
NCA NCNICC-1:2025: Every Saudi Private Company Now Faces Mandatory Cybersecurity Controls

NCA's NCNICC-1:2025 makes cybersecurity controls mandatory for all Saudi private companies. Learn the 65 controls, Category A vs. B requirements, and how to achieve compliance alongside SAMA CSCC.

FyntraLink Team

The National Cybersecurity Authority (NCA) has drawn a line in the sand. With the official release of NCNICC-1:2025, every private-sector company operating in Saudi Arabia — not just Critical National Infrastructure operators — must now implement a defined baseline of cybersecurity controls. For CISOs and compliance officers who assumed NCA mandates only applied to government entities and CNI operators, the compliance landscape has fundamentally shifted.

What Is NCNICC-1:2025 and Why Does It Matter?

NCNICC-1:2025, formally titled the "Cybersecurity Controls for Non-Critical National Infrastructure Private Sector Entities," was published in January 2026 and represents the NCA's most significant regulatory expansion since the original Essential Cybersecurity Controls (ECC) framework. Where ECC-1:2018 and its updated successor ECC-2:2024 targeted government bodies and CNI operators, NCNICC-1:2025 closes a gap that left thousands of Saudi private-sector firms without binding cybersecurity obligations. The framework establishes 65 essential controls organized across three themes — Governance, Defence, and Resilience — with 22 sub-components covering access management, risk assessment, incident response, monitoring, third-party security, and employee awareness training.

Who Must Comply: Category A vs. Category B

The NCA has divided private-sector entities into two compliance tiers based on workforce size and annual revenue. Category A includes large organizations with 250 or more full-time employees or annual revenue exceeding SAR 200 million; these entities must implement the full 65-control set without exception. Category B covers small and medium enterprises with 6 to 249 employees or annual revenue between SAR 3 million and SAR 200 million; while the majority of Defence-themed controls remain mandatory for Category B, certain Governance and Resilience requirements are classified as "Recommended" rather than obligatory. Micro-enterprises with fewer than 6 employees or revenue under SAR 3 million are currently exempt, though the NCA has signaled future updates may extend coverage to this segment as well.

The 65 Controls: Key Requirements Financial Institutions Should Watch

Several NCNICC-1:2025 controls directly mirror or complement existing SAMA Cyber Security Framework (CSCC) requirements, creating an overlap that regulated financial institutions can leverage. Mandatory periodic risk assessments must follow a documented methodology and feed into a risk register reviewed at least annually. Technical security configurations require hardening baselines aligned with vendor guidance or recognized benchmarks such as CIS Controls. Incident response procedures must include documented playbooks, designated response teams, and mandatory reporting to the NCA's National Cyber Threat Center within prescribed timelines. Third-party risk management controls mandate that organizations assess and monitor the cybersecurity posture of vendors, service providers, and cloud platforms — a requirement that aligns with both SAMA's outsourcing circular and PCI-DSS Requirement 12.8. Employee cybersecurity awareness programs must include phishing simulations and role-specific training delivered at least twice annually.

How NCNICC-1:2025 Intersects with SAMA CSCC and ECC-2:2024

For organizations already compliant with SAMA CSCC, the transition to NCNICC-1:2025 is not a ground-up rebuild — but it is not a rubber stamp either. SAMA-regulated banks and insurance firms that have implemented the full CSCC framework will find approximately 70% control overlap with NCNICC-1:2025, particularly in areas like access control, vulnerability management, and logging. However, NCNICC-1:2025 introduces specific requirements around Saudization of cybersecurity roles — all cybersecurity positions, not just senior roles, must now be filled by qualified Saudi nationals. Additionally, NCNICC-1:2025's data localization and sovereignty requirements add compliance obligations that go beyond what SAMA CSCC explicitly mandates. Organizations subject to both ECC-2:2024 and NCNICC-1:2025 should conduct a unified gap assessment rather than treating each framework in isolation, as duplicate audit efforts waste budget and create inconsistent control implementations.

Penalties and Enforcement: What Non-Compliance Looks Like

The NCA has enforcement authority under the Anti-Cyber Crime Law and its own governing regulations. While specific penalty schedules for NCNICC-1:2025 violations have not been published at the granular level, precedent from NCA enforcement actions against government entities and CNI operators suggests that non-compliant organizations face formal warnings, mandated remediation timelines, financial penalties, and potential operational restrictions. For SAMA-regulated entities, non-compliance with overlapping cybersecurity controls could trigger additional supervisory action from the Central Bank, compounding regulatory risk. The NCA has also indicated that compliance audits will be conducted by authorized third-party assessors, creating a new market for certified cybersecurity audit firms in the Kingdom.

Practical Steps to Achieve NCNICC-1:2025 Compliance

  1. Determine your category: Verify whether your organization falls under Category A or Category B based on headcount and revenue thresholds. This determines your mandatory control set.
  2. Conduct a gap assessment: Map your existing controls against NCNICC-1:2025 requirements. If you are already SAMA CSCC or ECC-2:2024 compliant, focus on the delta — particularly Saudization requirements and data sovereignty controls.
  3. Establish a cybersecurity governance committee: NCNICC-1:2025 requires a formal governance structure with defined roles, including a designated cybersecurity officer who reports to executive management.
  4. Implement technical baselines: Deploy CIS-benchmarked hardening configurations, enable centralized logging with a minimum 12-month retention period, and ensure endpoint detection and response (EDR) covers all critical assets.
  5. Formalize incident response: Document IR playbooks, establish communication channels with the NCA's National Cyber Threat Center, and conduct tabletop exercises at least quarterly.
  6. Address third-party risk: Inventory all vendors with access to your systems or data, assess their cybersecurity posture, and include cybersecurity clauses in procurement contracts.
  7. Launch a Saudization roadmap: Audit your current cybersecurity workforce composition and develop a hiring and training plan to meet the all-roles Saudization requirement within the NCA's compliance timeline.

Conclusion

NCNICC-1:2025 marks a turning point for cybersecurity governance in Saudi Arabia. Private-sector companies can no longer operate under the assumption that NCA frameworks are someone else's problem. The controls are mandatory, the enforcement mechanisms are real, and the compliance timeline is running. Organizations that act now — conducting gap assessments, aligning existing SAMA or ECC controls, and addressing new requirements like workforce Saudization — will be positioned to meet regulatory expectations without disruptive last-minute remediation.

Is your organization prepared? Contact Fyntralink for a complimentary NCNICC-1:2025 readiness assessment and SAMA Cyber Maturity evaluation. Our GRC consultants will map your current posture against both frameworks and deliver a prioritized remediation roadmap.