Does my data have to be hosted inside Saudi Arabia?

Not universally. There is no single blanket data-localization rule. Requirements depend on data type and sector: government and CNI data fall under NCA controls and NDMO governance; personal data falls under PDPL, which allows cross-border transfer under safeguards. Healthcare and financial data carry additional sector rules.

Is the PDPL actually enforced, or is it still a grace period?

Enforced. The grace period ended 14 September 2024 and SDAIA is now issuing decisions — 48 reported by early 2026, with fines up to SAR 5 million per breach, a five-day window to respond to a notice, and power to suspend processing.

Can I transfer personal data outside Saudi Arabia?

Yes, under safeguards. SDAIA has not published an adequacy country list, so transfers rely on Standard Contractual Clauses or Binding Common Rules plus a transfer risk assessment for sensitive or large-scale transfers.

Do NCA cybersecurity controls apply to private companies?

Yes — as of NCNICC-1:2025 (in force January 2026), every non-CNI private entity must meet a mandatory baseline, tiered by size. Large entities (250+ staff or revenue over SAR 200M) implement 65 essential controls; SMEs a reduced set. CNI operators remain under the fuller ECC-2:2024, CCC-2:2024 and DCC-1:2022.

Which hyperscaler regions are live in Saudi Arabia?

Google Cloud Dammam (since 2023) and AWS me-central-2 (live January 2026) are operational; Microsoft Azure Saudi Arabia East is confirmed for general availability in Q4 2026. Google also offers Sovereign Controls by CNTXT on Class C infrastructure.

What is the difference between NCA controls and the PDPL?

They are separate, parallel obligations. NCA governs cybersecurity posture; PDPL (SDAIA) governs personal-data handling and cross-border transfer. A company processing Saudi personal data typically must satisfy both at once.

00 · The short version

Hosting data in Saudi Arabia means clearing four regimes at once.

A workload that touches personal — let alone sensitive — data in the Kingdom triggers PDPL/SDAIA, NDMO classification, NCA security controls and CST cloud-class registration simultaneously. The lowest-risk design is in-Kingdom hosting, no cross-border transfer, on a CST-registered provider. This page is the map, the shortcuts, and a navigator that turns your specifics into a checklist.

regulators trigger together: SDAIA · NDMO · NCA · CST

72h

to notify SDAIA of a breach — no materiality threshold

SAR 5M

top general fine (doubles to 10M on repeat)

Not legal advice. The binding legal texts are in Arabic. Every figure, article number, fee, deadline and fine must be confirmed against the primary regulator documents (linked in Sources) and a Saudi-qualified advisor before go-live.

Enforcement statusVerified 26 June 2026

Saudi PDPL enforcement is live — and active.

The grace period ended 14 September 2024. Saudi Arabia’s Personal Data Protection Law is no longer a "prepare for later" obligation — SDAIA is issuing decisions now.^[S1]

What's actually happening

48 enforcement decisions issued by SDAIA in the year to early 2026.
Fines up to SAR 5,000,000 per breach — doublable for repeat violations.
Sensitive-data violations can carry criminal liability, including imprisonment up to 2 years.
Once notified, an organization has only 5 days to respond with evidence.
SDAIA can suspend processing activities — an operational risk, not just a financial one.

Most violations to date trace back to the basics: processing without a valid legal basis, unauthorized disclosure, missing technical and organizational safeguards, and marketing without consent.^[S2]

What this means for hosting decisions

Enforcement risk raises the stakes on where data lives and how transfers happen. SDAIA still has not published an adequacy country list, so cross-border transfers run on standard contractual clauses or binding rules plus a transfer risk assessment — not on a "this country is approved" shortcut.^[S3]

This block is a regulatory reference, not legal advice. Verify the current text of each regulation with its primary source before acting. Last verified 26 June 2026.

The timelineVerified 26 June 2026

How Saudi cloud compliance got here — and what’s next.

The regime assembled in stages: data controls, in-Kingdom regions, PDPL enforcement, and now a private-sector cybersecurity baseline. A few anchors are still pending.

