Gray Hat Security (GHS) logo

GRC · NCA Regulations · Private Sector

NCA NCNICC-1:2025: Cybersecurity Controls for Saudi Arabia's Private Sector

July 7, 2026 · 10 min read · GHS Security Team NCNICC-1:2025 GRC SME Compliance

Quick Answer

NCNICC-1:2025 (Non-Critical National Information Infrastructure Cybersecurity Controls — sometimes searched as NCICC) is a new National Cybersecurity Authority (NCA) framework that extends mandatory cybersecurity requirements to every private-sector organization in Saudi Arabia that is not designated as Critical National Infrastructure (CNI).

Until now, ordinary Saudi companies — SMEs, non-CNI enterprises, most of the private sector — sat outside NCA's mandatory scope, which was limited to government entities and CNI operators under ECC. NCNICC-1:2025 closes that gap with a right-sized control set: 3 components, 22 subcomponents, and roughly 65 essential controls, tiered by organization size.