Internet of Things (IoT) Regulations of Saudi Arabia
July 2024
Author: The Communications, Space & Technology Commission (CST)
RT18
Third Version
July 2024
1- Introduction
The Communications, Space & Technology Commission (CST), in accordance with the Telecommunication and Information Technology Act (act) issued by Royal Decree No. (M/106) dated 2/11/1443 AH, and its Executive Regulations, and CST Ordinance (Commission) as amended by the Council of Ministers Resolution No. (133) dated 21/5/1424 AH, which entrusted CST with regulatory tasks for the information technology sector, and in addition to the provisions of article (seventh) in the Cabinet Resolution No. (292) dated 27/4/1441H, which explicitly stipulates the competence of the Commission to regulate Internet of Things (IoT) technology, is responsible for regulating the communications and information technology sector in the Kingdom of Saudi Arabia (the Kingdom), including Internet of Things (IoT) technology and all resulting use cases, in order to achieve the objectives set forth in Article II of the of the Act, including: Promoting digital transformation, the use of technology and its benefits across all domains, as well as entrepreneurship, innovation, and research and development in the field of information technology, as well as the growth of sub-sectors and new technologies.
Consequently, CST has issued these regulations to adopt the best practices for enabling the Internet of Things market in the Kingdom, in accordance with the commission’s strategy and the strategic directions of the Information Technology and Emerging Technologies sector approved in March 2021. These directives are based on enabling digital transformation and emerging technologies in the Kingdom and encouraging competition and investment.
2- Definitions
Terms and expressions stipulated herein shall have the same meanings defined in Telecommunication and Information Technology Act, Telecom Act Bylaw, CST Ordinance. Unless otherwise required by context, the following terms and expressions shall have the following meanings:
2-1 IoT Devices: Devices possessing autonomous capabilities to sense, monitor, and interact with their surrounding environment, alongside the ability to collect and transmit data. Such devices may be commonly denoted as “IoT” devices.
2-2 Internet of Things (IoT): A network of IoT devices connected to platforms capable of managing these devices, collecting and analyzing information monitored by the same. The stated may be commonly denoted as “IoT”.
2-3 IoT Connectivity: Communication means that enable IoT devices to connect and transmit data between each other, to platforms, or to the Internet.
2-4 IoT Service: A service that allows controlling IoT devices, including obtaining data monitored by the same.
2-5 IoT connectivity service provider: Any entity that provides IoT connectivity to others.
2-6 IoT service provider: Any entity that provides IoT service to others.
2-7 IoT User: Any person or entity that uses IoT service.
2-8 IoT connectivity service user: Any person or entity that uses IoT connectivity service.
2-9 IP (Internet Protocol) address: A unique address that identifies a device on the Internet or LAN.
2-10 License-Exempt Frequency: A frequency or frequency band that can be used on a shared basis without a license from CST, subject to the conditions set by CST for such use.
2-11 Wide Area Networks (WAN): Low-power, wide-coverage, low-data-rate wireless networks, using exempted frequencies; including low-power wide area networks (LPWANs) as well as mesh networks that enable communication between IoT devices.
2-12 Indoor: Private areas, such as homes, airports, private farms, universities, and private compounds, which surrounded by urban boundaries or fences. They are also known as “On-premises”.
2-13 Outdoor: Outdoor areas, such as streets, public parks, and others, which located outside of indoor areas.
2-14 CST website: (www.cst.gov.sa)
3- IoT Regulations Scope of Application
This document applies to IoT technology, IoT connectivity, and IoT devices, and its provisions apply to:
3-1 IoT service providers.
3-2 IoT connectivity service providers.
3-3 IoT service users.
3-4 IoT connectivity service users.
4- IoT Devices
4-1 All IoT devices shall comply with their technical specifications published on CST website.
4-2 IoT devices shall be approved by CST and a conformity certificate shall be obtained from the same, before being imported or used. All requirements and procedures for approval and clearance of telecommunications and information technology equipment are outlined in “Regulations for Licensing of Telecommunications and Information Technology Equipment” published on CST website.
4-3 Device’s features and functions shall be described in the device’s user manual, and this information should indicate which features and functions will be affected if IoT connectivity is limited, interrupted, or unavailable.
4-4 CST recommends verifying that IoT devices support interoperability with IoT connectivity, as well as that IoT devices support interoperability with IoT platforms.
5- IoT connectivity service
5-1 IoT connectivity service is divided into:
5-1-1 IoT connectivity using wired fixed-line networks.
5-1-2 IoT connectivity using licensed frequency wireless networks, such as mobile communications and satellites.
5-1-3 IoT connectivity using license- exempt frequency wireless networks.
5-2 Only those who have obtained the relevant service licenses issued by CST are allowed to provide IoT connectivity services using wired fixed-line networks or licensed frequency wireless networks. The list of licensed service providers can be found on CST website.
5-3 IoT connectivity service providers shall adhere to “National Numbering Plan” published on CST website.
5-4 All SIM cards, whether physical (SIM) or embedded (eSIM), used in IoT devices intended for use in the Kingdom shall be issued by those who have obtained the relevant service licenses issued by CST. The list of licensed service providers can be found on CST website.
5-5 IoT connectivity service can be used and provided using license- exempt frequency wireless networks, provided that the following conditions shall be adhered to:
5-5-1 Only holders of “Facilities-Based Unified Telecommunications Services” License or “Provision of IoT Services using License- Exempt Frequency” License are allowed to create WAN using license- exempt frequencies or provide IoT connectivity services using these networks, and can be found on CST website.
5-5-2 As an exception to Paragraph (5-5-1), WAN may be created and used via license- exempt frequencies if the coverage is indoor and is for non-commercial purposes, while adhering to the following:
5-5-2-1 Compliance with regulations and requirements issued by CST or the relevant authorities in the Kingdom.
5-5-2-2 The establishment of these networks shall be carried out by the owner of indoor area, or by an IoT connectivity service provider holding either of licenses mentioned in Paragraph (5-5-1).
5-5-2-3 Coverage of these networks shall not exceed boundaries of any internal areas owned by the same. 5-5-2-4 Devices used in these networks shall be imported by owners of these internal areas, or by a service provider who holds either of two licenses mentioned in Paragraph (5-5-1).
5-5-3 All IoT devices used in these networks shall comply with technical specifications referred to in Paragraph (4-1).
5-5-4 WAN uses exempted frequencies on a secondary basis, so these networks should not cause harm to the networks of primary users
5-5-5 IoT connectivity service providers and users using license-exempt frequencies used in Wireless Local Area Networks (WLAN) shall adhere to “WLAN Regulations” published on CST website.
5-5-6 IoT connectivity service providers and users using license-exempt frequencies shall adhere to documents issued by CST regulating these frequencies.
5-5-7 IoT connectivity service providers using license-exempt frequencies shall make IoT users aware of the following:
5-5-7-1 Importance of IoT connectivity security.
5-5-7-2 Optimal use, characteristics and quality of IoT connectivity service.
5-5-7-3 Shared use of frequencies with other users.
6- General Provisions
6-1 CST reserves the right to request reports from all IoT service providers and IoT connectivity service providers. CST determines requirements for these reports, the required data, and the time period for providing the same.
6-2 CST recommends using IPv6 protocol, which provides technical advantages in addition to large capacity of this resource.
6-3 CST recommends all IoT service providers and IoT connectivity service providers to make their commercial offerings publicly available and accessible.
6-4 All IoT service providers and IoT connectivity service providers shall adhere to regulations and requirements issued by CST or relevant authorities in the Kingdom, and this includes data management, security, privacy and protection.