence to ensure that the data management and privacy program is followed by providing overall leadership for required initiatives and activities.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

4.1.Cybersecurity training and awareness

The ECC requires subject entities to ensure that the organisation's personnel have the necessary security awareness and are acquainted with their responsibilities in the cybersecurity field and that the organisation's personnel are provided with the skills, qualifications, and training courses required in the field of cybersecurity in order to protect the information and technology assets of the organisation and fulfil their responsibilities for cybersecurity.

The CCC 2020 requires cloud service providers to provide training for employees and third-party personnel to respond to cybersecurity incidents, in line with their roles and responsibilities.

4.2. Cybersecurity risk assessments

The ECC requires subject entities to conduct the following assessments:

  • the cybersecurity strategy must be assessed at scheduled intervals (or if any amendments are made to the relevant legislative and regulatory requirements);
  • cybersecurity policies, procedures, and standards must be assessed and updated at scheduled intervals (or if any amendments are made to the relevant legislative and regulatory requirements and standards), and any amendments must be documented and approved;
  • the organisation's cybersecurity roles and responsibilities must be assessed and updated at scheduled intervals (or if any amendments are made to the relevant legislative and regulatory requirements); and
  • cybersecurity risks must be assessed, and sufficient procedures put in place to control such risks, before the conclusion of contracts and agreements with third parties or upon changes to the related legislative and organisational requirements.

The CCC 2020 requires cloud service providers to assess and remediate vulnerabilities on external components of the cloud technology stack at least once every month, and at least once every three months for internal components of the cloud technology stack. CSTs are required to assess and remediate vulnerabilities in cloud services at least once every three months.

4.3. Vendor management

The ECC requires subject entities to implement the following controls on third party / vendor management:

  • cybersecurity requirements within the organisation's contracts and agreements with third parties are to be determined, documented, and approved. Such requirements must at least include:
    • non-disclosure clauses and safe deletion by the third party of the organisation's data upon expiry of the service;
    • communication procedures in case of a cybersecurity incident; and
    • an obligation on the third party to apply the organisation's cybersecurity requirements and policies and the related legislative and organisational requirements;
  • cybersecurity requirements for third parties providing IT outsourcing services or managed services must at least cover:
    • assessing cybersecurity risks and ensuring there are sufficient procedures to control such risks before the conclusion of contracts and agreements or upon changes to the related legislative and organisational requirements; and
    • managed cybersecurity service operation centres for operation and monitoring that use remote access must all be located in-country; and
  • cybersecurity requirements for third parties shall be reviewed periodically.

In terms of third party / vendor management, the CCC 2020 requires cloud service providers to comply with the following controls:

  • ensure fulfilment of the NCA's requests to remove software or services, provided by third-party providers that may be considered a cybersecurity threat to national organisations, from the marketplace provided to CSTs;
  • provide security documentation for any equipment or services from suppliers and third-party providers;
  • ensure third-party providers are compliant with the law and regulatory requirements relevant to their scope; and
  • ensure risk management and security governance on the part of third-party providers as part of general cybersecurity risk management and governance.

4.4. Accountability/record keeping

In terms of accountability / record keeping, the ECC requires subject entities to comply with the following controls:

  • the organisation's cybersecurity controls must be assessed and audited by parties independent of the internal cybersecurity department; and
  • results of cybersecurity assessments and audits must be documented and presented to the cybersecurity supervisory committee and the 'Competent Person' as described in section 8 below.

5. DATA SECURITY

The ECC

An organisation must set, document, approve, and apply risk management processes, and must assess cybersecurity risk, at a minimum:

  • at an early stage of technology projects;
  • before making a substantive change to the technical infrastructure;
  • when planning to obtain the services of external parties; and
  • when planning for, and before launching, new technical products and services.