Nov 2022Done
NCA Data Cybersecurity Controls (DCC-1:2022) published^↗
4-tier data classification and 47 sub-controls for government bodies and CNI operators.
Nov 2023Done
Google Cloud Dammam (me-central2) region opens^↗
First hyperscaler in-Kingdom region; later adds Sovereign Controls by CNTXT on Class C infrastructure.
14 Sep 2024Done
PDPL grace period ends^↗
The one-year transition closes; the Personal Data Protection Law becomes fully enforceable.
Sep 2024Done
SDAIA issues Standard Contractual Clauses^↗
SCCs become a primary safeguard for cross-border transfers while no adequacy list exists.
Oct 2024Done
NCA ECC-2:2024 replaces ECC-1:2018^↗
Refined to 4 domains and ~110 controls; all cybersecurity roles must be filled by qualified Saudi nationals.
27 May 2025Pending
PDPL Implementing Regulations amendments — consultation closes^↗
Proposed changes to DPO rules and a 10-business-day duty to respond to SDAIA. Not yet confirmed in force.
Jan 2026Done
AWS Middle East (Saudi Arabia) me-central-2 goes live^↗
Three availability zones around Riyadh; ~$5.3B investment.
Jan 2026Active
NCNICC-1:2025 takes effect — private sector in scope^↗
NCA extends mandatory cybersecurity to every non-CNI private entity, tiered by size (Category A 65 controls).
Early 2026Active
PDPL enforcement is active — 48 decisions^↗
SDAIA reports 48 enforcement decisions; fines up to SAR 5M, 5-day response window, power to suspend processing.
Q4 2026Upcoming
Microsoft Azure Saudi Arabia East — GA (confirmed)^↗
Three availability zones built in the Eastern Province; general availability confirmed for Q4 2026.
PendingPending
SDAIA adequacy country list — still awaited^↗
Until published (Art. 3 ARPDT), cross-border transfers rely on SCCs/BCRs plus a transfer risk assessment.

01 · The reality nobody states plainly

There is no single "classification to residency" statute.

People look for one law that says "sensitive data must stay in-Kingdom." It does not exist as a single clause. In-Kingdom hosting is the combined result of two things: (a) PDPL cross-border-transfer rules plus SDAIA safeguards and approval, and (b) CST cloud-class licensing — where only a Class C provider may host secret / top-secret data. NDMO sets the classification; NCA sets the security controls. SDAIA has not published an adequacy whitelist, so today every cross-border transfer needs Saudi SCCs/BCRs or accreditation plus a transfer risk assessment.

Stop hunting for the one residency law. Residency is an emergent property of PDPL transfer rules + CST class licensing.

02 · The four regulators at a glance

Who governs what — and what each one wants from you.

Map your obligations to the right authority before you architect anything.

Verified 26 June 2026

Regulator	Governs	Key instrument	What it wants from you
SDAIA (PDPL)	Personal & sensitive data	PDPL + Implementing Reg + Transfer Reg	Lawful basis, privacy notice, ROPA, DPAs, DPO (if triggered), 72h breach notice, transfer safeguards
NDMO	Data classification & governance	Data Governance Policies + Classification Policy	Classify every dataset into 4 levels; apply handling rules per level
NCA	Cybersecurity controls	ECC-2:2024 · NCNICC-1:2025 · CCC · DCC · NCS · CSCC	Baseline ECC-2 (gov/CNI) or NCNICC-1:2025 (general private sector); add CCC if cloud, DCC for gov/CNI data, NCS for crypto, CSCC if critical/government
CST	Cloud provider licensing	Cloud Computing Services Provisioning Regulations	Register/qualify by class — only Class C may host secret/top-secret

03 · Step one — classify

NDMO four levels, and PDPL personal / sensitive split.

You cannot protect what you have not classified. Every dataset gets an NDMO level; personal data also gets a PDPL flag.

