
SASO Suspends Building Digital Twin Imports Over API Security Gaps

SASO suspends Building Digital Twin imports due to API security gaps—urgent action needed for OAuth 2.1, CORS & IEC 62443-4-2 compliance.
Lina Cloud
Time : May 04, 2026

Saudi Standards, Metrology and Quality Organization (SASO) announced on May 3, 2026, the immediate suspension of import license approvals for Building Digital Twin systems. This action directly affects vendors and integrators supplying smart building infrastructure to Saudi Arabia — particularly those deploying cloud-connected digital twin platforms in commercial real estate, industrial facilities, and government smart city projects. The suspension signals a tightening of cybersecurity enforcement at the API layer, elevating compliance expectations beyond baseline device-level certifications.

Event Overview

On May 3, 2026, SASO issued an official notice confirming the suspension of all import permit approvals for Building Digital Twin systems. The stated reason is that the currently accepted UL 2900-2-2 cybersecurity certification does not cover critical API security requirements — specifically, OAuth 2.1 dynamic token refresh mechanisms and mandatory enforcement of Cross-Origin Resource Sharing (CORS) policies. SASO requires affected manufacturers to submit supplemental verification reports or transition to the IEC 62443-4-2:2025 certification path.

Which Sub-Sectors Are Affected

Building Technology Integrators & System Vendors
These entities typically assemble, configure, and deploy digital twin platforms using third-party hardware, edge gateways, and cloud APIs. Because SASO’s suspension targets the system-level import approval — not individual components — integrators cannot obtain new permits unless their full stack satisfies the updated API security criteria. Impact includes delayed project go-lives, contract renegotiations, and potential re-architecting of authentication and cross-domain data exchange logic.

Cloud Platform Providers with Middle-East Deployment
Vendors offering SaaS-based digital twin dashboards or analytics engines — especially those relying on OAuth 2.0/2.1 flows and RESTful APIs serving Saudi clients — face direct scrutiny. Even if backend infrastructure resides outside Saudi Arabia, SASO treats the system as imported once deployed for local operation. Non-compliant token handling or permissive CORS configurations may now block market access entirely.

Cybersecurity Certification Labs & Conformity Assessment Bodies
Labs accredited to issue UL 2900-2-2 certificates must now clarify scope limitations regarding API-layer validation. Those supporting clients seeking Saudi market entry will need to either expand testing protocols to include OAuth 2.1 token lifecycle validation and CORS policy auditing — or explicitly redirect clients toward IEC 62443-4-2:2025 assessment, which mandates secure development lifecycle (SDLC) evidence for software components including APIs.

What Relevant Enterprises or Practitioners Should Monitor and Do Now

Track SASO’s official guidance on transition timelines and acceptable evidence formats

SASO has not yet published deadlines, grace periods, or technical specifications for the required supplemental reports. Companies should monitor SASO’s official portal and authorized conformity assessment body bulletins for updates — especially whether legacy UL 2900-2-2 certificates may be grandfathered with add-on test reports.

Inventory all deployed or planned Building Digital Twin APIs for OAuth 2.1 token behavior and CORS enforcement

Organizations should audit whether their current implementations enforce short-lived access tokens, validate token binding, rotate refresh tokens, and reject wildcard CORS headers (e.g., Access-Control-Allow-Origin: *). Automated scanning tools and manual penetration tests focused on API auth flows are now essential pre-submission steps.
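To make the audit items above concrete, the following checks (an added example, not SASO's tooling or any vendor's code) inspect constructed token responses and CORS headers for token lifetime, refresh-token rotation and wildcard or reflected origins; the 900-second lifetime threshold and the origin allowlist are assumptions, not SASO requirements.

```python
import base64
import json

MAX_ACCESS_TOKEN_LIFETIME = 900  # assumed audit threshold in seconds (15 minutes)

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def make_sample_token(iat: int, exp: int) -> str:
    """Constructed, unsigned sample JWT (header.payload.dummy) used only as demo input."""
    return f"{_b64url({'alg': 'none'})}.{_b64url({'iat': iat, 'exp': exp, 'sub': 'twin-gw-01'})}.x"

def jwt_claims(token: str) -> dict:
    """Decode the claims segment without verifying the signature (audit inspection only)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))

def check_access_token(token: str) -> list[str]:
    """Short-lived access tokens: bound exp - iat by the audit threshold."""
    claims = jwt_claims(token)
    if "exp" not in claims or "iat" not in claims:
        return ["access token lacks exp/iat; lifetime cannot be bounded"]
    lifetime = claims["exp"] - claims["iat"]
    if lifetime > MAX_ACCESS_TOKEN_LIFETIME:
        return [f"access token lifetime {lifetime}s exceeds {MAX_ACCESS_TOKEN_LIFETIME}s"]
    return []

def check_refresh_rotation(used_refresh: str, response: dict) -> list[str]:
    """Refresh-token rotation: each refresh must issue a new token, retiring the one presented."""
    new = response.get("refresh_token")
    if not new:
        return ["refresh response did not issue a new refresh token"]
    if new == used_refresh:
        return ["refresh token reused verbatim; rotation not enforced"]
    return []

def check_cors(response_headers: dict, request_origin: str, allowed: set[str]) -> list[str]:
    """CORS: reject wildcard origins, reflected unlisted origins and credentials outside the allowlist."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    findings = []
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin")
    elif acao == request_origin and request_origin not in allowed:
        findings.append(f"Access-Control-Allow-Origin reflects unlisted origin {request_origin}")
    if acao and acao not in allowed and h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("credentials allowed for an origin outside the allowlist")
    return findings
```

Run the three checks against a captured token exchange and a cross-origin response from each digital twin API endpoint; an empty result for all three is the baseline the audit items above describe.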

Assess feasibility of migrating to IEC 62443-4-2:2025 before resubmitting

Unlike UL 2900-2-2 — which focuses on vulnerability scanning and known exploit mitigation — IEC 62443-4-2:2025 requires documented secure development practices, threat modeling, and evidence of secure coding for software components. Firms should evaluate internal SDLC maturity and determine whether engaging a certified assessor early can accelerate alignment.

Coordinate with local Saudi partners on documentation readiness and customs coordination

Import license applications in Saudi Arabia often require localized technical documentation, Arabic-language user guides, and declarations signed by locally registered representatives. With approval suspended, firms should proactively align with their Saudi agents or distributors to prepare revised compliance dossiers — including updated architecture diagrams highlighting API security controls — ahead of any SASO reopening notice.

Editorial Perspective / Industry Observation

On its face, this is not a broad-based regulatory shift but a targeted clarification of existing cybersecurity expectations — one that exposes a gap between widely adopted product-level standards and system-level operational security realities. SASO is evidently treating Building Digital Twin not as discrete hardware or software, but as an integrated cyber-physical system in which API trust boundaries are as critical as firmware integrity. The move aligns with global trends seen in EU Cyber Resilience Act (CRA) implementation and U.S. NIST SP 800-218 adoption, where runtime behaviors (e.g., token management, origin validation) are now treated as certifiable control objectives. It is more accurately understood as a policy signal than as an isolated enforcement action: it indicates SASO intends to treat API security as non-negotiable for any connected building system entering the Kingdom.

Current industry attention should focus less on whether the suspension will be lifted, and more on how quickly vendors adapt their development and certification strategies to meet systemic, not just component-level, assurance requirements.

Conclusion
This suspension underscores a maturing regulatory stance toward operational technology (OT) and IT convergence in smart infrastructure. It reflects growing recognition that digital twin deployments introduce persistent, high-privilege API surfaces — and that legacy device certifications alone no longer suffice. Rather than signaling market closure, it marks a threshold where cybersecurity rigor shifts from ‘compliance checkbox’ to ‘design requirement’. Enterprises are well advised to treat this as a catalyst for strengthening API security governance — not as a temporary barrier.

Information Sources
Primary source: Official SASO notice dated May 3, 2026 (reference number and URL not publicly disclosed in the source material reviewed).
Note: SASO’s detailed technical annexes, transition roadmap, and list of authorized IEC 62443-4-2:2025 assessment bodies remain pending publication and are under active observation.
