Gray Hat Security (GHS) logo

GRC · CST Regulations · ICT Sector

CST CRF: The Cybersecurity Regulatory Framework for Saudi Arabia's ICT Sector

July 7, 2026 · 9 min read · GHS Security Team CST CRF GRC ICT Compliance

Quick Answer

CST CRF (the Cybersecurity Regulatory Framework) is issued by the Communications, Space & Technology Commission (CST) — formerly CITC — and sets mandatory cybersecurity requirements for licensed ICT Service Providers in Saudi Arabia: telecom operators, ISPs, and hosting/data center providers.

CRF uses a risk-based approach with three progressive Compliance Levels — CL1, CL2, and CL3 — spanning six control domains: governance, asset management, risk management, logical security, physical security, and third-party security. Many ICT licensees also fall under NCA ECC and must satisfy both frameworks together.