Compliance
December 30, 2025

New NCA Regulations: Cyber Security Compliance for the Private Sector

The National Cybersecurity Authority (NCA) has officially released a pivotal regulatory document: the Cybersecurity Controls for Private Sector Entities Without Critical Infrastructure (NCNICC-1:2025).

For years, the NCA cybersecurity framework focused primarily on government entities and Critical National Infrastructure (CNI) sectors like energy and finance. However, with the release of the NCNICC, the NCA is signaling a major strategic shift: cyber security compliance is now a baseline requirement for the wider economy.

Here is what you need to know about the new controls, why they were released, and what they mean for your business.

The Strategic Shift: From "Critical" to "Comprehensive"

Historically, NCA regulations were designed to protect the nation's most sensitive assets. The NCNICC, however, was born out of the economic ambitions of Saudi Vision 2030. The Vision aims to increase the private sector's contribution to the GDP to 65% and raise the SME contribution to 35%.

As the private sector grows, it becomes a larger target for cyber threats. The NCNICC aims to minimize these risks by establishing a minimum standard of information security for small, medium, and large businesses that do not fall under critical infrastructure categories.

Who Needs to Comply? (Class A vs. Class B)

One of the most practical features of this NCA cybersecurity framework is its tiered approach. The NCA classifies private sector entities into two categories based on size and revenue.

Category          Class A (Large Entities)              Class B (SMEs)
Employees         More than 250 full-time employees     6 – 249 full-time employees
Revenue           More than 200 Million SAR annually    3 – 200 Million SAR annually
Compliance Load   High (65 Controls)                    Moderate (26 Controls)

Note: Micro-enterprises falling below these thresholds are currently outside the mandatory scope but are encouraged to utilize these controls to enhance their security.

Disclaimer: This article provides a high-level overview of the NCNICC-1:2025 framework. Specific requirements vary by control and entity type, and organizations should refer to the official NCA document for full compliance details.

The Controls: A Risk-Based Framework

To achieve cyber security compliance, the NCNICC framework is built on three main components: Governance, Defense, and Third-Party/Cloud Security.

Here is how the requirements differ between the two classes:

1. Cybersecurity Governance (The "Management" Layer)

  • Focus: Policies, Risk Management, and Audits.
  • Class A (Mandatory): Large entities must establish a cybersecurity unit independent of IT, define a risk management methodology, and undergo regular independent audits.
  • Class B (Recommended): For SMEs, heavy governance structures are largely recommended rather than mandatory. However, the NCA focuses Class B mandates on Awareness, ensuring employees are trained on threats like phishing and password security.

2. Cybersecurity Defense (The "Technical" Layer)

This is the core of the NCA cybersecurity framework. Most controls here are mandatory for BOTH Class A and Class B.

  • Identity & Access: Multi-Factor Authentication (MFA) is mandatory for remote access and sensitive systems.
  • Asset Protection: Entities must maintain an accurate inventory of assets and ensure they are protected by antivirus/anti-malware solutions.
  • Network & Email: Mandatory firewalls, email filtering (using SPF/DMARC/DKIM), and web application protection are required to prevent phishing and unauthorized access.
  • Data Hygiene: Encryption of data at rest and in transit is mandatory, as are regular backups to protect against data loss.
  • Vulnerability Management: Regular patching and vulnerability scanning are required for everyone. However, Penetration Testing is only mandatory for Class A (Large) entities; it is merely recommended for Class B.
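As an added illustration of how a practitioner might verify the "Network & Email" control above (the SPF and DMARC parts of email filtering), here is a small checker written for this page; it is not code from the NCA document or from the article's author. It parses SPF and DMARC TXT records and reports the weaknesses an assessor would flag (a permissive "+all", a DMARC policy of "none", no reporting address). The domain names and records are constructed samples, not real DNS data; DKIM is left out because checking it needs a per-sender selector that the page does not give.

```python
"""Checks SPF and DMARC TXT records against a minimal email-authentication baseline.
Added example for this article; the records below are constructed, not real."""

# Constructed sample records keyed by a fictional domain (assumption: these are the
# TXT records you would normally fetch from DNS for <domain> and _dmarc.<domain>).
SAMPLE_RECORDS = {
    "good.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "missing.example": {"spf": None, "dmarc": None},
}


def parse_spf(record):
    """Return {'mechanisms': [(qualifier, term), ...], 'all': qualifier-or-None},
    or None if the text is not a valid v=spf1 record."""
    if record is None:
        return None
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # SPF default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Return the DMARC tag/value pairs as a dict, or None if not a v=DMARC1 record."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("SPF: no valid v=spf1 record published")
    elif spf["all"] is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are not rejected")
    elif spf["all"] in ("+", "?"):
        findings.append(f"SPF: '{spf['all']}all' lets any host send as this domain")

    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record published")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy p={policy or 'missing'} does not act on failures")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address; aggregate reports will not be received")
    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Assess every domain in the record set; returns {domain: [findings]}."""
    return {domain: assess_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(f"{domain}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

In a real gap analysis you would replace the constructed dictionary with the TXT records fetched for your own domains; the checks themselves stay the same, and a PASS here only shows the records are published sensibly, not that the mail gateway actually enforces them.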

3. Third-Party & Cloud Security

  • Supply Chain: Large entities (Class A) must mandate security requirements in contracts with third-party vendors. For Class B, this is recommended.
  • Cloud Security: Both classes must ensure that their cloud environments and virtual servers are segregated and secure.

Why This Matters

The release of NCNICC-1:2025 is a clear message: Cyber security compliance is no longer optional for the private sector.

For Large Entities (Class A), this document formalizes practices required to manage cyber risk at scale. The requirement for independent audits will likely drive internal restructuring.

For SMEs (Class B), this represents a significant shift. The NCA mandate for technical controls like MFA, encryption, and backups moves cybersecurity from an IT afterthought to a core business requirement.

Next Steps for Businesses:

  1. Classify Yourself: Check if you are Class A or Class B based on the employee/revenue table.
  2. Conduct a Gap Analysis: Compare your current security posture against the NCNICC mandates.
  3. Focus on Defense: If you are an SME, prioritize the mandatory technical controls (MFA, Backups, Endpoint Protection) immediately.

By adhering to these controls, Saudi businesses not only avoid regulatory penalties but also build the resilience necessary to thrive in the Kingdom's rapidly digitizing economy.