The Technology, Media and Telecommunications Review: Saudi Arabia


Technology, media and telecommunications are key pillars underpinning the objectives and themes of Saudi Arabia's Vision 2030 programme.2 This is seen through significant investment in technology-enabled megaprojects such as NEOM,3 Qiddiya4 and the Red Sea Project5 and the creation of new government agencies within the last 12 months, including the Saudi Data and Artificial Intelligence Authority and its sub-entities, the National Data Management Office, the National Information Center and the National Center for AI, that are dedicated to the furtherance of a technology-enabled society. As noted in the sections below, Saudi government policy is firmly in support of investment in and deployment of technology and telecommunications products and services.

Key trends we are seeing in Saudi Arabia include:

  1. Encouragement of foreign direct investment (FDI) into Saudi Arabia – particularly in the technology sector with dedicated resources within government agencies focusing on FDI into the technology sector.6
  2. The rollout of 5G – 5G spectrum has been available to retail customers since mid-2019 with the Saudi Ministry of Communications and Information reporting in February 2020 that Saudi Arabia had 6,500 5G towers in operation and noting that Saudi Arabia had received a Government Leadership Award from the Mobile World Congress for its efforts in developing national digital infrastructure.7
  3. Growth of e-commerce – in late 2019, the United Nations Conference on Trade and Development E-Commerce Index (UNCTRAD B2C E-Commerce Index) identified Saudi Arabia as being one of the top 10 developing countries in the e-commerce sector8 and the Ministry of Commerce published specific regulations applicable to e-commerce service providers in Saudi Arabia9 and the issue of these regulations coincide with a significant growth in electronic and mobile commerce activity.

Migration to cloud-based services – like most technologically mature economies, enterprises in Saudi Arabia are seeking to utilise cloud-based services. In parallel, the Communications and Information Technology Commission and the National Cybersecurity Authority have issued regulations and guidance applicable to the use of cloud computing services in Saudi Arabia.


i The regulators

The technology and telecommunications sector in Saudi Arabia is principally regulated by two bodies: the Ministry of Communications and Information Technology (MCIT)10 (formerly, the Ministry of Post, Telegraph and Telephone) and the Communications and Information Technology Commission (CITC).

A small number of other authorities have more discrete remits. Recently, Saudi Arabia has expanded regulation into the field of cybersecurity, which has led to the creation of the National Cybersecurity Authority (NCA)11 and the National Cyber Security Center (NCSC), both overseen by the Ministry of Interior (MOI).12

The key regulators for media and media protection in Saudi Arabia are the Ministry of Media (MoM)13 and General Commission for Audiovisual Media (GCAM).14

Further details on each regulator are set out below.

Technology and telecommunications

Key regulators

The MCIT is responsible for making general policies and development programmes and representing Saudi Arabia in domestic, regional and international bodies in the technology and telecommunications sector.

The CITC is responsible for issuing licences in accordance with the Telecom Act and implementing approved plans and programmes for the supervision and management of the technology and telecommunications sector. Decisions made by the CITC can be appealed to MCIT.

Other relevant regulators

  1. The Saudi Authority for Data and AI (SDAIA): the SDAIA and its sub-entities the National Data Management Office (NDMO), the National Information Center (NIC), and the National Center for AI (NCAI) work on providing a data-driven and AI-supported government and economy, and to own the national data and AI agenda to help achieve Vision 2030's goals.15
  2. The National Centre for Digital Certification (NCDC): established in 2001 and transferred to the remit of the MCIT for management in 2005, the NCDC is primarily responsible for the management of public key infrastructure (i.e., a set of roles, policies, and procedures needed to create, manage, and distribute digital certificates and manage public-key encryption).16
  3. The National Digital Transformation Unit (NDTU): established in 2017, the NDTU aims to develop and further the digitisation of citizen services in partnership with the private sector. A notable example of this in 2017 was the setting up of FekraTech, an interactive platform that enables citizens to participate in Saudi Arabia's national digital transformation by submitting digital solutions to existing challenges; the NDTU worked alongside the Ministry of Health for the initiative's initial project, whereby individuals proposed solutions to a number of health-related issues.17
  4. The Saudi Authority for Intellectual Property (SAIP): established in 2018 with the aim of organising, supporting, sponsoring, protecting and promoting intellectual property in Saudi Arabia in accordance with global best practices.18

Cybersecuity regulators

The MOI oversees numerous bodies that work to maintain Saudi Arabia's security and manage its internal affairs. Its objectives and responsibilities include:

  1. achieving security and stability, providing safety for Saudi Arabia citizens and protection against crime;
  2. reinforcing security relationships with neighbouring Arab and GCC countries, to maintain safety in Saudi Arabia and abroad, to control crime and drug smuggling, and exchange security information; and
  3. reinforcing security cooperation with neighbouring countries to protect cultural possessions and achievements, supporting internal and external security, controlling crime, terrorism and drug smuggling, and developing Arab security institutions.

