Kingdom of Saudi Arabia issues new Cybersecurity Controls for the Private Sector
The Kingdom of Saudi Arabia’s National Cybersecurity Authority (“NCA”) has released new Cybersecurity Controls for Private Sector Entities Not Considered Critical Infrastructure (NCNICC‑1:2025) (the “Controls”). These Controls set out minimum cybersecurity requirements that private sector organisations across the Kingdom (whether small, medium or large) are required to implement. The Controls mark an important regulatory step toward strengthening the cybersecurity resilience of the private sector, particularly as cyber risks increase and businesses become more dependent on digital systems.
Purpose of the Controls
The Controls aim to reduce cybersecurity risks arising from internal and external threats, protect the confidentiality, integrity and availability of information, and enhance business continuity for private sector entities.
They are structured around the three core pillars of cybersecurity: people, processes and technology. The Controls also align with international best practices, with flexibility to reflect the size, sector, and nature of each private sector entity.
Scope of Application
The Controls apply to all private sector entities operating in Saudi Arabia that are not classified as national critical infrastructure. To help businesses understand their obligations, the NCA has divided entities into two categories based on size and revenue.
Category A – Large Entities:
Who falls under Category A?
Organisations with:
- more than 250 full‑time employees; or
- annual revenues exceeding SAR 200 million.
What do they need to comply with?
Category A organisations must implement a full set of cybersecurity requirements, structured as follows:
- Three main components: the high-level building blocks of the Controls, covering governance, defence, and resilience.
- 22 sub‑components: practical focus areas within each component, such as access management, risk management, monitoring, incident response, and third-party security.
- 65 essential controls: the specific measures organisations must put in place, for example conducting periodic risk assessments, implementing technical security configurations, maintaining incident response procedures, and ensuring employee awareness training.
Category A organisations therefore must meet the full scope of the Controls, meaning they need to establish strong oversight, well‑defined processes and appropriate technical safeguards throughout their operations.
Category B – Small and Medium-Sized Entities (SME):
Who falls under Category B?
Organisations with:
- 6 to 249 full‑time employees; or
- annual revenues between SAR 3 million and SAR 200 million.
What do they need to comply with?
Category B entities are subject to a more streamlined version of the Controls:
- One main component: focusing on essential cybersecurity foundations that every SME should have in place, such as basic governance, incident handling and core technical safeguards.
- 13 sub‑components: core areas such as basic risk management, access controls, backup practices and incident reporting.
- 26 essential controls: targeted measures designed to help SMEs establish a minimum cybersecurity baseline.
For SMEs, some controls are classified as “Recommended” rather than “Mandatory”, allowing smaller organisations to prioritise implementation based on their resources and risk profile. This approach provides flexibility for smaller businesses that have limited resources and may not have dedicated cybersecurity teams or the capacity to invest heavily in advanced security measures.
The NCA is able to impose additional or more advanced controls at any time if needed, for example, if a business operates in a sensitive sector or faces heightened cyber risks.
Key Themes and Requirements
The Controls group all cybersecurity measures into three core themes. Each theme focuses on a different area of cybersecurity and is broken down into practical requirements that organisations need to follow.
1. Cybersecurity Governance Control
This theme sets the foundations for how an organisation manages cybersecurity. It emphasises the role of senior leadership in supporting and enforcing cybersecurity practices, and ensures that the organisation has the right oversight, policies and ongoing checks in place.
The five main sub-components are:
- Creating a cybersecurity function: assigning responsibility for cybersecurity, whether as a dedicated team or a defined role within the organisation.
- Setting and enforcing cybersecurity policies and procedures: documenting how the organisation should manage security and ensuring employees follow these rules.
- Ongoing cybersecurity risk management: regularly identifying and assessing risks to systems and data and taking action to mitigate them.
- Periodic audits and compliance checks: reviewing cybersecurity practices to ensure they remain effective and up to date.
- Cybersecurity awareness and training: educating employees so they understand common threats and know how to respond.
This theme is essentially about good governance, clear accountability and continuous oversight.