The SAMA Cybersecurity Framework

Each member organisation must define, approve, and implement a risk management process. The process should:

  • be aligned with the member organisation's enterprise risk management process;
  • focus on safeguarding the confidentiality, integrity, and availability of information assets; and
  • be initiated at an early stage of the project, prior to critical change, when outsourcing is being considered, and when launching new products and technologies (same as the ECC).

Other obligations include:

  • cybersecurity risk identification;
  • cybersecurity risk analysis;
  • cybersecurity risk response (accept, avoid, transfer, or mitigate); and
  • cyber risk monitoring and review.

The SHIE Policies

There is no specific risk management section of the SHIE Policies as their overall purpose is to manage the risk of inappropriate use of health information. Such risks include unauthorised use of data, which is managed by generating audit logs, regular review of audit logs, and external audits. The level of breach reporting depends on the risk the breach poses and whether it is ongoing. Re-identification risk assessments of proposed de-identified data extracts are also to be undertaken.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

The ECC

Each entity subject to the ECC is responsible for developing its own processes to proactively deal with threats, detect incidents, and avoid damage to its operations, as well as ensuring the processes are documented and approved. They must cover:

  • plans of response to security incidents and escalation mechanisms;
  • classification of cybersecurity incidents;
  • informing the NCA once any cybersecurity incident occurs;
  • sharing alerts, threat intelligence, indicators of compromise, and reports on cybersecurity incidents with the NCA; and
  • obtaining and dealing with threat intelligence.

The SAMA Cybersecurity Framework

Member organisations should inform the SAMA IT Risk Supervision immediately when a medium or high classified security incident has occurred and been identified. The member organisation should obtain a 'no objection' from the SAMA IT Risk Supervision before any media interaction related to the incident.

The member organisation should submit a formal incident report to the SAMA IT Risk Supervision after resuming operations, including the following incident details:

  • title of incident;
  • classification of the incident (medium or high);
  • date and time of when the incident occurred;
  • date and time the incident was detected;
  • information assets involved;
  • (technical) details of the incident;
  • root-cause analysis;
  • corrective activities performed and planned;
  • description of impact (e.g. loss of data, disruption of services, unauthorised modification of data, (un)intended data leakage, number of customers impacted);
  • total estimated cost of the incident; and
  • estimated cost of corrective actions.

The SHIE Policies

Reportable events (defined as action/lack of action, suspected or confirmed, intentional or unintentional, that violates the SHIE Policies and procedures for accessing or using personal health information) must be notified.

The Participating Healthcare Subscriber ('PHCS') must notify the organisation's privacy and security officer(s) within two business days of the discovery of a reportable event. The privacy and security officer(s) or designated person of the PHCS must communicate the review of the reportable event to the SHIE within two business days of notification, documenting whether or not there is a need for further investigation.

7. REGISTRATION WITH AUTHORITY

The ECC

Registration is not required. The ECC is mandatory for government entities and for private sector entities that own, operate, or host critical national infrastructure (see section 1.3. above), and is recommended for all other entities.

The SAMA Cybersecurity Framework

The SAMA Cybersecurity Framework applies to SAMA-regulated entities. SAMA-regulated entities are licensed with the SAMA separate to their need to comply with the SAMA Cybersecurity Framework.

The SHIE Policies

To participate in the SHIE, healthcare institutions must execute an effective participation agreement.

8. APPOINTMENT OF A SECURITY OFFICER

The ECC

The ECC requires the appointment of a 'Competent Person.' The Competent Person's role, function, and responsibilities include:

  • to ensure the organisation's cybersecurity strategy is set, complies with relevant legislative and regulatory requirements, and is documented, approved, and supported;
  • to form a cybersecurity supervisory committee to ensure the compliance, support and follow-up of the application of cybersecurity programmes and regulations;
  • to approve the organisation's documented cybersecurity policies and procedures, including cybersecurity controls and requirements;
  • set, document, and approve the organisational structure of the governance and the roles and responsibilities of the organisation's cybersecurity and mandate the persons in charge thereof; and
  • receive the documented results of cybersecurity assessment and audit with the cybersecurity supervisory committee.

