Guide for Cloud Service Providers in the Kingdom of Saudi ...

1 Guide for Cloud Service Providers in the Kingdom of Saudi Arabia Issued by Communication and Information Technology Commission Contents 1. Introduction .. 1. 2. Registration Obligation and Procedure .. 2. Who needs to register? .. 2. Procedure for 2. Appendix A Registration application form to provide Cloud Computing Services .. 6. 1. Introduction The Communications and Information Technology Commission (CITC or the Commission') is the entity authorized to regulate the telecommunications and information technology sector in the Kingdom of Saudi Arabia (the Kingdom ) in accordance with Telecommunication Act (the Act) issued by Royal Decree No.

2 M/12 of 12/3/1422H (4/6/2001G). The Act, provides the legislative foundation for developing and regulating the sector, on which the Bylaw is issued. The Commission issues regulatory frameworks, rules, guidelines, procedures and licenses, based on developments in the market, technologies and services, in accordance with its power to assist in improving the market and providing the services to end-users. This document ( Guide for Cloud Service Providers ) issued by the Commission provides practical guidance on the implementation of the provisions of the Regulatory Framework on Cloud Computing (the Regulatory Framework ).

3 This document explains the registration process and requirements for Cloud Service Providers (CSPs) operating in the Kingdom . This Guide is published by the Commission for clarification and information purposes only. It does not constitute legal advice and its contents may be periodically changed or be subject to changes in the future, without notice. The terms defined in the regulatory framework, the Act and its Bylaw will have the same meanings in this Guide . In addition to the Regulatory Framework for Cloud Computing and other relevant regulations governing the provision of Cloud Computing Services, there are other relevant regulations in the Kingdom such as the Anti-Cyber Crime Act (issued under the Council of Ministers Decision No.)

4 79, dated 7/3/1428 H, and approved by Royal Decree No. M/17, dated 8/3/1428H), the Electronic Transactions Act (issued under the Council of Ministers Decision No. 80 dated 7/3/1428 H and approved by Royal Decree No. M/18 dated of 8/3/1428H) and other rules and regulations governing the provision of Cloud Computing Services in the Kingdom . Similarly, public and private entities may have to comply with internal or sector-specific rules with regard to information security requirements, the confidentiality and processing of data, or other matters implicated in Cloud Computing.

5 Accordingly, the legal responsibility lies with CSPs registered with the Commission and other interested parties to seek appropriate legal advice if they have any doubts regarding relevant regulations in the Kingdom to offer or take advantage of Cloud Computing Services. Guide for Cloud Service Providers Page 1 of 7. 2. Registration Obligation and Procedure Who needs to register? The registration obligation under the Regulatory Framework applies to any Company or Corporation engaged, in whole or in part, in the provision of Cloud Services in the Kingdom of Saudi Arabia, which exercises direct or effective control over: Datacentres or other critical Cloud System infrastructure hosted in the Kingdom and used in whole or in part for the provision of Cloud Services, and/or, the processing and/or storing of Customer Content classified as Level Three' Customer Content based on the classification system described in Article of the Regulatory Framework.

6 Datacentres are legally defined in the Regulatory Framework as facilities consisting of computing infrastructure and supporting components, which are housed in the same location and used, at least in part, for the storage and/or processing of Customer Content and Customer Data. The CSP that meet one or more of the conditions listed above must register with the Commission, so that the registry would provide additional safeguards for him and the customers regarding quality and reliability. Additionally, CSPs not meeting the above conditions may register on a voluntary basis for commercial purposes to attract customers.

7 In such cases, the Commission will have the right to reject such a request, at its discretion and without an obligation to provide a justification. In principle, the Commission may choose to do so if it has any reasons to believe that the CSP in question does not sufficiently demonstrate that it meets the required minimum technical qualifications, proven experience, quality standards, financial resources or other conditions. Procedure for registration 1. Fill out the registration application form, signed by the legal representative and authenticated by the Chamber of Commerce, as shown in the Appendix A.

8 Guide for Cloud Service Providers Page 2 of 7. 2. Attach a copy of the valid Commercial Registration, compatible with the registration period. 3. Provide a clear copy of the legal representative's identity documents (National Identity Document or proof of residence). 4. Provide information that describes the type of Cloud Computing Service (s) that are planned to be provided or are already provided through datacentres and/or other facilities in the KSA to: (a) Cloud Customers with a Residence or Customer Address in the KSA and (b): Cloud Customers outside the KSA. 5. Provide the following information regarding the Cloud Systems you use: a.

9 A brief description of the Cloud System(s) you use or intend to use for the provision of Cloud Services to Cloud Customers in the KSA including, in particular: i. Any Datacentres located in the territory of the KSA, with their full address, contact details (tel/fax/email) and website. ii. The relationship that best describes your access to this Datacentre's capacity and infrastructure ( , owner, operator, co-owner, lessor or lessee of capacity, reseller, etc.). b. A brief description of any network or other key equipment associated with the above Datacentres and the relationship that best describes your access to, and use of, such key equipment.

10 C. A description of any relevant international standards you meet regarding the quality of your services and your overall qualification as a Cloud Service provider. d. Attach to this application proof of any relevant certificates or credentials that you or your main shareholders or partners in the present Cloud Computing venture have in the KSA or elsewhere. e. You may also attach any available technical brochures, website printouts or other technical and commercial information related to the Cloud System(s) you use or intend to use for the purposes of this registration. f.