NCA NCNICC 2025: Cybersecurity Controls for Saudi Arabia’s Private Sector

July 7, 2026 · 10 min read · GHS Security Team

Quick Answer

NCNICC-1:2025 (Non-Critical National Information Infrastructure Cybersecurity Controls — sometimes searched as NCICC) is a new National Cybersecurity Authority (NCA) framework that extends mandatory cybersecurity requirements to every private-sector organization in Saudi Arabia that is not designated as Critical National Infrastructure (CNI).

Until now, ordinary Saudi companies — SMEs, non-CNI enterprises, most of the private sector — sat outside NCA's mandatory scope, which was limited to government entities and CNI operators under ECC. NCNICC-1:2025 closes that gap with a right-sized control set: 3 components, 22 subcomponents, and roughly 65 essential controls, tiered by organization size.