Saudi Arabia: Adopted Essential Cybersecurity Controls

In 2018, the Essential Cybersecurity Controls (ECC) were issued by the National Cybersecurity Authority (NCA). The ECC applies to all private and public organisations and sets the minimum levels of cybersecurity requirements in the Kingdom. The NCA developed the ECC with the following standards: confidentiality, integrity, and availability. Additionally, the ECC includes 5 cybersecurity main domains, 20 subdomains, and 114 cybersecurity controls. The ECC domains are cybersecurity governance, cybersecurity defence, cybersecurity resilience, third-party and cloud computing cybersecurity, and Industrial Control Systems and Devices (ICS) Protection. Cybersecurity governance includes ensuring that businesses have a cyber strategy, clear documentation of its requirements, clear division of responsibilities, and calculating and managing risk in a methodological approach. As for defence, the ECC requires clear and secure identity and access management, email protection, mobile and network security, cryptography to protect information correctly, and comprehensive testing and documentation. The third domain, resilience, is to ensure the businesses' ability to provide continuous protection of their data and systems and to create response plans as well as disaster recovery plans. Moreover, the ECC issues specific cybersecurity requirements for cloud computing and the handling of third parties. For example, contracts should include non-disclosure clauses with third-parties. The ECC requires that cloud computing cybersecurity managed service centres be exclusively conducted in the Kingdom, even when working with third parties. Finally, the ICS Protection contains stricter cybersecurity requirements to effectively protect against cyberattacks.