In addition to the above responsibilities, all cybercrimes must be reported to the MOI.19 Prosecutions are led by the Bureau of Investigation and Prosecution.

The NCA was established by royal decree in October 2017 as the body responsible for the protection and promotion of cybersecurity matters in Saudi Arabia. In October 2017, it issued a set of minimum standards to be applied by various national agencies to reduce the risk of cyber threats; these controls considered governance, strengthening cybersecurity, enhancing external cybersecurity, in addition to cloud computing, and industrial control systems and ultimately became consolidated in the NCA's Essential Cybersecurity Controls (ECC – 1 : 2018)20 and Cloud Cybersecurity Controls (CCC – 1: 2020).21

The NCA has both regulatory and operational functions related to cybersecurity and it works closely with public and private entities to improve the cybersecurity posture of the country in order to safeguard its vital interests, national security, critical infrastructures, high-priority sectors, and government services and activities in alignment with Vision 2030. The NCA also oversees the NCSC and Saudi CERT. The NCSC has a national role in monitoring, analysing cyber risks and threats, and sharing information with government entities and critical national infrastructures. While Saudi CERT's primary mission is to raise cybersecurity awareness in Saudi Arabia.


The MoM is the governmental body tasked with the regulation of Saudi Arabia's media, and Saudi Arabia's communications with other countries.

GCAM is responsible for the regulation of audiovisual media transmission in Saudi Arabia. It reports to the MoM, but is a separate legal entity, with independent finance and administration.

ii Main sources of law

Technology and telecommunications

The key relevant laws in the technology and telecommunications sector are as follows:

  1. The Telecom Act (issued under the Council of Ministers resolution No. (74), dated 05/03/1422H (corresponding to 27 May 2001), and approved pursuant to the Royal Decree No. (M/12), dated 12/03/1422H (corresponding to 3 June 2001).22
  2. The Communication and Information Technology Commission Ordinance (the CITC Ordinance) (issued under the Council of Ministers resolution No. (74), dated 05/03/1422H (corresponding to 27/05/2001), and amended pursuant to the Council of Ministers resolution No. (133), dated 21/05/1424H (corresponding to 21 July 2003).23
  3. The E-Commerce Law 2019 (Royal Decree No. M/126 dated 07/11/1440H (corresponding to 10 July 2019)).24

The CITC's role has expanded beyond telecommunications and it has issued a variety of regulations and consultations25 in a number of sectors in the technology and digital space, including:

  1. the Cloud Computing Regulatory Framework (version 2, revised in February 2019) (the Cloud Regulations): the Cloud Regulations outline the rights and obligations of cloud service providers (CSPs) and users of cloud services (i.e., cloud customers); they only apply to CSPs who own cloud infrastructure in Saudi Arabia or have a direct contractual relationship with customers based in Saudi Arabia;26
  2. the Regulation for the Reduction of Spam (the Spam Regulations): the Spam Regulation requires telecommunications service providers to reduce spam messages transmitted across their networks, including by implementing prevention and monitoring mechanisms. Spam messages are defined as certain types of electronic messages sent without any opt-out mechanism;
  3. CITC Decision No. 395/1439 dated 3/11/1439H (corresponding to 14 August 2018);27
  4. the Internet of Things Regulatory Framework, issued in September 2019;28
  5. Rules and Conditions for MVNO Services and IoT-VNO Services Provision: these update the conditions and licensing requirements related to the request for a licence to provide mobile virtual network operator services. They set out the conditions and licensing requirements relating to the provision of the services by internet of things virtual network operators;29
  6. the Saudi Domain Name Registration Regulation30 and related guidelines and rules;31
  7. the regulations, guidelines and rules for the registration of Saudi country-code top-level domains. They are issued by the Saudi Network Information Centre (SaudiNIC),32 part of the CITC; and
  8. the Rules and Technical Standards for ICT Infrastructure Deployment in New Developments: these are intended to facilitate the implementation and roll-out of telecom networks.33

Additional regulatory documents issued by CITC relating to the technology and telecoms sector can be found on the CITC website.34


The key relevant cybersecurity laws are as follows:

  1. Royal Decree No. 5/11/8697 dated 26/8/1370 H (corresponding to 2 June 1951) (the Law Establishing the Ministry of Interior);
  2. the Anti-Cyber Crime Law (issued under the Council of Ministers Decision No. 79, dated 7/3/1428 H (corresponding to 26 March 2007), and approved by Royal Decree No. M/17, dated 8/3/1428 H (corresponding to 27 March 2007) (the Cyber Law); 35 and
  3. the Cloud Regulations.

