SELECTED COUNTRIES
Saudi Arabia
Saudi Arabia Cybersecurity Regulations and Data Protection Laws: An Overview
With a focus on accelerating digital transformation, Saudi Arabia (KSA) has developed Vision 2030, which also requires robust cybersecurity and data localization regulations. As the country gears up for a digital-first mindset, cloud technology is anticipated to dominate technology investments. IDC has forecast that the country will see a public cloud spend of over $2.5 Bn by 2026. As the adoption of the cloud and other emerging technologies accelerates, security becomes of utmost importance.
The kingdom has issued tighter regulations to address data protection and cybersecurity issues. The Communication and Information Technology Commission (CITC) is responsible for the Cloud Guidelines for Cloud Service Providers and Cloud Services Subscribers. The Saudi Central Bank (previously SAMA) is the regulatory authority for banking and financing institutions. The National Cybersecurity Authority (NCA) was established in 2017. In 2018, the NCA issued the Essential Cybersecurity Controls (ECC-1:2018). It is worth noting that it has explicitly stated that the government, financial services, and retail industries need to host 100% of data within the country, and that data transfers can only be executed by obtaining permission from the competent authority.
The Kingdom of Saudi Arabia issued the Personal Data Protection Law (PDPL) stating certain data processing, storage, and transfer guidelines. If not followed, organizations may have to pay a hefty fine depending on the level of violations defined by the PDPL.
Bahrain
Bahrain Cybersecurity Regulations and Data Protection Laws: An Overview
The Kingdom of Bahrain is embracing the future of cloud computing as part of its ongoing push toward digital transformation. Bahrain was one of the first nations in the Middle East and North Africa (MENA) to adopt a cloud-first policy for government entities, back in 2017. Currently, the country also seems to be taking steps toward adopting multi-cloud and hybrid cloud systems in the government sector. The Bahrain Government issued Legislative Decree No. 56 of 2018 to provide cloud computing services to Foreign Parties (Cloud Law).
The Kingdom has a national cybersecurity framework governed by the General Directorate of Anti-Corruption and Economic and Electronics Security at the Ministry of Interior (MOI). The Central Bank of Bahrain (CBB) is responsible for the guidelines, including cybersecurity and cloud services, for the BFSI sector. CBB has also been proactive in introducing new regulatory reforms and policies for Fintech companies, including a framework for open banking, an e-KYC framework, and others.
In addition, Bahrain has implemented pioneering regulations to protect businesses’ data, including a personal data protection law, in line with GDPR, issued in September 2018 which came into force in August 2019, setting general prohibitions on transferring personal data outside Bahrain. The law also has provided exclusions to the general prohibitions and requirements in case of transfer. Moreover, the country issued a data jurisdiction law, creating a data embassy, that allows data stored in the Kingdom to fall under its home country’s legal jurisdiction.
UAE
UAE Cybersecurity Regulations and Data Protection Laws: An Overview
The United Arab Emirates (UAE) is accelerating its technology adoption, including cloud services. According to a survey by one of the global data management companies, the UAE ranked second in public cloud adoption worldwide. Another report said the UAE’s start-ups could see $17 bn of economic benefits by 2030 through the adoption of hyper-scale cloud computing.
With the acceleration of cloud adoption, security becomes significant across the nation, as cloud service providers and users must deal with critical data. To secure the nation from any kind of loss or breach, the UAE has put in place various guidelines and laws to protect the sanctity of the nation, even though these do not form a uniform set of laws. The National Electronic Security Authority (NESA) has developed the UAE Information Assurance Standards (IAS), including security controls for cloud computing. At an emirate level, the Abu Dhabi Digital Authority (ADDA), formerly ADSSSA & ADSIC, and the Dubai Electronic Security Center (DESC) are responsible for implementing information security practices within their respective emirates. Finally, the Telecommunications Regulatory Authority (TRA) is responsible for regulating the telecommunications sector and governs the data protection law. Additionally, the Central Bank of UAE, the Securities and Commodities Authority, the Dubai Financial Services Authority, and the Financial Services Regulatory Authority have issued guidelines for Financial Institutions adopting enabling technologies, including cloud computing.
In 2021, the UAE published its first federal-level data protection law, Federal Decree-Law No. 45 of 2021. The law prohibits the transfer of personal data outside the UAE, with some exemptions provided under the law. The country has special economic/free zones. Three of these zones have specific data protection laws: the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM), and the Dubai Health Care City.
Philippines
Philippines Cybersecurity Regulations and Data Protection Laws: An Overview
The Philippines embraces cloud technology and digital transformation for enhanced efficiency. According to a recent estimate, the Philippines' digital economy is predicted to reach $35 billion in gross merchandise value (GMV) by 2025, up from $20 billion now, at a 20% compound annual growth rate (CAGR). As the country becomes a hot spot for investors, the government and regulators are working on creating a safe space for data transactions by issuing relevant laws and regulations from a data security perspective.
