Guide for Cloud Service Providers in the Kingdom of Saudi Arabia Issued by Communication and Information Technology Commission

Post on 11-May-2018


Guide for Cloud Service Providers

in the Kingdom of Saudi Arabia

Issued by

Communication and Information Technology Commission


Contents

1. Introduction

2. Registration Obligation and Procedure

2.1. Who needs to register?

2.2. Procedure for registration

Appendix “A” Registration application form to provide Cloud Computing Services


1. Introduction

The Communications and Information Technology Commission (CITC or ‘the Commission’) is the entity authorized to regulate the telecommunications and information technology sector in the Kingdom of Saudi Arabia (the Kingdom) in accordance with the “Telecommunication Act” (the Act) issued by Royal Decree No. M/12 of 12/3/1422H (4/6/2001G). The Act provides the legislative foundation for developing and regulating the sector, on which “the Bylaw” is issued. The Commission issues regulatory frameworks, rules, guidelines, procedures and licenses, based on developments in the market, technologies and services, in accordance with its power to assist in improving the market and providing the services to end-users.

This document (“Guide for Cloud Service Providers”) issued by the Commission provides practical guidance on the implementation of the provisions of the Regulatory Framework on Cloud Computing (the “Regulatory Framework”). This document explains the registration process and requirements for Cloud Service Providers (CSPs) operating in the Kingdom. This Guide is published by the Commission for clarification and information purposes only. It does not constitute legal advice and its contents may be periodically changed or be subject to changes in the future, without notice. The terms defined in the Regulatory Framework, the Act and its Bylaw will have the same meanings in this guide.

In addition to the Regulatory Framework for Cloud Computing and other relevant regulations governing the provision of Cloud Computing Services, there are other relevant regulations in the Kingdom such as the Anti-Cyber Crime Act (issued under the Council of Ministers Decision No. 79, dated 7/3/1428H, and approved by Royal Decree No. M/17, dated 8/3/1428H), the Electronic Transactions Act (issued under the Council of Ministers Decision No. 80, dated 7/3/1428H, and approved by Royal Decree No. M/18, dated 8/3/1428H) and other rules and regulations governing the provision of Cloud Computing Services in the Kingdom. Similarly, public and private entities may have to comply with internal or sector-specific rules with regard to information security requirements, the confidentiality and processing of data, or other matters implicated in Cloud Computing. Accordingly, the legal responsibility lies with CSPs registered with the Commission and other interested parties to seek appropriate legal advice if they have any doubts regarding relevant regulations in the Kingdom to offer or take advantage of Cloud Computing Services.


2. Registration Obligation and Procedure

2.1. Who needs to register?

The registration obligation under “the Regulatory Framework” applies to any Company or Corporation engaged, in whole or in part, in the provision of Cloud Services in the Kingdom of Saudi Arabia, which exercises direct or effective control over:

- Datacentres or other critical Cloud System infrastructure hosted in the Kingdom and used in whole or in part for the provision of Cloud Services, and/or,

- the processing and/or storing of Customer Content classified as ‘Level Three’ Customer Content based on the classification system described in Article 3.3 of the Regulatory Framework.

Datacentres are legally defined in the Regulatory Framework as facilities “consisting of computing infrastructure and supporting components, which are housed in the same location and used, at least in part, for the storage and/or processing of Customer Content and Customer Data”.

A CSP that meets one or more of the conditions listed above must register with the Commission, so that the registry provides additional safeguards for the CSP and its customers regarding quality and reliability. Additionally, CSPs not meeting the above conditions may register on a voluntary basis for commercial purposes to attract customers.

In such cases, the Commission will have the right to reject such a request, at its discretion and without an obligation to provide a justification. In principle, the Commission may choose to do so if it has any reasons to believe that the CSP in question does not sufficiently demonstrate that it meets the required minimum technical qualifications, proven experience, quality standards, financial resources or other conditions.

2.2. Procedure for registration

1. Fill out the registration application form, signed by the legal representative and authenticated by the Chamber of Commerce, as shown in Appendix A.


2. Attach a copy of the valid Commercial Registration, compatible with the registration period.

3. Provide a clear copy of the legal representative’s identity documents (National Identity Document or proof of residence).