There are also a number of sector-specific cybersecurity rules and requirements, for example, for the finance sector, the SAMA Cyber-Security framework (version 1, May 2017).


The key laws regulating media and media protection are as follows:

  1. the Publications Law promulgated by Royal Decree No. M/32 dated 03/09/1421H (corresponding to 29 November 2000);
  2. the Electronic Publications Regulations published on 20/04/1432H (corresponding to 25 March 2011);
  3. the Press Institutions Law promulgated by Royal Decree No. M/20 dated 08/05/1422H (corresponding to 29 July 2001) (the Press Institutions Law);
  4. the General Commission for Audiovisual Media Regulations promulgated by Royal Decree number 33/M dated 25/03/1439H (corresponding to 13 December 2017) (the GCAM Regulations);
  5. the GCAM Implementing Regulations promulgated by Minister of Media resolution No. 16927 dated 04/03/1440H (corresponding to 12 November 2018) (the GCAM Implementing Regulations); and
  6. the Copyright Law promulgated by Royal Decree No. M/41 dated 02/07/1424H (corresponding to 30 August 2003).

Publications and press institutions

For the implementation of media laws in relation to publications, the Ministry of Media applies:

  1. the Law of Printing and Publication and its implementing regulations, regulating print and publication activities; and
  2. the Implementing Regulations For Electronic Publishing, regulating the practice of electronic publishing in Saudi Arabia.


For the implementation of media laws in relation to audiovisuals, the GCAM has issued the implementing regulations governing the following matters:

  1. importing and selling receivers;36
  2. licensing visual and audible media content production companies;37
  3. establishing a representative offices of tv channels;38
  4. importing, distributing, selling and renting visual and audible media content;39
  5. establishing studios;40
  6. audiovisual broadcasting services over telecommunication networks;41
  7. TV and radio competitions;42
  8. SNG services;43
  9. audio social communication services;44
  10. visual broadcasting via closed circuit services;45
  11. on-demand video services issued by the GCAM;46 and
  12. videogame participation.47

iii Regulated activities

Generally, each relevant regulator maintains its processes for issuing its licences pursuant to its own regulations, rules and policies. However, more regulators are adopting the use of a unified e-licence issuing system named 'Meras'48. Meras allows applicants to submit online applications to obtain licences issued by regulators participating in the Meras platform. We expect that any remaining licences requiring in-person attendance will be phased out in favour of online submissions, either through the relevant regulator or through the Meras platform.


The Telecom Act provides a legal foundation for supervising and managing the telecommunications sector in Saudi Arabia. It also outlines certain objectives for the sector. These include:

  1. providing advanced and adequate telecommunications services at affordable prices;
  2. ensuring the provision of access to the public telecommunications networks, equipment and services at affordable prices;
  3. ensuring the creation of a favourable atmosphere to promote and encourage fair competition in all fields of telecommunications;
  4. safeguarding the public interest and user interest as well as maintaining the confidentiality and security of telecommunications information; and
  5. ensuring the transfer and migration of telecommunications technology to keep pace with its development.

Any entity seeking to provide telecommunications services must submit a licence application to the CITC.

The CITC Ordinance establishes the CITC as the regulatory authority for all matters relating to the telecommunications sector in Saudi Arabia. It includes reference to the CITC's responsibilities, board composition and membership, governance, and sources of finance.

The CITC is responsible for a wide variety of roles, including:

  1. issuing the necessary licences in accordance with all relevant laws;
  2. ensuring the implementation of the conditions specified in such licences;
  3. implementing approved policies, plans and programmes for developing the telecommunications sector;
  4. achieving the orderly expansion of the telecommunications infrastructure and telecommunications services provided to the users in an effective and reliable manner; and
  5. encouraging reliance on market forces for the provision of telecommunication services.


CSPs that exercise direct or effective control over data centres or critical cloud infrastructure hosted in Saudi Arabia are required to register with the CITC.



Pursuant to the Publications Law, it is necessary to obtain a licence from the MoM to:

  1. to print, publish, distribute publications or engage in any other publication services;
  2. import, sell or rent movies or video tapes;
  3. produce, sell or rent computer programs;
  4. engage in any press services; and
  5. carry out photography services.

