Saudi Arabia: National Cybersecurity Authority adopted Non-CNI Private Sector Entities Cybersecurity Controls (NCNICC – 1:2025)

On 28 December 2025, the National Cybersecurity Authority (NCA) adopted the Non-CNI Private Sector Entities Cybersecurity Controls (NCNICC – 1:2025). The controls apply to private sector entities that are not operators of critical national infrastructure and are used as a mandatory reference for cybersecurity compliance within the Kingdom of Saudi Arabia. The document sets objectives, scope of work, applicability, implementation, compliance, and periodic update and review. It establishes minimum mandatory cybersecurity controls organised under three main components. These components are Cybersecurity Governance, Cybersecurity Defense, and Third-Party and Cloud Computing Cybersecurity. The controls define entity categories, with additional controls for large entities that either have more than 250 full-time employees or generate more than SAR 200 million annual revenue, mandatory and recommended controls, applicability symbols, and implementation responsibilities. The National Cybersecurity Authority is responsible for oversight, assessment of compliance, and issuance of updated versions in line with cybersecurity developments and related regulatory requirements.