The SAMA Cybersecurity Framework

The SAMA Cybersecurity Framework requires member organisations to have a chief information security officer ('CISO') along with a cybersecurity committee. The CISO should be a full-time senior manager for the cybersecurity function, have Saudi nationality, be sufficiently qualified, and be approved by the SAMA.

Broadly, the CISO must develop the cybersecurity strategy and implement adequate measures, monitor all cybersecurity activities, develop and conduct cybersecurity awareness programs, and measure and report on cybersecurity strategy, policy compliance, standards, and procedures and programs.

The SHIE Policies

The SHIE Policies require the appointment of a privacy and security officer. The officer's role, function and responsibilities include working with the SHIE privacy and security officer on reviewing reportable events.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services 

These are listed with reference to the SAMA Cybersecurity Framework in sections 1.3. above and 11 below.

Health 

These are listed with reference to the SHIE Policies in sections 1.3. to 5. above and 11 below.

Telecommunications 

Not applicable.

Employment 

Not applicable.

Education 

Not applicable.

Insurance 

Not applicable.

10. PENALTIES

The ECC

There are no penalties set out in the ECC.

Articles 3, 4, 5, and 7 of the Anti-Cyber Crime Law

There is a range of fines and imprisonment terms for cybercrimes, including by public officials and for any person inciting, assisting, or collaborating with others to commit cybercrimes, contained in the Anti-Cyber Crime Law 2007 (issued under the Council of Ministers Decision No. 79 of 7/3/1428H and approved by Royal Decree No. M/17 of 8/3/1428H) ('the Anti-Cyber Crime Law'). They include hacking, data theft/data corruption, computer sabotage, and computer fraud.

Article 3

Any person who commits one of the following cybercrimes shall be subject to imprisonment for a period not exceeding one year and a fine not exceeding SAR 500,000 (approx. €132,660) or to either punishment:

  • spying on or interception or reception of data transmitted through an information network or a computer without legitimate authorisation;
  • unlawful access to computers with the intention to threaten or blackmail any person to compel him to take or refrain from taking an action, be it lawful or unlawful;
  • unlawful access to a website, or hacking a website with the intention to change its design, destroy, or modify it, or occupy its URL;
  • invasion of privacy through the misuse of camera-equipped mobile phones and the like; and
  • defamation and infliction of damage upon others through the use of various information technology devices.

Article 4

Any person who commits one of the following cybercrimes shall be subject to imprisonment for a period not exceeding three years and a fine not exceeding SAR 2 million (approx. €530,650), or to either punishment:

  • acquisition of movable property or bonds for oneself or others or signing such bonds through fraud or use of false name or identity; and
  • illegally accessing bank or credit data, or data pertaining to ownership of securities with the intention of obtaining data, information, funds, or services offered.

Article 5

Any person who commits one of the following cybercrimes shall be subject to imprisonment for a period not exceeding four years and a fine not exceeding SAR 3 million (approx. €795,900) or to either punishment:

  • unlawful access to computers with the intention to delete, erase, destroy, leak, damage, alter, or redistribute private data;
  • causing the information network to halt or breakdown, destroying, deleting, leaking, or altering existing, or stored programs or data; and
  • obstruction of access to, distortion, and causing the breakdown of services by any means.

Article 7

Any person who commits the following cybercrime shall be subject to imprisonment for a period not exceeding ten years, and a fine not exceeding SAR 5 million (approx. €1.3 million), or to either punishment:

  • unlawful access to a website or an information system directly, or through the information network or any computer, with the intention of obtaining data jeopardising the internal or external security of the State or its national economy.

Other cybercrimes

Article 23 of the Electronic Transactions Law 2007, under Royal Decree No. M/18 of 8 Rabi' 1428H (26 March 2007) and Council of Ministers Resolution No. 80 of 7 Rabi' 1428H (25 March 2007), creates a number of offences relating to electronic signatures and certification service providers, including offences relating to fraud and forgery.

