GRC · NCA Regulations · Private Sector
Quick Answer
NCNICC-1:2025 (Non-Critical National Information Infrastructure Cybersecurity Controls — sometimes searched as NCICC) is a new National Cybersecurity Authority (NCA) framework that extends mandatory cybersecurity requirements to every private-sector organization in Saudi Arabia that is not designated as Critical National Infrastructure (CNI).
Until now, ordinary Saudi companies — SMEs, non-CNI enterprises, most of the private sector — sat outside NCA's mandatory scope, which was limited to government entities and CNI operators under ECC. NCNICC-1:2025 closes that gap with a right-sized control set: 3 components, 22 subcomponents, and roughly 65 essential controls, tiered by organization size.
If your company operates in Saudi Arabia and you're not a bank, telecom operator, or critical infrastructure provider, you've likely never had a binding NCA cybersecurity requirement to satisfy — until now. NCNICC-1:2025 changes that for the vast majority of the Saudi private sector. Here is what it covers, who's in scope, and how to build toward it without over-engineering your response.
NCNICC-1:2025 stands for Non-Critical National Information Infrastructure Cybersecurity Controls. It's a framework issued by Saudi Arabia's National Cybersecurity Authority (NCA), with an effective timeline around January 2026. You'll sometimes see it written informally as NCICC — the same requirement, just an abbreviation that drops a letter. Whichever way you've heard it referenced, the substance is the same: it's NCA's mandatory baseline for organizations that don't operate Critical National Infrastructure.
NCA's original framework, the Essential Cybersecurity Controls (ECC), was deliberately scoped to government entities and CNI operators — energy, telecom, finance, healthcare, and similar critical sectors. That left a large gap: the ordinary Saudi private sector — retailers, professional services firms, manufacturers, logistics companies, technology startups, and thousands of SMEs — had no NCA-mandated baseline to work toward at all. NCNICC-1:2025 closes that gap. It is effectively the first binding, NCA-mandated cybersecurity standard to reach the general Saudi private sector, rather than only government and critical-infrastructure entities.
This gap mattered more every year. As Saudi Arabia's private sector digitized under Vision 2030 — e-commerce, fintech-adjacent services, cloud adoption, and remote work all expanding rapidly — non-CNI companies became an increasingly attractive target precisely because they were, on average, less mature than regulated CNI operators. Attackers do not particularly care whether a company is formally designated Critical National Infrastructure; a breach at a mid-sized logistics firm or professional services company can still cause significant operational and reputational damage, and can also become a supply-chain entry point into larger, regulated organizations that depend on it. NCNICC-1:2025 is NCA's answer to that exposure.
The name is easy to misread as "not important." It actually just means "not formally designated as Critical National Infrastructure" — i.e., not an energy operator, not a major telecom carrier, not a systemically important financial institution, and so on. Nearly every other private company in the Kingdom — regardless of how much sensitive customer data it holds or how central it is to its own industry — falls into this "non-CNI" category and is therefore squarely inside NCNICC-1:2025's scope.
NCNICC-1:2025 applies to non-CNI private-sector entities operating in Saudi Arabia — small, medium, and large organizations alike. NCA applies the framework using a tiered approach based on organizational size and revenue, generally referred to as Category A and Category B. Some controls are mandatory for both categories; others apply only to Category A (typically larger organizations), while a subset of the more resource-intensive governance controls are listed as "recommended" rather than mandatory for smaller Category B entities. In practical terms: this covers the vast majority of ordinary Saudi businesses, not just large corporates.
If you are unsure which category your organization falls into, the safest planning assumption is to review both the mandatory and recommended control sets — recommended controls for Category B today are a reasonable signal of where mandatory requirements may expand as the framework matures through subsequent versions.