Verified 26 June 2026

Top Secret

Gravest impact to national interest if exposed. Strictest handling and residency.

Secret

Serious impact. In-Kingdom, Class C hosting territory.

Restricted

Limited/internal impact. Controlled access and logging.

Public

No harm on disclosure. Residency flexible.

PDPL "sensitive data"

Under PDPL Art. 1, sensitive data = data revealing racial or ethnic origin; religious, intellectual or political belief; criminal & security data; biometric data; genetic data; health data; and data indicating a parent is unknown. Sensitive data needs explicit consent, cannot be processed for marketing even with consent, and cannot rely on "legitimate interest".

04 · Step two — where can it live

The residency matrix (derived, not a single statute).

A practical synthesis of PDPL transfer rules + CST class licensing + NDMO levels. Treat the in-Kingdom column as the conservative default.

Verified 26 June 2026

Data	Where it can live	CST class to host it	Cross-border
Public / non-personal	Flexible (in or out)	A or B	Generally permitted
Personal (non-sensitive)	In-Kingdom preferred	A / B / C	Allowed with safeguards + TRA
Sensitive personal (health, biometric...)	In-Kingdom	C	Heightened scrutiny + mandatory TRA
Secret / Top Secret (classified)	In-Kingdom only	C only	Effectively barred

In-Kingdom options commonly cited: AWS me-central-2, Google Cloud Dammam (with Sovereign Controls by CNTXT), Oracle, and sovereign offerings. Confirm a provider CST registration class covers your data before signing — see the verified status table below.

In-Kingdom regions — verified status

Provider	Status	Region	Verified
AWS Middle East (Saudi Arabia)	Live since January 2026 · 3 AZs · US$5.3B	me-central-2 · Riyadh	2026-06-26
Google Cloud Dammam	Live · Sovereign Controls by CNTXT (Class C infra)	me-central2 · Dammam	2026-06-26
Microsoft Azure Saudi Arabia East	GA confirmed Q4 2026 · 3 AZs built	Eastern Province	2026-06-26

Cloud regions commonly used for in-Kingdom hosting. Status verified 26 June 2026 — confirm the provider's CST registration class covers your data before signing.

05 · If any data leaves the Kingdom

No adequacy whitelist — so every transfer carries its own paperwork.

SDAIA has not published a list of "adequate" countries. Until it does, you build your own safeguard for each flow.

Verified 26 June 2026

For any transfer abroad you need an appropriate safeguard — Saudi Standard Contractual Clauses, Binding Corporate Rules, or accreditation — plus a transfer risk assessment. Transfers must not prejudice national security or the Kingdom vital interests, and must observe data minimization (minimum necessary).

Transfer Risk Assessment (TRA)

Mandatory before any transfer relying on appropriate safeguards, and for transferring sensitive data abroad on a continuous or large-scale basis — even if an adequacy decision later exists. SDAIA guideline runs a four-phase method: preparation, assess processing impacts, assess transfer risks, assess vital-interests implications.

Proposed: PDPL Implementing Regulations amendments — Public consultation closed 27 May 2025. Proposed changes repeal/replace the DPO-appointment rules and add a 10-business-day duty to respond to SDAIA compliance inquiries. Treat as proposed — confirm it is in force before citing it as binding.

06 · Step three — secure it

The NCA control stack you actually have to implement.

Your baseline depends on who you are: government and critical-infrastructure entities sit on ECC-2:2024, while the general private sector now has its own mandatory floor in NCNICC-1:2025. Layer the rest by what your workload is.