Additionally, whilst not specific to cybercrimes, there are other principles and provisions that may be relevant in the context of postal secrecy and secrecy of telecommunication:

  • Basic Law of Governance 1992 (Royal Decree No. A/90 of 27 Sha'ban 1412H (1 March 1992)) provides a general right to privacy of communications, as follows: 'Correspondence by telegraph and mail, telephone conversations, and other means of communication shall be protected. They may not be seized, delayed, viewed, or listened to except in cases set forth in the Law.';
  • Postal Law (Royal Decree No. M/4 of 21 Safar 1406H (4 November 1985); Council of Ministers Resolution No. 24 of 16 Muharram 1406H (30 September 1985)) contains provisions relating to the confidentiality of postal materials;
  • Telecom Act 2001 (Royal Decree No. M/12 of 12 Rabeea'l Awwal 1422H (3 June 2001); Council of Ministers Resolution No. 74 of 05 Rabeea'l Awwal 1422H (27 March 2001)) provides that: 'The privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained. Disclosing, listening, or recording the same is not permitted, except for the cases stipulated by the relevant Acts.';
  • PDPL, containing provisions on restrictions on processing personal data; and
  • Interim Regulations.

The SAMA Cybersecurity Framework

The Banking Control Law, under Royal Decree No. M/5 of 22/2/1386H (12 June 1966) may penalise banks that fail to comply with SAMA decisions (such as the SAMA Cybersecurity Framework) by:

  • appointing one or more advisers to advise the bank in the conduct of its business;
  • ordering the suspension or removal of any director or officer of the bank;
  • limiting or suspending the granting of credits or the acceptance of deposits;
  • requiring the bank to take such other steps, as it may consider necessary; or
  • where a bank persistently contravenes the law/SAMA regulations/decisions, requiring it to state its reasons and proposals to rectify the position; in serious cases, the Council of Ministers may approve revoking the licence of such a bank.

The SHIE Policies

Under the Law of Practicing Healthcare Professions 2005, under Royal Decree No. M/59 of 4/11/1426H (6 December 2005), medical practitioners can be punished for professional violations by:

  • a warning;
  • a fine not exceeding SAR 10,000 (approx. €2,650); or
  • revocation of the licence, striking their name off the registry, and an inability to reapply for a new licence for two years.

11. OTHER AREAS OF INTEREST

The ECC

The following additional topics are covered by the ECC:

  • cybersecurity strategy;
  • cybersecurity management;
  • cybersecurity policies and procedures;
  • cybersecurity roles and responsibilities;
  • cybersecurity in management of information and technology projects;
  • compliance with cybersecurity legislations and regulations;
  • cybersecurity periodical assessment and audit;
  • cybersecurity in human resources;
  • cybersecurity awareness and training program;
  • asset management;
  • identity and access management;
  • processing facilities protection;
  • email protection;
  • mobile devices security;
  • data and information protection;
  • cryptography;
  • backup and recovery management;
  • vulnerabilities management;
  • penetration testing;
  • physical security;
  • web application protection;
  • cybersecurity resilience aspects of business continuity management;
  • third-party cybersecurity; and
  • industrial control systems protection.

The SAMA Cybersecurity Framework

The following additional topics are covered by the SAMA Cybersecurity Framework:

  • human resources;
  • physical security;
  • asset management;
  • cybersecurity architecture;
  • identity and access management;
  • application security;
  • change management;
  • infrastructure security;
  • cryptography;
  • bring your own device;
  • secure disposal of information assets;
  • payment systems;
  • electronic banking services;
  • cyber security event management;
  • cyber security incident management;
  • threat management; and
  • vulnerability management.

The SHIE Policies

The following additional information security-related policies are covered in the SHIE Policies:

  • authentication policy;
  • consent and access control policy;
  • information security policy;
  • identity management policy;
  • audit policy;
  • purpose of use policy;
  • breach notification policy;
  • subject of care rights policy; and
  • secondary use policy.