4. Provide information that describes the type of Cloud Computing Service(s) that are planned to be provided or are already provided through datacentres and/or other facilities in the KSA to: (a) Cloud Customers with a Residence or Customer Address in the KSA and (b) Cloud Customers outside the KSA.

5. Provide the following information regarding the Cloud Systems you use:

   a. A brief description of the Cloud System(s) you use or intend to use for the provision of Cloud Services to Cloud Customers in the KSA including, in particular:

      i. Any Datacentres located in the territory of the KSA, with their full address, contact details (tel/fax/email) and website.

      ii. The relationship that best describes your access to this Datacentre's capacity and infrastructure (e.g., owner, operator, co-owner, lessor or lessee of capacity, reseller, etc.).

   b. A brief description of any network or other key equipment associated with the above Datacentres and the relationship that best describes your access to, and use of, such key equipment.

   c. A description of any relevant international standards you meet regarding the quality of your services and your overall qualification as a Cloud Service provider.

   d. Attach to this application proof of any relevant certificates or credentials that you or your main shareholders or partners in the present Cloud Computing venture have in the KSA or elsewhere.

   e. You may also attach any available technical brochures, website printouts or other technical and commercial information related to the Cloud System(s) you use or intend to use for the purposes of this registration.

   f. Submit any documents certifying compliance with the technical standards listed below or, exceptionally, any other technical standards that are demonstrably equivalent or superior to those standards, subject to the Commission's satisfaction.

      i. ISO/IEC 27001 - Information security management

      ii. ISO/IEC 27017 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services

      iii. ISO/IEC 27018 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors


      iv. Certificate rating the level of maturity of the active infrastructure for the datacentre in the Kingdom. Such classification certificate must be from a recognized international standard such as (ANSI / TIA-942 / TIA-942A) or Uptime Institute or similar classification certificate, and must be for the active constructed facility (not only for the design documents).

6. Provide a brief description of the operations, in the KSA and elsewhere, of your company, its structure and the ownership details. Also provide any other statements covering the group that the Applicant belongs to (if available).

7. Provide a list of any licenses held to date in the KSA, granted by the Commission to (i) the Applicant, (ii) any Affiliate of the Applicant or (iii) any joint venture in which the Applicant or an affiliate of the Applicant participates.

8. Documents should be provided in Arabic, with the option of attaching other supporting documents in English.

9. Supporting documentation, agreements or links to websites on the Internet may be attached to the application.

The application can be delivered by hand or sent by mail to one of the following addresses:

Riyadh:
Communications & Information Technology Commission (CITC)
P.O. Box 75606, Riyadh 11588
Phone: 011 4618000

CITC Branch in Makkah Region:
Jeddah, Al Salamah District, Prince Sultan St., Opposite of Sultan Mall
ZAHRAN Business Center
The Northern tower, 12th floor, Office No 1205
P.O. Box 17313, Jeddah 21484
Phone: 012-2638000

CITC Branch in Eastern Region:
2nd floor, Al Dosary Tower, Alashre'aa Road, Al shati District, Dammam
P.O. Box 2218, Dammam 31451
Phone: 0138441818


Not later than 15 working days from the submission of the registration application form (or any subsequent submission of the registration application form if it has previously been deemed incomplete by the Commission), the Commission will inform the applicant of the result of the examination of the submission:

(a) that its application for registration is complete and the CSP is validly registered as a CSP by the Commission for a period of 1 year. The registration can be renewed after submitting the registration requirements referred to in this guide;

(b) that its registration application form is incomplete or otherwise deficient, with a reference to the information that is required to complete it; or

(c) that its registration application form cannot be accepted because the Applicant does not meet the relevant legal requirements for a registration.

The Commission will publish a list of the registered CSPs on its website and in its Annual Reports.


Appendix “A”

Registration application form to provide Cloud Computing Services

- Name of Company or Corporation (in Arabic)
- Name of Company or Corporation (in English)
- Company Registration Number
- Address of registration
- Registration date
- Registration and expiry date
- Name of representative
- Position
- ID Number
- Location and date of issue

P.O. Box:

- P.O. Box
- City
- ZIP Code
- Street
- District

Or postal address:

- Building number
- Street Name
- Quarter Name
- City
- ZIP Code
- Additional Number

- Landline
- Fax
- Mobile
- Website
- e-mail


I, the undersigned, as the legal representative of the company or corporation, declare the following:

- The company or corporation complies with the Commission statutes and its decisions related to the service to be provided and published on its webpage (www.citc.gov.sa).

