Saudi Arabia

Huawei Cloud is committed to providing you with secure and compliant infrastructure and services. Each service has built-in security features and is guaranteed to run securely through continuous O&M. Huawei Cloud ensures that the infrastructure and services it provides have been assessed by authoritative, independent, third-party agencies and reviewed by the relevant certifying bodies.

When using Huawei Cloud services, you are responsible for the security and compliance of internal applications and custom configurations of your workloads on the cloud. As the owner and controller of your data, you are responsible for data security configuration, confidentiality, integrity, availability, as well as identity authentication and authorization for data access.

You are also responsible for compliance with the applicable regulatory requirements for your workloads on the cloud.

You can download HUAWEI CLOUD Security White Paper to view details about the responsibilities of Huawei Cloud and yours.

For more security and compliance issues, contact your account manager or Huawei Cloud.

Huawei Cloud is committed to building secure and trusted cloud services. The infrastructure and services provided by Huawei Cloud have been assessed by authoritative, independent, third-party agencies and reviewed by the relevant certifying bodies.

Huawei Cloud is compliant with a wide range of international standards and practices, including:

• Security standards: ISO 27001, ISO 27017, CSA STAR, PCI DSS, PCI 3DS, ISO 27034, and NIST cyber security framework (CSF), and more

• Privacy standards: ISO 27018, ISO 27701, BS 10012, ISO 29151, and ISO 27799

• Other standards: ISO 22301 (for business continuity management), ISO/IEC 20000 (for IT service management), TL 9000 and ISO 9001 (for quality management), SOC 1, SOC 2, and SOC 3 (for audit)

Learn more from Compliance Certificates in the Compliance Center.

• Saudi Arabian Monetary Agency (SAMA) is the central bank of the Kingdom of Saudi Arabia. It is responsible for issuing currencies, supervising commercial banks, managing foreign exchange reserves, and ensuring price and exchange rate stability, so as to promote the development and stability of the Saudi Arabian financial system. SAMA released the Cyber Security Framework in May, 2017. The Framework enables financial institutions regulated by SAMA to effectively identify and respond to cyber security risks, and provides guidance for financial institutions on how to maintain the security of information assets and online services.

Huawei Cloud white paper Huawei Cloud Compliance with Financial Industry Cybersecurity in Saudi Arabia describes how Huawei Cloud can help you meet the regulatory requirements for the financial industry in Saudi Arabia.

National Cybersecurity Authority (NCA) is the primary government entity responsible for overseeing and operating cybersecurity in the Kingdom of Saudi Arabia. It collaborates closely with public and private entities to enhance the Kingdom's cybersecurity posture to safeguard its critical interests, national security, key infrastructure, high-priority sectors, government services, and activities consistent with Vision 2030.

Communications, Space and Technology Commission (CST): The organization is responsible for organizing the communications and information technology sector in the Kingdom of Saudi Arabia, and overseeing the standardization of ICT regulations. It provides licenses to Communications and Information Technology Organization, regulates the industry, and monitors internet usage within the country. The CST was formerly known as the Communications and Information Technology Commission (CITC). On November 10, 2022, the CITC was officially renamed the CST.

To standardize the use of information technologies and consolidate and improve national cyber security, the National Cybersecurity Authority (NCA) and the Communications, Space and Technology Commission (CST) of Saudi Arabia have released a series of cyber security regulations:

- Essential Cybersecurity Controls (ECC): Basic cybersecurity standards on the Critical National Infrastructures (CNI) of organizations and government departments in the Kingdom of Saudi Arabia.

- Cloud Cybersecurity Controls (CCC): Supplement and are extensions of ECC. CCC outlines cloud computing cyber security requirements from the perspectives of cloud service providers and cloud service tenants to improve security and reduce cyber risks for all services and users.

- Cybersecurity Regulatory Framework (CRF) was released to improve cybersecurity maturity for the information and telecommunications (ICT) sector. Under CRF, cybersecurity risks must be managed in accordance with international best practices and local cybersecurity regulations. LSPs must follow CRF to meet minimum security requirements. The Huawei Cloud white paper, Huawei Cloud Compliance with Cybersecurity in Saudi Arabia, describes how Huawei Cloud can help you meet cybersecurity regulatory requirements in Saudi Arabia.

Huawei Cloud Riyadh region has been registered as a Class C Cloud Service Provider with Communications, Space and Technology Commission (CST) in the Kingdom of Saudi Arabia. The qualification is based on an assessment by the National Cybersecurity Authority (NCA) against the NCA’s Essential Cybersecurity Controls (ECC) and the Cloud Cybersecurity Controls (CCC).

•Personal Data Protection Law , PDPL：The law was published in the Official Gazette of Saudi Arabia on 24 September 2021. The PDPL is a comprehensive personal data protection law that applies to the processing of data of all entities, organizations or individuals in Saudi Arabia. It is a legal framework for personal data protection at the same level as the global personal data protection law formulated by the Kingdom of Saudi Arabia. The revised PDPL will be implemented in September 2024.

•The Implementing Regulation of the Personal Data Protection Law：As the implementing regulations of the Saudi Arabia Personal Data Protection Law PDPL, the PDPL formulates detailed implementation requirements or guidelines for personal data protection and transfer.

•Regulation on Personal Data Transfer outside the Kingdom：The regulation, which came into force in 2024, specifies the obligations of the parties involved in the transfer when personal data is transferred or disclosed to countries or international organizations with insufficient levels of personal data protection.

For more information, see Huawei Cloud Compliance with Saudi Arabia PDPL.