Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Saudia Arabia: Updates telecommunications law and regulatory regime
The Kingdom of Saudi Arabia (KSA) has revamped its regulatory regime for telecommunications with the issuance of a new Telecommunications and Information Technology Act1 (the Telecoms Act) and the publication of implementing regulations to support the new law. Dino Wilkinson, Masha Ooijevaar, Shamma Sied, and Ken Wong, from Clyde & Co, take a look at the provisions of the Telecoms Act, how it differs from previous legislation, and what companies need to consider.
The Telecoms Act was issued under the Council of Ministers Resolution No. 592 dated 01/11/1443 AH and approved pursuant to Royal Decree No. M/106 dated 02/11/1443 AH (corresponding to June 1, 2022). It took effect on December 7, 2022 and repealed the prior Telecommunications Law, which dated back to 2001. The Telecoms Act expanded the scope and focus of the legislation from telecommunications to include new forms of technology and digital services.
The Implementing Regulations to the New Telecoms Act2 (the Regulations) were enacted by Ministerial Decision No. 13/1444 issued on 14/05/1444 H (corresponding to December 8, 2022). The Regulations replace the former Bylaws under the old Telecommunications Law and provide more detail on the processes and procedures for obtaining licenses and the obligations of service providers in KSA.
Scope of the Telecoms Act
The Telecoms Act has a broader scope of application than the previous law and applies to a range of ICT activities and services. It regulates emerging technologies with a specific focus on promoting digital transformation in Saudi Arabia and encouraging innovation, entrepreneurship, research, and technical development. The regulatory authority itself has rebranded from the Communications & Information Technology Commission (CITC) to the Communications, Space & Technology Commission (CST) in part to reflect a wider scope in its mandate.
The definition of 'telecommunications' under the Telecoms Act now expressly references machine-to-machine communication systems and apparatus. The Telecoms Act also defines 'information technology' in broad terms to include technologies and systems for creating, collecting, processing, storing, or analyzing data or information, including telecommunications and IT applications. This potentially brings a range of digital service providers within the scope of the new regime.
Aims and objectives
The Telecoms Act has clearly stated aims to develop and promote digital transformation in the KSA and upgrade the services provided within the ICT field.
There is a strong theme of innovation through entrepreneurship and research that is intended to help develop this field within the KSA. There is also a reference to encouraging the development of emerging technologies.
All of these aims are consistent with the KSA government's wider plans to develop a digital economy, which is further evidenced by expressly stated aims in the Telecoms Act to 'transfer and localise' technology and develop local content share.
Licensing, registration, and authorization
Licenses are required under the Telecoms Act for both the provision of telecommunications services and for using telecommunications networks for these purposes. This suggests the potential regulation of 'over-the-top' services that provide telecommunications functionality.
Other licensable activities include providing infrastructure services to public telecommunications networks, using any numbering resource or frequency spectrum and providing Saudi domain name registration services, or establishing centers for its registration.
In addition to the licensing regime, the Telecoms Act also references alternative types of approval in the form of registration or authorization. The CST Board may require a license, registration, or authorization for the provision of specific services relating to telecommunications or IT (including digital content platforms), possessing or using ICT devices, and creating a special telecommunications network. This allows for the CST to regulate current, emerging, or future technologies by way of subsequent rules or decisions.
Since the issuance of the Telecoms Act and the Regulations, the CST has issued further specific regulations setting out a licensing regime for specialized wireless telecommunications services3 in April 2023 and a registration requirement for data center services4 in August 2023.
As under the previous regime, the CST Board has the ability to cancel, suspend, or modify any license registration. However, this decision should be based on a reasoned decision linked to changes in technology, market conditions, or the National Frequency Plan.
The Telecoms Act revises the provisions for the assignment of a license. It requires the CST's approval to be obtained before any 'substantial change' in ownership of a licensee or registrant (or the waiver of a license, registration, or authorization to others) and confirmation of the CST's non-objection to any 'substantial change' in the senior management of the licensee of the registrant.
Neither the Telecoms Act nor the Regulations specify what constitutes a substantial change in senior management, but the Regulations do confirm that a substantial change in ownership would include an amendment to any of the essential clauses of a company's memorandum of association or articles of association, any ownership-related amendment to the commercial register, or any legal action resulting in another person owning at least 5% of the licensee's capital. The CST must issue its decision on any change within 90 days following the lodging of an application, otherwise, the application will be deemed successful.
Encouraging competition
As per the previous regime, the Telecoms Act stipulates that service providers are responsible for implementing proper prices for ICT services and that 'controlling service providers' (i.e. those with more than 40% of the relevant market) must meet interconnection or accessibility requests on fair terms and at fair prices based on CST-approved costs.