Network and information systems

Network security under the ECC

The ECC does not contain a definition of network security per se. All entities subject to the ECC are required to protect their networks from cyber risks by determining, documenting, approving, and applying processes for:

  • protecting network parts with firewalls and the defence-in-depth principle;
  • separating the production environment network from the development and testing environment networks;
  • curtailing unsafe browsing or internet practices, like access to suspicious websites, file sharing, storage sites, and remote access sites;
  • use of identity authentication and cryptography;
  • conducting a thorough risk assessment before linking wireless networks to the organisation's internal networks to ensure the protection of technical assets;
  • limiting and managing network ports, protocols, and services; and
  • the use and management of prevention systems against intrusion, viruses, and malware.

Information systems under the ECC

The ECC does not contain a definition of information systems per se. All entities subject to the ECC are required to protect their information system and processing facilities by determining, documenting, approving, and applying processes for:

  • virus and malware protection to the best possible standards, including regular patching of all systems, applications, and devices;
  • restrictions on external storage; and
  • central clock synchronisation, for example using the Saudi Standards, Metrology and Quality Organization.

Network and information systems under the SAMA Cybersecurity Framework

The SAMA Cybersecurity Framework does not define network and information systems per se. SAMA-regulated entities are to define, approve, implement, and monitor the effectiveness of cybersecurity standards for their infrastructure components. Such standards should include:

  • the cybersecurity controls implemented;
  • the segregation of duties within the infrastructure component;
  • the protection of data aligned with the (agreed) classification;
  • the use of approved software and secure protocols;
  • segmentation of networks;
  • malicious code/software and virus protection;
  • vulnerability and patch management;
  • distributed denial-of-service protection (where applicable);
  • back-up and recovery procedures; and
  • periodic cybersecurity compliance review.

Network and information systems under the SHIE Policies

The SHIE Policies do not contain a definition for network and information systems per se. Minimum information security requirements specified in the SHIE Policies include:

  • infrastructure needs to be managed in accordance with ISO 27000 or SAS70/SSAE 16, relating to access and core secure management practices;
  • contingency and disaster recovery plans need to be implemented to ensure availability and integrity of data held in the SHIE system;
  • the exchange of information, from or via the SHIE system, needs to be encrypted, and the encryption must use either the Advanced Encryption Standard ('AES') or the Triple Data Encryption Algorithm ('3DES');
  • intrusion detection measures need to be implemented;
  • audit logs need to be kept; and
  • personnel handling health information involved in the support of SHIE systems need to receive proper training in privacy and confidentiality, and a sanctions policy for inappropriate use, transmission, copy, or disclosure of data needs to be implemented.

There is an expectation that SHIE systems may be managed to conform with the ISO/TC 215 standard: ISO 27799:2008, Health informatics - Information security management in health using ISO/IEC 27002, as well as an expectation that participants appoint a privacy/information security officer.

Critical information infrastructure operators

The ECC

Private sector entities that own, operate, or host Critical National Infrastructure ('CNI') are covered by the ECC. CNI is defined as 'such main elements of the infrastructure (i.e. assets, facilities, systems, networks, processes, and main workers who operate and deal with the same), which, if lost or exposed to compromises, may:

  • largely affect the availability, integrity, or delivery of basic services, including such services whose integrity being jeopardised may result in a huge loss in properties, lives, and/or injuries, considering large economic and/or social effects; or
  • largely affect the national security, national defence, and/or State economy or national capacity.'

The ECC does not contain separate requirements for operators or hosts of CNI. The ECC as a whole is applicable to such entities.

Operators of essential services

Operators of essential services are captured by the definition of CNI, as defined above, and are therefore required to comply with the ECC.

Cloud computing services

The ECC

'Cloud computing' is defined as a model for enabling on-demand network access to a shared pool of configurable IT capabilities/resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal operation management effort or service provider interaction, which allows users to access technology-based services from the cloud without knowledge of, expertise with, or control over the technology infrastructure that supports them.

