The Communications and Information Technology Commission (CITC), the telecoms regulator in KSA, issued the third version of its Cloud Computing Regulatory Framework (CCRF v3), which came into effect on 3 December 2020 (18/04/1442 H).
What does this mean for current business practices?
- Scope of application: The updated version 3 of CCRF applies to any cloud service provided to customers with a residence or address in KSA. The definition of “cloud service” has been updated to include Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).
- CITC registration: Anyone with direct or effective control over data centres or critical cloud system infrastructure located in KSA and used to provide cloud services must register with the CITC, and may only use telecommunications infrastructure (including international infrastructure) licensed by the CITC. Version 3 of the CCRF rearranges the registration levels according to the applicant CSP's conformance with specified minimum technical standards and requirements.
- Information security (customer content classification): Customer content can be subject to different levels of information security, depending upon the level of confidentiality, integrity and availability required.
It is the responsibility of the cloud customer to select the appropriate information security level which best matches their security requirements, specific needs, duties and obligations. Such classification should be reflected in the cloud contract.
Cloud customers whose content is classified as Saudi Government Data must contract with a CSP registered with the CITC.
- Saudi Government Data: “top secret”, “secret”, “confidential” and “public”.
- Non-Government Data: data that does not fall under any of the four levels of Saudi Government Data.
- Data localisation/residency requirements: The CCRF v3 contains various data localisation/residency requirements. For example, CSPs registered with the CITC and their cloud customers must ensure that Saudi Government Data is not transferred outside KSA, for any purpose and in any form whatsoever, whether permanently or temporarily, unless such transfer is expressly permitted by a law or regulation in KSA (other than the CCRF v3 itself).
- Cybersecurity requirements: CSPs must inform their cloud customers, the CITC and the National Cybersecurity Authority, without undue delay, of any cybersecurity incident, breach or information leakage.
What is the purpose behind this?
While the stated aim is to protect government, consumer and personal data, the CCRF will also have a number of positive and negative side effects. While the framework is being circulated and government entities are transitioning to mechanisms compliant with it, we can speculate that it will lead to:
- protection of local cloud service providers from international competition
- fostering of startups in the cloud sector and development of capacity, capabilities and resources at a national level
- delays in data-based consultancy work during the transition period
It can be seen as an act of protectionism, which is relatively favourable for the local economy in the long term and is common practice.
Do CCRFs exist in all countries?
Saudi Arabia’s Ministry of Communications and Information Technology (MCIT) unveiled its official Cloud-First Policy in October 2020, encouraging the public sector to migrate from traditional IT solutions to cloud-based models. Other countries with similar policies include the US, UK, Japan, Belgium, the Netherlands, Luxembourg, Norway, Denmark, Sweden, Finland and Germany, and, within the region, the UAE and Bahrain.
Frameworks regulating IT, cloud and SaaS services are well established in Oman and many other countries, and are welcomed by local businesses and the public sector.