The Department of Information and Communications Technology (DICT) regulates cloud adoption in the government sector. The DICT issued the Cloud-First Policy in 2017 and amended it in 2020, clearly defining the Data Sovereignty and Data Residency requirements. Cybersecurity regulations are overseen by the Cybercrime Investigation and Coordination Centre (CICC), the National Bureau of Investigation (NBI), and the Philippine National Police (PNP). The Central Bank (BSP) regulates the banking sector's cybersecurity.
The National Privacy Commission (NPC) governs the data privacy-related guidelines across industries in the country. The country issued its Data Privacy Act way back in 2012.
Vietnam
Vietnam Cybersecurity Regulations and Data Protection Laws: An Overview
As Vietnam steps towards its recently released National Digital Transformation goals with a vision towards 2030, it is also gearing up with the right set of guidelines and laws regarding cloud, cybersecurity, and data protection. Ministry of Information and Communication (MIC) issued the cloud guidelines for the government sector as well as private sector organizations.
The National Assembly of Vietnam, MIC, and the Ministry of Public Security (MPS) are responsible for the cybersecurity guidelines across industries. The State Bank of Vietnam (SBV) is the central bank and is responsible for issuing guidelines, including cybersecurity guidelines, for banking and financial institutions.
Vietnam released its first-ever comprehensive data privacy law, Decree No. 13/2023/ND on the Protection of Personal Data (Decree), on April 17, 2023. The Decree is announced to go into force without a transition period on July 1, 2023. The Decree applies to all Vietnamese and foreign enterprises operating in Vietnam or performing data processing activities in Vietnam. Additionally, various sectoral data protection laws, cybersecurity, and information technology laws take care of data protection in the country.
Oman
Oman Cybersecurity Regulations and Data Protection Laws: An Overview
Oman's 2040 Vision promotes digitalization and innovation as economic drivers, with AI, ML, 5G, and cloud leading the way. Public cloud services spending in Oman is projected to increase almost 3.9 times from 2019 to $58.3 million in 2024, according to IDC.
To ensure cloud security, the Information Technology Authority (ITA) has released the Cloud Governance Framework and Policy for government entities. Additionally, several regulations in Oman, such as the Electronic Transactions Law, IT Crime Law, Basic Security Controls, IT Risk Management Framework, and Cybersecurity Governance Guidelines, also impact the use of cloud services.
The Central Bank of Oman (CBO) is responsible for laws and regulations for the banking sector, whereas the Capital Market Authority (CMA) is responsible for regulating insurance providers and public joint stock companies.
The country recently published the Personal Data Protection Law (PDPL) Royal Decree No. 6 of 2022 in February 2022, governed by the Ministry of Transport, Communications, and Information Technology (MTCIT). The law came into effect in February 2023.
Qatar
Qatar Cybersecurity Regulations and Data Protection Laws: An Overview
Cloud computing is at the centre of Qatar's transformative digital strategy, which is integrated with the Qatar National Vision 2030. As a result, the Communications Regulatory Authority (CRA) has established the cloud policy framework. The Ministry of Transport and Communications (MOTC) released the Cyber Security Strategy, as well as two frameworks, the National Security Compliance Framework (NISCF) and the National Information Assurance Framework (NIAF). The NIA framework specifies policies and controls that organizations need to adopt across departments and functions.
Additionally, the Qatar Central Bank (QCB) oversees the regulation of banks and financial institutions in Qatar. As a result, in 2018, the Technology Risk Circular included Cyber Security Guidelines.
Qatar passed Personal Data Protection Law No. 13 in 2016. The law was revised in 2021 with a few suggestions aligning with the GDPR 2018. Any organization or individual that receives and processes data must follow the legislation or face a fine. Qatar Financial Centre, on the other hand, has its own Data Protection Laws and Data Protection Regulations, which were released in 2005 and revised in 2021, taking effect in June 2022.
Kuwait
Kuwait Cybersecurity Regulations and Data Protection Laws: An Overview
Digital transformation is a key pillar for Kuwait Vision 2035. One of the aims of this transformation is to enhance the efficiency of cloud-based applications and enhance the performance of key entities and industries in line with the Kuwait Vision 2035.
These transformation projects are utilizing cutting-edge technologies to enable data exchange at lightning-fast speeds, making data security and privacy a very important area to focus on. The country doesn’t have a central entity responsible for the overall cybersecurity regulations, but rather multiple regulatory authorities. Their guidelines and regulations play a key role in governing the security of the government and non-government sectors.
