Photo by Asad/Xinhua via Getty Images

Close observers of policy trends in the Gulf Cooperation Council (GCC) will notice that digital transformation and data governance are becoming vital issues in the region. Over the last decade, Gulf countries have introduced ambitious plans to digitally transform their public and private sectors, with the goal of providing reliable, rapid, and efficient public and private services. In 2013, for example, the United Arab Emirates (UAE) launched its mGovernment initiative, which entailed creating One App, an application that offers more than 4,000 federal and local government services such as issuing or renewing visas, passports, licenses, or paying utility bills. Meanwhile, the Kingdom of Saudi Arabia (KSA) recently established the Unified National Platform (Gov.sa), which aims to provide high quality and efficient public services. Currently, the platform provides 3,300 services to around 890,000 users. At the same time, the private sector is showing a considerably increased interest in digitizing its business activities: According to the Microsoft Digital Transformation survey, conducted in 2018, 2 in 3 GCC businesses seek to invest at least 5% of their annual income in digital transformation. Another PwC survey showed that more than 60% of the region’s enterprises believe in the importance of big data and advanced analytics.

To an ever increasing extent, Gulf countries are being swept up in the global data revolution as they shift from oil-driven economies to data-driven economies. The large amounts of data that will be generated in the region will offer lucrative opportunities for companies and investors interested in the data utilization and storage industry. Therefore, the data centers industry is experiencing massive and rapid growth in the region to support the private sector’s need to store data and utilize it for profit.

It is important to understand the nature of “data centers” before trying to understand their role. Simply put, data centers are physical facilities equipped with computing and networking infrastructure to securely store, process, and provide access to large amounts of data. Just as you store your personal data on iCloud or Google Drive instead of on your phone or laptop's internal storage, many organizations are now using public clouds to store their entire databases because it helps them save on expenses as they pay only for the space they use without any need to buy physical hardware or design complicated software. Cloud computing also enables employees to access the organizations’ databases from anywhere in the world at any time as long as they are connected to the internet. Moreover, one of the main added benefits of cloud computing is that it allows organizations to utilize their data at reduced costs through cooperating with third parties such as data analytics companies to get real-time data-driven insights. Last but not least, cloud computing can enhance coordination and supervision among public agencies as it enables governments to establish central databases for gathering public entities’ data in one place. 

For all of these reasons, cloud computing has become one of the fastest expanding sectors in the Gulf with a compound annual growth rate (CAGR) of over 25%. According to International Data Company (IDC), the total cloud spending by public and private entities in the region will amount to $2.5 billion by 2025. Because of the coronavirus pandemic, the interest in cloud computing has surged dramatically, with 43% of chief information officers (CIOs) in the GCC saying that they are considering spending more on public cloud software (also known as “software as a service,” or SaaS) than before the pandemic. In the UAE, the data centers market is expected to create 31,650 new jobs between 2017 and 2022 in anticipation of a rise in cloud computing spending to reach Dh1.51 billion ($411 million) in 2022 compared with Dh439 million ($120 million) in 2017. In KSA, the cloud computing market size is expected to amount to $10 billion by 2030. By comparison, the cloud market size in Qatar is expected to increase from only $24 million in 2017 to $112 million in 2022. Meanwhile, the Kingdom of Bahrain has initiated its Cloud-First policy that aims to enhance the adoption of cloud computing by the public sector. Under this framework, public agencies will be obligated to integrate the adoption of cloud technology as part of their IT plans. To date, more than 40 public services have successfully moved to the cloud.

Despite the tremendous upturn in the cloud computing and data centers market in the GCC, there is still a huge room for legislative and regulatory improvements to foster the rising data market. Accordingly, this report aims to review the state of the data industry from the legislative, connectivity, security, and regulatory perspectives to provide effective policy recommendations that support the efforts of the region’s policy-makers to create a comprehensive framework that boosts the growth of the data centers market. 

The GCC’s digital infrastructure 

Having an efficient digital infrastructure is critical for creating a suitable cloud-computing environment. High-quality internet connectivity and high-speed broadband are essential for ensuring cloud market expansion. Therefore, governments should work on increasing the affordability and accessibility of telecom services in order to boost their readiness for the adoption of cloud computing. 

Over the years, the GCC countries have invested heavily in improving their telecommunication infrastructure. In 2020, the overall ICT spending in KSA was expected to exceed $37 billion. Meanwhile, the UAE’s ICT spending is estimated to reach $23 billion by 2024, while Qatar’s spending will amount to $9 billion. However, most of the GCC countries did not rank highly on the UN E-government Development Index (EGDI), “which is a normalized composite index with three components: the Online Services Index (OSI), the Telecommunications Infrastructure Index (TII), and the Human Capacity Index (HCI).” According to the U.N. report, the UAE ranked first among the GCC countries (21st globally), followed by Bahrain (38th), KSA (43rd), Kuwait (46th), Oman (50th), and Qatar (66th). Yet, the GCC countries have launched serious initiatives to prepare the countries’ digital infrastructure to meet their ambitious digital transformation plans. 

