Government cloud computing regulations: New standards for digital transformation

In a strategic move aimed at accelerating digital transformation in Saudi Arabia, the Digital Government Authority a binding document mandating the adoption of cloud computing across all government entities. This step aims to solidify operational efficiency and enhance the quality of digital services, aligning with the goals of Vision 2030, which places digital infrastructure at the heart of its national priorities.

The context of digital transformation and Vision 2030

This decision is not merely an administrative procedure; it is part of a comprehensive system spearheaded by the Kingdom to become a regional and global hub for technology and innovation. Since the launch of Vision 2030, the country has been working to modernize its digital infrastructure, with cloud computing being the primary driver of this modernization. Cloud computing provides the necessary flexibility for government entities to expand their services and reduce the capital costs associated with traditional data centers.

Details of the new regulations: specialized units and administrative structure

The authority established a comprehensive regulatory framework requiring government entities to create a specialized cloud computing administrative unit within their organizational structures. To ensure the effectiveness of these units, the regulations stipulated the following:

• Leadership and Experience: Appoint a senior unit manager with high technical and administrative expertise to lead the transformation process.
• Governance Committee: A high-level governance committee is formed, chaired by the top official in the entity, to directly supervise strategies and critical decisions.
• Capacity building: Developing a comprehensive plan to train the organization's staff and bridge skills gaps to ensure operational sustainability.

The hierarchy for selecting technical solutions

The authority has established a strict methodology for selecting cloud services to ensure maximum benefit from the technology, requiring entities to follow the following order when implementing any new service:

1. Software as a Service (SaaS): As a first and primary option to reduce the burden of development and maintenance.
2. Platform as a Service (PaaS): The second option if off-the-shelf software is not available.
3. Infrastructure as a Service (IaaS): The last resort when a dedicated infrastructure is needed.

Security and sovereignty compliance

Given the importance of national data, the regulations emphasize security and sovereignty aspects, prohibiting contracts with any cloud computing service provider not registered with the Communications, Space and Technology Authority . Entities are also obligated to fully comply with data classification and protection guidelines issued by the National Data Management Office , and to adhere to the cybersecurity regulations issued by the National Cybersecurity Authority to protect digital assets from threats.

Financial oversight and spending efficiency

To ensure financial sustainability, the standards require entities to implement rigorous financial tracking systems to monitor cloud operating expenses. This includes conducting periodic reviews to analyze costs and benefits, and issuing regular reports to the authority containing accurate indicators on adoption rates and spending levels, thus contributing to efficient government spending and preventing financial waste.