KSA: Movement in Saudi Arabia’s cybersecurity regulatory regime

Some developments in Saudi Arabia’s cybersecurity landscape have attracted surprisingly little attention. Specifically, there have been changes to the National Cybersecurity Authority’s Essential Cybersecurity Controls 2018. Not all of these are newsworthy, but some key changes can be found in the 2024 version. In this note, we provide a brief overview.

Scope of application

A key problem with the ECC 2018 has always been the scope of application to “government organisations in the Kingdom (including ministries, authorities, establishments and others) and its companies and entities” (as well as to private sector entities that own, operate or host Critical National Infrastructure). In many instances, the scope is very clear, but the wording makes no distinction between, for example, companies that are 100% government owned and companies that have a limited degree of government ownership. Does any government interest in an entity result in the application of the ECC 2024 to that entity? Unfortunately, by simply adding the words “inside and outside the Kingdom” to the original 2018 wording, the ECC 2024 may have missed an opportunity to really clarify this fundamental ambiguity. 

Removal of in-country data hosting and storage requirement

One of the most significant changes found in the ECC 2024 is the removal of the requirement for entities subject to the ECC to host and store data within the Kingdom of Saudi Arabia. These few lines tucked in the back of ECC 2018 (and their relationship with other Saudi rules) have caused a significant amount of confusion over the years, particularly for foreign entities seeking to service Saudi clients that are subject to the ECC. While this data localisation requirement no longer appears in the ECC 2024, it is important to note that localisation considerations may still remain due to requirements found in other rules. 

For example, the Cloud Computing Services Provisioning Regulations (issued by CST, the telecoms regulator) require ‘subscribers’ whose data is classified as ‘data of Saudi government agencies’ to use cloud service providers registered with CST. This requirement is not of as broad an application as first appears, but it basically requires such subscribers to use infrastructure as a service (IaaS) type cloud services that utilise data centres located in Saudi Arabia and that are registered with CST. Further relevant rules may be found in specific sectors, such as financial services and communications, where sector-specific requirements contemplate the use of infrastructure located in the Kingdom for the hosting of data and provision of services. It is worth checking on a case-by-case basis to see whether/how such rules may apply. 

Saudi-ization of cybersecurity roles

The ECC 2024 broadens requirements around cybersecurity positions. Under ECC 2018, the requirement was that senior roles (i.e. the position of cybersecurity function head (e.g., CISO), and related supervisory and critical positions within the function) were to be filled with full-time and experienced Saudi cybersecurity professionals. Under ECC 2024, the requirement is now that all cybersecurity positions must be filled with full-time and qualified Saudi cybersecurity professionals. While there are already broader IT sector Saudi-ization requirements, the practical implication of this new wording in ECC 2024 is that it may become difficult to fill cybersecurity roles as the demand for expertise is likely to outstrip supply in the short to mid-term.

Other changes

Other apparent changes generally fall into the following categories: enhanced security, consolidation and clarity.

• Enhanced security: The ECC 2024 includes various measures aimed at enhancing security standards. These include the introduction of a cybersecurity requirement for network security management to include protection against Distributed Denial of Service (DDoS) attacks to limit risks arising from such attacks, along with more detailed requirements relating to multi-factor authentication.
• Consolidation: The ECC 2024 seeks to consolidate aspects addressed by NCA or other authorities in other documents, by removing controls from the ECC and directing users to corresponding requirements elsewhere. These include removing provisions relating to cryptography, industrial controls and cybersecurity requirements for handling data and directing users to NCA’s Cryptographic Standards, Operational Technology Cybersecurity Controls and Data Cybersecurity Controls, respectively; and by referring users to the Saudi Data & Artificial Intelligence Authority’s National Data Management Office in respect of privacy / personal data.
• Clarity: The ECC 2024 refines some of the terminology found in the ECC 2018, including by adding and deleting terms, definitions and abbreviations.

The ECC 2024 was made available for public consultation between 30 September and 15 October 2024 on the Saudi government's istitlaa consultation website. The website is showing the consultation period as ‘closed’, and the NCA's website now features the 2024 version. It seems that the consultation period was completed very quickly.

For further information on Saudi Arabia’s cybersecurity regulatory regime and how it may impact on your business, please get in touch with Nick O'Connell nick.oconnell@twobirds.com or Simon Shooter simon.shooter@twobirds.com.