
NCNICC-1:2025: The New NCA Cybersecurity Framework Your Saudi Business Must Know

📅 March 13, 2026 ⏱ 5 min read ✍️ GHS Publisher Team

A New Era for Private Sector Cybersecurity in Saudi Arabia

The National Cybersecurity Authority (NCA) has published a landmark framework: the Non-CNI Private Sector Entities Cybersecurity Controls — officially designated NCNICC-1:2025. This is the first dedicated cybersecurity standard specifically designed for private sector organizations in the Kingdom that do not operate Critical National Infrastructure (CNI).
If your business is a small, medium, or large private sector company operating in Saudi Arabia — and you are not already subject to the NCA’s ECC framework as a CNI operator — NCNICC-1:2025 now defines your minimum cybersecurity obligations. This is not guidance. It is binding regulation.

"NCNICC-1:2025 represents the NCA's commitment to ensuring that Saudi Arabia's entire private sector — from SMEs to large enterprises — operates within a secure and trusted digital environment, in direct support of Vision 2030."

What Is the NCNICC-1:2025 Framework?

NCNICC stands for Non-CNI Private Sector Entities Cybersecurity Controls. The framework was developed by the NCA following a comprehensive study of international cybersecurity best practices, and it is built upon the foundations of the NCA’s Essential Cybersecurity Controls (ECC), adapted specifically for the needs and risk profiles of private sector entities.

The framework applies to two distinct entity categories:

  • Category A — Large Enterprises: Organizations with more than 250 full-time employees OR annual revenues exceeding SAR 200 million. These entities must implement 3 core components, 22 sub-components, and 65 mandatory controls.
  • Category B — Small and Medium Enterprises (SMEs): Organizations with 6 to 249 full-time employees OR annual revenues between SAR 3 million and SAR 200 million. These entities must implement 1 core component, 13 sub-components, and 26 mandatory controls.

Because each category is defined by an OR across two thresholds, the criteria as summarized here overlap (an entity with 300 employees and SAR 100 million in revenue meets one test for each category) and leave edge cases such as exactly 250 employees unstated. Classification determines whether 65 or 26 controls apply, so confirm your category against the NCA's published text before scoping any work.

The Three Core Components of NCNICC-1:2025

Component 1: Cybersecurity Governance

This component establishes the organizational and administrative foundations for cybersecurity. It covers five sub-domains: cybersecurity management (including the establishment of a dedicated cybersecurity unit independent of IT), cybersecurity policies and procedures, cybersecurity risk management, periodic audit and review, and a cybersecurity awareness and training program. Large enterprises (Category A) must implement all five sub-domains as mandatory requirements.

Component 2: Cybersecurity Defense

The most technically comprehensive component, covering 15 sub-domains that together address the full spectrum of technical security controls:

  • asset management
  • identity and access management (IAM), with mandatory multi-factor authentication (MFA)
  • system and endpoint protection
  • email security, with SPF, DKIM, and DMARC requirements (note that a DMARC record published with p=none only reports on spoofing; it does not ask receivers to quarantine or reject unauthenticated mail)
  • network security management
  • mobile device security, including BYOD policies
  • data protection
  • encryption
  • backup management
  • vulnerability management
  • penetration testing
  • security event log management and monitoring
  • cyber incident management
  • physical security
  • web application protection

Component 3: Third-Party and Cloud Computing Cybersecurity

Recognizing the modern enterprise’s reliance on outsourced services and cloud infrastructure, this component requires organizations to embed cybersecurity requirements into all third-party contracts and service level agreements (SLAs), establish incident communication procedures with external parties, and implement specific controls for cloud service and hosting providers — including data classification before cloud storage and environment isolation in shared cloud platforms.

Who Enforces NCNICC-1:2025 and What Are the Consequences of Non-Compliance?

The NCA is the regulatory authority responsible for monitoring and enforcing compliance with NCNICC-1:2025, as empowered by Royal Decree No. 6801. The NCA will assess compliance through its chosen mechanisms, which may include self-assessments, independent audits by NCA-approved third parties, and direct NCA inspections. Organizations that fail to achieve and maintain compliance may face regulatory consequences, operational restrictions, and significant reputational risk.

Critically, NCNICC-1:2025 is a living document. The NCA will periodically review and update the framework to reflect evolving cyber threats and regulatory requirements. Organizations must stay current with NCA publications to ensure continued compliance.

How We Help Your Organization Achieve NCNICC-1:2025 Compliance

Our cybersecurity team has deep expertise across the full NCA regulatory ecosystem — including ECC, SAMA CSF, CST CRF, and now NCNICC-1:2025. We offer a structured, proven compliance pathway that takes organizations from gap assessment to full compliance efficiently and cost-effectively:

  • NCNICC-1:2025 Scoping and Entity Classification — We determine your category (A or B) and identify all applicable mandatory controls.
  • Comprehensive Gap Assessment — We measure your current cybersecurity posture against every applicable NCNICC control and produce a detailed gap report.
  • Remediation Roadmap — We build a prioritized action plan with clear timelines, resource requirements, and ownership assignments.
  • Policy and Procedure Development — We develop or update all required cybersecurity policies, procedures, and governance documentation.
  • Technical Control Implementation — Our engineers deploy the technical security controls required by NCNICC-1:2025, from MFA and endpoint protection to network segmentation and SIEM.
  • Awareness Training Program — We design and deliver role-tailored cybersecurity awareness training that satisfies the NCNICC training requirements.
  • Independent Audit Preparation — We prepare your organization for NCA compliance assessment and coordinate with approved independent auditors.
  • Ongoing Compliance Management — We provide continuous compliance monitoring and annual re-assessment services to keep you compliant as the framework evolves.

Whether you are a large enterprise with 65 mandatory controls to implement, or an SME tackling 26 controls for the first time — our team is ready to guide you through every step of the journey.

Get Started Today

NCNICC-1:2025 is now in effect. The NCA has made clear that compliance is mandatory for all private sector entities within the framework’s scope. The earlier your organization begins its compliance journey, the more time you have to implement controls properly — and the lower your risk exposure.

Contact our certified cybersecurity consultants today for a free initial NCNICC-1:2025 readiness assessment. Let us help you transform a regulatory obligation into a genuine competitive advantage.

GHS Security Team

Gray Hat Security's team of certified cybersecurity professionals — CISSP, CISM, OSCP certified — delivering practical, real-world security insights for Saudi businesses.