The Central Bank of Kuwait manages regulations related to the financial sector, including the cyber security framework. The Communication and Information Technology Regulatory Authority (CITRA) is responsible for the telecommunications sector and published the cloud-first policy and the data privacy guidelines. The Central Agency for Information Technology (CAIT) is responsible for establishing plans and policies for IT at the national level and coordinating all IT development plans among government agencies. The State of Kuwait’s Ministry of Interior is responsible for internal cybersecurity at a national level, including the electronic crimes control department and the cybercrime department, which investigate any violations and incidents.
Malaysia
Malaysia Cybersecurity Regulations and Data Protection Laws: An Overview
As part of its 5-year digital transformation strategy, Malaysia Digital Economy Corporation (MDEC) is actively pursuing digital investments. According to the Adyen Malaysia Retail Report 2022, Malaysian firms who embrace digital transformation outperform their industry peers, with a total worth of RM 334 billion. Malaysia's Digital Economy Blueprint (MyDigital), which intends to pave the path for the country's advancement into a digital economy, has been introduced to accelerate digital adoption. Therefore, Malaysian regulatory bodies have issued crucial guidelines in response to the expanding digital adoption.
The Malaysian Communications and Multimedia Commission (MCMC) established licensing requirements for cloud services in October 2021 and published generic guidelines for securing cloud implementation by service providers in 2020. Cybersecurity responsibilities are handled by central authorities such as CMA (Capital Market Authority), MCMC, and Bank Negara Malaysia (BNM). BNM, the Central Bank of Malaysia, plays a significant role in cybersecurity within the finance sector. The Risk Management in Technology (RMiT) policy is particularly important as it outlines steps and measures to manage and mitigate cybersecurity risks. BNM has also introduced other policies, including the Business Continuity Management and Outsourcing policies.
Malaysia enacted the Personal Data Protection Act in 2013, following its release in 2010. In 2015, additional standards were introduced to address security, retention, and data integrity. The PDPA emphasizes seven essential principles, and violations can lead to hefty fines and imprisonment.
Data sovereignty, a crucial topic in cloud computing, is reflected in Malaysia's legal and policy frameworks. Numerous public policies such as the National Policy Objectives of the Communications and Multimedia Act 1998, the National Cyber Security 2006 introduced by the Ministry of Science, Technology, and Innovation, and the Personal Data Protection Act 2010 address this concept.
Get instant access to our comprehensive whitepaper on Saudi Arabia data guidelines and regulations, and stay ahead of the curve
Summary:
Unlock the full potential of Saudi Arabia’s burgeoning digital landscape with this all-encompassing handbook of the latest data residency laws and other data guidelines. This comprehensive resource will provide a roadmap to help you navigate the complex regulatory environment, ensuring compliance with Saudi Arabia's data residency laws.
What’s inside?
- List of data guidelines
- Regulated sectors and regulatory authorities
- Cloud services guidelines
- Cybersecurity guidelines
- SAMA guidelines
- Personal Data Protection Law
- Penalties, and more
Cloud4C Compliance as a Service
With over 4000 successful digital transformations across 25 countries, our end-to-end solution seamlessly helps our customers comply with all necessary regulations and compliance needs. Our comprehensive suite of services includes governance, data residency, data localization, and risk compliance management.
With our best-in-class compliance specialists and industry-specific advanced automated cybersecurity management solutions, you can be assured that your organization's data is secure and compliant. Our geo-native based dedicated services ensure that your data is in the right region and adheres to all relevant laws and regulations.
Our expertise also includes sovereign cloud, a powerful tool in tackling data privacy and localization challenges by enabling organizations to store and manage their data within the geographic boundaries of a particular country or region, thereby ensuring compliance with local laws and regulations. Leverage our data sovereignty and data localization capabilities to ensure compliance with local laws and regulations, protect sensitive information, and maintain customer trust, enabling your business to expand into new markets and capitalize on growth opportunities.
Success Stories
20+ Public Sector Leaders • 15+ BFSI customers • Unmatched SAMA Compliance
Digi-Commerce Leader in MEA Achieves SAMA Compliance for International Payments
Learn how a leading digital commerce organization achieved SAMA compliance and optimized their payment processing capabilities through partnership with Cloud4C and Oracle ACS on OCI.
KSA Federal Authority
Learn how Cloud4C designed and delivered the best-in-class IaaS solution, adhering to PCI DSS compliance and SAMA guidelines enabling the monetary organization to accelerate its compliance adoption.
MEA Financial Regulatory Authority
Learn how we helped an MEA-based financial regulatory authority promote innovation in the fintech sector by migrating key applications to OCI while maintaining compliance with strict financial rules and regulations.
Disclaimer:
All details are provided to the best of our knowledge. All rules and regulations mentioned are subject to change. While we take measures to update the latest changes from time to time, it is expressly understood and agreed that Cloud4C shall not be responsible for any changes in any of the information mentioned on the page.