
Jana Mrad, Associate (jana.mrad@bsalaw.com)

Nadim Bardawil, Partner (nadim.bardawil@bsalaw.com)

The Saudi National Cybersecurity Authority (“NCA”) has issued the Non-CNI Private Sector Entities Cybersecurity Controls (the “Controls”), establishing a mandatory baseline and detailed requirements for private‑sector entities that are not part of sensitive national critical infrastructure, to strengthen national security and enable a safe digital economy.

The Controls apply to two categories: (A) Large entities (250+ full‑time employees or annual revenue over SAR 200,000,000) and (B) Small and Medium Enterprises (6–249 full‑time employees or annual revenue between SAR 3,000,000 and SAR 200,000,000).

The Controls are tailored by entity size across three components: Governance, Cybersecurity Defense, and Third-Party and Cloud Computing Cybersecurity.

Core defense measures include endpoint protection, data classification, backup management and periodic penetration testing. The Controls also mandate establishing a designated leadership function for cybersecurity for each entity.

While the Controls do not specify a deadline by which companies are expected to become compliant, we advise in-scope entities to begin assessing their current controls against the baseline, prioritize mandatory items by category, and build a remediation plan that addresses the governance, technical, and third‑party/cloud requirements, with documented verification and reporting workflows.