Verified 26 June 2026

Control set	Applies when	In one line
ECC-2:2024	Always (baseline)	Essential Cybersecurity Controls — the security floor for any in-scope entity
NCNICC-1:2025	General private sector (non-CNI)	Non-Critical Infrastructure Cybersecurity Controls — the new mandatory baseline for private companies. Cat A (250+ FTE or > SAR 200M): 65 essential controls across Governance, Cyber Defense, and Third-party & Cloud; Cat B (SME, 6–249 FTE or SAR 3M–200M): a reduced set.
CCC (CCC-2:2024)	Cloud is in scope	Cloud Cybersecurity Controls — provider + tenant split of duties
DCC-1:2022	Government or CNI data	Data Cybersecurity Controls — 3 domains, 47 sub-controls, and a 4-tier data classification (note: uses a “Confidential” tier where NDMO §03 says “Restricted” — map the two explicitly).
NCS-1:2020	You use cryptography	National Cryptographic Standards — approved algorithms & key management. NCS-2:2025 is unverified — confirm it is in force before relying on it.
CSCC-1:2019	System is critical / government	Critical Systems Cybersecurity Controls — the hardest tier

Not sure NCA applies to you? → Does NCA cybersecurity apply to my company?

07 · If you provide hosting

CST cloud-class registration — only if you are the provider.

If you merely consume cloud, you pick a registered provider and you are a customer. If you provide cloud/hosting services to others, you register/qualify with CST by class.

Verified 26 June 2026

Class A

Lower-sensitivity workloads. Lightest obligations.

Class B

Mid-tier. Broader personal-data hosting.

Class C

The only class permitted to host secret / top-secret data.

Register via the National Platform (my.gov.sa) under the Cloud Computing Services Provisioning Regulations (in force since 10 Oct 2023). Verify current class definitions against the official CCSPR PDF before relying on this split.

08 · What it costs to get wrong

Penalties, and the 72-hour clock.

PDPL enforcement is active — the grace period ended 14 Sep 2024, SDAIA has issued 48 decisions, and general fines reach SAR 5M (doubling to SAR 10M on repeat).

Verified 26 June 2026

SAR 5M

General violations — doubles to SAR 10M on repeat

2 yrs + 3M

Intentional disclosure of sensitive data (imprisonment + fine)

1 yr + 1M

Unlawful cross-border transfer (imprisonment + fine)

The 72-hour breach clock

A personal-data breach must be notified to SDAIA within 72 hours — with no materiality threshold. Affected data subjects are notified where there is risk of harm. Build and rehearse the runbook before go-live, not after the incident.

09 · The shortcut

Compliance navigator — answer four things, get your stack.

Pick what describes your workload. The navigator returns your residency posture, the CST class you need (if any), your NCA control stack, whether a DPO is likely required, sector overlays, and a tailored checklist you can copy. Conservative by design — it errs toward in-Kingdom + verify with counsel.

What kinds of data does the workload handle?

Select all that apply.

Will any data leave the Kingdom (cross-border transfer)?

Do you provide hosting / cloud services to others?

i.e. are you the provider, not just a customer.

Which sector?

Ask the compliance assistant

Answers are drawn only from the sourced knowledge base on this page and cite their [S#] source. It tells you when it has no verified source instead of guessing.

Try one:

Not legal advice. Confirm against the primary regulator documents (see Sources) and a Saudi-qualified advisor before go-live.

10 · The 90-day shortcut

Master checklist — one pass to go-live.

The whole thing on one page, phased. This is the shortcut version of everything above.

Days 1–30

Phase 1 — Discover & classify

Inventory every dataset and system (you cannot protect what you cannot see)
Classify each against NDMO levels: Top Secret / Secret / Restricted / Public
Flag personal and sensitive personal data under PDPL
Map all data flows — especially anything crossing the Saudi border
Decide required hosting per level (residency matrix)

Days 31–60

Phase 2 — Architect & document

Choose region(s): in-Kingdom where required (AWS me-central-2 / Google Dammam / Oracle / sovereign)
Appoint a DPO if triggered (public body, large-scale sensitive data, or core monitoring)
Publish a PDPL-compliant privacy notice
Build the ROPA (record of processing activities)
Sign DPAs with every processor; collect sub-processor lists
For any transfer abroad: complete a transfer risk assessment + SCCs/BCRs

Days 61–90

Phase 3 — Control & prove

Implement your NCA baseline — ECC-2 (gov/CNI) or NCNICC-1:2025 (private sector); add CCC if cloud, DCC for gov/CNI data
Encryption at rest + in transit; key management per NCS
Wire the 72-hour breach runbook — and test it
If you are a hosting provider, register with CST (qualify by class)
Internal audit against PDPL + NDMO + CCC; close gaps
Set a review cadence — re-assess classification + transfers every 12–24 months

Not legal advice. Confirm specifics against the primary regulator documents and a Saudi-qualified advisor before go-live.

