The Commission on Information and Communication Technologies (CITC), the telecommunications regulator in the Kingdom of Saudi Arabia (KSA), published a revised version 3 of its cloud computing regulatory framework (CCRF v3), which entered into force on 18/04/1442 H (corresponding to December 3, 2020). CCRF v3 replaces version 2 of the Cloud Computing Regulatory Framework (CCRF v2).
Among other things, the CCRF v3:
- updates the definition and type of captured services within the term “cloud service”;
- reorganizes cloud service provider (CSP) registration levels;
- reviews the client content classifications that existed under CCRF v2; and
- clarifies restrictions on transfers of customer content generated by the KSA government outside of KSA.
The issuance of CCRF v3 comes at a time when the CITC is playing an active role in promoting and regulating the use of cloud computing in KSA. On December 31, 2020, the CITC issued a study describing the legislative and regulatory status of cloud computing worldwide and considered KSA’s regulatory framework in relation to that of some of its international partners (including the United States of America, the United Kingdom and the European Union). The final findings of the study highlight KSA’s growing adoption of cloud services, with the CITC capturing internationally practiced cloud regulation through the issuance of CCRF v3.
Here is an overview of CCRF v3 and how it can affect your business.
What has changed?
Highlights of CCRF v3 include:
Scope of application
CCRF v3 still applies to any cloud service provided to cloud clients that have a residence or client address in KSA. However, CCRF v3 has updated the definition of “cloud service” to now expressly include software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS).
Anyone exercising direct or effective control over data centers or other critical cloud system infrastructure hosted in KSA and used (in whole or in part) for the provision of cloud services must register with the CITC. Although this registration obligation is not new, CCRF v3 imposes a new obligation on a CSP that exercises control over such data centers to use telecommunications infrastructure (including international infrastructure) only through operators licensed by the CITC.
CCRF v3 rearranges the CSP registration levels: there are now three registration categories (“A”, “B” and “C”, with “A” being the lightest and “C” the heaviest), assigned according to whether the applicant CSP complies with certain minimum technical standards and requirements set by the CITC.
Information security (classification of customer content)
Customer content may be subject to different levels of information security, depending on the level of confidentiality, integrity, and availability required. CCRF v3 has replaced the information security classifications of CCRF v2 and has adopted two new information security classifications. These are:
- “Saudi government data”, which is divided into four different levels, being “top secret”, “secret”, “confidential” and “public”; and
- “Non-governmental data”, which includes data that is not captured in any of the four security levels of Saudi government data, and also “data received from Saudi government entities” (which is classified, on receipt from the government entity, according to the four classification levels that apply to Saudi government data).
As with CCRF v2, it remains the responsibility of the cloud client to select the appropriate level of information security to be applied to its data, being the level that best suits its security requirements, specific needs, duties and obligations. This classification should also be reflected in any cloud contract entered into between a CSP and a cloud client.
Cloud customers whose content is classified as Saudi government data must contract with a CITC-registered CSP. Whether a CSP meets the requirements to process client content that belongs to a particular classification will depend on the category for which the CSP is registered.
Data location / residence requirements
There are several data location / residence requirements under CCRF v3. For example, among other requirements, CITC-registered CSPs and cloud clients must ensure that Saudi government data is not transferred outside of KSA, for any purpose and in any form, whether permanently or temporarily, unless such transfer is expressly permitted by a KSA law or regulation (other than CCRF v3).
It is important to note that the provisions of CCRF v3 (and in fact CCRF v2) are without prejudice to any other applicable legislation or requirements relating to the ability of a cloud client to outsource, transmit, process or store client content, data or information on a cloud system; where such outsourcing is permitted, any associated restrictions or protections must still apply.
CSPs must inform cloud clients, the CITC, and the National Cybersecurity Authority (without undue delay) of any cybersecurity incidents or breaches. In addition, CCRF v3 also imposes on CSPs the obligation to inform the CITC of any leakage of information (including personal data) known to the CSP.
In such cases, the CITC is responsible for notifying the National Data Management Office where such incidents or breaches affect, or are likely to affect, Saudi government data or a significant number of persons in KSA who are affected by the cybersecurity incident (including information leakage) because of their dependence on one or more cloud services.
What should the affected parties do now?
CSPs should assess how their operations are affected by CCRF v3, including the CITC registration requirements. CSPs and cloud clients should also review the classification of client content and whether this should be reflected in their cloud service contracts, including any data location / residency requirements that may apply as a result of that classification.
Other requirements under CCRF v3 may apply, for example, in relation to cloud contracting, data protection and other cloud client rights.