Saudi Standards, Metrology and Quality Organization (SASO) temporarily suspended import licensing for Building Digital Twin systems effective 1 May 2026. The decision directly impacts manufacturers, exporters, and integrators supplying smart building infrastructure to Saudi Arabia — particularly those relying on China-sourced systems. This action signals a tightening of cybersecurity validation requirements for IoT-enabled building management platforms in the Kingdom.

Event Overview

On 1 May 2026, SASO issued an interim notice halting all import permit approvals for Building Digital Twin systems. The suspension stems from SASO SS 2900-2-2:2026 Clause 4.7, which mandates verification of API interfaces against UL 2900-2-2:2025 Section 8.3.2 ('Remote Invocation Injection Protection'). SASO confirmed that current pre-installed module validations by Chinese vendors cover only UI-layer components and do not extend to backend API security controls. SASO indicated the review window is expected to reopen in mid-June 2026.

Which Sub-Sectors Are Affected

Building Technology Exporters & OEMs

Exporters supplying turnkey Building Digital Twin platforms to Saudi clients face immediate shipment delays and pending customs clearance. Since SASO import permits are mandatory for market entry, unverified systems cannot be legally deployed — affecting revenue recognition and project timelines for ongoing smart building tenders.

System Integrators & Local Distributors

Integrators contracted to deploy Digital Twin solutions in Saudi commercial or government facilities may encounter scope freezes or contractual renegotiations. Without valid SASO permits, integration work involving system commissioning, data ingestion, or API-based interoperability with BMS or FM platforms cannot proceed lawfully.

Embedded Software Developers & Firmware Providers

Vendors providing middleware, API gateways, or firmware modules for Digital Twin backends must now verify whether their code paths fall under UL 2900-2-2:2025 Section 8.3.2. Pre-certified UI-layer libraries do not satisfy the new requirement — meaning retesting and documentation updates are necessary before resubmission.

Third-Party Certification & Testing Labs

Labs accredited for UL 2900-2-2 testing — especially those supporting API-level penetration and injection analysis — may see increased demand for targeted validation services. However, only labs authorized by SASO for SS 2900-2-2:2026 compliance assessments can issue accepted reports.

What Enterprises and Practitioners Should Monitor and Do Now

Track official SASO communications on SS 2900-2-2:2026 implementation guidance

SASO has not yet published detailed interpretation notes or test evidence templates for Clause 4.7. Companies should monitor SASO’s official portal and registered notifications for updates on acceptable evidence formats, lab authorization status, and any transitional provisions ahead of the anticipated mid-June reopening.

Confirm whether existing product certifications cover API interface layers — not just UI modules

Many vendors hold UL 2900-2-2:2025 certifications based on front-end application testing. Analysis shows these certifications typically exclude backend API endpoints, authentication handshakes, webhook handlers, and third-party integration bridges — all now explicitly in scope per SASO SS 2900-2-2:2026 Clause 4.7.

Distinguish between policy announcement and operational enforcement

The suspension applies strictly to new import permit applications. Observably, previously approved permits remain valid for their original duration, and in-country inventory already cleared through customs is unaffected. However, no new shipments can be licensed until SASO resumes processing — making stock planning and lead-time reassessment urgent.

Prepare technical documentation and coordinate with accredited testing labs ahead of the June window

Given the narrow expected timeframe for resubmission (mid-June onward), enterprises should begin compiling API architecture diagrams, threat models, secure coding practices documentation, and logs of prior injection-resistance tests. Early engagement with SASO-recognized labs will help avoid bottlenecks once the review channel reopens.

Editorial Perspective / Industry Observation

This measure is better understood as a targeted regulatory calibration than a broad market restriction. From an industry perspective, SASO’s move reflects growing alignment with international cybersecurity baselines for critical digital infrastructure — specifically extending software assurance beyond user-facing layers into machine-to-machine communication channels. It signals that API security is no longer treated as optional middleware configuration but as a mandated, auditable component of building system certification. Current attention should focus less on reversal likelihood and more on how this requirement may inform upcoming revisions to GCC-wide smart building standards.

It is not yet clear whether SASO will accept retroactive UL 2900-2-2:2025 test reports covering API layers if submitted before mid-June — or whether only newly conducted, SASO-witnessed assessments will qualify. That remains a key variable requiring confirmation.

Conclusion

This suspension underscores a structural shift: Building Digital Twin systems are increasingly regulated as interconnected cyber-physical assets rather than standalone visualization tools. For affected stakeholders, the priority is not speculation about timeline extensions, but precise gap analysis between current certifications and SASO SS 2900-2-2:2026 Clause 4.7. The most pragmatic interpretation is that API security validation is now a non-negotiable, front-loaded compliance gate — not a post-deployment audit item.

Information Source

Main source: Official interim notice issued by Saudi Standards, Metrology and Quality Organization (SASO), dated 1 May 2026. SASO SS 2900-2-2:2026 standard text and UL 2900-2-2:2025 reference edition are publicly available via SASO and UL Standards portals. Note: SASO’s mid-June 2026 review window remains an expectation stated in the notice; its exact start date and procedural details are pending further official confirmation.