Saudi Arabia


In recent years, Saudi Arabia has seen a fast expansion in the usage of digital technology, which has heightened the risk of cyberattacks. In response to this threat, the Saudi government established the National Cybersecurity Authority (NCA) as the government institution in charge of cybersecurity in the kingdom, serving as the national authority on its issues. The NCA has both regulatory and operational cybersecurity functions, and it collaborates closely with public and private entities to improve the country’s cybersecurity posture in order to protect vital interests, national security, critical infrastructures, high-priority sectors, and government services and activities in accordance with Vision 2030.

Eshield Provides a wide range of services to our clients in the Middle East including but not limited to:

    • Personal Data Protection Law(PDPL): The Kingdom of Saudi Arabia has published its first-ever comprehensive data protection law. The Personal Data Protection Law (PDPL) aims to protect individuals’ personal data privacy and regulate organizations’ collection, processing, disclosure, or retention of personal data. The PDPL provides comprehensive requirements related to processing principles, data subjects’ rights, organizations’ obligations while processing the personal data of individuals, and cross-border data transfer mechanisms and lays out penalties for organizations in case of non-compliance with the PDPL. One of the prominent features of the PDPL is that it does not prejudice any provision that grants a right to the data subject or stipulates better protection in any other law or an international convention to which Saudi Arabia is a party. Reference
    • SAUDI ARABIAN MONETARY AGENCY (SAMA): The Saudi Arabian Monetary Authority (SAMA) is the central bank of Saudi Arabia. SAMA introduced its Cyber Security Framework in 2017 in order to guide regional organizations on how to effectively maintain the protection of information assets and online services. All financial institutions regulated by SAMA are responsible for complying with the Cyber Security Framework – including all banks, insurance companies, and finance companies that operate within Saudi Arabia. Compliance preparation starts with developing and following a data protection strategy. A solid and efficient strategy includes data encryption and wiping. Reference
    • PCI DSS: The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive the adoption of data security standards and resources for safe payments worldwide. The PCI SSC’s mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry. Reference
    • Anti-Cybercrimes Law: The Anti-Cybercrime Law was issued through a Royal Decree in Saudi Arabia in 2007. The law aims at combating cyber crimes by identifying such crimes and determining their punishments to ensure information security, protection of rights pertaining to the legitimate use of computers and information networks, protection of public interest, and morals, and protection of the national economy. Reference 
    • Implementing Regulations of the Telecom Law: The Saudi telecoms market is the largest in the GCC, and its licensing structure provides opportunities for a variety of market participants. In this article, we provide a general outline of the various license categories and the violations associated with non-compliance. Pursuant to the Telecoms Law (Royal Decree No. (M/12) of 12/03/1422H (3 June 2001); Council of Ministers Resolution No. (74) of 05/03/1422H (27 May 2001), the Communications and Information Technology Commission (‘CITC’) is responsible for identifying the telecommunications-related licenses available in the Kingdom, and the conditions an applicant must meet in order for the relevant license to be issued.The Telecoms Law contemplates four broad categories of licenses, which are further detailed in the Telecoms Regulations (Telecom Act Bylaws (Ministerial Resolution No. (11) of 17/05/1423H (27 July 2002)) Reference
    • The Cloud Computing Regulatory Framework: According to Article Three of the Communications Law (hereinafter referred to as the “Law”), the communications and information technology sector shall be regulated – among other objectives – by creating and encouraging an appropriate climate for fair and effective competition in all areas of communication and information technology. Reference
    • The Medical Practitioners Law: The Kingdom of Saudi Arabia has continued to witness dramatic cultural and legal changes in recent years. The Ministry of Health (MOH) is actively working to privatize various portions of the healthcare sector in Saudi Arabia. The National Center for Privatization (NCP) issued the Saudi Privatisation Law in March 2021. The Privatisation Law structures the elements of the relationship between governmental entities and private parties in privatization projects. The Privatisation Law targets The E-commerce Law requires a service provider to only retain a customer’s personal data or electronic communications for the period required by the nature of the electronic transaction unless a different period is agreed upon. Reference
    • The Ecommerce Law of 2019: A service provider is responsible for protecting customer’s electronic communications or personal data in its possession or in the possession of the entities or agents that it deals with, and is prohibited from using customers’ personal data or electronic communications for unauthorized or impermissible purposes and from disclosing the same to third parties, whether against or for no consideration unless the consumer consents to such disclosure or the same are required by law. local and foreign investment to optimize state-owned assets. Reference
    • The National Data Governance Interim Regulations: The Interim Regulations establish the legal outline for individual rights protection regarding the processing of personal data by all internal and external entities of the Kingdom. The Regulation also defines the role of the Saudi Data and Artificial Intelligence Authority (SDAIA) and its sub-entities, such as the National Data Management Office (NDMO). Reference 

    Our services include consulting, assessment, and support services.

    Please visit our Services page for a full range of services offered, and for more info: Contact us