19 November 2025

Cybersecurity Compliance In Saudi Arabia: Challenges And Penalties

Eyad Reda Law Firm LLP


Eyad Reda Law Firm LLP (ERLF) is a full-service legal practice in Saudi Arabia, with a diverse team and strong expertise in the country’s regulatory and cultural environment. We strive to be leaders in providing high-quality legal services, focusing on effective communication and collaborative relationships to ensure cost-effective, outstanding legal support.

Introduction

Saudi Arabia's focus on cybersecurity is longstanding. Before the establishment of the National Cybersecurity Authority (NCA) in October 2017, there were already two national centers for information security, one under the Ministry of Interior and another under the Ministry of Communications and Information Technology. Both centers were later transferred to the NCA after its formation.

The Kingdom's emphasis on cybersecurity is underscored by the fact that the NCA reports directly to the King, the ultimate reference of the three branches of government. The government has worked to empower the Authority to create a secure national cyberspace, issuing the necessary policies and regulatory frameworks, and fostering an environment that attracts talent and specialized companies. These collective efforts have made the Kingdom a global leader in cybersecurity. The 2025 IMD World Digital Competitiveness Report ranks Saudi Arabia first worldwide in cybersecurity readiness.

Several royal decrees have been issued requiring compliance with the NCA's regulations, governance frameworks, and technical standards. This reflects the Kingdom's strong commitment to cybersecurity and the growing awareness across the public sector, private enterprises, and society.

1. Major Legislation Related to Cybersecurity

The Saudi legislature has enacted several regulations, decrees, and enabling instruments to support the NCA in achieving its strategic objectives. Key among these are:

1.1 Regulation of the National Cybersecurity Authority

Issued by Royal Order No. (6801) dated 11/02/1439H, this regulation defines cybersecurity as: "Protecting networks, IT systems, operational technologies, and their components, hardware, software, services, and data—from any unauthorized access, disruption, alteration, use, or exploitation. The term also encompasses information security, electronic security, and digital security."

The regulation grants the NCA independent legal personality and financial and administrative autonomy, with direct reporting to the King. It designates the Authority as the competent body and national reference for all cybersecurity matters and assigns it 23 specific powers, including:

  • Developing and overseeing the implementation of the National Cybersecurity Strategy, and proposing updates.
  • Regulating the exchange of cybersecurity-related data and information among national entities.
  • Establishing national encryption standards and monitoring compliance.
  • Licensing individuals and private entities to engage in cybersecurity-related activities.
  • Promoting innovation, investment, and growth within the national cybersecurity sector.
  • Proposing the issuance or amendment of laws and regulations related to cybersecurity.

The NCA Council is granted the necessary powers to oversee operations and approve relevant policies, frameworks, and performance indicators.

All relevant entities are required to:

  • Enable the NCA to fully perform its mandate.
  • Immediately report any actual or potential cybersecurity threat or breach.
  • Implement the NCA's policies, governance mechanisms, and standards.
  • Cooperate during audits, inspections, and assessments.
  • Provide the NCA with documents, reports, and data necessary for its duties.

This regulation demonstrates that the Saudi legislator has vested the NCA with broad authority to safeguard national security, protect critical infrastructure, and enhance awareness across sectors. Centralizing cybersecurity governance within a single authority ensures both coordination and effective oversight.

1.2 Statutory Enablers of the NCA

Issued by Royal Decree No. (M/117) dated 21/06/1446H, these enablers reinforce the Authority's mandate by defining seven types of violations, including:

  • Conducting cybersecurity-related activities requiring an NCA license without authorization or in violation of license terms.
  • Failing to comply with the NCA's policies, governance mechanisms, or controls.
  • Providing misleading cybersecurity-related information to the public or other entities.
  • Refusing to provide, or providing misleading, data or reports requested by the NCA.
  • Trading, manufacturing, or using cybersecurity-related devices or software without required approval.
  • Obstructing NCA inspectors from performing their duties or failing to cooperate with them.
  • Any other act violating the Authority's regulations or related decisions.

Violations are investigated by inspectors designated by the NCA Governor. A specialized Violations Committee may impose one or more of the following penalties:

  • Warning.
  • Temporary suspension or revocation of license.
  • Service or activity suspension.
  • Fines up to 25 million SAR.