Mergers between service providers (in KSA or abroad) or the acquisition of more than 5% of stocks or shares in any licensed service provider are subject to prior approval from the CST Board.
The Telecoms Act also prohibits controlling service providers from abusing their dominant position. Examples of acts and practices that constitute an abuse of a dominant position are set out in the Regulations and include the imposition of unfair buying or selling prices or any other unfair commercial terms, refusing to do business with certain service providers without an acceptable reason, discriminatory behavior in the grant of access rights or interconnection, price compression, adopting obstructive technical specifications, or using information acquired through an interconnection or access arrangement to exercise a competitive advantage over other service providers.
Data protection and cybersecurity
A notable addition to the Telecoms Act and the Regulations are detailed provisions on the protection of user data and confidential documents. This follows recent developments in the KSA that included the issuance of the Kingdom's first Personal Data Protection Law (PDPL) in late 2021 (which will take effect in late 2023). The Telecoms Act requires service providers to comply with the provisions of the PDPL when using, controlling, or processing any user's personal data. The Regulations indicate that the CST will issue further specific rules relating to the governance and management of user data and information.
The Telecoms Act requires service providers to take all the necessary steps and precautions to ensure the protection and confidentiality of users' personal information and documents. User data cannot be disclosed without the consent of the user. Telephone communications or information disclosed over public communication networks are expressly stated to be confidential and may not be accessed, viewed, or recorded unless required by law.
Service providers have a duty to notify users and the CST in the case of a breach of users' personal data and to take the appropriate measures to protect personal data.
The Telecoms Act specifies that the CST will ensure the protection of cybersecurity and critical infrastructure (defined as networks and IT devices whose equipment could totally or partially disrupt or impair the stability or security of the sector) by complying with the decisions issued by the National Cybersecurity Authority (NCA). The Telecoms Act also notes that the CST will assess the cybersecurity level of each service provider to ensure that the protection is adequate in accordance with the levels expected by the NCA.
Offenses and sanctions
The core offense of providing telecommunications services or establishing a public telecommunications network without a license is necessarily broadened to cover the carrying out of any of the activities requiring licensing, registration, or authorization under the new regime (see 'Licensing, registration, and authorization' above). In addition, the Telecoms Act now creates a wider offense in relation to the possession, sale, leasing, making available, manufacturing, production, or trading of any equipment, services, or software that does not match the required technical specifications and standards or does not otherwise comply with the rules, controls, and requirements set out by CST.
Sanctions that may be imposed include a fine of up to SAR 25,000,000 (approx. $6,657,500), which is consistent with the previous law. As well as similar rights for the CST to suspend the services of any operator that violates their licensing conditions, the Telecoms Act also expressly references the total or partial blocking of digital content platforms, and the CST is empowered to provide technical support with enforcing final court judgments against digital platform service providers.
Conclusion and looking ahead
The Telecoms Act introduces new concepts and has substantially broadened the core mandate of the CST to include providers of digital infrastructure and services in addition to telecommunications network operators.
While there is a clear focus on innovation and development of the ICT sector in the KSA, this will be subject to the framework of regulation and governance set out in the Telecoms Act and the Regulations.
The announcement by the KSA government in April 2023 of four new special economic zones – which will include a Cloud Computing SEZ5 located in King Abdulaziz City for Science & Technology – will also be of interest to global investors and ICT businesses seeking to take advantage of economic growth in the KSA. The CST will supervise and manage the new SEZ, which is expected to have its own legislative and regulatory regime for cloud computing service providers.
Dino Wilkinson6 Partner
[email protected]
Masha Ooijevaar Associate
[email protected]
Shamma Sied Paralegal
[email protected]
Ken Wong Legal Director
[email protected]
Clyde & Co, Abu Dhabi
1. See: https://www.cst.gov.sa/en/RulesandSystems/CITCSystem/Documents/LA%20_001_E_%20Telecom%20Act%20English.pdf
2. See: https://www.cst.gov.sa/en/RulesandSystems/bylaws/Documents/LA_005_%20E_Telecom%20Act%20Bylaws.pdf
3. See: https://regulations.citc.gov.sa/PublishedDocuments/GovernorApprovalDecision_1475/92734eb4-f927-4ef2-869c-0b3c6c91075e_Regulations%20of%20the%20Provision%20of%20Specialized%20Wireless%20Telecommunication%20Networks%20Services.pdf
4. See: https://regulations.citc.gov.sa/PublishedDocuments/GovernorApprovalDecision_1478/c4fad5d1-aad7-4a0f-a1a1-a68339636613_Data%20Center%20Services%20Regulation.pdf
5. See: https://www.cst.gov.sa/en/services/licensing/Pages/Cloud-Computing-Special-Economic-Zone.aspx
6. See: https://www.clydeco.com/en/people/w/dino-wilkinson