What Is the CST Cybersecurity Regulatory Framework?

The Cybersecurity Regulatory Framework (CRF) is a mandatory regulatory framework issued by the Communications, Space & Technology Commission (CST) — formerly CITC — Saudi Arabia's regulator for the telecommunications, ICT, postal, and space sectors. First issued in June 2020 and subsequently updated, the CRF was established to raise the cybersecurity maturity of all licensed and registered service providers across these sectors.

The CRF applies primarily to organisations licensed or registered by CST that are not already classified as Critical National Infrastructure (CNI) — CNI entities instead fall under NCA-ECC. The framework is structured around four pillars — Strategy, People, Technology, and Processes — and aligns with ISO 27001 and NIST, while supporting interoperability with SAMA, PDPL, and ARAMCO CCC for organisations under multiple regulatory regimes.


Who is in scope? All organisations licensed or registered by CST in the telecommunications, internet service provision, postal services, and IT sectors — including telecom operators, ISPs, MVNOs, data centre operators, postal and courier companies, and IT service providers operating under a CST licence or registration.

The 3 Compliance Levels

The CRF follows a risk-based, tiered approach with three compliance levels — CL1, CL2, and CL3. The applicable level depends on the size, criticality, and risk profile of the licensed entity, with each level requiring progressively more sophisticated controls.

CL1: Level 1 — Foundational (Basic Compliance)
For smaller licensed entities and lower-risk service providers — establishes the foundational cybersecurity hygiene baseline.
  • Basic governance and policy documentation
  • Fundamental access control and asset inventory
  • Basic awareness training for staff
  • Self-assessment submission to CST

CL2: Level 2 — Intermediate (Enhanced Compliance)
For medium-sized operators with moderate risk exposure — requires structured processes and active risk management.
  • All CL1 controls plus formal risk management
  • Network segmentation and monitoring (SIEM)
  • Documented incident response procedures
  • Annual independent compliance audit

CL3: Level 3 — Advanced (Comprehensive Compliance)
For major telecom operators and critical service providers with the largest user bases and highest risk profiles.
  • All CL2 controls plus advanced threat defence
  • 24/7 SOC and continuous threat intelligence
  • Mandatory penetration testing & red teaming
  • Onsite CST audit and continuous reporting

The 4 Core Pillars of CRF

The CRF organises its requirements into four interdependent pillars. Compliance requires demonstrable maturity across all four — a strong technology pillar cannot compensate for weak governance or untrained staff.

Strategy (Governance Pillar)
Cybersecurity governance, leadership commitment, strategic alignment with business objectives, policy frameworks, and risk appetite definition.

People (Workforce Pillar)
Cybersecurity awareness and training, role-based skill requirements, security culture, background screening, and HR security processes.

Technology (Technical Pillar)
Technical security controls — network security, identity & access management, endpoint protection, encryption, secure architecture, and infrastructure resilience.

Processes (Operational Pillar)
Operational procedures — incident management, vulnerability management, change management, business continuity, and third-party risk management processes.

Key Obligations Under CST CRF

Across the four pillars, the CRF translates into a set of concrete operational obligations that licensed entities must implement, evidence, and maintain on an ongoing basis.

01. Establish Cybersecurity Governance Structure
Appoint a designated cybersecurity owner (CISO or equivalent) with defined responsibilities, establish a cybersecurity steering committee, and document a board-approved cybersecurity policy with clear accountability lines from operational teams up to executive leadership.

02. Conduct Periodic Risk Assessments
Perform regular cybersecurity risk assessments covering all critical assets, systems, and services. Risk treatment plans must be developed for all identified risks above the defined risk appetite, with clear ownership and remediation timelines.

03. Implement Network & Infrastructure Security Controls
Deploy technical controls proportionate to the assigned compliance level — including network segmentation, firewalls, IDS/IPS, secure remote access, encrypted communications, and protection of telecom infrastructure and signalling systems from unauthorised access.

04. Cyber Incident Reporting to CST
Establish a formal cyber incident response process with defined detection, escalation, containment, and recovery procedures. Significant incidents — particularly those affecting service availability, customer data, or critical infrastructure — must be reported to CST within the regulator's mandated timelines.

05. Cybersecurity Awareness & Workforce Training
Implement role-based cybersecurity training for all staff — from general awareness to specialised technical training for IT and security teams. Completion and effectiveness must be tracked with records maintained for CST audit, with mapping to the Saudi Cybersecurity Workforce Framework (SCyWF) recommended.

