Korean IT Expansion in Saudi Arabia: Navigating Data Center and Cloud Compliance
Korea Focus
Hyungmin Song, Senior Associate, Korea Group
David Yates, Partner, Head of Digital & Data
South Korea is home to many excellent and influential IT companies. As Saudi Arabia attracts world-class cloud providers, Korean companies are also joining the rush. In this context, we provide an overview of the Saudi data center regulations (the “Data Center Regulations”) and cloud regulations (the “Cloud Regulations”).
a. Scope of the Regulations
The Data Center Regulations apply to both wholesale and retail “Data Center Service Providers” that offer “Data Center Services” to others in KSA. (Defined terms are reproduced below for ease of reference.)
“Data Center Services” mean colocation services that include space, power, and cooling provided by Data Center Service Providers to Customers to host “co-locate” servers, network components, storage equipment etc.
“Data Center Service Providers” shall mean any entity which owns or rents, in whole or in part, a Data Center in the Kingdom, and has direct or effective control over the data center, and aims to provide Data Center Services for others.
The Data Center Regulations require Data Center Service Providers to register with the Communications, Space and Technology Commission (the “CST”) for each data center that they own/operate, during all stages of the development of a data center. It is important to note that if a Data Center Service Provider also intends to provide cloud computing services, then additional registrations under the Cloud Regulations will apply.
b. Registration
Data Center Service Providers must register with the CST (for each data center) from where they will be offering Data Center Services to customers in accordance with the four registration categories specified. Registrations are valid for three years (and may be renewed for similar periods) and there is no fee associated with registrations or renewals. The four registration categories are:
Qualifying Category: for entities that will develop new data centers (i.e., pre-operational). Qualifying data centers have the right to upgrade their categorization upon completion of the data center.
Limited Category: for pre-existing entities (new data centers cannot register under this category) that either hold a Tier I certification or a Tier design certification only, or those that do fulfil the requirements for Standard or Advanced categories.
Standard Category: for entities that hold a CST recognized Tier II construction certification. Standard data centers are required to be carrier neutral (i.e., allow other CST licensed connectivity providers to connect with the data center) and are required to provide energy management and sustainability plans for the reduction of energy consumption, carbon emissions and electronic waste.
Advanced Category: for entities that hold a CST recognized Tier III construction certification. Advanced data centers must also be carrier neutral and are also required to provide energy management and sustainability plans.
c. Obligations of Registered Data Center Service Providers
In addition to the registration requirements, Data Center Service Providers must, as per the Data Center Regulations:
Maintain their commercial registration and keep other relevant certifications valid (including registrations under the Data Center Regulations).
Provide necessary physical security for their facilities and ensure only authorized persons have access.
Provide their customers (in advance) with the technical characteristics and financial fees for their services.
Provide a Service Level Agreement (SLA) to their customers and if requested, notify customers of the actual level of SLA conventions.
Adhere to rules and guidance issued by CST with respect to SLAs, business continuity, disaster recovery and risk management for data centers.
Notify customers about liability insurance coverage that they maintain (so that customers can make informed decisions about their risk exposure).
Notify customers (within 15 days) of any decision to permanently shut down or stop offering services and continue to provide customers with services for at least three months (unless agreed otherwise) prior to shutting down.
Additionally, unless agreed otherwise:
Data Center Service Providers must also bear responsibility for any damage that occurs to their customers as a result of their acts or negligence which incur liabilities for their customers, irrespective of whether such acts or negligence occurs in KSA or abroad.
Service providers may not vacate their contractual liability towards their customers for losses or damages resulting from (i) a lack of physical security; or (ii) data center outages (if such losses and damages are attributable (in whole or in part) to intentional acts, negligence or omissions of the Service Provider).
d. Non-Compliance and Penalties
In case of non-compliance or violations, CST may impose penalties and fines pursuant to the Telecommunications and Information Technology Act (Telecoms Law) – i.e., a fine of up to SAR 25,000,000 (USD 6.6 million). Additionally, CST may also revoke or suspend registrations.
a. Scope
The Cloud Regulations apply to cloud services provided to subscribers in KSA and contain obligations on both cloud service providers and cloud customers. These include requirements to comply with obligations to localize government data and restrictions on transfers of data to recipients outside Saudi Arabia unless in accordance with applicable law.
One challenge with the Cloud Regulations is in assessing the scope of their application. They potentially apply to a variety of service providers, ranging from SaaS platform operators to IaaS service providers. As mentioned above, the Data Center Regulations indicate that data center owners/operators per se are not themselves ‘cloud service providers’ - unless they are also providing cloud computing services. The absence of a clear distinction between the different types of service providers makes the application of some of the requirements unclear.
b. Registration
Regulation 3.2.1 of the Cloud Regulations provides a registration requirement for cloud service providers who, “exercise direct or effective control over the data center or the critical infrastructure of a cloud computing system hosted and used in the Kingdom, in whole or in part, for the purpose of providing cloud computing services”.
The Cloud Regulations at Article 3.3 specify the various subscriber data classification categories, and these classifications determine the relevant cloud service provider registration class. In general terms, subscriber data is split into data of KSA government agencies (which is classified in terms of ‘top secret’, ‘secret’, ‘restricted’ and ‘public’ – see the table in 3.3 of the Cloud Regulations) and data of non-government agencies (which is split into ‘data received from government agencies’ (as per the government classifications); and ‘other’).
If a company wants to service the ‘full range’ of potential cloud customers, then it needs to ensure its data centers fall into Class C.
Applications for registration must be submitted to CST online. Registrations are valid for a period of three years and there is no cost associated with registration.
c. General Obligations
For completeness, we mention that the Cloud Regulations include other general obligations which apply not only to registered cloud service providers but to all cloud computing services in KSA (i.e., SaaS providers as well). These general obligations include customer protection type considerations including: minimum information in contracts, unfair terms, customer data protection, quality standards and liability for illegal / unlawful content.
In addition to the Data Center Regulations and the Cloud Regulations, the cloud service providers should also comply with the various regulations of other government authorities, including the National Cybersecurity Authority and the General Authority for Media Regulation.
For further information, please contact Hyungmin Song and David Yates.
Published in October 2025