Hybrid Cloud for Regulated KSA Industries: A Banking, Healthcare, and Government Playbook

Why “go cloud” is the wrong question for regulated industries

The “should we go cloud?” framing has been answered for regulated Saudi industries — yes, you should, but only for the right workloads, in the right region, on the right platform. The harder question, and the one this piece addresses, is which workloads can move to public cloud, which must stay on-premise, and how to architect the hybrid layer that connects them. Answering that requires reading the regulatory landscape carefully — and that landscape has shifted significantly in 2024-2026.

SAMA cloud framework — what banks can and can’t move

The Saudi Central Bank (SAMA) issued its Cloud Computing Regulatory Framework, which provides guidance for financial institutions. The framework permits public cloud use for specified workloads while restricting others, with explicit requirements for data classification, residency, encryption, and operational controls.

What can move to public cloud: customer-facing digital experience layers, non-sensitive analytics workloads, development and test environments, software-as-a-service for productivity (M365, Salesforce, etc.), customer relationship management, and disaster recovery for non-critical systems.

What stays on-premise or in approved Saudi-region cloud: core banking systems with primary customer financial data, payment processing systems handling card data, regulatory reporting systems, AML/KYC processing, treasury and trading platforms, and any system processing politically-exposed-person (PEP) data.

The key distinction is data classification. Once data is classified, the regulatory permissions follow.

NCA cloud cybersecurity controls (CCC) — the universal layer

The National Cybersecurity Authority’s Cloud Cybersecurity Controls (CCC) apply broadly across regulated entities and provide the universal layer of cloud-specific security requirements. Controls cover: cloud service provider assurance, data location and sovereignty, identity and access management in cloud contexts, encryption requirements (at rest and in transit), monitoring and logging, incident response in cloud environments, and exit and portability requirements.

For any regulated KSA organisation moving workloads to cloud, CCC compliance is a baseline requirement regardless of sector. The framework is well-aligned with international standards (CSA STAR, ISO 27017, ISO 27018), reducing duplicate compliance effort for organisations already pursuing those.

The healthcare data residency reality

Healthcare data in Saudi Arabia — patient records, clinical data, imaging, prescription information — operates under data sovereignty rules that effectively require Saudi-region cloud or on-premise hosting. Major hyperscaler offerings now include Saudi-region availability zones (Microsoft Azure has launched a Saudi region; AWS plans a similar one), making compliant cloud increasingly achievable.

Specific healthcare considerations: integration with Saudi Ministry of Health systems, alignment with the Saudi Data and Artificial Intelligence Authority (SDAIA) regulations, telehealth platforms requiring Saudi-region hosting, and emerging genomic data regulations.

For healthcare cloud migration, the typical pattern is: clinical data and patient records to Saudi-region cloud (Azure Saudi or equivalent), administrative and analytics workloads to international cloud where regulations permit, and productivity (M365) and collaboration tools to multi-region cloud.

Government and semi-government cloud constraints

Government workloads in Saudi Arabia operate under cloud-first policies that explicitly favour cloud adoption — but with strict controls. The G-Cloud (Saudi Government Cloud) is the preferred destination for many government workloads. Approved international cloud providers with Saudi-region presence are permitted for specific workload categories.

Specific government considerations: data classification dictates cloud destination, certain workloads are prohibited from leaving G-Cloud, integration between G-Cloud and approved international cloud providers is operational, and procurement processes specifically favour cloud-aligned vendors.

The 6-R workload disposition model — applied to KSA

The standard 6-R model for cloud migration (rehost, replatform, refactor, repurchase, retire, retain) needs KSA-specific adaptation:

Retain: workloads restricted from cloud by regulation, specialised industrial systems, legacy systems with niche compliance requirements.

Rehost (lift-and-shift): standard infrastructure workloads where regulation permits cloud — typically the largest category.

Replatform (lift-and-modernise): workloads that benefit from managed-database or managed-application services available in Saudi-region cloud.

Refactor: workloads being modernised to cloud-native patterns; typically newer applications with active development.

Repurchase (SaaS replacement): replace legacy applications with SaaS where regulations permit — common for productivity, CRM, ERP modules, HR systems.

Retire: legacy applications no longer required.

For regulated KSA organisations, the typical disposition mix is 30-40% retain, 35-50% rehost or replatform to Saudi-region cloud, 5-15% repurchase to SaaS, and 5-15% refactor.

Saudi-region availability zones — Azure, AWS, Oracle ranking

The Saudi-region cloud landscape in 2026:

Microsoft Azure: Saudi region operational with multiple availability zones. Strong M365 integration. Robust enterprise sales and partner ecosystem in KSA. Default choice for organisations with significant Microsoft investment.

AWS: Saudi region operational. Broad service portfolio. Strong digital-native and modernisation use cases. Increasing presence in KSA enterprise market.

Oracle Cloud: Saudi region operational. Strong for organisations migrating Oracle workloads. Specialist applications (ERP, database) advantage.

Google Cloud: limited Saudi-region presence as of 2026; presence growing.

Local Saudi providers: STC Cloud, Mobily Cloud — increasingly competitive for specific use cases, particularly G-Cloud-adjacent workloads.

Hybrid architecture patterns that pass audit

The architecture patterns that consistently meet KSA regulatory audit requirements share several characteristics: clear data classification driving cloud destination decisions, comprehensive identity federation between on-premise and cloud, encryption with customer-managed keys for sensitive workloads, network connectivity through dedicated private circuits (ExpressRoute, Direct Connect) rather than public internet for sensitive flows, and consolidated logging and monitoring across both environments.

Common pattern for regulated mid-large enterprises: on-premise core (regulated workloads, primary databases) + Saudi-region cloud (compliant workloads, modernised applications) + multi-region cloud (productivity, collaboration, analytics) connected through hub-and-spoke virtual networks with dedicated private connectivity.

Cost dynamics in regulated workloads

Cloud cost dynamics in regulated environments differ from unrestricted cloud. Drivers: Saudi-region pricing is typically 15-25% above standard regions, dedicated/private connectivity adds significant costs, customer-managed encryption keys add operational overhead, and compliance tooling and monitoring add platform cost.

The economic case for regulated cloud is strongest for: workloads with significant variable demand (cloud elasticity benefit clearest), modernisation candidates that can adopt managed services, and organisations small enough to benefit from cloud’s operational scale. The case is weakest for: highly stable workloads with predictable capacity, organisations with significant data egress to traditional partners, and workloads with strong on-premise specialisation.

For a written cloud strategy aligned with your specific regulatory profile, book a cloud discovery call. We deliver a workload disposition map and a phased migration plan tailored to SAMA, NCA, healthcare, or government constraints. Pair cloud computing with cyber security, server solutions, and IT consulting for a complete modernisation programme.

28 April 2026
