Cyber Law in the Middle East

Saudi Arabia

Government Structure

 

Do they designate a lead cyber security agency within the government?

Yes.  The National Cybersecurity Authority (NCA).

Is oversight provided on a centralized or sectoral basis?

Centralized. The NCA oversees compliance with national  requirements. See Essential Cybersecurity Controls (ECC) 2018, pg. 6.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

N/A

How do they designate within these sectors?

N/A

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes. The ECC of 2018 "set the minimum cybersecurity requirements for information and technology assets in organizations." ECC 2018, pg. 8. 

Does it take a risk-based approach?

Yes. Per Control 1-5-1, "risk management methodology and procedures must be defined." ECC 2018, pg 15.

 

Do the security measures enable the use of international standards?

Unclear. The Introduction of the Essential Cybersecurity Controls of 2018 explain that the controls were developed "after conducting a comprehensive study of multiple national and international cybersecurity frameworks and standards." ECC 2018, pg. 7. 

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Unclear. Documents only reference that Saudi Arabia developed their standards "based on industry leading practices." The controls address many of the areas within the main 5 Framework Core Functions of NIST, but compatibility is not specific. ECC 2018, pg. 8.

 

Do they include prescriptive or technology-based security measures?

Yes. Per Control 1-3-3, cybersecurity policies "must be supported by technical security standards." ECC 2018, page 15. 

Incident Reporting

Are there mandatory incident reporting requirements?

Yes. Per Controls 2-13-1, requirements for cybersecurity incidents and threat management must be "defined, documented and approved." These plans must include response plans and escalation procedures, classifications, reporting requirements, incident notifications, and threat intelligence feeds (2-13-3). ECC 2018, page 24. 

Are there clear thresholds above which an incident should be reported?

Unclear. The thresholds may be set in the required plans mentioned above, but each plan will be unique to the agency or organization designing and implementing it. The proposed CFR requires that LSPs "report major incidents with appropriate details to CITC." Control 4.9.2, draft CRF for the ICT Sector, pg. 37.  

How do they determine the timeline within which an incident must be reported?

Similar to the answer above, these timelines will be unique to each plan. 

Threat Information Sharing

Have they established a national threat information sharing entity?

No. There is no center or entity that is specifically designed for national threat information sharing.

Does this entity share information out to industry, as well as receiving information?

Unclear based on available information.

Is threat information sharing mandatory for any private sector entity?

Yes.  The Essential Cybersecurity Controls require that organizations include cybersecurity incident reporting to the NCA. See ECC, pg 24.

Entities in the ICT Sector are required to provide compliance reporting, as well as information and documentation, upon request from the CITC. See Control Draft CRF for the ICT Sector, pg. 4.  

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

No. Such requirements are not outlined in the ECC or the new draft ICT regulations.

Are there requirements to cede control of facilities in an emergency situation?

No. Such requirements are not outlined in the ECC or the new draft ICT regulations.

Are there requirements to provide source code or other decryption capabilities?

No. Such requirements are not outlined in the ECC or the new draft ICT regulations.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No. Such requirements are not outlined in the ECC or the new draft ICT regulations.

Are there requirements to localize data?

No. Such requirements are not outlined in the ECC or the new draft ICT regulations.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Yes. An individual may be subject to a fine between 500,000-5 million riyals for committing various cyber crimes. Anti-Cyber Crime Law, Royal Decree No. M/17.  

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Yes. An individual may be subject to between 1-10 years for committing various cyber crimes. Anti-Cyber Crime Law, Royal Decree No. M/17

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Essential Cybersecurity Controls
(ECC – 1: 2018) was published in 2018. The Cybersecurity Framework for the ICT Sector was published on May 29, 2019. 

© 2023 by National Cyber Law Project Reference Site

uscc_3_color_CMYK_K100_R_Stacked transpa

Disclaimer: This material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason Law School.  It is not legal advice.  Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions.  The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change so you should consult other resources to ensure continued accuracy.