Regulating cybersecurity licensing in Saudi Arabia: Localization and data protection

In a strategic move aimed at strengthening digital sovereignty and regulating the technology services market, the National Cybersecurity Authority in Saudi Arabia has launched an ambitious project to regulate licenses for providing cybersecurity services and products. This project, launched through the "Istilaa" platform, aims to enhance the efficiency of services offered and ensure their full alignment with the Kingdom's growing national requirements amidst its rapid digital transformation.

The context of digital transformation and the importance of the new regulation

This regulatory move comes at a time when Saudi Arabia is experiencing a massive digital transformation drive as part of its Vision 2030 goals. With the increasing reliance on digital solutions in both the public and private sectors, the need for a robust legislative and regulatory framework to ensure the quality and reliability of cybersecurity services has become urgent. This regulation is a cornerstone in protecting the Kingdom's critical infrastructure from escalating global threats, further solidifying Saudi Arabia's position as a regional and international leader in cybersecurity indicators.

License classification and operational mechanisms

The new project adopted a precise and comprehensive national classification covering five main areas, branching into 25 sub-areas. To ensure accurate governance, licenses were divided into two main categories, each with two levels:

  • Specialized license: Mandatory for entities that provide highly sensitive services, requiring advanced security standards.
  • General license: Intended for services and solutions of a less sensitive nature.

This framework targets any entity that provides cyber services or solutions to national entities, whether through direct or indirect contracting, with the exception of managed operations centers, which will be subject to independent regulation.

Data sovereignty: a red line

In the interest of national security, the regulatory framework imposes stringent conditions to enhance national data sovereignty. The authority emphasizes that services must be implemented, and data processed and stored, exclusively within the geographical boundaries of the Kingdom of Saudi Arabia, and it prohibits access to the data from abroad or its transfer in any form. Furthermore, the system categorically forbids the publication or sharing of any cybersecurity information or national entity data with any internal or external party without prior written consent, thus closing any loopholes that could lead to the leakage of sensitive information.

Localization and support for the national economy

The regulations did not overlook the economic aspect, stipulating adherence to local content quotas and the localization of critical jobs. In a move to support national talent, the regulations mandated that incident response service providers employ full-time Saudi specialists. Furthermore, the project restricted participation in vulnerability detection programs to eligible citizens and residents, thereby strengthening the development of qualified national capabilities in this vital field.

Incident response and financial oversight

The project established a precise mechanism for handling cyber incidents, obligating entities to report immediately via the "Haseen" platform or the number "936" upon detecting any suspicious activity. To ensure tracking and accountability, the system mandates that cyber incident records be retained for up to 25 years. From an oversight perspective, it requires entities to submit audited annual financial statements detailing cybersecurity revenues, and it grants the regulatory authority broad powers, including comprehensive inspections and the suspension or revocation of licenses in the event of any violations.