Home Knowledge base Cloud CST's cloud rules explained: the Cloud Computing Regulatory Framework, registration categories, and what buyers should verify KNOWLEDGE BASE
CST's cloud rules explained: the Cloud Computing Regulatory Framework, registration categories, and what buyers should verify
CLOUD

CST's cloud rules explained: the Cloud Computing Regulatory Framework, registration categories, and what buyers should verify

SKYLINE Knowledge Base

Saudi Arabia regulates cloud providers through CST's cloud computing framework: a registration regime with categories tied to the data a provider may handle, a government/non-government data classification, and residency restrictions for certain government data. Here is what it m

Sooner or later, every Saudi procurement of cloud services hits the same line in the tender template: "The provider shall be registered with the competent authority." Which authority? Registered as what? And what does the registration actually guarantee you as a buyer? The answers live in the Kingdom's cloud regulatory framework administered by the Communications, Space & Technology Commission (CST) — a regime that is genuinely buyer-relevant, and genuinely misunderstood.

This explainer covers what the framework is, how the registration categories work, and — the practical part — the six things you should verify about any provider before signing. As always with evolving regulation: CST updates its instruments and guides, and the binding source is the current text on cst.gov.sa, not any summary.

Who regulates cloud in Saudi Arabia? (It's not one body)

Cloud buyers in the Kingdom deal with a division of labour that is worth one table:

Authority What it governs for cloud
CST (Communications, Space & Technology Commission, formerly CITC) The cloud market: registration of cloud service providers, the regulatory framework for providing cloud services, subscriber data classification and related residency restrictions
NCA (National Cybersecurity Authority) Cyber controls: the Cloud Cybersecurity Controls (CCC) that split security duties between providers and tenants — see our NCA CCC compliance guide
SDAIA Personal data: PDPL and its cross-border transfer rules — see the PDPL hosting guide
Sector regulators (SAMA, health authorities, etc.) Additional rules for their sectors — for financial entities, see the SAMA cloud checklist

If a provider's marketing conflates these — "we are fully licensed and compliant with all Saudi regulations" — treat it as a prompt for specific questions, not as an answer.

From CCRF to today's rules

The Cloud Computing Regulatory Framework (CCRF) was first issued in 2018 by the CITC (as CST was then named) — one of the earliest dedicated cloud regulatory regimes anywhere. A significantly revised version 3 followed, in effect from December 2020, simplifying registration and refining data classification. Since then, CST has approved updates under the banner of the Cloud Computing Services Provisioning Regulations and accompanying guides. Practitioners still say "CCRF" the way people say "CITC" — the label persists, the current text governs. For a buyer, the version history matters less than the three ideas that run through all of it: providers register, data is classified, and certain data faces residency restrictions.

Registration categories, decoded

The framework establishes a registration regime for cloud service providers with tiered categories — the national portal describes a qualification tier plus categories commonly labelled A, B and C — where higher categories correspond to stricter technical and organisational requirements and, correspondingly, to the more sensitive classes of subscriber data a provider may handle. Category C sits at the demanding end; it is the level global providers publicise when they want to serve Saudi government-linked workloads, and public compliance pages of several hyperscalers operating in the Kingdom reference exactly this.

The buyer's translation: a provider's category is a statement about what may be entrusted to it, not a quality medal. A modest category is perfectly adequate for a company website; a government data platform needs the top of the ladder. Matching category to workload is the whole game.

The data classification that drives everything

The framework's engine is its subscriber data classification. In broad strokes — and the current CST text controls the details — data divides into government data and non-government data, with government data further sub-levelled by sensitivity. Two consequences follow:

  1. Residency restrictions attach to certain government data classes — some categories must remain within the Kingdom on appropriately registered infrastructure.
  2. Private-sector, non-government data travels a lighter path — which is why an SME's website faces none of the friction a ministry's case-management system does.

If your organisation handles government data under contract — a common situation for Saudi engineering firms, consultancies and IT vendors — the classification of that specific data determines which providers and categories are even eligible. Ask the contracting authority for the classification in writing; do not guess it.

