
VMware End of General Support in MENA: The Real Cost of Staying vs. Migrating to HCI
July 5, 2026
Your AI Model Trains on Your Data — in Another Country. Here’s Why That’s a Legal Problem in MENA.
July 5, 2026Saudi Arabia’s digital transformation is accelerating — but for enterprises operating in regulated sectors, cloud adoption does not mean freedom from compliance. The National Cybersecurity Authority (NCA) has established a mandatory framework for cloud services: the Cloud Cybersecurity Controls, version 2 (CCC-2). Understanding CCC-2 requirements operationally — not just conceptually — is the foundation of a defensible cloud posture in the Kingdom.
What CCC-2 Requires and Who It Applies To
CCC-2 is not advisory guidance — it is a mandatory framework issued by the NCA and applies to cloud service providers (CSPs) serving Saudi government entities and regulated industries, as well as to the enterprises that procure those services. The framework is complementary to sector-specific regulations: SAMA’s Cybersecurity Framework applies to banking and financial institutions, while the National Data Management Office (NDMO) governs data classification and handling requirements.
A critical starting point: cloud providers serving Saudi government and regulated entities must hold CSP compliance certification issued by the NCA. Your procurement process must verify this certification before any workload migration begins. Saudi enterprises are also required to conduct a formal cloud risk assessment prior to migration.
The 5 Key CCC-2 Compliance Areas
1. Identity and Access Management (IAM)
- Enforce multi-factor authentication (MFA) for all administrative and privileged accounts without exception.
- Implement role-based access control (RBAC) with least-privilege principles — no standing admin rights without a documented justification and review cycle.
- Maintain a complete, current inventory of identities with cloud access, including service accounts and API keys.
- Enforce access recertification on a defined schedule (quarterly is the common baseline for privileged accounts).
- Log and monitor all privileged access activity with tamper-resistant audit trails retained for the NCA-required period.
- Disable or remove accounts within 24 hours of personnel departure or role change.
2. Data Protection and Classification
Data residency is one of the most operationally significant CCC-2 requirements. The framework mandates that sensitive government data must remain within the Kingdom of Saudi Arabia.
- Complete an NDMO-aligned data classification exercise before selecting cloud regions — classify all data as Public, Internal, Confidential, or Restricted.
- Confirm that your cloud provider’s in-Kingdom data centres are used for all Confidential and Restricted data — contractually and technically.
- Encrypt data at rest using AES-256 or equivalent, with customer-managed keys.
- Encrypt data in transit using TLS 1.2 or higher for all connections.
- Establish and test a data loss prevention (DLP) policy that covers cloud egress points.
3. Incident Management and Security Monitoring
- Define the shared responsibility boundary in writing with your CSP — document exactly which security events the provider reports and within what timeframe.
- Integrate cloud-native logging into your SIEM platform.
- Establish a cloud-specific incident response plan, including escalation paths to the NCA’s National Cybersecurity Operations Center (NCOC).
- Conduct tabletop exercises that include cloud breach scenarios at least annually.
4. Business Continuity and Availability
- Map all cloud workloads to a business impact analysis (BIA) — classify each workload by criticality tier and required availability.
- Design for redundancy across availability zones for any workload classified as critical.
- Test failover and restoration procedures at least once per year; document results and remediate gaps.
- Maintain offline or out-of-band backups for critical data not exclusively dependent on the primary cloud provider.
5. Supply Chain Security
- Require your CSP to disclose all subprocessors handling your data, including their locations and certifications.
- Include right-to-audit clauses in contracts with your cloud provider and any managed service partners.
- Assess third-party vendor cybersecurity posture using a formal vendor risk management process before integration.
- Review supply chain disclosures at least annually or upon any significant change to the provider’s subprocessor list.
What to Verify in Your Cloud Provider Contract
- NCA CSP Certification: Confirm the provider’s current certification status and require notification of any change.
- Data Residency Guarantees: The contract must specify Confidential and Restricted data stays in-Kingdom, with no cross-border replication without written consent.
- Incident Notification SLAs: Provider must commit to notifying your security team within 72 hours or less of any confirmed incident.
- Audit Rights: You must retain the right to conduct or commission independent security audits on a defined cadence.
- Exit and Portability: Define data portability procedures and secure deletion confirmation for contract end.
Taking the Next Step
MomentumX operates sovereign cloud infrastructure from its Riyadh data centre, purpose-built for Saudi regulated workloads. Our team can walk you through how our architecture maps to each CCC-2 control domain.
Ready to move to sovereign cloud?
MomentumX provides sovereign cloud infrastructure across Egypt, KSA, and UAE with full SAMA, NCA, and PDPL compliance. Your data stays in your country.
Enterprise Private CloudHyperAI
GPU Compute for AIHyper Private Cloud
Managed Private Cloud









