After introducing its innovative regulatory framework for cloud computing in 2018, Saudi

Arabia's Communications and Information Technology Commission (CITC) has issued an

update that contains some notable changes for cloud service providers and customers alike.

Background

A second version of the Cloud Computing Regulatory Framework (the Framework) was
published on CITC's website on 12 February 2019. It will replace the previous version with
effect from 14 March 2019 to govern the provision of cloud-based IT services in the Kingdom
of Saudi Arabia (KSA).

Summary of changes

Key changes introduced by the update include:

 Reduced scope of application: The Framework is only intended to bind cloud service
providers (CSPs) who conclude agreements for cloud services with customers
resident or having an address in KSA. In the previous version, the Framework was
also binding on CSPs owning, operating or offering access to data centres or any
other elements of a cloud system located in KSA even where that party did not
contract with a Saudi end user.

 Limited registration requirements: Only CSPs that exercise direct or effective

control over data centres or other critical cloud system infrastructure hosted in KSA
are now required to register with CITC. Under the original system, CSPs processing
'Level 3' customer content were also required to register (for the purposes of the
Framework, 'Level 3' means customer content from regulated industries in the
private sector, sensitive content of public authorities or other content for which a
customer requested a Level 3 classification).

 Responsibility for security: Cloud customers are now explicitly responsible for
implementing the necessary security features to protect their content. The previous
version of the Framework was ambiguous in terms of passing this responsibility to
CSPs. The CSP must inform customers upon request of the information security
features they offer.

 Transfers outside KSA: It is now the responsibility of cloud customers (and not CSPs)
to ensure that 'Level 3' content is not transferred outside KSA unless permitted by
law or regulation and that it is not transferred to a public, community or hybrid
cloud other than those operated by registered CSPs.

 Clarification of CSP's safe harbour defences: There is no obligation on CSPs to

monitor their cloud systems for unlawful or infringing content and any official take-
down notice will be satisfied for the purposes of the Framework if the content is
removed from cloud equipment located in KSA.

 Customer protection and unfair contract terms: The updated Framework clarifies
that the customer protection provisions (including restrictions on excluding liability)
extend only to individual consumers. Accordingly, CSPs will have greater scope to
negotiate terms with enterprise customers.

Comment
The updated Framework reduces a number of the obligations on CSPs while maintaining
strong protection for consumer rights. The lower compliance burden should be beneficial for
CSPs operating in KSA with the intention of supporting the country's overall development
strategy, which is underpinned by technological innovation and e-services.

Customers or CSPs that have executed contracts for cloud services in KSA during the last 12
months should be reviewing those arrangements to ensure compliance with the new
regime.

The content of this article is intended to provide a general guide to the subject matter.
Specialist advice should be sought about your specific circumstances.