The Saudi government for example, has made noticeable efforts to increase internet connectivity across the country. As part of its Vision 2030 plan, the government launched a nationwide initiative to provide 70% of rural households in remote areas with wireless broadband networks. Currently, 3 million Saudi households are connected to fixed broadband, and 91% of the Saudi population are connected to 4G mobile broadband. To date, KSA has deployed around 6,500 5G towers, which makes it among the world leaders in this domain, ranking 7th globally in terms of internet speed and 5G technology. Furthermore, the Government of Bahrain has been a pioneer within the region in liberalizing the telecommunication industry, which has helped to give Bahrain a well-established ICT infrastructure. As a result, the island country “ranks 1st in the Arab region in the ICT Development Index (IDI) as per the International Telecommunication Union (ITU) report and ranks 4th globally in the Telecommunication Infrastructure Index (TII).”

Although Oman seems less interested in digital projects than other GCC countries, the Omani government launched the National Broadband Strategy to increase its relatively low fixed broadband penetration rate. The main objectives of the Omani strategy are to provide high-speed broadband access at affordable prices to allow Omani enterprises to compete globally, in addition to reducing the digital gap in broadband services in rural areas. Interestingly, Kuwait has a very low fixed broadband penetration rate of only 29%. However, the 4G and 5G mobile broadbands represent 85% of the internet market. In June 2019, 5G services were introduced to the Kuwaiti telecom market for the first time. By the beginning of 2020, two of the mobile network operators announced that their 5G services covered almost the whole country. 

By observing the status of the telecommunication infrastructure in the GCC, it is safe to conclude that all six member states have at least the minimum telecom capacity to embrace the cloud computing industry. However, some countries are better digitally equipped and more capable than others. 

The legislative environment for cloud computing in the region

Some people may think that the talk about developing digital industries revolves only around supporting them by expanding the number of cables, networks, complicated equipment, or even highly skilled individuals who can perform the required tasks. In fact, the sustainable success of most digital industries also relies on establishing efficient regulatory and legislative frameworks that can protect, supervise, and regulate daily business operations and the relations among the broader group of stakeholders. 

When it comes to cloud computing, regulation and legislation must enhance the cloud markets’ ability to operate efficiently while protecting data sovereignty on the national and regional levels. However, the absence of clear regulatory frameworks that outline cloud-related issues in some of the Gulf countries is still a challenge. While some countries have successfully established comprehensive cloud computing frameworks that regulate the issues pertaining to data gathering, data utilization, and data sharing on the state and interstate levels, others still have no effective regulations to tackle these issues. 

"When it comes to cloud computing, regulation and legislation must enhance the cloud markets’ ability to operate efficiently while protecting data sovereignty on the national and regional levels."

As a part of the Kingdom of Bahrain’s plans to become a regional cloud computing hub, the country issued the Cloud Computing Law No. 56 of 2018, which allows the provision of cloud services to foreign parties. Under this law, the framework for “data embassies” is established, which enables foreign clients to store their data in Bahrain while ensuring that their data is being subject to domestic laws and regulations in their country of residence as well as those of their country of origin. Furthermore, in 2016, Qatar issued the Personal Data Protection Law No. 13, which is considered the first data protection legislation in the GCC. The law developed the “cross-border transfer'' principle, which stipulates that no restriction should be imposed on using the data gathered in Qatar or storing these data under other jurisdictions. Nevertheless, Qatari public institutions can revoke this law when dealing with data that affects national security, national sovereignty, the economic interest of the state, or conduct of criminal investigations. In March 2020, it was reported that the Qatari Communications Regulatory Authority had initiated a public consultation on the “Cloud Policy Statement” draft, which includes “a comprehensive set of legal and regulatory requirements that competent government entities should adopt or update, as well as recommendations for stakeholders of the cloud value chain aimed at ensuring compliance with national and international laws and best practices.”

In March 2018, the Saudi Communications and Information Technology Commission (CITC) issued the country’s first Cloud Computing Regulatory Framework that aimed to enhance the adoption of cloud computing locally by clarifying regulations around it. However, in 2019, CITC made noticeable amendments to its regulatory framework to support cloud service providers (CSPs) and users. One of the key benefits of the new amendments is that they reduce the compliance burdens on CSPs in addition to supporting the legal protection provided to them. Moreover, some analysts believe that the new amendments enhance the country’s ability to attract foreign investments to the cloud market. Meanwhile, the Omani government launched the G-Cloud initiative that seeks to help government entities to realize their e-services plans through improving IT infrastructure capacities and overcoming resource scarcity. In 2020, the Omani government granted accreditation to a Omani company to provide cloud services to government administrative entities. 

