Other Policies and Strategies

The Cloud First Policy (CFP) guides Saudi Arabia’s governmental entities in accelerating the adoption of cloud computing services. Under this policy, entities must consider cloud solutions a priority when making new IT investment decisions. The private sector is also encouraged to adopt similar internal policies to maximize the benefits of cloud technology.

Aligned with Vision 2030, the CFP supports the National Information Center’s (NIC) Strategy, positioning it as the primary Cloud Service Provider (CSP) for government data. Saudi Arabia’s leadership in the ICT sector, particularly in the Middle East and North Africa (MENA) region, reinforces its ability to capitalize on cloud computing opportunities and establish an advanced, integrated digital infrastructure.

Key objectives of the Cloud First Policy include:

• Enhancing efficiency by promoting resource pooling and shared services across government entities.
• Reducing total cost of ownership (TCO) by optimizing IT investments, typically resulting in ~30% savings.
• Strengthening cybersecurity through secure, accredited platforms hosted within the Kingdom and operated by qualified Saudi professionals.
• Improving interoperability and portability, enabling seamless communication and data exchange between entities.

The CFP applies to all government entities, with exceptions for entities responsible for national security and defense, such as the Saudi Arabian Monetary Authority, Ministry of Defense (MoD), Presidency of State Security (PSS), Ministry of Interior (MoI), and National Cybersecurity Authority (NCA).

In line with Vision 2030, Saudi Arabia is committed to growing a robust, diversified digital economy. The Kingdom has made significant investments, exceeding $1 trillion, to drive economic diversification and social reform while strengthening its leadership in digital services.

The Digital Economy Policy, developed by the Ministry of Communications and Information Technology National Digital Transformation Unit, provides a framework to guide government agencies in leveraging the digital economy to promote sustainable growth and competitive advantages. It also informs both public and private sectors and the international community of the Kingdom’s approach to digital sovereignty and data control.

Key Principles:

• Access: Ensuring high-quality digital infrastructure, data availability, and platforms at affordable rates while maintaining security and privacy.
• Technology Adoption and Use: Supporting digital technologies that enhance productivity and competitiveness.
• Innovation: Promoting research, innovation, and appropriate governance models to drive digital transformation.
• Human Capital: Fostering job creation, training, and capacity-building in the digital economy.

Social Prosperity and Inclusion: Enhancing quality of life through smart city initiatives and ensuring digital inclusion, particularly for disadvantaged groups, women, and rural communities.

The Communications, Space & Technology Commission (CST) has adopted the IoT Regulatory Framework to regulate IoT services and ensure Saudi Arabia becomes a leader in IoT innovation. The framework governs IoT services provided by licensed service providers over mobile and fixed networks.

Key Features:

• Compliance with data security, privacy, and protection requirements in line with CST regulations and technical specifications (RI114).
• Interoperability requirements for IoT networks and equipment.
• IoT identifiers and M2M numbering ranges, with a recommendation to adopt IPv6 for IP addressing.
• Data localization: Requiring all servers and data storage to be hosted within the Kingdom.
• Alignment with current and future data protection regulations issued by CST and other authorities.

The Universal Access and Universal Service Policy, approved in 2006 by the MCIT, ensures that voice telephony and internet services are accessible to all segments of Saudi society.

The policy established the Universal Service Fund (USF) in 2007 through Decision 165/1428. The USF finances projects to extend ICT services to underserved, commercially unprofitable areas.

Highlights:

• Strategic and annual operating plans prepared to expand voice and internet services.
• Competitive bidding processes for USF projects.
• Focus on geographic areas with limited commercial incentives for private sector investment.
• Ongoing government funding to support the USF’s operations since its launch in 2010.

The Digital Government Authority (DGA) adopted the OSS Adoption Strategy in 2021 to promote the use of open-source software across government entities. This strategy aims to:

• Facilitate inter-agency collaboration.
• Leverage global best practices and lessons learned from leading countries.
• Optimize government software spending.

The OSS strategy is a key component of Saudi Arabia’s digital government initiatives, fostering greater transparency, flexibility, and innovation in service delivery. For more information, please visit the following link.

The Digital Government Authority (DGA) has established the Controls of Risk and Business Continuity Management for Digital Government to enhance government entities’ ability to identify risks, mitigate threats, and ensure the continuity of digital services.