06. Annual Compliance Audit & CST Self-Assessment
Submit an annual self-assessment of CRF compliance status to CST. Entities at CL2 and CL3 must additionally undergo an independent compliance audit by a qualified third party, with results and remediation plans formally documented for regulatory review.

CRF in the Wider Saudi Compliance Landscape

Many CST-regulated entities also fall under additional regulatory regimes depending on their services. The table below clarifies how CRF interacts with other major Saudi cybersecurity frameworks:

| Entity Profile                          | Primary Framework                    | Additional Frameworks                                  |
|-----------------------------------------|--------------------------------------|--------------------------------------------------------|
| Telecom operator (non-CNI)              | CST CRF                              | PDPL, ISO 27001                                        |
| Telecom operator (classified CNI)       | NCA-ECC                              | CST CRF (where applicable), PDPL                       |
| ISP / Data Centre Operator              | CST CRF                              | Cloud Computing Regulatory Framework, PDPL             |
| Postal & Courier Companies              | CST CRF                              | PDPL                                                   |
| FinTech / Payment Service Provider      | SAMA CSF                             | CST CRF (telecom layer), PCI-DSS, PDPL                 |
| Cloud Service Provider (CSP)            | Cloud Computing Regulatory Framework | CST CRF, PDPL, NCA-ECC (for gov data)                  |

How to Achieve CST CRF Compliance

Achieving CST CRF compliance is a structured journey across all four pillars. The following seven-step roadmap reflects CyberOps' proven methodology for telecom, ICT, and postal sector clients — scaled to the target compliance level (CL1, CL2, or CL3).

7-Step CST CRF Compliance Roadmap
01. Determine Applicable Compliance Level (Week 1–2)
Determine whether your organisation falls under CL1, CL2, or CL3 based on licence type, customer base size, criticality of services, and whether the entity also falls under NCA-ECC as Critical National Infrastructure. This classification shapes the entire programme's scope and budget.

02. Gap Assessment Across All 4 Pillars (Week 2–5)
Assess current cybersecurity practices against CRF requirements across Strategy, People, Technology, and Processes — at the depth required for your compliance level. Each requirement is rated for compliance status, with gaps documented and risk-rated for the remediation plan.

03. Governance & Policy Framework Development (Week 4–9)
Establish the cybersecurity governance structure — appoint the responsible owner, form the steering committee, and develop the full policy suite required by the Strategy pillar: cybersecurity policy, risk management framework, asset management, access control, and acceptable use policies, all senior-management approved.

04. Technical Controls Remediation (Month 2–6)
Implement Technology pillar controls at your compliance level — network segmentation, firewall/IDS/IPS, MFA and access management, encryption, endpoint protection, and (for CL2/CL3) SIEM deployment and SOC monitoring. Telecom-specific controls covering signalling and core network protection are prioritised.

05. Workforce Training & Process Implementation (Month 3–7)
Roll out the People pillar — role-based training for all staff with specialised tracks for IT, security, and operations, mapped to SCyWF. In parallel, implement the Processes pillar: incident management, vulnerability management, change management, and business continuity, each with a defined RACI and regular testing.

06. Vulnerability Assessment & Penetration Testing (Month 6–8)
Conduct vulnerability assessments across all in-scope systems. For CL2/CL3 entities, mandatory penetration testing by a qualified third party covers network, application, and telecom signalling infrastructure. All critical and high findings must be remediated with evidence retained for the compliance audit.

07. Self-Assessment Submission & Continuous Compliance (Month 8–10, then annually)
Compile the evidence pack across all four pillars and submit the annual self-assessment to CST. CL2/CL3 entities additionally arrange the independent compliance audit. Establish a continuous improvement programme — annual re-assessment, ongoing risk monitoring, training, and progressive maturity toward higher compliance levels as the organisation grows.

CyberOps CST CRF Compliance Service

CyberOps supports telecom operators, ISPs, data centre operators, postal companies, and IT service providers across the full CST CRF compliance lifecycle. Our team understands the unique technical environment of telecom and ICT infrastructure, including signalling security, core network protection, and large-scale subscriber data handling.

Our end-to-end CST CRF service covers: compliance level determination, gap assessment across all four pillars, governance and policy development, technical controls implementation, SCyWF-aligned training, vulnerability assessments and penetration testing, evidence pack compilation, self-assessment support, and ongoing monitoring — including support for entities navigating overlapping NCA-ECC, SAMA, or PDPL requirements.

Start Your CST CRF Compliance Journey Today

Get a free compliance level determination and readiness assessment from our specialists — and a clear roadmap within 5 business days.