Who must register — and who is just reselling

The framework's registration duty attaches, in essence, to whoever exercises direct or effective control over the data centres or critical infrastructure used to deliver cloud services in or into the Kingdom. That test cuts through marketing: a brand that resells capacity on someone else's platform is not the entity controlling the infrastructure — which is fine and common, but it means the registration and control questions must be answered about the underlying operator too.

This is also where honesty from providers matters. Skyline Cloud, for example, is a Saudi managed cloud provider whose Saudi locations include Riyadh (ksa-c-1), Jeddah (ksa-w-1) and Dammam (ksa-e-1) — the Dammam option powered by Google Cloud's in-Kingdom region — and it states that plainly, because the layered model is a feature, not a secret: you get managed Saudi hosting with Arabic support and SAR billing, on infrastructure whose location you can name. That is the standard of transparency to demand from every vendor.

The six things buyers should verify

  1. Registration status and category of the provider — and, where the provider builds on another platform, of the underlying infrastructure operator. CST maintains the register; asking a provider for their registration details is a normal, expected question.
  2. Physical location of the specific region or facility that will host your services — city, not country; region name, not brand. Cross-check against the live map in our 2026 Saudi cloud regions guide.
  3. Data classification fit. If any of your data is government data, get its classification in writing and confirm the provider's category can lawfully host it.
  4. The subcontracting chain. Who else touches the service — CDN, backup operator, support outsourcer — and do the location and registration answers hold across the chain?
  5. Incident and cooperation obligations. Registered providers carry reporting and cooperation duties; ask how customer notification fits into their incident process.
  6. Exit and portability. Regulatory alignment does not replace contractual exit terms — data return formats, deletion confirmation, notice periods. Get them in the agreement.

Ten minutes of written answers to these six points tells you more about a provider than any brochure. Providers accustomed to the Saudi market answer them without friction — you can see the pattern on Skyline Cloud's data residency page, and test the operational reality directly with a free 14-day trial, no credit card.

What this means for an ordinary business

If you are a private company hosting your own website, email and applications with non-government data, the framework mostly works for you invisibly: it professionalises the provider market you buy from. You are not the regulated party — the provider is. Your obligations flow instead from PDPL (personal data) and any sector rules. The practical takeaway is simply to buy from providers who can answer the six questions above in writing, because the same transparency that satisfies a regulator is what protects you in an outage, an audit, or an exit.

Frequently asked questions

Is a CST registration the same as an NCA certification?

No. CST registration governs the provision of cloud services as a market activity; NCA's Cloud Cybersecurity Controls govern security controls, with their own provider and tenant duties. A serious provider can speak to both; a buyer should ask about both separately.

Do I, as a cloud customer, need to register with CST?

Registration duties target those providing cloud services and controlling the relevant infrastructure — not ordinary business customers consuming them. Your duties come from PDPL, NCA controls applicable to your organisation, and sector regulators.

My company handles government data under a contract. What changes?

The data's classification (obtained in writing from the contracting authority) determines which provider categories may host it and whether in-Kingdom residency is mandatory. This one question should precede any provider shortlist.

Where do I check the current rules?

CST's website (cst.gov.sa) publishes the current regulations, decisions and guides, and operates the registration services. Frameworks evolve — the 2018 CCRF, the version 3 in effect from December 2020, and subsequent provisioning-regulation updates — so always date-check what you are reading.

Turn regulation into a filter

The Kingdom's cloud framework hands buyers a free due-diligence tool: providers have already been sorted by what they may handle. Use the six questions, match category to workload, and put location in writing. Then test the shortlist the empirical way — open a free Skyline Cloud account (14-day trial, no credit card) and see how a transparent Saudi provider answers before you commit anything that matters.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.

See author profile
SKYLINE engineering services

Need this implemented for you?

Reading is free — building it right takes a team. SKYLINE engineers ship Cloud for Aramco vendors, banks, hospitals and government agencies across Saudi Arabia. Talk to us before you start.

Aramco Approved Contractor ISO 9001 · ISO 27001 SAMA CSF aligned NCA ECC ready 247+ KSA clients

Comments

0 total · 0 threads
Be the first to leave a comment.