Background
A second version of the Cloud Computing Regulatory Framework (the Framework) was
published on CITC's website on 12 February 2019. It will replace the previous version with
effect from 14 March 2019 to govern the provision of cloud-based IT services in the Kingdom
of Saudi Arabia (KSA).
Summary of changes
Reduced scope of application: The Framework is only intended to bind cloud service
providers (CSPs) who conclude agreements for cloud services with customers
resident or having an address in KSA. In the previous version, the Framework was
also binding on CSPs owning, operating or offering access to data centres or any
other elements of a cloud system located in KSA even where that party did not
contract with a Saudi end user.
Responsibility for security: Cloud customers are now explicitly responsible for
implementing the necessary security features to protect their content. The previous
version of the Framework was ambiguous in terms of passing this responsibility to
CSPs. The CSP must inform customers, upon request, of the information security
features it offers.
Transfers outside KSA: It is now the responsibility of cloud customers (and not CSPs)
to ensure that 'Level 3' content is not transferred outside KSA unless permitted by
law or regulation and that it is not transferred to a public, community or hybrid
cloud other than those operated by registered CSPs.
Customer protection and unfair contract terms: The updated Framework clarifies
that the customer protection provisions (including restrictions on excluding liability)
extend only to individual consumers. Accordingly, CSPs will have greater scope to
negotiate terms with enterprise customers.
Comment
The updated Framework reduces a number of the obligations on CSPs while maintaining
strong protection for consumer rights. The lower compliance burden should be beneficial for
CSPs operating in KSA with the intention of supporting the country's overall development
strategy, which is underpinned by technological innovation and e-services.
Customers or CSPs that have executed contracts for cloud services in KSA during the last 12
months should review those arrangements to ensure compliance with the new
regime.
The content of this article is intended to provide a general guide to the subject matter.
Specialist advice should be sought about your specific circumstances.