A strategic step to enhance cybersecurity in the Kingdom
In a significant regulatory step aimed at protecting the national cyberspace and enhancing data sovereignty, the National Cybersecurity Authority in the Kingdom of Saudi Arabia has launched a new project to regulate the licensing of cybersecurity services and products. This comprehensive regulatory framework aims to regulate the cybersecurity market, improve the efficiency of services provided, and ensure their compliance with the highest national requirements and standards, thus serving the Kingdom's strategic objectives.
General context: Keeping pace with Vision 2030 and digital transformation
These regulations come within the context of the rapid digital transformation underway in the Kingdom of Saudi Arabia as a key component of Vision 2030. With the increasing reliance on digital technologies across all government and private sectors, the critical need for a robust and reliable cybersecurity infrastructure has become paramount. The National Cybersecurity Authority was established in 2017 as the supreme regulatory and legislative body in this field, and this step complements its efforts to build an integrated defense system capable of countering escalating cyber threats and protecting vital national assets.
Key features of the new regulatory framework
The regulatory framework targets any entity that provides cybersecurity services or solutions to national entities, whether through direct or indirect contracting. The project has established strict controls to ensure its objectives are met, most notably:
- A precise licensing classification: The project adopted a precise national classification encompassing five main areas, each with 25 sub-areas. Based on this classification, two main types of licenses were defined: “Specialized Licenses” for highly sensitive services, and “General Licenses” for less sensitive services, thus ensuring precise governance of the sector.
- National Data Sovereignty: The framework emphasized the principle of data sovereignty, stipulating that services, data processing and storage must be carried out exclusively within the Kingdom of Saudi Arabia, with any access to them from outside the Kingdom prohibited, which enhances the protection of sensitive information.
- Localization of jobs and local content: In support of the national economy and building local capabilities, the regulation stipulated adherence to specific ratios for local content and localization of sensitive jobs, and obligated incident response service providers to employ full-time Saudi specialists.
Accident handling and control mechanism
To establish a rapid and effective response mechanism, the project mandates that entities immediately report any cyber incidents or suspicions via the “Haseen” platform or the dedicated number (936). It also strictly prohibits the publication or sharing of any cybersecurity information belonging to national entities without prior written consent. To ensure compliance, the framework grants the authority broad oversight powers, including comprehensive inspections and the suspension or revocation of licenses in cases of proven violations.
Expected impact at the local and international levels
Domestically, these regulations are expected to contribute to creating a more mature and reliable cybersecurity market, encouraging investment in local companies, and providing quality job opportunities for Saudi talent. Internationally, this step solidifies the Kingdom's position as a leader in cybersecurity governance in the region and sends a clear message to global companies operating in the Saudi market about the necessity of adhering to stringent national standards, particularly regarding data sovereignty and technology localization.