Interestingly, although the reliance on cloud services is rapidly increasing in the UAE, there are no comprehensive legislative or regulatory frameworks that organize the cloud market. Instead, the existing laws and regulations contain a group of data protection legal requirements and sector-related regulations that apply to the public sector, critical infrastructure, the banking sector, and the healthcare sector. Furthermore, the country does not have in place a federal data protection law. However, there are some sector-specific laws that regulate data privacy and data security in the country. 

The GCC’s cybersecurity capabilities and challenges

Despite the myriad upsides of digital transformation, it also increases countries’ exposure to cyberattacks. Due to political and economic factors, the oil-rich Gulf countries are being targeted by state and non-state cyber actors. Around 81% of organizations in the GCC region stated that protecting their data is their key challenge. According to Simone Vernacchia, Head of Digital and Cybersecurity Resilience at PwC Middle East, the GCC is expected to witness a rise in state-supported cyberattacks or Advanced Persistent Threats (APTs) compared with criminal cyberattacks. He also pointed out that recent political tensions in the region may raise the number of cyberthreats that target the GCC’s vital infrastructure. Therefore, it is vital to analyze and assess the GCC’s capabilities to deter and defend against potential cyberattacks on the region’s data centers and other digital infrastructure. 

As a response to the aforementioned cyber challenges, the GCC countries have begun to implement several measures to enhance their cybersecurity. In 2017, Saudi Arabia established its National CyberSecurity Authority (NCA) to protect vital Saudi interests, national security, and digital infrastructure through boosting cooperation with public and private entities in this domain. In February 2020, NCA organized the Global Cybersecurity Forum for the first time, hosting more than 1,200 government officials, international organization representatives, business leaders, and academic experts. This reflects the increasing Saudi interest in cybersecurity affairs. A framework for cyber crime enforcement in Saudi Arabia was spelled out in the Saudi Anti-Cyber Crime Law, originally issued in 2007, which enumerates illegal practices and the penalties prescribed for them. 

Meanwhile, the UAE has introduced serious measures to protect its cyberspace such as preparing a National Cyber Strategy that relies on five pillars and 60 initiatives aiming to enhance the cybersecurity ecosystem within the country. The UAE also established the National Electronic Security Authority and the national Computer Emergency Response Team (aeCERT). On a related note, Qatar also has undertaken early actions to protect the safety of its cyberspace as it formed the Qatar Computer Emergency Response Team (Q-CERT) in 2005. Currently, the Cyber Security Division of the Ministry of Transport and Communications works, through its two departments, Q-CERT and Critical Information Infrastructure Protection (CIIP), with all the concerned stakeholders in the country to safeguard Qatari interests and assets in cyberspace. In September 2020, the Qatari Cabinet revealed plans to establish a national agency for cybersecurity, although it is not currently clear what would distinguish the agency from existing Qatari cybersecurity entities, besides being independent of the Ministry of Communications and Transportation. 

Kuwait has been relatively slower than its neighbors in improving its cyber capacity. In 2017, it launched the National Cyber Strategy, which entails establishing a National Cyber Security Center (NCSC) that includes a Security Operation Center (SOC) and Computer Emergency Response Team (CERT). Additionally, the strategy directs the competent authorities to develop cybersecurity curricula for schools and universities along with establishing a national information sharing partnership with the private sector and the leading cybersecurity companies.

Overall, all GCC countries have developed national cybersecurity strategies in addition to establishing competent cybersecurity entities that aim to handle potential cyberthreats. As a result, KSA, Oman, and Qatar ranked among the top 20 countries in the ITU’s Global Cybersecurity Index for 2018 while Kuwait and Bahrain ranked 67 and 68 globally. Moreover, many of the GCC countries have established comprehensive regulatory and legislative frameworks that enhance the growth of the data centers market in the region and outline data-related issues. However, other countries still have a room for improvement. On a positive note, the Gulf region has the required digital infrastructure and technical capacity to boost the expansion and growth of the data centers market.

 

Ahmed El-Masry is a Graduate Research Fellow with the MEI Cyber Program and a public policy graduate student at the American University in Cairo (AUC). His research focuses on digital policies, cybersecurity, and cyber-politics in the MENA region. El-Masry previously worked as a Public Policy Analyst and interned at the European Union Delegation to Egypt and the United Nations Information Centre - Cairo OfficeThe views expressed in this article are his own.

Photo by Asad/Xinhua via Getty Images