11 · Show your work

Primary sources & citation index.

Every claim above traces to an official .gov.sa document or a flagged secondary source. Verify before you rely.

govOfficial .gov.safirmLaw-firm analysispressPress / reportedunverifiedUnverified — confirm

govPersonal Data Protection Law (Royal Decree M/19, amended M/148)— In force 14 Sep 2023
govImplementing Regulation of the PDPL— Published 7 Sep 2023
govRegulation on Personal Data Transfer Outside the Kingdom— Updated 1 Sep 2024
govRules for Appointing a Personal Data Protection Officer— In force
govRisk Assessment Guideline for Transferring Data Outside the Kingdom— Feb/Mar 2025
govNDMO National Data Governance Policies— Version 1
govNDMO Data Classification Policy— Version 1
govNCA Essential Cybersecurity Controls (ECC-2:2024)— October 2024
govNCA Cloud Cybersecurity Controls (CCC)— CCC-2:2024
unverifiedNCA National Cryptographic Standards — NCS-1:2020 current; NCS-2:2025 unverified— Hold at NCS-1:2020 — verify NCS-2:2025 in-force vs. consultation
govNCA Data Cybersecurity Controls (DCC-1:2022)— In force 1 Nov 2022 · gov + CNI · verified 26 Jun 2026
firmNCA Non-Critical Infrastructure Cybersecurity Controls (NCNICC-1:2025)— In force Jan 2026 · mandatory for all non-CNI private entities · verified 26 Jun 2026
govCST Cloud Computing Services Provisioning Regulations— In force 10 Oct 2023
govCST CSP Registration (National Platform)— Live service
pressSDAIA: 48 enforcement decisions in the year to Feb 2026— Reported by IAPP, 25 Feb 2026
firmEnforcement of the Saudi PDP Law — active; SAR 5M; 5-day response window— Clyde & Co, Mar 2026 · verified 26 Jun 2026
firmActive enforcement of the Saudi privacy regime — implications for business— Global Privacy Blog, May 2026
firmCross-border data transfers in KSA — SCCs vs Binding Common Rules— HFW · confirms adequacy list still unpublished
pressAWS me-central-2 (Saudi Arabia) — live since Jan 2026, 3 AZs, US$5.3B— DatacenterDynamics · verified 26 Jun 2026
pressMicrosoft Azure Saudi Arabia East — GA confirmed Q4 2026, 3 AZs— Microsoft, Feb 2026 · verified 26 Jun 2026
pressGoogle Cloud Dammam (me-central2) + Sovereign Controls by CNTXT— Google Cloud · verified 26 Jun 2026
unverifiedPDPL Implementing Regulations — proposed amendments (consultation closed 27 May 2025)— Securiti · proposed — verify if in force
unverifiedSectoral overlays — Health (MOH/CCHI) & Financial (SAMA)— Almost certainly add residency/processing rules — confirm separately

Current as of 25 June 2026 · re-verify against primary regulator sources before go-live.

12 · FAQ

Saudi cloud compliance — frequently asked.

Short, sourced answers to the questions teams ask first. Each links its primary source.

