Page 93 - SAMENA Trends - July-August 2023
P. 93
REGULATORY & POLICY UPDATES SAMENA TRENDS
Telecommunications and Information Technology Act Brings Change in
Saudi Arabia
The Telecommunications and Information Technology Act was
published on 10 June last year and came into effect on 8 Decem-
ber 2022. The new Act replaced previous Saudi telecoms legisla-
tion that had been in place since 2001 and, among other things,
aims to support the development of the Saudi telecoms and IT
sector and encourage digital transformation in the country. Under
the new Act, a greater range of services are potentially subject to
telecoms licensing and regulatory requirements than was the case
before. For example, while the Act lists certain services that were
already subject to licensing – like providing telecoms services to
the public, providing infrastructure service for public telecommuni-
cations networks, using numbering resources or radio frequency
spectrum, – it also requires obtaining a license for providing Saudi
domain name registration services. Further, it gives the board of
the Communications, Space & Technology Commission (the CST)
discretion to require businesses to obtain a license or register with
it in some circumstances. This includes if the business:
• provides certain services related to telecommunications or in-
formation technology, including digital content platforms – the
CST held a public consultation regarding draft Digital Content or where there is “any legal action resulting in another person own-
Platform Regulations previously; ing a stake equal to 5% or more of the licensee’s capital”. Similarly,
• acquires or uses telecommunications or IT-related devices; or service providers are now also required to obtain a non-objection
• establishes a private telecommunications network – the CST certificate from the CST for making any substantial changes in its
has adopted the Regulations for the Provision of Specialized senior management. The implementing regulations provide further
Wireless Telecommunication Networks Services to this effect in detail on this aspect. Another notable issue dealt with by the new
April. Act pertains to internet filtering. While historically and in practice,
At a time of increased digital connectivity across the economy, this the CST has been responsible for internet filtering in the Kingdom,
power could potentially be used to bring businesses across sectors this was never expressly set out in the old telecoms law. The new
into scope of telecoms regulation in Saudi – the CST board is em- Act specifically empowers the CST, after coordinating with other
powered to set the necessary controls for obtaining a license, reg- competent authorities, to filter the internet and limit access to spe-
istration or permit, and implementing regulations that supplement cific content online, and to prevent or restrict access to internet
the Act provide the board with further scope to cap the number of services on the gateways. By-passing or circumventing the King-
licenses, registrations or permits issued for various activities. Tele- dom’s internet filtering system is also prohibited. The new Act has
coms licenses in Saudi obtained prior to the new Act taking effect also introduced new obligations in relation to user data confiden-
remain valid, although such licensees must ensure compliance tiality and protection, supplementing the new Saudi Personal Data
with any new requirements and bridge any regulatory gaps by 8 Protection Law that will take effect in September. Allied to this, the
December 2023. Significantly, many of the core telecoms aspects royal decision approving the Act stressed the importance of the
remain the same. Issues such as frequencies, numbering, intercon- National Cybersecurity Authority (NCA) and compliance with its
nection, use of real estate, competition and M&A, as well as viola- cybersecurity considerations – for service providers considered as
tions and penalties are dealt with in a manner similar under the Act critical national infrastructure, in particular. The NCA is empowered
to the old law. However, in addition to the expanded scope of the to require service providers subject to the new Act to conclude mu-
Act referenced above, there are a few other important changes. For tual agreements to realize cybersecurity objectives, in accordance
example, fixed and mobile telecommunication services no longer with NCA’s controls and guidelines, for example. The NCA can also
need to be provided through joint stock companies that place their follow up and verify the cybersecurity compliance level of service
stock for public subscription. This may be welcomed as a positive providers, in accordance with those controls and guidelines, and
development by businesses interested in offering fixed and mobile impose the cost of that follow-up on the providers if they are found
services in Saudi as it reduces market entry barriers. In addition, negligent. Perhaps most notably, the NCA can also impose penal-
service providers are now required to obtain the CST’s approval be- ties provided for in the Act on service providers for violating cyber-
fore making any “substantial change” in ownership. This is without security obligations. Once the NCA coordinates with the CST on a
prejudice to notification duties under the competition and merger compliance program, such powers may be revoked. Against the
telecoms regime. The implementing regulations provide further de- backdrop of new data protection and cybersecurity obligations, it
tail on what constitutes a “substantial change” – examples include is as yet unclear how potentially overlapping obligations under the
where the provider wishes to amend “any of the essential clauses Act to communicate details of data breach incidents to the CST,
in the memorandum of association or the articles of association” and to affected users, immediately, will interplay in practice.
93 JULY-AUGUST 2023
