Cloud First Policy of Saudi Arabia 

February 2019

View the original document

Strategies and Action Plans

Author: Ministry of Communications and Information Technology

Cloud First Policy”(CFP) of Saudi Arabia covers governmental entities which are introduced to accelerate the adoption of cloud computing services by directing these entities to consider cloud options when making new IT investment decisions. The private sector is encouraged to follow the same exercise by having an internal CFP. This policy was defined in line with the key pillars of KSA’s ambitious Vision 2030. The policy hence caters to the National Information Center’s (NIC) Strategy – the entity that will serve as the primary Cloud Service Provider (CSP) for Government-related data. This document complements the cloud computing regulations issued or to be issued by other governmental entities.

Cloud-First Policy is meant to define and stimulate public sector migration from traditional IT solutions to cloud-based models. Significant reasons for adopting such a policy are to enhance efficiency in different ways, such as the use of cloud computing for resource pooling and sharing across different applications and entities, leading to increased utilisation of the assets.

The policy is intended to accelerate the pace at which Governmental entities are migrating from traditional IT solutions to cloud solutions, which will serve as a key pillar in supporting and driving the digital transformation in KSA. Entities covered by the scope of this policy are required to consider cloud computing options when making new IT investment decisions, with the goal of achieving the following:

  • Increase the quality of service by using more agile, innovative solutions in the Government services sector (e-services).
  • Reduce total cost of ownership by improving IT utilisation, aggregating demand, and removing duplications in Governmental IT spending.
  • Improve cyber security robustness by using accredited platforms with best-in-class cyber security standards and leveraging Cloud service providers’ expertise in this domain.
  • Enable interoperability with other entities.

This policy is applicable to all governmental entities with the exception of the Saudi Arabian Monetary Authority and other entities primarily responsible for national security and defense, such as the Ministry of Defense (MoD), Presidency of State Security (PSS), Ministry of Interior (MoI) and National Cybersecurity Authority (NCA).