What services does SKYLINE provide?

We provide specialized divisions including: Data Centre Design & Build (Tier III/IV), Cybersecurity SOC/NOC Operations, SCADA & Automation, Fire Safety, Construction, HVAC, AI Solutions, Server Infrastructure with HPE & Dell, and Software Development.

Does SKYLINE design and build data centres?

Yes, we specialize in Tier III and Tier IV data centre design and construction including electrical infrastructure, precision cooling, raised flooring, fire suppression, and Schneider Electric UPS systems. All our projects are SACS-002 compliant and trusted by major clients like Saudi Aramco and SABIC.

Where is SKYLINE located?

Our headquarters is in Dammam, Eastern Province, Saudi Arabia. We serve all regions of Saudi Arabia and GCC countries including Riyadh, Jeddah, Khobar, Dhahran, and Jubail.

What compliance certifications does SKYLINE hold?

We comply with NCA-ECC (Essential Cybersecurity Controls), SACS-002 (Saudi Communications Standards for Data Centres), ISO 27001 (Information Security Management), and SAMA Cybersecurity Framework.

What experience does SKYLINE have in the Saudi market?

SKYLINE was founded in 2019 with 6+ years of experience, has completed 15+ mega projects including the FIFA Club World Cup, and serves 200+ clients including Saudi Aramco, SABIC, Maaden, and STC.

SKYLINE Industrial & IT Solutions

A practitioner-grade walk-through of SAMA Cloud Computing Rulebook — Public, Private, Hybrid Bank Allowances. Scope, controls, implementation phases and audit-ready evidence — with sample policies and configs you can adapt for SAMA Banking Compliance.

SKYLINE Engineering @skyline

Published: Jan 17, 2026
Last updated: May 28, 2026
Reading time: 4 min

Compliance Ksa Cloud Banking Sama Cloud Data Residency

Overview

The SAMA Cloud Computing Rulebook (issued 2019, updated 2024) defines what cloud usage banks may adopt, under what controls, and which use cases need explicit SAMA pre-approval. The Rulebook works alongside the NCA Cloud Cybersecurity Controls (CCC) — but adds banking-specific requirements around data classification, sub-outsourcing and exit.

Who this applies to

Every SAMA-licensed bank, finance company, insurance provider and PSP.
Any cloud workload that processes Saudi customer data, payment data, or core banking data.

Cloud usage categories

| Category | Examples | SAMA pre-approval | |---|---|---| | Non-customer, non-confidential | Public website, training videos | Not required | | Internal IT support | Email, productivity apps | Notify only | | Customer-facing, non-critical | Marketing CRM, lead capture | Notify + risk assessment | | Critical or customer payment data | Mobile banking back-end, payment switch | Required | | Core banking ledger | Account postings, master records | Required + on-site review |

Data classification

SAMA uses a 4-tier classification:

| Tier | Description | Cloud allowed? | |---|---|---| | Public | Marketing, public website | Any region | | Internal | Internal docs | Any region, KSA preferred | | Confidential | Customer PII, balances | KSA region only | | Restricted | Card data, cryptographic keys, fraud detection models | KSA region + dedicated tenancy |

Step 1: Approval package

For pre-approval submissions:

Business case with cost-benefit analysis.
Data classification mapping.
CSP due-diligence pack (licence, SOC 2 Type II, ISO 27017/27018, ISO 22301).
Cybersecurity assessment versus the SAMA Cybersecurity Framework.
BCM / DR plan including cloud-region failure.
Exit strategy.
Sub-outsourcing disclosure.

SAMA decision window is typically 30-60 business days.

Step 2: Contractual mandates

The cloud contract must include:

Right to audit by the bank, by SAMA and by SAMA's appointed auditor.
Data residency clause: data and replicas in KSA.
24-hour incident notification clause.
90-day exit clause with data-export in non-proprietary formats.
Sub-processor notification 60 days in advance.
Liability cap aligned with banking-data damages, not generic IT cap.

Step 3: Tenant-side technical controls

Customer-managed encryption keys for confidential and restricted data.
Region pinning enforced via account-level guard rails.
Logging shipped to a SIEM inside the bank's perimeter.
Identity federation from the bank's IdP; no local cloud-console accounts.
Network egress restricted to known destinations.

# Sample AWS SCP fragment — deny non-KSA regions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideKSA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": ["me-central-1"] },
        "Bool": { "aws:ViaAWSService": "false" }
      }
    }
  ]
}

Step 4: Concentration risk

SAMA expects banks to monitor:

% of total IT spend on a single hyperscaler.
% of critical services dependent on a single provider.
Geographic concentration (single region usage).

If a hyperscaler becomes the dominant provider, contingency may include parallel provisioning in a second hyperscaler.

Step 5: Exit strategy

Document:

Trigger events (CSP licence revoked, force majeure, persistent breach).
Target alternative providers and a target migration timeline.
Data extraction procedures, including cryptographic re-keying.
Run-books for parallel operation during cut-over.

Common gotchas

Storing confidential data in a non-KSA region "temporarily" — automatic finding.
Sub-processor change disclosed retroactively rather than 60 days in advance.
CSP-managed keys instead of customer-managed for restricted data.
No documented exit timeline.

Verification

SAMA pre-approval letters per cloud workload.
Data classification map for every cloud bucket / DB.
Region-pinning enforcement via SCP.
Annual cloud-provider assurance reports.
Cloud BCM / DR test results.
Exit-strategy document per critical CSP.

Conclusion

SAMA cloud is permissive — but only when controlled. Get the approval package right, pin the region, manage your own keys, and your cloud bet pays off. Skip a step and SAMA will ask you to pause.

Related guides

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.

See author profile

SKYLINE engineering services

Need this implemented for you?

Reading is free — building it right takes a team. SKYLINE engineers ship SAMA Banking Compliance for Aramco vendors, banks, hospitals and government agencies across Saudi Arabia. Talk to us before you start.

Cybersecurity & Data Centre SACS-210, NCA ECC, SOC, 24/7 ops ZATCA & Financial Centre Phase-2 e-invoicing, FATOORA integration, GL controls

Talk to a SKYLINE engineer WhatsApp · +966 50 993 9334 Call +966 50 993 9334

Aramco Approved Contractor ISO 9001 · ISO 27001 SAMA CSF aligned NCA ECC ready 247+ KSA clients

Comments

0 total · 0 threads

Be the first to leave a comment.