These activities are restricted to Saudi nationals. In addition, the holder of a licence may transfer, lease or share ownership of such licence after obtaining the approval of the MoM. Furthermore, the Electronic Publications Regulations stipulates that it is required to obtain a licence from the MoM in order to carry out electronic publication. Such licence is also restricted to Saudi nationals.

The author, publisher, printer or distributor must obtain the MoM's approval prior to circulating a publication. The MoM will not approve a publication that prejudices Islam, the Saudi regime, the interests of the country or public morals and customs.

Press institutions

The Press Institutions Law stipulates that in order to establish a press institution that carries out the business of publishing magazines and newspapers, an application shall be submitted by the founders of the institution accompanied with the details of the business and the founders to the MoM. The number of founders shall not be less than 30 and all must be Saudi nationals.

The Minister of Media and Information can only grant a licence after the approval of the Council of Ministers. Both the general manager and chief editor of the press institution must be Saudi nationals. The headquarters of the press institution shall be in the city specified by the licence. Some of its publications may be issued in other cities pursuant to approval of the MoM.


In order to obtain, renew or cancel a licence from the GCAM, the approval of the Council of Ministers is required based on the recommendation of GCAM.

There are three types of licences that can be obtained from GCAM: media activity licenses, cinema licences and broadcasting and distribution licences.

iv Ownership and market access restrictions

Typically only those activities listed in the Ministry of Investment (MISA) negative list are prohibited for foreign investors. The MISA negative list is narrow and does not touch upon any of the activities listed in this chapter. However, we note that each regulator has broad discretion when it comes to issuing their licences. Separate from the MISA negative list, each regulator may apply foreign ownership restrictions whether based on its own regulatory framework, policies, security concerns, other interests or solely at its discretion.

v Transfers of control and assignments

Any merger or acquisition transaction shall be subject to the antitrust regime of Saudi Arabia, as implemented by the General Authority for Competition.49 From an operational perspective and depending on the type of licence, the requirements for licences transfers may range from no action required, notification to the relevant regulator, to obtaining regulator consent (including re-application).

Telecommunications & internet access

i Internet and internet protocol regulation

The regulation and classification of internet and IP-based services are handled by the same authorities and pursuant to the same broader set of legislation governing the telecommunications sector in Saudi Arabia.

There are, however, specific regulations targeting internet and IP-based services in place – for example, see the references in the above sections to the E-Commerce Law and Cloud Regulations as well as the various regulations issued by the CITC and referred to above.

i Universal service

Saudi Arabia has encouraged the development of telecom and broadband infrastructure and adopted the same under its Vision 2030. Prior to the strategies adopted under Vision 2030, the CITC issued the Universal Access and Universal Service Policy50 (the Policy) in July 2007, which aims to enable 100 per cent of the population to obtain, at a minimum, 'public access to a defined ICT service at a defined quality through reasonably available and affordable public or community facilities' and to subscribe to and use a defined ICT service at a defined quality on an individual or household basis.51

ii Restrictions on the provision of service

Service providers are regulated broadly under the Telecom Act.

In addition to that, the CITC has issued regulations that speak to the rights, obligations and terms of ICT service providers and users (the Service Providers Regulations)52 issued in 2017, and the SPAM Regulations (see above), which aim to reduce unsolicited calls and messages. Both sets of regulations apply to all service providers licensed by the CITC and any users thereof.

Under the Service Providers Regulations, the following general principles must be clearly stated in Arabic and English on any service contracts between a provider and user:

  1. the minimum age of the applicant is 15;
  2. service providers may refuse to offer monthly cellular subscriptions to users who have proven to have outstanding balances whether with the same service provider or another; and
  3. service providers may require that applicants applying for monthly cellular subscriptions provide insurance in certain circumstances.

Contracts must include:

  1. price list including details related to each service offered and information related to any down-payment requirements;
  2. details related to the service offered and specifications thereof;
  3. details of the conditions and obligations of the user and consequences of breach of such conditions and obligations as well as details of any discounts or offers;
  4. details of any restrictions or exceptions related to the service offered and any additional fees which would apply if such restrictions or exceptions were triggered;
  5. the duration of the contract and renewal mechanism;
  6. dates of invoices;
  7. the mechanism adopted for amending or cancelling the service; and
  8. situations in which the service provider may suspend or cancel the service.

In addition, the Service Providers Regulations state that each service provider must offer its services to any users applying for the services being offered, and each service must be offered in a consistent manner to all users. This includes maintaining the same prices for services offered, quality of service, time during which the services are offered, and any other conditions imposed by the CITC.

