Cybersecurity · Saudi Arabia
Saudi Arabia operates a comprehensive, centralized cybersecurity regime led by the National Cybersecurity Authority (NCA), which sets and enforces mandatory frameworks across government, critical national infrastructure (CNI), and the private sector. This is layered with the Anti-Cyber Crime Law (criminal offences), sector-specific rules from the Saudi Central Bank (SAMA) for financial institutions, and personal-data breach-notification duties under the PDPL administered by SDAIA. The regime has been progressively expanded, with updated controls (ECC-2:2024) and new private-sector controls (NCNICC-1:2025) issued recently.
The National Cybersecurity Authority was established by Royal Order No. 6801 (31 Oct 2017, amended by Royal Order No. 7053 of 2021) as the kingdom's supreme cybersecurity reference, empowered to set national strategy and issue binding cybersecurity frameworks and controls.
The NCA's Essential Cybersecurity Controls (originally ECC-1:2018, updated to ECC-2:2024) set mandatory minimum requirements across domains such as governance, defense, resilience, third-party/cloud, and industrial control systems. They apply to government bodies and to entities owning/operating Critical National Infrastructure.
The NCA issued new Cybersecurity Controls for Private Sector Entities Not Considered Critical Infrastructure (NCNICC-1:2025), extending mandatory baseline cybersecurity requirements to private organisations across the kingdom that fall outside CNI scope.
The Anti-Cyber Crime Law, enacted by Royal Decree No. M/17 (2007), criminalizes unauthorized access, interception, data interference, and related offences, providing the penal backbone alongside the NCA's preventive/regulatory frameworks.
The Saudi Central Bank (SAMA) Cyber Security Framework (launched 2017, based on NIST/ISO/PCI/ISF/BASEL) is mandatory for SAMA-regulated banks, insurers, finance companies, payment service providers and fintechs, covering risk management, security operations, incident response and governance.
Under the Personal Data Protection Law (PDPL), controllers must notify the data-protection regulator SDAIA of a personal-data breach within 72 hours of becoming aware (where harm or rights infringement may result) and inform affected individuals without delay; reporting runs through the National Data Governance Platform. NCA frameworks separately require incident-response procedures and reporting of cyber incidents.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.