Help Center

Frequently Asked Questions

Find answers to your questions about cybersecurity and the CISO Consulting platform


Cloud Security (5)

NCA Cloud Cybersecurity Controls (CCC) require Saudi government entities to: obtain NCA approval before adopting cloud services; use only NCA-approved cloud service providers; implement a shared responsibility model; maintain data sovereignty for classified data; apply encryption for data at rest and in transit; implement cloud access security and monitoring.
Financial institutions in Saudi Arabia operating in the cloud must satisfy overlapping requirements from both SAMA CSF and NCA ECC, making cloud security governance a multi-layered compliance challenge. Under NCA ECC Article 2-10 (Cloud Computing Security), entities must conduct a formal cloud risk assessment before migration, classify data according to sensitivity, and ensure that critical and sensitive data is hosted within the Kingdom unless explicit regulatory approval is granted for cross-border transfer. SAMA reinforces this through its Cloud Computing Framework, which mandates that banks obtain prior SAMA approval before migrating core banking workloads to public cloud environments. Shared responsibility models must be clearly documented — defining what the cloud service provider (CSP) secures versus what the institution remains responsible for. Key technical controls required include encryption at rest and in transit (AES-256 minimum), multi-factor authentication for cloud console access, continuous cloud posture monitoring (CSPM tooling), and network segmentation. Incident response plans must be updated to include cloud-specific scenarios. From a PDPL perspective, cross-border data transfers require adequate safeguards — either contractual clauses or confirmation that the destination country offers equivalent protection. Institutions should also maintain a Cloud Asset Register, conduct annual cloud penetration tests, and perform configuration audits quarterly. Our platform maps your cloud controls against SAMA CSF Domain 3.4 and NCA ECC requirements, providing a unified compliance dashboard.
Cloud adoption in Saudi financial institutions is governed by a layered regulatory framework. Here is what you must technically implement to remain compliant:

**NCA ECC (Art. 2-3 & Cloud Controls Sub-domain):** Data classified as 'National' or 'Sensitive' must reside within KSA borders or in approved sovereign cloud environments. You must conduct a formal cloud risk assessment before migration and maintain a cloud asset register.

**SAMA CSF Cloud Requirements:** Before adopting any cloud service, regulated entities must perform due diligence on the Cloud Service Provider (CSP), verify their compliance with recognized standards (ISO 27001, SOC 2 Type II, CSA STAR), and ensure contractual right-to-audit provisions.

**Mandatory Technical Controls include:**

1. Encryption at rest and in transit using AES-256 and TLS 1.2+ minimum;
2. Identity and Access Management with MFA enforced for all privileged and administrative accounts;
3. Cloud Security Posture Management (CSPM) tools to continuously detect misconfigurations;
4. Network segmentation and micro-segmentation within cloud environments;
5. Logging and SIEM integration: all cloud activity logs must feed into your SOC with minimum 12-month retention;
6. Data Loss Prevention (DLP) controls to prevent unauthorized data exfiltration;
7. Vulnerability management cadence for cloud workloads.

**Practical note:** Many Saudi banks and fintechs use hyperscalers (AWS, Azure, Google Cloud) through their KSA regions. While this satisfies data residency, you remain fully responsible for the 'shared responsibility model' gaps. Engage your vCISO or cloud security team to map your controls against both SAMA CSF and NCA ECC before go-live.
Yes, but with conditions. SAMA allows financial institutions to use public cloud, provided they: conduct a cloud risk assessment; ensure data residency requirements for sensitive customer data; implement appropriate access controls and encryption; maintain regulatory reporting capabilities; have a clear exit strategy; and use SAMA-approved or internationally recognized cloud providers with local data centers in KSA.
Financial institutions in Saudi Arabia operating in the cloud must satisfy overlapping requirements from three primary authorities:

**NCA ECC (Cloud Security Controls – Domain 4):** Article 4-2 of the ECC mandates that critical infrastructure entities, including financial institutions, classify cloud deployments and implement controls across data sovereignty, access management, encryption, and incident response. Cloud service providers (CSPs) must themselves be NCA-compliant, and organizations must maintain the right to audit CSP security practices.

**SAMA Cloud Computing Guidelines (2017, updated):** SAMA requires prior written approval before migrating critical systems or sensitive customer data to the cloud. Key obligations include: storing customer financial data within Saudi Arabia or in jurisdictions with equivalent data protection standards, conducting cloud-specific risk assessments, and ensuring business continuity and disaster recovery capabilities are not compromised by cloud dependencies.

**Practical Implementation Checklist:**

- Classify data per PDPL sensitivity tiers before cloud migration
- Use FIPS 140-2 validated encryption for data at rest and in transit
- Implement Identity and Access Management (IAM) with privileged access controls
- Establish a Cloud Security Posture Management (CSPM) tool to continuously monitor misconfigurations
- Define clear exit strategies and data portability clauses with CSPs
- Map cloud controls to SAMA CSF maturity levels for self-assessment reporting

Cloud adoption in Saudi financial services is accelerating, particularly with hyperscalers like AWS, Microsoft Azure, and Google Cloud establishing local regions. However, regulatory pre-approval remains non-negotiable. Engaging a vCISO or GRC platform early in the cloud journey ensures compliance is embedded by design, not retrofitted.
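The technical controls the answers above keep returning to (sensitive data resident in KSA unless approval is on file, AES-256 at rest, TLS 1.2+ in transit, MFA for privileged accounts, cloud logs in the SIEM with 12-month retention) expressed as a CSPM-style posture check over a cloud asset register. This is an added example, not the CISO Consulting platform's own tooling; the region names, data tiers and asset records are constructed placeholders.

```python
"""Posture check of a constructed cloud asset register against the controls
listed in the answers above (added illustration, not the platform's tooling)."""
from dataclasses import dataclass

KSA_REGIONS = {"ksa-central-1", "ksa-east-1"}  # constructed placeholder names
MIN_TLS = (1, 2)                                # "TLS 1.2+ minimum"
MIN_LOG_RETENTION_DAYS = 365                    # "minimum 12-month retention"
SENSITIVE_TIERS = {"national", "sensitive", "customer-financial"}

@dataclass
class CloudAsset:
    name: str
    region: str
    data_tier: str           # classification assigned before migration
    at_rest_cipher: str      # e.g. "AES-256"
    min_tls: tuple           # lowest TLS version the endpoint still accepts
    admin_mfa: bool          # MFA enforced for privileged/admin accounts
    log_retention_days: int
    logs_to_siem: bool
    cross_border_approval: bool = False  # explicit regulatory approval on file

def assess(a: CloudAsset) -> list:
    """Return the control gaps for one asset; an empty list means none found."""
    gaps = []
    if (a.data_tier in SENSITIVE_TIERS and a.region not in KSA_REGIONS
            and not a.cross_border_approval):
        gaps.append("residency: sensitive data outside KSA without approval")
    if a.at_rest_cipher.upper() != "AES-256":
        gaps.append("encryption: at-rest cipher is not AES-256")
    if a.min_tls < MIN_TLS:
        gaps.append("transport: endpoint accepts TLS below 1.2")
    if not a.admin_mfa:
        gaps.append("iam: MFA not enforced for privileged accounts")
    if not a.logs_to_siem or a.log_retention_days < MIN_LOG_RETENTION_DAYS:
        gaps.append("logging: not in SIEM with 12-month retention")
    return gaps

def assess_register(register) -> dict:
    """Map each asset name to its gaps, as a unified dashboard would."""
    return {a.name: assess(a) for a in register}

# Constructed sample register: one clean workload and two with gaps.
SAMPLE_REGISTER = [
    CloudAsset("core-ledger", "ksa-central-1", "customer-financial", "AES-256",
               (1, 2), True, 400, True),
    CloudAsset("marketing-site", "eu-west-1", "public", "AES-128",
               (1, 0), False, 30, False),
    CloudAsset("kyc-archive", "eu-west-1", "sensitive", "AES-256",
               (1, 3), True, 365, True),
]
```

Running `assess_register(SAMPLE_REGISTER)` flags the public marketing site on four controls and the archive only on residency, which is the kind of per-asset gap list a quarterly configuration audit would feed back into the asset register.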