Decisions may be appealed before the Administrative Court within 60 days of notification.

2. Instruments Issued by the NCA

To ensure consistent application of cybersecurity standards, the Authority has issued numerous frameworks, policies, controls, standards, and tools. These instruments assist public and private entities in meeting technical and regulatory requirements.

2.1 Core Frameworks and Standards

  • National Encryption Standards (NCS–1:2020): Define minimum encryption requirements for protecting data, systems, and networks used in civil and commercial contexts, aligned with global best practices.
  • Regulatory Framework for Licensing Managed SOC Services: Establishes a unified framework for entities providing managed Security Operations Center services, ensuring efficiency and accountability.
  • National Cybersecurity Risk Management Framework: Provides a national methodology for identifying and mitigating cybersecurity risks across all sectors.

2.2 Key Policies and Controls

  • Essential Cybersecurity Controls (ECC 2–2024): Set baseline cybersecurity requirements to protect national information and technology assets.
  • Cybersecurity Controls for Cloud Computing: Outline security requirements for cloud service providers and subscribers to reduce risks and enhance readiness.
  • Cybersecurity Controls for Operational Systems: Define minimum protection measures for operational systems in critical industrial facilities, preventing unauthorized access and minimizing national-level risks.
  • Cybersecurity Controls for Data: Establish minimum requirements for protecting data throughout its lifecycle.

2.3 Key Guidelines

  • Implementation Guidelines for Cybersecurity Controls: Assist entities in aligning with NCA standards.
  • Cybersecurity Guidelines for E-Commerce: Provide two documents, one for service providers and another for consumers, offering practical steps for safe online transactions, particularly for SMEs and home-based businesses.

2.4 Tools

  • Cybersecurity Tools: Templates issued by the NCA to help entities design policies, standards, and governance documents. These tools enhance readiness, mitigate risks, and facilitate compliance monitoring.

3. Opportunities

The Kingdom's strong institutional support for cybersecurity has generated substantial economic opportunities.

According to the Saudi Vision 2030 report, total spending on cybersecurity across the public and private sectors amounts to SAR 13.3 billion, with 69% contributed by the private sector. The sector contributes SAR 15.6 billion to the national economy, driven by 355 companies offering cybersecurity solutions and services. Approximately 19,600 professionals are employed in this field.

Despite this impressive growth, the continued expansion of the economy and the influx of foreign and domestic investments have increased demand for cybersecurity solutions. The government's commitment to adopting world-class standards further amplifies this demand.

To regulate the market and enhance transparency, the NCA launched the "Haseen" platform, a national registry for companies providing cybersecurity products and services.

4. Challenges

While Saudi Arabia ranks among the top nations globally in cybersecurity, certain challenges persist—particularly for the private sector—in implementing and complying with NCA frameworks. These include:

  • The dispersion of regulatory instruments and lack of clarity regarding their binding applicability to specific private-sector markets.
  • A unique drafting style for NCA frameworks that differs from conventional Saudi legislative drafting.
  • Limited legal education and specialization in cybersecurity law.
  • A shortage of targeted training programs for private-sector entities to understand their cybersecurity obligations.

5. Conclusion

Saudi Arabia's government has demonstrated unwavering support for cybersecurity—both through the establishment of a dedicated national authority and through the empowerment it continues to receive. The NCA's initiatives have produced remarkable progress in building a resilient, secure digital environment.

The Authority's mission seeks not to hinder innovation or business but to protect and enable it. This balanced approach has created a dynamic and promising cybersecurity market that contributes directly to the Kingdom's GDP and attracts companies, experts, and national talent.

Although some challenges remain, they are transitional and expected to diminish with continued institutional maturity and awareness. Every entity subject to NCA regulations must now act responsibly—by avoiding violations under the Statutory Enablers, complying with issued frameworks, and keeping pace with new policies and decisions.

Non-compliance could lead to severe penalties, including suspension of activities or fines of up to SAR 25 million.

Cybersecurity in the Kingdom, however, stands today as both a pillar of national security and a driver of digital and economic growth.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
