Saudi Arabia’s Standards, Metrology and Quality Organization (SASO) officially published SASO IEC 62443-3-3:2026 on May 14, 2026, mandating IEC 62443-3-3 Security Level 2 (SL2) certification for all cloud-based Video Management Systems (Cloud VMS) deployed in the Kingdom’s critical infrastructure sectors—including energy, water, and transportation. Enforcement begins September 1, 2026. This development directly affects vendors, integrators, and service providers operating in or exporting to these high-assurance domains.

Event Overview

On May 14, 2026, SASO released SASO IEC 62443-3-3:2026. The standard requires that any Cloud VMS used in Saudi critical infrastructure must achieve IEC 62443-3-3 SL2 certification. Additionally, applicants must submit a penetration testing report and security configuration audit report issued by a SASO-recognized laboratory. The requirement becomes mandatory on September 1, 2026.

Industries Affected by Sector

Cloud VMS Solution Providers

Providers developing or selling Cloud VMS platforms targeting Saudi energy, water, or transport operators are directly subject to compliance. Impact includes extended time-to-market due to certification cycles, increased cost of third-party validation, and potential redesign of architecture or access control mechanisms to meet SL2 technical requirements (e.g., secure boot, role-based access enforcement, audit logging integrity).

Systems Integrators & Managed Service Providers

Integrators deploying or managing Cloud VMS in regulated Saudi infrastructure projects must verify vendor compliance prior to implementation. Non-compliant platforms may trigger contractual liability, project delays, or rejection during SASO conformity assessment. Integration workflows now require formal validation of certification status and supporting lab reports as part of procurement and handover documentation.

Cybersecurity Testing Laboratories

Laboratories accredited by SASO—or seeking accreditation—face heightened demand for IEC 62443-3-3 SL2 assessments. This includes both penetration testing and security configuration audits specific to cloud-hosted VMS environments. Labs must confirm their scope explicitly covers cloud deployment models (e.g., multi-tenant SaaS, containerized microservices) under the updated standard.

Key Considerations and Recommended Actions for Stakeholders

Monitor official SASO guidance and recognized lab updates

SASO has not yet published a full list of laboratories authorized to perform SASO IEC 62443-3-3:2026 assessments. Stakeholders should track SASO’s official portal and notifications for updated accreditation lists and interpretation notes—particularly regarding acceptable cloud deployment topologies and evidence formats.

Verify SL2 scope alignment for cloud-specific architectures

IEC 62443-3-3 SL2 certification is system-specific and environment-dependent. Vendors and integrators must confirm whether existing certifications cover the exact deployment model (e.g., AWS GovCloud vs. local Saudi cloud), data residency configuration, and identity federation setup used in target projects—rather than relying on generic or on-premises SL2 certificates.

Distinguish between policy issuance and operational enforcement readiness

Although the standard takes effect September 1, 2026, SASO’s capacity to conduct audits, review reports, and issue conformity statements remains subject to internal capability ramp-up. Projects scheduled for commissioning between September and December 2026 may encounter procedural delays; early engagement with SASO-accredited bodies is advisable to identify evidence gaps.

Prepare documentation and procurement workflows ahead of deadline

Organizations procuring or deploying Cloud VMS in Saudi critical infrastructure should update vendor evaluation checklists to include SL2 certification validity, lab report issuance date, and explicit coverage of cloud delivery. Internal procurement policies and contract templates should reference SASO IEC 62443-3-3:2026 as a mandatory compliance clause—not just a recommendation.

Editorial Perspective / Industry Observation

Observably, this update signals SASO’s formal alignment of industrial cybersecurity expectations with international best practices—specifically the ISA/IEC 62443 series—as applied to cloud-native OT-adjacent systems. Analysis shows it is less a sudden regulatory shift and more a structured escalation of existing cybersecurity accountability, extending beyond on-premises control systems to managed cloud services with direct operational impact. From an industry perspective, it reflects growing recognition that video surveillance infrastructure is no longer auxiliary IT—it is a component of safety-instrumented systems in critical facilities. Current enforcement timing suggests SASO intends this as a calibrated, enforceable baseline—not merely a consultative guideline.

Consequently, stakeholders should treat this as an operational compliance milestone rather than a distant policy signal. However, its real-world impact will depend on consistent interpretation across SASO’s regional offices and accredited labs—factors still evolving and requiring ongoing observation.

The broader significance lies in precedent: SASO’s treatment of Cloud VMS under IEC 62443 sets a template likely to influence future requirements for other cloud-delivered OT support services (e.g., remote diagnostics platforms, predictive maintenance SaaS). For now, it is most accurately understood as a targeted, sector-specific enforcement action—not a wholesale overhaul of Saudi ICT regulation.

This update is best interpreted as a defined compliance obligation with clear technical and procedural boundaries, rather than an open-ended security directive. Its enforceability hinges on laboratory capacity and stakeholder preparedness—not theoretical risk posture.

Information Source: Official publication notice from the Saudi Standards, Metrology and Quality Organization (SASO), dated May 14, 2026. Note: The list of SASO-recognized laboratories for SASO IEC 62443-3-3:2026 assessments remains pending public release and is under active observation.