Cybersecurity regulation in Saudi Arabia (2026)
Saudi Arabia operates a comprehensive, centralized cybersecurity regime led by the National Cybersecurity Authority (NCA), which sets and enforces mandatory frameworks across government, critical national infrastructure (CNI), and the private sector. This is layered with the Anti-Cyber Crime Law (criminal offences), sector-specific rules from the Saudi Central Bank (SAMA) for financial institutions, and personal-data breach-notification duties under the PDPL administered by SDAIA. The regime has been progressively expanded, with updated controls (ECC-2:2024) and new private-sector controls (NCNICC-1:2025) issued recently.
Key points
The National Cybersecurity Authority was established by Royal Order No. 6801 (31 Oct 2017, amended by Royal Order No. 7053 of 2021) as the kingdom's supreme cybersecurity reference, empowered to set national strategy and issue binding cybersecurity frameworks and controls.
The NCA's Essential Cybersecurity Controls (originally ECC-1:2018, updated to ECC-2:2024) set mandatory minimum requirements across domains such as governance, defense, resilience, third-party/cloud, and industrial control systems. They apply to government bodies and to entities owning/operating Critical National Infrastructure.
The NCA issued new Cybersecurity Controls for Private Sector Entities Not Considered Critical Infrastructure (NCNICC-1:2025), extending mandatory baseline cybersecurity requirements to private organisations across the kingdom that fall outside CNI scope.
The Anti-Cyber Crime Law, enacted by Royal Decree No. M/17 (2007), criminalizes unauthorized access, interception, data interference, and related offences, providing the penal backbone alongside the NCA's preventive/regulatory frameworks.
The Saudi Central Bank (SAMA) Cyber Security Framework (launched 2017, based on NIST/ISO/PCI/ISF/BASEL) is mandatory for SAMA-regulated banks, insurers, finance companies, payment service providers and fintechs, covering risk management, security operations, incident response and governance.
Under the Personal Data Protection Law (PDPL), controllers must notify the data-protection regulator SDAIA of a personal-data breach within 72 hours of becoming aware (where harm or rights infringement may result) and inform affected individuals without delay; reporting runs through the National Data Governance Platform. NCA frameworks separately require incident-response procedures and reporting of cyber incidents.
Timeline - major decisions & events
NCA published the Non-Critical National Information and Communications Infrastructure Cybersecurity Controls (NCNICC-1:2025), imposing mandatory minimum controls — covering governance, access management, incident response, and third-party security — on every private-sector organisation in Saudi Arabia regardless of critical infrastructure status, closing the gap that previously limited mandatory NCA rules to CNI operators.
Source: NCA
NCA issued ECC-2:2024 replacing the 2018 version, streamlining controls from 114 to 108 across four domains, aligning with NIST CSF and ISO/IEC 27001, and introducing a Saudization mandate requiring all cybersecurity positions (not just senior roles) to be filled by qualified Saudi nationals.
Source: NCA
Saudi Arabia's PDPL (originally enacted September 2021, amended by Royal Decree No. M/148 in March 2023) became fully enforceable, imposing cybersecurity obligations including encryption, access controls, 72-hour breach notification to SDAIA, and data protection impact assessments — creating GDPR-comparable data-security duties on all controllers.
Source: Saudi Government National Portal
NCA published the Operational Technology Cybersecurity Controls (OTCC-1:2022), establishing minimum security requirements for Industrial Control Systems (ICS) and OT environments in energy, utilities, and other CNI sectors — directly addressing attack vectors exposed by the Shamoon incidents.
Source: NCA
NCA published the Cloud Cybersecurity Controls setting mandatory security requirements for cloud service providers and cloud tenants operating in Saudi Arabia, including data residency obligations and shared-responsibility security standards, later updated as CCC-2:2024.
Source: NCA
NCA issued the first Essential Cybersecurity Controls — 114 mandatory controls across five domains (governance, risk management, operations, resilience, third parties) applicable to all government entities and CNI operators — establishing Saudi Arabia's first binding national cybersecurity framework.
Source: NCA
Royal Order No. 6801 formally constituted the NCA reporting directly to the King, consolidating previously fragmented cybersecurity functions from the Ministry of Interior and MCIT under a single supreme cybersecurity regulator — the institutional cornerstone of Saudi Arabia's current cybersecurity framework.
Source: NCA
The Saudi Arabian Monetary Authority issued its mandatory Cyber Security Framework requiring all banks, insurers, and finance companies to establish a Saudi-national CISO, cybersecurity governance committees, and controls spanning risk management, access control, and incident response — with full compliance required by end of 2018.
Source: SAMA
A retooled Shamoon variant struck multiple Saudi government agencies and organisations from November 2016 through early 2017, demonstrating the persistent state-sponsored threat and directly accelerating the establishment of the NCA (October 2017) and the subsequent wave of mandatory sector controls.
Source: Wikipedia / Symantec
The Shamoon malware (attributed to state-sponsored Iranian actors) destroyed approximately 35,000 Aramco workstations in hours, threatening 10% of global oil supply — the most consequential cyber incident in Saudi history and the primary catalyst for subsequent national cybersecurity legislation and institution-building.
Source: CNN
Saudi Arabia enacted its first national cybersecurity law, criminalising unauthorised computer access, data theft, malware distribution, and online fraud, with penalties up to SAR 5 million and 4 years imprisonment for serious offences — the principal criminal statute still underpinning cybersecurity enforcement today.
Source: WIPO Lex / MCIT
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.