- The company or corporation complies with the provisions of the Cloud Computing Regulatory Framework, any guidelines and regulations issued by the Commission and all regulations of the Kingdom, as well as any future amendments.

- The company or corporation shall extend, not later than one month from the effective date of this Declaration, its terms and conditions to its existing Cloud Customers (if any) with a residence or Customer Address in the Kingdom.

- The Applicant accepts that the Commission may publish any of the information provided by the Applicant in this Application, with the exception of any such information reasonably qualifying as a confidential business secret.

- The company or corporation will visit the website periodically to be updated on new regulations and conditions for service provision that may be applicable.

- The Applicant shall inform the Commission immediately of any changes to the information provided.

- The information provided in this Application and its attachments is true and correct.

- The Applicant will update information provided to the Commission in the event of any change.

- The Applicant shall maintain the ID and password used on the Commission website once created by the Commission, and bear the consequences and responsibility of any information or any action entered by this ID.

Seal:

_____________________

Name / Title

____________________

Signature

____________________

Date


Checklist for Registration to Provide Cloud Computing Services

Name of Company: ………………………..…………………………..

# | Requirement | Matching (Yes/No) | Reference page number

1. Fill out the registration application form, signed by the legal representative and authenticated by the Chamber of Commerce, as shown in the Appendix A.

2. Attach a copy of the valid Commercial Registration, compatible with the registration period.

3. Provide a clear copy of the legal representative’s identity documents (National Identity Document or proof of residence).

4. Provide information that describes the type of Cloud Computing Service(s) that are planned to be provided or are already provided through datacentres and/or other facilities in the KSA to: (a) Cloud Customers with a Residence or Customer Address in the KSA and (b) Cloud Customers outside the KSA.

5. A brief description of the Cloud System(s) you use or intend to use for the provision of Cloud Services to Cloud Customers in the KSA including, in particular:

   i. Any Datacentres located in the territory of the KSA, with their full address, contact details (tel/fax/email) and website.

   ii. The relationship that best describes your access to this Datacentre's capacity and infrastructure (e.g., owner, operator, co-owner, lessor or lessee of capacity, reseller, etc.).

6. A brief description of any network or other key equipment associated with the above Datacentres and the relationship that best describes your access to, and use of, such key equipment.

7. A description of any relevant international standards you meet regarding the quality of your services and your overall qualification as a Cloud Service provider.


8. Attach to this application proof of any relevant certificates or credentials that you or your main shareholders or partners in the present Cloud Computing venture have in the KSA or elsewhere.

9. You may also attach any available technical brochures, website printouts or other technical and commercial information related to the Cloud System(s) you use or intend to use for the purposes of this registration.

10. Submit any documents certifying compliance with the technical standards listed below or, exceptionally, any other technical standards that are demonstrably equivalent or superior to those standards, subject to the Commission's satisfaction.

   i. ISO/IEC 27001 - Information security management

   ii. ISO/IEC 27017 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services

   iii. ISO/IEC 27018 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

   iv. Certificate rating the level of maturity of the active infrastructure for the datacentre in the Kingdom. Such classification certificate must be from a recognized international standard such as (ANSI / TIA-942 / TIA-942A) or Uptime Institute or similar classification certificate, and must be for the active constructed facility (not only for the design documents).

11. Provide a brief description of the operations, in the KSA and elsewhere, of your company, its structure and the ownership details. Also provide any other statements covering the group that the Applicant belongs to (if available).

12. Provide a list of any licenses held to date in the KSA, granted by the Commission to (i) the Applicant, (ii) any Affiliate of the Applicant or (iii) any joint venture in which the Applicant or an affiliate of the Applicant participates.


13. Documents should be provided in Arabic, with the option of attaching other supporting documents in English.

14. Supporting documentation, agreements or links to websites on the Internet may be attached to the application.

Notes