Dawn of the Data Centres: Data Centre Licensing in Saudi Arabia
Technology, Media & Telecoms Focus
Law Update: Issue 368 - Technology, Media & Telecoms Focus
Ali Abbas, Associate, Digital & Data
In August 2023, the Communications, Space & Technology Commission (CST) introduced the Data Centres Service Regulations (Regulations). The aim of the Regulations is to enhance data centre offerings in the Kingdom and provide regulatory transparency and a fair competitive environment for the benefit of cloud service providers (Customers) that wish to host and operate their cloud services in data centres located in the Kingdom.
The Regulations apply to both wholesale and retail data centre service providers (Service Providers) that offer Data Centre Services (Services) to others in the Kingdom. Service Providers include any entities that own or rent (in whole or in part) and have direct or effective control over a data centre in the Kingdom. Services include colocation services such as providing space, power and cooling to customers who either host or co-locate servers, network components and storage equipment. The Regulations require registration of Service Providers during all stages of the development of a data centre.
It is important to note that if Service Providers also provide cloud computing services, then they must separately register with the CST as a cloud computing service provider (separate from and in addition to the Regulations). Similarly, if a Service Provider holds a telecommunications license, then the Service Provider’s Services will also be subject to other applicable telecommunication services-related regulations.
Registrations are valid for three years (and may be renewed for similar periods) and there is no fee associated with registrations or renewals. Service Providers must register with the CST for each data centre from where they will be offering Services to Customers in accordance with the following registration categories:
Qualifying Category: for entities that will develop new data centres (i.e., pre-operational). Qualifying data centres have the right to upgrade their categorization upon completion of the data centre.
Limited Category: for pre-existing entities (new data centres cannot register under this category) that hold a Tier I certification, Tier design certification only or do not have any certifications or don’t fulfil the requirements for Standard or Advanced categories.
Standard Category: for entities that hold a CST recognized Tier II construction certification. Standard data centres are required to be carrier neutral (i.e., allow other CST licensed connectivity providers to connect with the data centre) and are required to provide energy management and sustainability plans for the reduction of energy consumption, carbon emissions and electronic waste.
Advanced Category: for entities that hold a CST recognized Tier III construction certification. Advanced data centres must also be carrier neutral and are also required to provide energy management and sustainability plans.
The Data Centre Regulations refer to tier construction certification “by certificates recognised by CST”. At present there is no further guidance from CST as to which certificates it recognises. However, the references to Tiers I, II, III or above appear to be references to the Uptime Institute’s Tier Standard and Tier Classification system.
In addition to the registration requirements, Service Providers must:
Maintain their commercial registration and keep other relevant certifications valid (including registrations under the Regulations).
Provide necessary physical security for their facilities and ensure only authorized persons have access.
Provide their customers (in advance) with the technical characteristics and financial fees for their services.
Provide Service Level Agreements (SLA) to their customers and, if requested, notify customers of the actual level of SLA conventions.
Adhere to rules and guidance issued by CST with respect to SLAs, business continuity, disaster recovery and risk management for data centres.
Notify customers about liability insurance coverage that they maintain (so that customers can make informed decisions about their risk exposure).
Notify customers (within 15 days) of any decision to permanently shut down or stop offering services and continue to provide customers with services for at least three months (unless agreed otherwise) prior to shutting down.
As per Regulation 7.11, contracts between Service Providers and Customers are to be governed and construed in accordance with the laws of Saudi Arabia. As for any disputes that are not settled within thirty (30) days, the courts of Saudi Arabia have jurisdiction to resolve them.
Although the regulations appear to allow parties an interim period (30 days) to resolve disputes through alternate means, it is unclear whether parties can contract out of the requirements of Regulation 7.11 (either by varying the governing law or by proposing an alternate dispute resolution mechanism). If the provisions of Regulation 7.11 are mandatory, it remains to be seen how Saudi courts will handle technical disputes.
In case of non-compliance or violations of the Regulations, CST may impose penalties and fines pursuant to the Telecommunications and Information Technology Act (Telecoms Law) and CST may also revoke or suspend registrations.
For further information, please contact Ali Abbas.
Published in May 2024