Key Elements:

• Risk and Business Continuity Management Programs for government entities, suppliers, and operators.
• Guidelines for Business Continuity in Government Entities, serving as a reference to improve crisis response capabilities and service restoration.
• Reporting Digital Government Services Disruption Service, enabling agencies to report service outages and coordinate with DGA.
• IT Disaster Recovery Guidelines and Recovery Time Objectives (RTOs) are under development for release by the end of 2023.

In the event of a large-scale crisis, DGA has the capability to launch dedicated portals or mobile applications within 24 hours to provide timely and verified information to citizens. For example, the COVID-19 portal was launched less than 24 hours after the government’s directive. Additionally, cybersecurity incidents and emergencies can be reported to the CERT and the National Cybersecurity Authority through the national reporting platform.

DGA has published Guidelines for Business Continuity in Government Entities, which serve as a key reference for entities establishing critical procedures and processes. These guidelines aim to increase flexibility, enhance the ability to respond to crises, and restore services securely, efficiently, and seamlessly. By implementing these measures, government entities can ensure the continuity of digital service delivery and strengthen national security resilience across Saudi Arabia.

The Digital Government Authority (DGA) has established comprehensive mechanisms to ensure rapid and coordinated responses to cybersecurity threats, crises, emergencies, and digital service disruptions across government entities.

Individuals and organizations can submit reports directly to the Computer Emergency Response Team (CERT) and the National Cybersecurity Authority (NCA) through the designated national reporting platform for any type of cybersecurity threat, crisis, emergency, or vulnerability.

DGA has launched a dedicated service for Reporting the Interruption of Digital Government Services to maintain the continuity and reliability of digital services. This enables government entities to:

• Report the unavailability of their digital services.
• Notify DGA of service disruptions provided by other government agencies.
• Inform DGA about planned updates or maintenance activities that temporarily affect service availability.

This centralized reporting service aims to unify efforts, enhance partnerships between DGA and government entities, and strengthen public confidence by ensuring the continuous availability of digital government services.

To support these efforts, DGA has introduced Guidelines for “Reporting Digital Government Services Disruption,” offering a clear reference for reporting incidents and notifying DGA of any disruptions.

Furthermore, DGA is preparing to launch comprehensive IT Disaster Recovery Guidelines, including Controls and Recovery Time Objective (RTO) levels, by the end of 2023. These guidelines will provide government entities with in-depth strategies for managing recovery, crisis, and emergency response operations effectively.

The National Perils Council has also worked on frameworks and guides for strategies, plans, policies, frameworks, programs, methodologies, standards, controls, guidelines, and performance measurement indicators related to identifying, assessing, and preventing national risks, planning and preparing for emergencies, crises, and disasters, responding to and recovering from them, ensuring business continuity, and setting standards and indicators to measure the readiness of relevant entities.

Among these indicators is the Resilience Index, which aims to provide the basic requirements for risk, emergency, business continuity, and supply chain management, to understand potential risks, reduce their occurrence and mitigate their effects when they occur, and ensure the resilience of critical infrastructure to maintain the continuity of business and supply chains in providing essential services and necessary products, and to enhance resources, capabilities, and capacities to prepare for, address, absorb, adapt to, contain, respond to, and recover from emergencies, crises, and disasters efficiently, effectively, and sustainably.

In the case of large-scale crises or emergencies, DGA has established internal procedures for the rapid deployment of a dedicated crisis or emergency portal and/or mobile application. These platforms are designed to provide timely, verified information to the public regarding:

• Current threats and risks.
• Recommended measures and protective actions.
• Government decisions and updates.

DGA has the capability to launch such platforms in less than 24 hours following a government directive. For example, the dedicated COVID-19 portal was successfully launched within 24 hours after the government issued the order.

The Risk and Business Continuity Management platform stands as a leading platform in risk, emergency, crisis, and business continuity management, providing tailored solutions to meet user needs in a world full of challenges and changes. The platform offers a comprehensive range of services to empower users to excel and thrive effectively in the evolving business environment. Services include updated standards and guidelines, customizable models, specialized articles and analyses, a periodic journal, interactive workshops, and dedicated technical and consulting support. The platform aims to build a culture that values sustainability and adopts resilience to foster innovation, knowledge sharing, and the development of professional skills in this field.