Does my data have to be hosted inside Saudi Arabia?: Not universally. There is no single blanket data-localization rule. Requirements depend on data type and sector: government and CNI data fall under NCA controls and NDMO governance; personal data falls under PDPL, which allows cross-border transfer under safeguards. Healthcare and financial data carry additional sector rules.^[F1]
Is the PDPL actually enforced, or is it still a grace period?: Enforced. The grace period ended 14 September 2024 and SDAIA is now issuing decisions — 48 reported by early 2026, with fines up to SAR 5 million per breach, a five-day window to respond to a notice, and power to suspend processing.^[F2]
Can I transfer personal data outside Saudi Arabia?: Yes, under safeguards. SDAIA has not published an adequacy country list, so transfers rely on Standard Contractual Clauses or Binding Common Rules plus a transfer risk assessment for sensitive or large-scale transfers.^[F3]
Do NCA cybersecurity controls apply to private companies?: Yes — as of NCNICC-1:2025 (in force January 2026), every non-CNI private entity must meet a mandatory baseline, tiered by size. Large entities (250+ staff or revenue over SAR 200M) implement 65 essential controls; SMEs a reduced set. CNI operators remain under the fuller ECC-2:2024, CCC-2:2024 and DCC-1:2022.^[F4]
Which hyperscaler regions are live in Saudi Arabia?: Google Cloud Dammam (since 2023) and AWS me-central-2 (live January 2026) are operational; Microsoft Azure Saudi Arabia East is confirmed for general availability in Q4 2026. Google also offers Sovereign Controls by CNTXT on Class C infrastructure.^[F5]
What is the difference between NCA controls and the PDPL?: They are separate, parallel obligations. NCA governs cybersecurity posture; PDPL (SDAIA) governs personal-data handling and cross-border transfer. A company processing Saudi personal data typically must satisfy both at once.^[F6]

Regulatory reference, not legal advice. Verify each point against its primary source and qualified counsel. Last verified 26 June 2026.

Hosting data in Saudi Arabia means clearing four regimes at once.

Saudi PDPL enforcement is live — and active.

The grace period ended 14 September 2024. Saudi Arabia’s Personal Data Protection Law is no longer a "prepare for later" obligation — SDAIA is issuing decisions now.^[S1]

What's actually happening

48 enforcement decisions issued by SDAIA in the year to early 2026.
Fines up to SAR 5,000,000 per breach — doublable for repeat violations.
Sensitive-data violations can carry criminal liability, including imprisonment up to 2 years.
Once notified, an organization has only 5 days to respond with evidence.
SDAIA can suspend processing activities — an operational risk, not just a financial one.

Most violations to date trace back to the basics: processing without a valid legal basis, unauthorized disclosure, missing technical and organizational safeguards, and marketing without consent.^[S2]

What this means for hosting decisions

This block is a regulatory reference, not legal advice. Verify the current text of each regulation with its primary source before acting. Last verified 26 June 2026.

How Saudi cloud compliance got here — and what’s next.

The regime assembled in stages: data controls, in-Kingdom regions, PDPL enforcement, and now a private-sector cybersecurity baseline. A few anchors are still pending.

Nov 2022Done

NCA Data Cybersecurity Controls (DCC-1:2022) published^↗

4-tier data classification and 47 sub-controls for government bodies and CNI operators.

Nov 2023Done

Google Cloud Dammam (me-central2) region opens^↗

First hyperscaler in-Kingdom region; later adds Sovereign Controls by CNTXT on Class C infrastructure.

14 Sep 2024Done

PDPL grace period ends^↗

The one-year transition closes; the Personal Data Protection Law becomes fully enforceable.

Sep 2024Done

SDAIA issues Standard Contractual Clauses^↗

SCCs become a primary safeguard for cross-border transfers while no adequacy list exists.

Oct 2024Done

NCA ECC-2:2024 replaces ECC-1:2018^↗

Refined to 4 domains and ~110 controls; all cybersecurity roles must be filled by qualified Saudi nationals.

27 May 2025Pending

PDPL Implementing Regulations amendments — consultation closes^↗

Proposed changes to DPO rules and a 10-business-day duty to respond to SDAIA. Not yet confirmed in force.

Jan 2026Done

AWS Middle East (Saudi Arabia) me-central-2 goes live^↗

Three availability zones around Riyadh; ~$5.3B investment.

