SAMAReady Blog · Regulation · March 28, 2026

NCA NCNICC: New Cybersecurity Controls for Saudi Private Sector Companies

The National Cybersecurity Authority (NCA) published a landmark new framework in 2025: the Non-Critical National Infrastructure Cybersecurity Controls (NCNICC-1:2025). For the first time, mandatory cybersecurity requirements extend beyond government and critical infrastructure to cover the broader private sector in Saudi Arabia.

Why NCNICC Matters

Previously, the NCA's Essential Cybersecurity Controls (ECC) applied primarily to government entities and critical infrastructure operators. The NCNICC changes the landscape dramatically:

  • Broader scope — Any private sector company operating in Saudi Arabia may fall under NCNICC requirements, regardless of whether it operates critical infrastructure.
  • Regulatory enforcement — The NCA has signaled that compliance will be monitored and enforced, with potential penalties for non-compliance.
  • Market expectation — Even before enforcement begins, major Saudi enterprises and government entities are including NCNICC compliance in their vendor requirements.

Who Must Comply?

The NCNICC applies to private sector entities that own or operate non-critical national infrastructure. In practice, this means:

  • Technology companies — SaaS providers, cloud services, software development firms, and IT service companies.
  • Professional services — Consulting firms, law firms, accounting firms, and recruitment agencies handling sensitive data.
  • Retail and e-commerce — Online retailers, marketplaces, and payment-accepting businesses.
  • Healthcare providers — Private hospitals, clinics, laboratories, and health-tech companies.
  • Education — Private universities, schools, and ed-tech platforms.
  • Real estate and construction — Property developers, facility management, and construction firms with digital systems.

Key Requirements

The NCNICC is structured around cybersecurity domains similar to the ECC but tailored for the private sector:

1. Cybersecurity Governance

  • Appoint a cybersecurity officer or designate a responsible person.
  • Establish and maintain a cybersecurity policy approved by senior management.
  • Conduct annual cybersecurity risk assessments.
  • Maintain an inventory of information assets.

2. Identity and Access Management

  • Implement unique user accounts for all employees — no shared accounts.
  • Enforce strong password policies and multi-factor authentication for administrative and remote access.
  • Conduct regular access reviews and promptly revoke access when employees leave.

3. Data Protection

  • Classify data based on sensitivity and apply appropriate protection controls.
  • Encrypt sensitive data at rest and in transit.
  • Implement data backup procedures with regular testing.
  • Control the use of removable media.

4. Network Security

  • Segment networks to isolate sensitive systems.
  • Implement firewalls and intrusion detection/prevention systems.
  • Secure remote access connections using VPN or equivalent technologies.
  • Monitor network traffic for anomalies.

5. Endpoint Security

  • Deploy anti-malware protection on all endpoints.
  • Keep operating systems and applications up to date with security patches.
  • Implement endpoint detection and response (EDR) capabilities.

6. Incident Management

  • Establish an incident response plan.
  • Report significant cybersecurity incidents to the NCA.
  • Conduct post-incident reviews to improve security posture.

7. Awareness and Training

  • Provide cybersecurity awareness training to all employees at least annually.
  • Conduct phishing simulations to test employee awareness.

Implementation Timeline

The NCA has provided an implementation period for organizations to achieve compliance. While exact timelines vary based on organizational size and sector, the general expectation is:

  • Phase 1 (Governance and Planning) — 3-6 months to establish governance structures, policies, and asset inventories.
  • Phase 2 (Technical Controls) — 6-12 months to implement identity management, network security, endpoint protection, and data protection controls.
  • Phase 3 (Continuous Operations) — Ongoing monitoring, incident management, training, and compliance reporting.

Overlap with Other Frameworks

Organizations already compliant with SAMA CSF, NCA ECC, or ISO 27001 will find significant overlap with NCNICC requirements:

NCNICC Domain                 SAMA CSF Overlap   NCA ECC Overlap   ISO 27001 Overlap
Cybersecurity Governance      High               High              High
Identity & Access Management  High               High              High
Data Protection               Medium             Medium            High
Network Security              High               High              Medium
Endpoint Security             Medium             High              Medium
Incident Management           High               High              High
Awareness & Training          Medium             Medium            High

NCNICC and Vision 2030

The NCNICC directly supports Vision 2030's goal of creating a secure and thriving private sector. As the Kingdom diversifies its economy beyond oil, a cybersecurity-aware private sector becomes essential. The framework helps SMEs and larger enterprises alike build the security posture needed to participate in Saudi Arabia's digital economy — from e-commerce and fintech to smart cities and digital health. By extending cybersecurity standards to the broader private sector, the NCA is ensuring that Vision 2030's digital transformation benefits from a resilient, trusted business ecosystem.

How SAMAReady Helps

SAMAReady is adding full NCNICC support to the platform, with a dedicated compliance checklist mapped to every NCNICC requirement. Organizations already tracking SAMA CSF, ECC, or ISO 27001 compliance in SAMAReady will automatically see cross-mapped controls — so you know which NCNICC requirements you already meet. The platform generates the policies, risk assessments, and evidence documentation the NCA expects, helping private sector companies achieve compliance efficiently and at a fraction of the cost of traditional consulting.


© 2026 SAMAReady.