2. Cybersecurity Defence Control
This theme focuses on the technical and operational measures an organisation must have in place to protect its systems, networks and data.
It covers a wide range of practical cybersecurity sub-components, including:
- Asset management: keeping track of all IT systems, devices and software so the organisation knows what needs protecting.
- Identity and access management: making sure only authorised individuals can access systems and data.
- System and device protection: applying basic security configurations, antivirus tools, firewalls and secure settings.
- Data protection and backup: ensuring sensitive data is encrypted, stored securely and backed up regularly.
- Vulnerability management and penetration testing: checking systems for weaknesses and addressing them before they can be exploited.
- Incident response and threat management: having a plan to detect, respond to and recover from cybersecurity incidents.
This theme is about day-to-day protection, making sure systems are secure and resilient.
3. Cybersecurity for Third Parties and Cloud Services
This theme focuses on how organisations manage cybersecurity risks that arise when working with external vendors or using cloud services.
It includes two core areas:
- Third-party security requirements: ensuring vendors meet cybersecurity standards, typically through contracts, service level agreements (SLAs) and due diligence checks.
- Cloud and hosting safeguards: making sure cloud service providers apply appropriate security measures and that data stored or processed externally is adequately protected.
This theme aims to ensure that reliance on vendors or cloud services does not create additional cybersecurity vulnerabilities.
Are the Controls legally mandatory?
For organisations that fall within Categories A and B, the Controls are legally mandatory. The NCA also retains the authority to assess compliance and update the Controls as needed.
In addition, applicability may differ between categories. Some controls apply to both Category A and Category B organisations (especially the Cybersecurity Defence theme, given the heightened risks it addresses), while other controls apply only to Category A.
For Category B entities (i.e. SMEs), some requirements are listed as “Recommended” rather than mandatory. These tend to be requirements that are more resource-intensive, particularly within Cybersecurity Governance, such as frequent audits or complex oversight mechanisms.
“Recommended” controls are not legally required, but they still represent cybersecurity best practice. Implementing these controls helps ensure the organisation has the baseline security measures needed to prevent common vulnerabilities and handle incidents more effectively.
Relationship with SDAIA and PDPL compliance
Although the Controls are issued by the NCA, they sit alongside and directly support an organisation’s obligations under the Personal Data Protection Law (“PDPL”), which is overseen by the Saudi Data and AI Authority (“SDAIA”).
Under the PDPL, organisations must implement strong technical, organisational, and administrative measures when processing personal data, such as encryption, access controls, vendor management and oversight, and breach response mechanisms. The Controls provide the underlying cybersecurity framework necessary to meet these expectations in practice.
Even where certain Controls are marked as “Recommended” rather than mandatory, they may still be relevant from a PDPL compliance perspective. If a personal data breach occurs, SDAIA will consider whether the organisation had appropriate safeguards in place, including those referenced in the NCA’s Controls. Demonstrating alignment with the Controls can therefore help evidence due diligence and may reduce regulatory risk if an incident occurs.
Implications for the Private Sector
The introduction of these Controls signals a clear regulatory direction toward raising the overall cybersecurity baseline across Saudi Arabia’s private sector. Organisations should review their current cybersecurity measures against the NCA requirements, determine which category they fall into, and develop a practical plan for achieving compliance. This will typically involve assessing existing policies, identifying any gaps, and prioritising improvements based on the organisation’s size, operational model and risk exposure. Engaging legal and technical specialists can help ensure the assessment is accurate and that the implementation roadmap is both realistic and aligned with regulatory expectations.
If your organisation requires support in evaluating its posture against the new Controls, determining the applicable category, or developing a tailored compliance plan, our Data and Cyber team is ready to assist. We can advise on understanding the scope and requirements of the Controls, draft or update the necessary cybersecurity policies and procedures, explain how the Controls align with PDPL obligations, support in reviewing vendor and cloud contracts, and assist with incident handling and personal data breach notification requirements. Please contact us if you would like to discuss how we can support your organisation in strengthening its cybersecurity resilience and regulatory compliance.