Jan 2026Active

NCNICC-1:2025 takes effect — private sector in scope^↗

NCA extends mandatory cybersecurity to every non-CNI private entity, tiered by size (Category A 65 controls).

Early 2026Active

PDPL enforcement is active — 48 decisions^↗

SDAIA reports 48 enforcement decisions; fines up to SAR 5M, 5-day response window, power to suspend processing.

Q4 2026Upcoming

Microsoft Azure Saudi Arabia East — GA (confirmed)^↗

Three availability zones built in the Eastern Province; general availability confirmed for Q4 2026.

PendingPending

SDAIA adequacy country list — still awaited^↗

Until published (Art. 3 ARPDT), cross-border transfers rely on SCCs/BCRs plus a transfer risk assessment.

Regulator

Governs

Key instrument

What it wants from you

SDAIA (PDPL)

Personal & sensitive data

PDPL + Implementing Reg + Transfer Reg

Lawful basis, privacy notice, ROPA, DPAs, DPO (if triggered), 72h breach notice, transfer safeguards

NDMO

Data classification & governance

Data Governance Policies + Classification Policy

Classify every dataset into 4 levels; apply handling rules per level

NCA

Cybersecurity controls

ECC-2:2024 · NCNICC-1:2025 · CCC · DCC · NCS · CSCC

Baseline ECC-2 (gov/CNI) or NCNICC-1:2025 (general private sector); add CCC if cloud, DCC for gov/CNI data, NCS for crypto, CSCC if critical/government

CST

Cloud provider licensing

Cloud Computing Services Provisioning Regulations

Data

Where it can live

CST class to host it

Cross-border

Public / non-personal

Flexible (in or out)

A or B

Generally permitted

Personal (non-sensitive)

In-Kingdom preferred

A / B / C

Allowed with safeguards + TRA

Sensitive personal (health, biometric...)

In-Kingdom

Heightened scrutiny + mandatory TRA

Secret / Top Secret (classified)

In-Kingdom only

C only

Effectively barred

Provider

Status

Region

Verified

AWS Middle East (Saudi Arabia)

Live since January 2026 · 3 AZs · US$5.3B

me-central-2 · Riyadh

2026-06-26

Google Cloud Dammam

Live · Sovereign Controls by CNTXT (Class C infra)

me-central2 · Dammam

2026-06-26

Microsoft Azure Saudi Arabia East

GA confirmed Q4 2026 · 3 AZs built

Eastern Province

2026-06-26

Control set

Applies when

In one line

ECC-2:2024

Always (baseline)

Essential Cybersecurity Controls — the security floor for any in-scope entity

NCNICC-1:2025

General private sector (non-CNI)

Non-Critical Infrastructure Cybersecurity Controls — the new mandatory baseline for private companies. Cat A (250+ FTE or > SAR 200M): 65 essential controls across Governance, Cyber Defense, and Third-party & Cloud; Cat B (SME, 6–249 FTE or SAR 3M–200M): a reduced set.

CCC (CCC-2:2024)

Cloud is in scope

Cloud Cybersecurity Controls — provider + tenant split of duties

DCC-1:2022

Government or CNI data

Data Cybersecurity Controls — 3 domains, 47 sub-controls, and a 4-tier data classification (note: uses a “Confidential” tier where NDMO §03 says “Restricted” — map the two explicitly).

NCS-1:2020

You use cryptography

National Cryptographic Standards — approved algorithms & key management. NCS-2:2025 is unverified — confirm it is in force before relying on it.

CSCC-1:2019

System is critical / government

Critical Systems Cybersecurity Controls — the hardest tier

Compliance navigator — answer four things, get your stack.

Hosting data in Saudi Arabia means clearing four regimes at once.

Saudi PDPL enforcement is live — and active.

What this means for hosting decisions

How Saudi cloud compliance got here — and what’s next.