Under the Service Providers Regulations, all user information is considered confidential and service providers are obliged to maintain such confidentiality and seek all measures for the purposes of securing user information and prohibiting access, publication, sharing or use thereof. Service providers are also prohibited from disclosing user information unless such disclosure is mandated under another applicable law, is based on the user's consent, or is provided based on a request from the CITC. Furthermore, the same level of data security must be mirrored in the internal policies of service providers and monitored accordingly.

Service providers are also obligated to maintain the confidentiality of user phone calls and any information transmitted to and from the user or information received through one of the service providers' public networks. They must also prohibit access to such information by any employee or affiliate.

iii Privacy and data security

The Basic Law of Governance of 1992 (Royal Order No. A/91 of 1992) (the Basic Law)53 specifies a number of rights that promote self-expression.

For example, Article 40 of the Basic Law specifies that privacy of telegraphic and postal communications, and telephone and other means of communication, shall not be violated.

Furthermore, it specifies that there shall be no confiscation, delay, surveillance or eavesdropping, except in cases provided by the law.

Article 8 of the Publications Law also guarantees freedom of expression in different forms of publication.54

Although the Basic Law and the Publications Law grant rights promoting self-expression, they are subject to other limits and qualifications laid down by applicable law that aim to protect national interests. Examples of those limits include (without limitation):

  1. Article 62 of the Basic Law, which states that if there is an imminent danger threatening the safety of Saudi Arabia, the integrity of its territories or the security and interests of its people, or is impeding the functions of official organisations, the King may take urgent measures to deal with such a danger.
  2. Article 6 of the Cyber Law, which criminalises the production, preparation, transmission, or storage of material impinging on public order, religious values, public morals, and privacy, through the information network or computers. The penalty for committing any of the foregoing crimes is imprisonment for a term not exceeding five years; and a fine not exceeding 3 million riyals.
  3. An Antiterrorism Law introduced in November 2017, which maintains broad definitions of what can be considered a terrorist act. The foregoing law does not restrict the definition of terrorism to violent acts. Other conduct it defines as terrorism includes 'disturbing public order', 'destabilizing national security or state stability', 'endangering national unity' and 'suspending the basic laws of governance', all of which may encompass any form of expression.55

Saudi Arabia does not have a comprehensive general data protection law. Shariah principles (i.e., Islamic principles derived from the Holy Quran and the Sunnah) are the primary source of data protection law in Saudi Arabia – these principles generally protect the privacy and personal data of individuals.

The general right to privacy is also reflected in Article 40 of the Basic Law, which mentions privacy as a right that is related to the dignity of an individual and guarantees the privacy of telegraphic, postal and other types of communication. It also prohibits surveillance and eavesdropping unless permitted by law.

In addition, there is:

  1. sectoral legislation that contains data protection obligations for organisations operating in the financial services, healthcare and telecommunications sectors in Saudi Arabia;
  2. legislation that contains data protection obligations (e.g., the Cloud Regulations and the Internet of Things Regulatory Framework); and
  3. extraterritorial data protection legislation that may apply to Saudi companies and individuals by virtue of their overseas activities (e.g., the General Data Protection Regulation (EU) 2016/679 and Personal Data Protection Act BE 2562 (2019)).

For example, Article 3 of the Cyber Law states that anyone who spies on, intercepts or receives data transmitted through an information network or a computer without legitimate authorisation; or invades an individual's privacy through the misuse of camera-equipped mobile phones etc., shall be subject to imprisonment for a period not exceeding one year; or a fine not exceeding 500,000 riyals or both.56

Article 3.5.2 of the Cloud Regulations states that cloud service providers are not liable for unlawful content or infringing content that has been uploaded, processed or stored on the cloud service providers' systems. However, Article 3.5.4 of the Cloud Regulations states that cloud service providers must remove such unlawful or infringing content or render it inaccessible within the country after written notice by the CITC or any other authorised entity.57

Article 3.5.3 of the Cloud Regulations states that nothing in the same shall be interpreted as a legal obligation on cloud service providers to monitor their systems for unlawful or infringing content. However, Article 3.5.5 of the Cloud Regulations states that cloud service providers may, at their own initiative or following a third-party request, remove from their system or render inaccessible in Saudi Arabia (or any other jurisdiction) any unlawful or infringing content. The foregoing right is exercisable on the condition that such removal is in accordance with the provisions of the cloud contract and the cloud service provider provides adequate notice to the affected customer.

According to the Cloud Regulations:

  1. unlawful content means software, text, files, audio, video, images, graphics, animations, illustrations, information, personal, business or other data, in any format, whether provided by the customer or a third party, that is unlawful under Saudi laws; and
  1. infringing content means content, whether provided by the customer or a third party, that infringes a person's intellectual property rights.

