Saudi Arabia: New Policy and Regulatory Framework for Managed Security Operations Centre

On March 10, 2024, the National Cybersecurity Authority (NCA) of Saudi Arabia introduced a new policy and regulatory framework to bolster cybersecurity regulations in Saudi Arabia. This framework adds to the array of standards, policies and guidelines already administered by the NCA.

This new policy and regulatory framework will apply specifically to organizations offering managed security operation centre (MSOC) services in the Kingdom.  MSOC services encompass activities such as cyber threat detection, monitoring, recommending remediation measures and implementing solutions against cyber threats.

At the moment, many of these activities are offered to Saudi clients across borders, with the MSOC service provider frequently based outside Saudi Arabia. Such arrangements will no longer be permissible under the new policy and regulatory framework.  Under this new regime, MSOC service providers must form a legal entity in Saudi Arabia, operate locally and process data within its borders.

MSOC service providers are now required to obtain a Tier 1 or a Tier 2 license from the NCA.  A Tier 1 license will allow them to provide MSOC services to government entities or those operating national critical infrastructure.  In order to obtain and retain a tier 1 license, MSOC service providers will be required to meet Saudi ownership requirements and establish their regional headquarters in the Kingdom.  Tier 2 licenses, by contrast, will be authorized to provide MSOC services to any Saudi client, except government entities or those operating national critical infrastructure.  There is no requirement for these licensees to meet Saudi ownership requirements, but they need to be legally incorporated in Saudi Arabia.

Both tiers of licensees will be required to abide by various baseline obligations, including:

• employing a minimum number of NCA-licensed MSOC analysts, likely Saudi nationals;
• providing MSOC services from within Saudi Arabia;
• ⁠ensuring that the MSOC facilities and the data they process remains within Saudi Arabia;
• ⁠integrating with the Saudi Arabia national security operation centre.

These changes mean that organizations offering cybersecurity services from abroad into Saudi Arabia can no longer do so lawfully, significantly altering the cybersecurity landscape in the Kingdom.

Please do not hesitate to contact TMT Law if you have any question or need for practical assistance about how to comply with this new policy and regulatory framework.