NCA Data Cybersecurity Controls (DCC-1:2022) published↗

Google Cloud Dammam (me-central2) region opens↗

PDPL grace period ends↗

SDAIA issues Standard Contractual Clauses↗

NCA ECC-2:2024 replaces ECC-1:2018↗

PDPL Implementing Regulations amendments — consultation closes↗

AWS Middle East (Saudi Arabia) me-central-2 goes live↗

NCNICC-1:2025 takes effect — private sector in scope↗

PDPL enforcement is active — 48 decisions↗

Microsoft Azure Saudi Arabia East — GA (confirmed)↗

SDAIA adequacy country list — still awaited↗

There is no single "classification to residency" statute.

Who governs what — and what each one wants from you.

NDMO four levels, and PDPL personal / sensitive split.

The residency matrix (derived, not a single statute).

No adequacy whitelist — so every transfer carries its own paperwork.

The NCA control stack you actually have to implement.

CST cloud-class registration — only if you are the provider.

Penalties, and the 72-hour clock.

Compliance navigator — answer four things, get your stack.

Ask the compliance assistant

Master checklist — one pass to go-live.

Phase 1 — Discover & classify

Phase 2 — Architect & document

Phase 3 — Control & prove

Primary sources & citation index.

Saudi cloud compliance — frequently asked.

Hosting data in Saudi Arabia means clearing four regimes at once.

Saudi PDPL enforcement is live — and active.

What this means for hosting decisions

How Saudi cloud compliance got here — and what’s next.

NCA Data Cybersecurity Controls (DCC-1:2022) published↗

Google Cloud Dammam (me-central2) region opens↗

PDPL grace period ends↗

SDAIA issues Standard Contractual Clauses↗

NCA ECC-2:2024 replaces ECC-1:2018↗

PDPL Implementing Regulations amendments — consultation closes↗

AWS Middle East (Saudi Arabia) me-central-2 goes live↗

NCNICC-1:2025 takes effect — private sector in scope↗

PDPL enforcement is active — 48 decisions↗

Microsoft Azure Saudi Arabia East — GA (confirmed)↗

SDAIA adequacy country list — still awaited↗

There is no single "classification to residency" statute.

Who governs what — and what each one wants from you.

NDMO four levels, and PDPL personal / sensitive split.

The residency matrix (derived, not a single statute).

No adequacy whitelist — so every transfer carries its own paperwork.

The NCA control stack you actually have to implement.

CST cloud-class registration — only if you are the provider.

Penalties, and the 72-hour clock.

Compliance navigator — answer four things, get your stack.

Ask the compliance assistant

Master checklist — one pass to go-live.

Phase 1 — Discover & classify

Phase 2 — Architect & document

Phase 3 — Control & prove

Primary sources & citation index.

Saudi cloud compliance — frequently asked.

NCA Data Cybersecurity Controls (DCC-1:2022) published^↗

Google Cloud Dammam (me-central2) region opens^↗

PDPL grace period ends^↗

SDAIA issues Standard Contractual Clauses^↗

NCA ECC-2:2024 replaces ECC-1:2018^↗

PDPL Implementing Regulations amendments — consultation closes^↗

AWS Middle East (Saudi Arabia) me-central-2 goes live^↗

NCNICC-1:2025 takes effect — private sector in scope^↗

PDPL enforcement is active — 48 decisions^↗

Microsoft Azure Saudi Arabia East — GA (confirmed)^↗

SDAIA adequacy country list — still awaited^↗

NCA Data Cybersecurity Controls (DCC-1:2022) published^↗

Google Cloud Dammam (me-central2) region opens^↗

PDPL grace period ends^↗

SDAIA issues Standard Contractual Clauses^↗

NCA ECC-2:2024 replaces ECC-1:2018^↗

PDPL Implementing Regulations amendments — consultation closes^↗

AWS Middle East (Saudi Arabia) me-central-2 goes live^↗

NCNICC-1:2025 takes effect — private sector in scope^↗

PDPL enforcement is active — 48 decisions^↗

Microsoft Azure Saudi Arabia East — GA (confirmed)^↗

SDAIA adequacy country list — still awaited^↗