ECC and NCNICC-1:2025 share a common lineage — both come from NCA, both use a governance / defense / resilience structure — but they differ meaningfully in reach and depth.
| Aspect | ECC-2:2024 | NCNICC-1:2025 |
|---|---|---|
| Scope | Government + Critical National Infrastructure (CNI) | Private-sector organizations that are NOT CNI |
| Structure | 4 domains, 28 subdomains, 110 controls | 3 components, 22 subcomponents, ~65 controls |
| Rigor | Critical-infrastructure-grade, uniform across scope | Right-sized, tiered by Category A / Category B |
| Typical organization | Ministry, bank, energy or telecom operator | SME, mid-market company, non-CNI enterprise |
NCNICC-1:2025 mirrors ECC's logic at a lighter scale: 3 main components — Governance, Defense, and Resilience — broken into 22 subcomponents covering practical focus areas such as access management, risk management, monitoring, incident response, and third-party security, totaling roughly 65 essential controls. This is intentionally a smaller, more achievable set than ECC's 110 controls — the goal is a baseline every private company can realistically implement, not a critical-infrastructure-grade program.
Saudi Arabia's cybersecurity regulatory map is layered by entity type and sector. Use this table to identify which framework(s) apply to your organization:
| Framework | Entity Type | Scope Trigger | Regulator |
|---|---|---|---|
| NCA ECC | Government + CNI operators | Government status or CNI designation | NCA |
| NCNICC-1:2025 | Non-CNI private sector (any size) | Operating as a private company in KSA, not CNI | NCA |
| SAMA CSF | Banks, insurers, financial institutions | SAMA license or regulated financial activity | SAMA |
| CST CRF | Telecom, ISP, hosting/data center providers | CST ICT service provider license | CST |
Many organizations sit at an intersection — for example, a licensed ICT hosting provider that is also a private company would need to consider both CST CRF and NCNICC-1:2025 depending on its CNI status. A platform like ComplyOS is designed to help map a single control library across multiple applicable frameworks rather than running separate compliance tracks in parallel.
GHS Perspective
The organizations most caught off guard by NCNICC-1:2025 are exactly the ones who assumed NCA regulation "didn't apply to them" because they weren't a bank or a government contractor. That assumption is no longer safe. The good news is that NCNICC-1:2025 was clearly designed with achievability in mind — the 65-control baseline maps closely to security fundamentals most companies should already be doing regardless of regulation.
For a typical SME or mid-market company with no prior formal cybersecurity program, a phased approach works better than attempting all 65 controls simultaneously:
Once these fundamentals are in place, formal alignment to the remaining NCNICC-1:2025 subcomponents — the more detailed monitoring, third-party security, and resilience requirements — becomes a documentation and evidence exercise rather than a ground-up build. Most SMEs that follow this sequence reach a defensible NCNICC-1:2025 baseline within two to three quarters, at a fraction of the cost of building critical-infrastructure-grade controls they don't actually need. GHS's GRC advisory services are built around exactly this phased approach for non-CNI Saudi companies.
NCA is the regulatory authority responsible for monitoring and enforcing NCNICC-1:2025 compliance, and assessment is expected to combine self-assessment, independent audits by NCA-approved third parties, and direct NCA inspections — similar in structure to how ECC compliance is assessed. Practically, the risk of falling behind shows up as adverse audit findings and reduced standing in regulated business relationships, not as a punitive event — which is exactly why building the fundamentals early, rather than scrambling before an assessment, is the lower-cost path.
NCNICC-1:2025 was released with an effective timeline around January 2026, which means most non-CNI Saudi private-sector organizations are now inside or approaching their initial compliance window. Waiting for a formal notice from NCA before starting is not a sound strategy — the framework applies based on your organization's status and category, not on receiving an individual invitation to comply. A sensible near-term sequence looks like this:
Organizations that start early treat this as a manageable, incremental improvement to their existing security practices. Organizations that wait tend to face a much larger remediation backlog compressed into a shorter window before their first assessment.
GHS helps non-CNI private-sector companies map their current security posture against NCNICC-1:2025's 65 essential controls and build a phased, right-sized implementation plan.