On 1 November 2022, the National Cybersecurity Authority (NCA) of Saudi Arabia published the Data Cybersecurity Controls (DCC-1:2022). The DCC forms part of the NCA's mandate, as set out in Royal Decree number 57231, to guarantee the continuous compliance of organisations with the requisite cybersecurity measures. The DCC requires compliance from Saudi government and private organisations operating Critical National Infrastructure. This regulation provides a structured classification for data protection with distinct security requirements, defining a four-tier system for the protection of data based on its sensitivity. The highest level of classification, Top Secret, necessitates the implementation of rigorous access limitations, secure disposal procedures, and regular audits. In comparison, Secret data requires the establishment of a robust access management system, the installation of monthly patches, and the implementation of enhanced security hardening measures. Access to Confidential data is restricted to specific roles, with the data masked to prevent external sharing. In contrast, Public data is more open, but still requires basic access control and secure disposal. This framework extends the Essential Cybersecurity Controls (ECC) to encompass the entire data lifecycle.