Saudi Arabia: Adopted Critical Systems Cybersecurity Controls

On 18 December 2019, the National Cybersecurity Authority (NCA) of Saudi Arabia implemented the Critical Systems Cybersecurity Controls (CSCC - 1: 2019). The CSCC, developed as an extension of the Essential Cybersecurity Controls (ECC), aligns with the objectives set out in Saudi Arabia's Vision 2030. The CSCC applies to all organisations which own or operate critical systems, defined as systems or networks which, if they failed, or if there is unauthorised change in operation or access to data, would have a significant negative impact, as defined by the CSCC. The CSCC introduces a set of 32 principal controls and 73 subordinate controls, which are distributed across four main domains. The four main domains of the CSCC are: Cybersecurity Governance, Cybersecurity Defence, Cybersecurity Resilience, and Third-party and Cloud Computing Cybersecurity. It is required that organisations implement these controls in order to safeguard essential assets, with the NCA conducting periodic reviews to ascertain compliance. Compliance is verified through self-assessments and audits, with updates from the NCA addressing evolving threats on an ongoing basis.