Other than the general right to privacy in the Basic Law, at the time of writing we are not aware of any specific legislation protecting children online in Saudi Arabia. However, we note that parents in Saudi Arabia are increasingly using parental control apps to regulate the time that their children spend online.58

In addition to the discussion in Section II.i about how cybersecurity concerns are being addressed, the Cyber Law aims to ensure information security, the protection of rights pertaining to the legitimate use of computers and information networks, and the protection of public interest, morals and the national economy.

Spectrum policy

i Development

The following pieces of legislation regulate this area.

  1. The Telecom Act: the regulation of radio spectrum usage is one of the main functions of the CITC pursuant to the Telecom Act. Under the Telecom Act, an essential objective of spectrum management is to promote optimal spectrum use by achieving optimum utilisation of this resource, ensuring the creation of a favourable atmosphere to promote and encourage fair competition in all fields of telecommunications, ensuring effective and interference-free usage of frequencies, ensuring clarity and transparency of procedures, ensuring principles of equality and non-discrimination, and ensuring the development of telecommunications technology.
  2. The National Spectrum Strategy 2025: the CITC has recently published a National Spectrum Strategy 202559 that describes the CITC's priorities with respect to the development of Saudi Arabia's spectrum policy going forward. The Spectrum Strategy states that Saudi Arabia has already achieved considerable success in assigning spectrum to public mobile networks that utilise International Mobile Telecommunication standards to provide mobile broadband services, and notes the creation of a dedicated subcommittee in 2019 under the auspices of the CITC to focus on 5G spectrum matters within the National 5G Taskforce.

ii Flexible spectrum use

Under the Spectrum Strategy, a comprehensive review of fixed point-to-point links is contemplated in order to determine the most optimal band plans with the overall objective being to review and optimise a total of 5.4GHz of legacy spectrum by 2025.

Currently, the Spectrum Strategy notes that Saudi Arabia has made notable progress on addressing issues related to the International Mobile Telecommunication (IMT) field, which resulted in it being ranked among the leading nations in awarded IMT spectrum. Furthermore, the Spectrum Strategy also speaks of enabling space spectrum in which the focus would be on championing Saudi Arabia's emerging space industry in international discussions and within Saudi Arabia. This will enable the CITC to work on satellite coordination requests and resolve such requests in a timely manner, thereby allowing existing and future satellite services access to spectrum and manage trade-offs with IMT allocations.

iii Broadband and next-generation services spectrum use

The Spectrum Strategy recognises a number of ways in which the growing need for spectrum for broadband services and next-generation services, among others, is addressed. The Spectrum Strategy states that it aims to identify and resolve existing inefficiencies while overcoming hurdles that prevent international harmonisation and optimal spectrum utilisation. Moreover, there is a push for 5G+ deployment in order to position Saudi Arabia among the leading nations in unlocking innovative high-performance use cases and applications based on 5G.

iv Spectrum auctions and fees

Auctioning spectrum

As of the third quarter of 2020, the CITC has auctioned spectrum to licensed mobile networks operators within Saudi Arabia.

In 2017, the CITC issued a press release stating that it had awarded large blocks of contiguous spectrum, ideal for deployment of next-generation broadband networks across Saudi Arabia to four MNOs.60 This was the first spectrum auction in Saudi Arabia and the first time spectrum in the 700MHz band has been allocated in the MENA region.

The auction raised 5.8 billion riyals for 50MHz in the 700MHz band and 66MHz in the 1,800MHz band.

We are not aware of any plans to auction spectrum to non-licensed entities.

Spectrum fees

Currently, spectrum users must be licensed by the CITC and such licence is accompanied by a fee to be paid to the CITC calculated in accordance with the CITC's Spectrum Fees of Frequency Usage Policy.61


i Regulation of media distribution generally

In addition to the key laws regulating media and media protection specified in Section II.ii, the following laws are also relevant in regulating media and media protection in Saudi Arabia:

  1. the National Committee for Regulating Digital Media Content formed pursuant to a Council of Ministers resolution dated 23/03/1435H (corresponding to 24 January 2014);
  2. the Media Policy in Saudi Arabia issued by the MoM;62 and
  3. the General Commission for Audiovisual Media age classification guide.

