Cybersecurity Controls 2025: Saudization and Administrative Separation of Companies

December 30, 2025
Learn about the new cybersecurity regulations for the private sector in Saudi Arabia in 2025, which require large companies to Saudize their security officers and separate their cybersecurity departments from information technology.

In a strategic move aimed at strengthening the Kingdom’s digital economy, the National Cybersecurity Authority issued the “Cybersecurity Controls for Private Sector Entities Not in Critical Infrastructure” document for 2025. This document sets out a strict regulatory framework that holds private sector establishments to precise standards to ensure business continuity and protect national data.

The context of digital transformation and Vision 2030

These regulatory measures come in response to the rapid pace of digital transformation underway in Saudi Arabia as part of its Vision 2030 goals. With the Kingdom aiming to increase the private sector's contribution to GDP to 65% and raise the share of small and medium-sized enterprises (SMEs) to 35%, cyberspace has become a vital arena requiring maximum protection. These regulations are part of the Kingdom's efforts to enhance its global standing in cybersecurity indices, as digital economies worldwide face increasing challenges such as ransomware attacks and data breaches, necessitating a unified national digital framework.

Classification of facilities and determination of responsibilities

The authority adopted a precise methodology in classifying the targeted entities to ensure that the controls are commensurate with the size of the risks, dividing companies into two categories:

  • The first category (large entities): These are entities with more than 250 employees or annual revenues exceeding 200 million riyals. This category is required to implement 65 basic regulations covering all security and technical aspects.
  • The second category (small and medium-sized entities): This includes establishments with between 6 and 249 employees, or revenues between 3 million and 200 million riyals, for which 26 basic controls have been allocated, focusing on protecting core operations without imposing an excessive regulatory burden on them.

Governance: Saudization of leadership and separation of powers

The document brought about a fundamental change in the administrative structure of large companies, mandating the establishment of an independent cybersecurity management unit reporting directly to the head of the organization. This ensures its complete separation from the information technology (IT) department to prevent conflicts of interest. Furthermore, in the interest of strengthening digital sovereignty and localizing knowledge, the regulations stipulate that this unit and its supervisory staff must be full-time, qualified Saudi nationals, thus opening up significant opportunities for employing national talent in this vital sector.

Strengthening technical and cloud defenses

On a technical level, the authority did not limit itself to generalities, but rather specified mandatory procedures that include:

  • Mandatory use of Multi-Factor Authentication (MFA) for remote login and email.
  • Activating global email protection protocols (SPF, DMARC) to counter phishing and impersonation emails.
  • Performing periodic backups and recovery tests to address data loss disasters.
  • Incorporating cybersecurity requirements into contracts with suppliers and cloud service providers, while ensuring that the entity's data is kept separate from others in shared cloud environments.

These regulations confirm that cybersecurity is no longer a technical option, but a fundamental pillar of economic stability, as the Authority aims through these standards to create a safe and reliable investment environment that supports the growth of the private sector and protects it from evolving threats.
