Cyber compliance in Saudi Arabia
Everything about cybersecurity obligations applicable in Saudi Arabia. Mandatory frameworks, recommended standards, competent authorities, and penalties.
Mandatory frameworks
Compliance frameworks mandated by regulation in Saudi Arabia.
NCA ECC
NCA Saudi
Essential Cybersecurity Controls from the Saudi National Cybersecurity Authority. Mandatory for government entities and critical infrastructure.
PDPL
SDAIA
Personal Data Protection Law. Saudi data protection law, overseen by the Saudi Data and Artificial Intelligence Authority (SDAIA).
Recommended standards
The most relevant international standards for the Saudi Arabia market.
ISO 27001:2022
ISO/IEC
Information security management system. Certification widely required in Saudi procurement.
NIST CSF 2.0
NIST
Cybersecurity framework. Reference for structuring the security approach alongside NCA ECC.
SWIFT CSP
SWIFT
Customer Security Programme. A contractual SWIFT requirement, not a Saudi regulation: every Saudi financial institution connected to the SWIFT network must attest annually against its mandatory controls.
Methodological frameworks
Complementary frameworks to structure your security approach.
CIS Controls v8
CIS
Prioritized critical security controls. Complementary with NCA ECC for enhanced technical coverage.
NIST 800-53
NIST
Exhaustive security controls catalog. Used as reference in Saudi critical sectors.
Saudi Arabia regulatory context
Competent authority
NCA (National Cybersecurity Authority) for cybersecurity. SDAIA (Saudi Data and Artificial Intelligence Authority) for data protection.
Penalties
PDPL provides administrative fines up to 5,000,000 SAR. NCA can suspend licenses and impose administrative sanctions for non-compliance with ECC.
Vision 2030
Cybersecurity is a pillar of Vision 2030. NCA has published over 10 complementary frameworks covering cloud, IoT, and critical data.
Financial sector
SAMA (the Saudi Central Bank, formerly the Saudi Arabian Monetary Authority and still known by that abbreviation) imposes additional cybersecurity requirements on banks and insurers through the SAMA Cyber Security Framework (SAMA CSF).