The media sector may be broadly categorised into the following subsectors: publications, press institutions and audiovisuals. As per the question, this entry predominantly focuses on audiovisuals.

ii Service obligations

In order to engage in broadcasting and other audiovisual media activity in Saudi Arabia, an appropriate licence needs to be obtained. The types of licences contemplated in the licence manual that accompanies the GCAM Implementing Regulations include:

  1. media content production, and operating media production studios;
  2. advertising agencies;
  3. operating cinemas;
  4. satellite distribution;
  5. terrestrial transmission;
  6. satellite uplink stations;
  7. linear and non-linear (e.g., video on demand and over the top) broadcasting;
  8. radio broadcasting;
  9. IPTV and cable television;
  10. media audience measurement; and
  11. importation, distribution, sale and lease of:
    • audiovisual media content;
    • cinematic movies, videos and TV shows; and
    • receivers and accessories.

Licensees are required to pay the applicable fees and comply with the requirements specified in the licence. Furthermore, licensees are required to (among others):

  1. comply with the GCAM's policies with regard to prioritising the use of Kingdom resources, including human resources; and
  2. participate in capacity building in respect of local content production capabilities.

Licensees may need to comply with technical specifications for equipment relating to transmission and reception of media content, and with the allocation of frequencies and associated technical procedures and standards for frequency use.

iii Content restrictions

The Copyright Law protects original and derivative works created in the fields of literature, art and sciences, irrespective of their type, means of expression, importance or purpose of authorship.

The Copyright Law is intended to prevent third parties from copying the protected work. The protection period for sound works, audiovisual works, films, collective works and computer programs is 50 years from the date of the first show or publication of the work, regardless of republication. The protection period for broadcasting organisations shall be 20 years from the date of the first transmission of programs or broadcast materials, and the protection period for the producers of sound recordings and performers shall be 50 years from the date of performance or its first recording, as the case may be.

Cabinet Resolution No. 163 dated 10/24/1417 AH prohibits users within Saudi Arabia from publishing or accessing illegal, harmful or anti-Islamic content on the internet.

Previously, the Internet Service Unit operated a data link that connected Saudi Arabia to the international internet. Users would subscribe to any number of local internet service providers and all web traffic would have been forwarded through servers at the Internet Service Unit. The foregoing structure has been modified, and we understand that multiple data service providers act as a proxy between the internet service providers and the international internet. The CITC is now responsible for administering the internet filtering service, which was previously under the Internet Service Unit's domain.

The CITC provides such services in cooperation with the Permanent Internet Security Committee, and provides a list of banned websites to the data service providers.

Alternatively, users may submit a request to block a particular website where they deem such a website or material to contain undesirable content. Once a user has submitted the web-based form it is reviewed by a team of CITC employees, which determine whether the user's request is justified.

The data service providers are responsible for ensuring that the websites are banned on their internet gateways. If a data service provider fails to comply with the CITC's instructions, it may result in a fine of up to 5 million riyals.63

In terms of the content that is filtered, websites and materials that are inconsistent with Islam, for example, materials relating to pornography, gambling and drugs would be classified as harmful content.

The CITC regulates network operators, and the ICT and postal sector. The Telecom Act provides the legal framework for organising this sector.64

The GCAM regulates the audiovisual sector65 and the MoM supervises all means of visual, audio and written communication content in Saudi Arabia.66

Pursuant to the Publications Law, a licence from the MoM is required to carry out, among other things, the following activities to print, publish, distribute publications or engage in any other publication services, to import, sell or rent movies or video tapes, to produce, sell or rent computer programs, to engage in any press services and to carry out photography services.

The activities mentioned above are restricted to Saudi nationals. In addition, the holder of a licence may transfer, lease or share ownership of such licence after obtaining the MoM's approval.

The author, publisher, printer or distributor must obtain the MoM's approval prior to circulating such publication. The MoM will not approve a publication that prejudices Islam, the Saudi Arabia regime, the interests of the country or public morals and customs.

As such, we understand that traditional media outlets would fall under the remit of the Publications Law.

As described more fully above, there are three types of licences that can be obtained from the GCAM: media activity licences; cinema licences; and broadcasting and distribution licences. As such, we understand that emerging platforms are more likely to fall within the GCAM Regulations and GCAM Implementing Regulations.

iv Internet-delivered video content

There is limited information on how the move from broadcast video distribution to internet video distribution has affected consumers and the ability of internet service providers to control, and be compensated for, the content being transmitted over their networks.

However, according to the CITC's 2017 Annual Report, the penetration rate of internet services has soared over the past years from 64 per cent in 2014 to around 82 per cent by the end of 2017 and, accordingly, the demand for internet and broadband services has risen.67

Furthermore, '96% of people inside the country use the internet, compared to just 2% in the year 2000, while 99% of the country's area has internet access.'68 As such, it is reasonable to presume that the move from broadcast video distribution to internet video distribution has not had a significant negative impact on consumers as 96 per cent of the population in Saudi Arabia has some form of access to the internet.

