
SASO Mandates UL 2900-2-2 for Building Digital Twin Systems in Saudi Arabia

UL 2900-2-2 and IEC 62443-3-3 are now mandatory for Building Digital Twin systems in Saudi Arabia — discover what SASO’s new rule means for your bid readiness and compliance strategy.
Lina Cloud
Time : May 02, 2026

Saudi Arabia’s Standards, Metrology and Quality Organization (SASO) updated mandatory certification requirements for Building Digital Twin systems on April 30, 2026. Effective from Q3 2026, all bidders submitting proposals for Building Digital Twin projects in the Kingdom must provide a UL 2900-2-2 cybersecurity test report, and their systems must embed firmware-level vulnerability response mechanisms compliant with IEC 62443-3-3. This requirement is now formally included in the technical annex of NEOM Phase II security procurement documents — making it immediately relevant for smart infrastructure, building automation, and industrial cybersecurity providers operating in or exporting to Saudi Arabia.

Event Overview

On April 30, 2026, SASO issued an update to its mandatory certification framework for Building Digital Twin systems. The update specifies that, starting in Q3 2026, all tender submissions for such projects must include a valid UL 2900-2-2 cybersecurity test report. Additionally, the deployed system must incorporate a firmware-level vulnerability response mechanism aligned with IEC 62443-3-3. This requirement has been formally integrated into the technical annex of the NEOM Phase II security procurement package.

Which Subsectors Are Affected

Smart Building System Integrators

Integrators delivering end-to-end Building Digital Twin solutions for public or mega-project tenders in Saudi Arabia are directly affected. They must now ensure third-party UL 2900-2-2 validation applies to the full system stack — not just individual components — and verify firmware-level compliance across all embedded controllers and edge gateways.

Industrial Cybersecurity Solution Providers

Vendors offering cybersecurity modules, secure boot firmware, or runtime integrity monitoring tools face increased demand for IEC 62443-3-3–aligned capabilities. Their products may be required as embedded components within larger Digital Twin platforms — meaning compatibility, certification traceability, and documentation rigor become critical bid evaluation criteria.

Building Automation Equipment Manufacturers

Manufacturers of BAS controllers, IoT sensors, BMS gateways, and edge servers used in Digital Twin deployments must assess whether their current firmware architecture supports real-time vulnerability detection and automated mitigation per IEC 62443-3-3. Legacy devices without upgradable, standards-compliant firmware may no longer qualify for SASO-certified deployments.

Export-Oriented Technology Suppliers

Suppliers outside Saudi Arabia — particularly those based in Europe, North America, or Asia supplying hardware or software to local integrators — must confirm whether their product documentation, test reports, and firmware update policies meet the newly codified UL and IEC requirements. Absence of UL 2900-2-2 validation may disqualify otherwise technically suitable offerings at the prequalification stage.

What Relevant Enterprises or Practitioners Should Focus On and How to Respond Now

Monitor official SASO implementation guidance and NEOM technical addenda

SASO has not yet published detailed conformity assessment procedures or recognized testing laboratories for UL 2900-2-2 in this context. Enterprises should track SASO’s official portal and NEOM procurement notices for updates on accepted test labs, report validity periods, and interpretation of ‘system-level’ vs. ‘component-level’ validation.

Verify UL 2900-2-2 scope and IEC 62443-3-3 alignment in existing test reports

Many vendors hold UL 2900-2-2 reports — but often for specific subsystems (e.g., cloud APIs or management dashboards), not full Digital Twin deployments including field devices and firmware layers. Current reports must be reviewed for coverage breadth, test version (UL 2900-2-2:2023 vs. earlier), and explicit linkage to IEC 62443-3-3 controls.

Distinguish between policy signal and enforceable requirement timing

The rule takes effect in Q3 2026, but NEOM Phase II tenders referencing it are already active. Analysis shows this reflects a de facto early adoption pathway: compliance is becoming a competitive differentiator *before* formal enforcement begins. Companies treating it solely as a future deadline risk missing near-term bidding windows.

Assess firmware update capability and supply chain documentation readiness

IEC 62443-3-3 requires documented processes for identifying, triaging, and remediating firmware vulnerabilities — including secure update delivery and rollback. Manufacturers and integrators should audit current firmware lifecycle practices and prepare evidence packages (e.g., SBOMs, vulnerability response playbooks, signed update mechanisms) for submission during technical evaluation.

Editorial Perspective / Industry Observation

This SASO update is less a standalone regulation than a formalization of an emerging regional benchmark, one tightly coupled to NEOM’s infrastructure ambitions. It signals a shift from ‘cybersecurity as optional feature’ to ‘cybersecurity as architectural prerequisite’ for digital twin deployments in critical national projects. Analysis shows it functions primarily as a procurement filter rather than a broad market-access barrier, meaning impact is concentrated among firms actively pursuing government or giga-project contracts in Saudi Arabia. From an industry perspective, it reflects growing convergence between operational technology (OT) security standards and building-scale digital infrastructure, a trend likely to influence GCC-wide policy development in coming years.

Conclusion

This SASO update does not introduce new global standards, but it does institutionalize UL 2900-2-2 and IEC 62443-3-3 as non-negotiable elements for Building Digital Twin participation in Saudi Arabia’s highest-priority infrastructure programs. It is best understood not as a general market entry requirement, but as a targeted qualification threshold for specific, high-value tenders — particularly those linked to NEOM and other Vision 2030 flagship initiatives. Current readiness depends less on wholesale product redesign and more on precise documentation alignment, test report validation scope, and demonstrable firmware lifecycle governance.

Information Sources

Primary source: Official SASO announcement dated April 30, 2026 (publicly available via SASO e-portal). Secondary reference: NEOM Phase II Security Procurement Technical Annex (Version dated May 2026, publicly released as part of open tender package). Note: SASO’s formal conformity assessment procedure document and list of accredited laboratories for UL 2900-2-2 in this application remain pending publication and are under ongoing observation.