The definition elaborates that a cloud computing model is composed of five essential characteristics:

  • on-demand self-service;
  • ubiquitous network access;
  • location independent resource pooling;
  • rapid elasticity; and
  • measured service.

It further states that there are three types of cloud computing service delivery models:

  • Cloud Software as a Service ('SaaS');
  • Cloud Platform as a Service ('PaaS'); and
  • Cloud Infrastructure as a Service ('IaaS').

Separately, it also explains that, based on the enterprise access for cloud computing, there are four models of cloud computing:

  • private cloud;
  • community cloud;
  • public cloud; and
  • hybrid cloud.

Controls under the Cloud Computing and Hosting Cybersecurity Subdomain of the ECC are applicable to, and binding on, any entity that currently uses, or plans to use, cloud computing and hosting services. Organisations subject to the ECC are required to determine, document, approve, and apply processes to ensure the protection of their informational and technical assets on cloud computing service hosted, treated, or managed by third parties. Such processes must cover at a minimum:

  • classification of data before hosting the same by providers of cloud computing and hosting services and sending it back to the organisation (in a usable format) upon the service expiry;
  • separation of the organisation's environment (especially virtual servers) from environments of other organisations providing cloud computing services; and
  • location of the organisation's information hosting and storage site inside the Kingdom of Saudi Arabia.

The CCC 2020

The CCC 2020 was developed to further clarify the cloud computing-related cybersecurity controls in the ECC, in particular, and most importantly, the prohibition on the use of cloud hosting outside the Kingdom contemplated in the ECC. The definition of 'cloud computing' in the CCC 2020 is identical to that contained in the ECC as described above.

The CCC 2020 contains localisation requirements with responsibility for compliance appearing to extend to cloud service providers that cater to government organisations and critical industry sector entities. In terms of the CCC 2020 controls, we note cloud providers would be required to provide cloud services from within Saudi Arabia, including from infrastructure hosted inside Saudi Arabia. There is limited relaxation on the localisation requirement in terms of cloud services provided for monitoring and support purposes (which would likely include cybersecurity related machine data monitoring).

The CCC 2020 also contains requirements for subject entities, i.e. CSTs. In the context of information systems, in addition to controls set out in the ECC, such entities are required to verify that the cloud service provider isolates the community cloud services provided to such entities from any other cloud computing provided to organisations outside the scope of work. Similarly, in the context of network protection, relevant entities are required to protect the 'connection channel' with the cloud service provider.

The SAMA Cybersecurity Framework

Member organisations are required to have the following controls in place for hybrid and public cloud services (but not private cloud services):

  • a contract including cybersecurity arrangements must be entered into prior to use. The contract must have SAMA's approval;
  • in terms of data location, in principle only cloud services located in Saudi Arabia should be used; where cloud services outside Saudi Arabia are to be used, the member organisation should obtain explicit approval from SAMA;
  • data use limitations must be set so that the cloud service provider may not use the member organisation's data for secondary purposes;
  • the cloud service provider should implement and monitor the cybersecurity controls as determined in the risk assessment for protecting the confidentiality, integrity, and availability of the member organisation's data;
  • data segregation, including that the member organisation's data is logically segregated from other data held by the cloud service provider, and should at all times be identifiable and distinguishable from other data;
  • business continuity requirements are to be met in accordance with the member organisation's business continuity policy;
  • cybersecurity audit, review, and monitoring by the member organisation must be permitted by the cloud service provider; and
  • the member organisation must have termination rights; data must be returned on termination and the cloud service provider has to irreversibly delete the member organisation's data on termination.

Digital service providers

Digital service providers are not required to comply with the ECC. However, the ECC encourages all entities in Saudi Arabia to apply best practices.

Nick O'Connell Partner
Zil Rehman Associate
Amy Land-Pejoska Associate
Al Tamimi & Company, Riyadh