Phase One – Company Introduction: Saudi Telecom
Company (STC)
Saudi Telecom Company also known as STC is recognized as the largest digital enabler
in the Kingdom of Saudi Arabia and one of the leading telecommunications providers
in the Middle East and North Africa region and was originally established in 1998 as a
government-owned telecom operator before it transitioned into a publicly traded company
listed on the Saudi Exchange and since then STC has expanded its portfolio to include a
wide range of digital services including mobile and fixed-line telecommunications broad-
band fiber optics data center services cloud computing cybersecurity solutions digital
banking through STC Pay and enterprise ICT services via its subsidiary STC Solutions
Source: STC Group Annual Report 2021, https://www.stc.com.sa
The company operates primarily within Saudi Arabia serving over 28 million mobile
users and 2 million fixed-line customers according to recent data and it also holds strate-
gic investments and ownership stakes in several regional telecom entities including STC
Bahrain STC Kuwait and shares in infrastructure providers such as TAWAL and Saudi
Cloud Computing Company SCCC and the company’s operations are fully aligned with
the Saudi Vision 2030 which aims to digitize national infrastructure and enable smart
government services eHealth platforms and nationwide 5G network deployment Source:
Saudi Vision 2030 ICT Objectives, https://www.vision2030.gov.sa
STC processes large volumes of sensitive personal and financial data on a daily basis
including national identification records mobile numbers call detail records location meta-
data customer billing histories payment credentials and biometric login credentials from
users of its MySTC app and STC Pay and due to its role in managing critical national
communications infrastructure the company is categorized under the Kingdom’s Criti-
cal Information Infrastructure as defined by the National Cybersecurity Authority which
imposes strict controls on data governance encryption and access management Source:
National Cybersecurity Authority, Essential Cybersecurity Controls, https://nca.gov.sa
Despite heavy investment in secure digital platforms STC has encountered cyber-
security challenges and threats over the years especially in the form of phishing at-
tempts fraudulent SMS impersonation incidents SIM swap fraud and denial of service
attacks targeting its platforms and mobile customers and in 2020 STC responded to a
wave of social engineering attacks by enhancing two factor authentication protocols and
partnering with the Saudi NCA and CST to investigate and neutralize malicious do-
mains and campaigns Source: STC Press Release, Cybersecurity Response Updates 2020,
https://www.stc.com.sa/wps/wcm/connect/english/individual
Because of its national importance technological capacity and wide exposure to data
STC serves as an ideal case study for understanding the application of cybersecurity laws
ethical responsibilities and strategic defense within a real world Gulf-based enterprise and
allows us to assess how legal obligations are operationalized into policy and how ethical
data handling is maintained in environments with increasing digital risks and regulatory
complexity Source: Alotaibi F, 2021, Cybersecurity Awareness in the GCC, Journal of
Information Security Research
Phase Two – Legal and Regulatory Landscape
Saudi Telecom Company STC operates under the direct oversight of Saudi Arabia’s na-
tional cybersecurity and data governance bodies most prominently the National Cyber-
1
�security Authority NCA the Saudi Data and Artificial Intelligence Authority SDAIA and
the Communications Space and Technology Commission CST each of these institutions
issues mandatory legal frameworks and technical controls which STC must fully comply
with due to its classification as a critical infrastructure operator under national digital
security guidelines Source: National Cybersecurity Authority, https://nca.gov.sa
The most important legal instrument that applies to STC is the Essential Cyberse-
curity Controls ECC published by the NCA which consists of 114 controls distributed
across 5 domains including governance operations technology defense and resilience STC
must implement these controls throughout its infrastructure and services and must un-
dergo self-assessment and external audit for compliance particularly due to its national
role and large-scale user base Source: NCA ECC Guidelines v2.0, 2021
Additionally the Personal Data Protection Law PDPL issued by SDAIA came into
force in 2023 and introduced mandatory legal principles governing personal data handling
STC must obtain user consent disclose the purpose of data processing apply data mini-
mization encryption and retention controls and report any data breach incidents within
72 hours as stipulated by the regulation the company also must publish its data privacy
policy and user rights in clear Arabic language Source: SDAIA PDPL Implementation
Framework, 2023, https://sdaia.gov.sa
Another critical regulation STC adheres to is the Cloud Computing Regulatory Frame-
work issued by CST especially given that STC operates large cloud infrastructure and
offers digital services to government and enterprise customers and this framework imposes
rules regarding data residency, sovereignty, classification, and protection levels and STC
Cloud is publicly certified by CST for local data processing and storage Source: CST
Cloud Regulations 2022, https://cst.gov.sa
Finally STC Pay which is a digital financial subsidiary of the group is regulated sepa-
rately under the Saudi Central Bank SAMA which applies Banking Cybersecurity Frame-
works to STC Pay including threat detection monitoring of financial transactions user
authentication digital signature policies and penetration testing cycles Source: SAMA
Cybersecurity Framework for Financial Institutions, https://www.sama.gov.sa
Table 1: *
Summary Table: Legal Obligations of STC
Authority Regulation Description and Requirements
NCA ECC 114 mandatory cybersecurity controls on gov-
ernance risk and technology
SDAIA PDPL Data processing principles user consent breach
notification and retention
CST Cloud Framework Data localization protection classes service
provider certification
SAMA Banking Cybersecurity Secure identity MFA encryption transaction
logging in fintech
In practice STC complies with these regulations as indicated in its annual reports
audit statements and public privacy policies It publishes its compliance roadmap openly
and aligns its services with government digital trust initiatives and its legal position
remains strong with no recorded penalties or suspensions as of 2024 though it undergoes
regular review and engagement with SDAIA NCA and CST for continuous improvement
Source: STC Group Compliance Strategy Report 2023
