Saudi Arabia: Updated Cloud Cybersecurity Controls including cybersecurity requirements

On 3 February 2021, the National Cybersecurity Authority (NCA) issued the latest update to the Cloud Cybersecurity Controls (CCC) as a continuation of the previously issued Essential Cybersecurity Controls (ECC). The CCC regulates cloud service providers (CSPs) and cloud service tenants (CSTs). Specifically, the CCC applies to CSTs that are public or private organisations inside or outside the Kingdom that own or operate Critical National Infrastructures (CNIs) that use cloud services. Therefore, any CSPs that provide cloud services outside of the Kingdom to non-Saudi companies are not included. The CCC also does not apply to CSPs who do not own or operate CNIs or who provide cloud services to individuals. However, the NCA encourages all relevant businesses to adhere to these controls.To support the creation of the CCC, a mapping study was developed to identify international cloud computing standards. The main domains of the CCC are the same as the domains for the ECC: cybersecurity governance, cybersecurity defence, cyberseurity resilience, and third-party cybersecurity. The CCC requires that all cloud computing services be provided from within the Kingdom such as storage, processing, monitoring, and disaster recovery.