The year in review

In January 2020, the CITC launched a competition to award licences to new MVNOs in Saudi Arabia.69 The process at the time of writing and is expected to conclude in the fourth quarter of 2020.

In July 2020, Saudi Arabia hosted a meeting of G20 Digitial Economy Ministers.70 The meeting brought together all G20 members as well as the OECD and the International Telecommunication Union as knowledge partners and focused on a number of areas that are relevant to the creation of global digital economies (i.e., trustworthy artificial intelligence, cross-border data flows, smart cities, the development of a common framework for measuring the digital economy and maintaining digital security and trust).

In August 2020, the CITC issued a cybersecurity regulatory framework for ICT and postal sector service providers.71 The framework is intended to increase the cybersecurity maturity of such service providers and mainly concerns organisations that are licensed or registered by the CITC or subject to its regulation in Saudi Arabia.

In October 2020, the CITC launched a regulatory sandbox for delivery applications.72 The regulatory sandbox is designed to 'support, enable, and sustain the growth of Saudi Arabia's delivery app ecosystem, for the benefit of all sector stakeholders, including consumers, producers, and delivery drivers'.

Also in October 2020, and as noted above, the NCA issued the final draft of its Cloud Cybersecurity Controls – CCC-1:2020.73

Conclusions and outlook

The technology, media and telecommunications sectors are core to the future economic development of Saudi Arabia and, accordingly, it is likely that we will see further legislative and regulatory developments with respect to these sectors over the next few years.

Looking ahead, we would not be surprised to see further legislation or regulation in one or more of the following areas:

  1. Implementation of a national data privacy regime: in 2020 we saw the implementation of new privacy regimes in Abu Dhabi, Dubai and Egypt. It would be consistent with both regional trends and Saudi Arabia's desire to grow its digital economy to see a dedicated privacy law and privacy regulator put in place in Saudi Arabia.
  2. Reform to national intellectual property laws and registration authorities: the Saudi Authority for Intellectual Property was launched in 2018 and has been busy in 2020 with various public consultations on changes to Saudi Arabia's intellectual property regime.74 These changes are aligned to the Authority's stated mission (i.e., 'promoting the competitiveness of the national economy, supporting the growth of the intellectual property culture in Saudi Arabia') and will be of significant interest to technology, media and telecommunications companies that seek to generate, protect and license intellectual property in Saudi Arabia.
  3. Promotion and support for further foreign direct investment in the TMT sector: the Saudi Arabian General Investment Authority was converted into the MISA in 2020 and we expect that throughout 2021 and beyond, the MISA will seek to implement further measures, including potential regulatory reform, to promote Saudi Arabia as a world-class investment destination.

In short, we expect the next few years to be a very exciting time to be a TMT lawyer operating in Saudi Arabia.


1 Brian Meenagh is a partner, and Alexander Hendry and Avinash Balendran are associates at Latham & Watkins LLP. Homam Khoshaim and Lojain Al-Mouallimi are associates at the Law Office of Salman M Al-Sudairi.

24 An English translation is not yet available.

36 An English translation is not yet available.

37 An English translation is not yet available.

39 An English translation is not yet available.

41 An English translation is not yet available.

42 An English translation is not yet available.

44 An English translation is not yet available.

45 An English translation is not yet available.

47 An English translation is not yet available.

51 Article 1 of the Universal Access and Universal Service Policy.

55 'Terrorist crime' means any act committed, individually or collectively, directly or indirectly, by a perpetrator, with the intention to disturb public order, destabilise national security or state stability, endanger national unity, suspend the Basic Law or some of its articles, undermine state reputation or status, cause damage to state facilities or natural resources, attempt to coerce any of its authorities into a particular action or inaction or threaten to carry out acts that would lead to the aforementioned objectives or instigate such acts; or any act intended to cause death or serious bodily injury to a civilian, or any other person, when the purpose of such act, by its nature or context, is to intimidate a population, or to compel a government or an international organisation to do or to abstain from doing any act.

58 '33% of parents in Saudi Arabia worry about harmful online content', The Saudi Gazette, 1 April 2020.

62 An official English translation is unavailable on the MoM's website.

63 Freedom of the Net 2019, Saudi Arabia, Freedom House.

68 'How Saudi Arabia is deploying ICTs against COVID-19 — and beyond', The Saudi Gazette, 25 July 2020.

Get unlimited access to all The Law Reviews content