Healthcare Cybersecurity in Saudi Arabia: NCA and MOH

Hamza Razzaq

June 14, 2026

Saudi Arabia is rebuilding its healthcare system at a pace few other markets can match. Under Vision 2030's Health Sector Transformation Programme, hospital networks are expanding, private operators are scaling, digital health platforms are coming online by the month, and the volume of sensitive patient data flowing through Saudi systems has grown beyond what most existing controls were designed for. The regulatory response has tightened in step, but it is regularly misunderstood.

Two common misconceptions get in the way. The first is that healthcare gets a different regulator. It does not: the National Cybersecurity Authority (NCA) is the cybersecurity regulator for healthcare in the Kingdom, working in coordination with the Ministry of Health (MoH). The second misconception is more specific: many Saudi healthcare leaders search for "ADHICS" expecting to find the Saudi framework. ADHICS is not Saudi; it is the Abu Dhabi Healthcare Information and Cyber Security Standard, issued by the Department of Health Abu Dhabi. If you arrived here looking to apply ADHICS to your Saudi healthcare organisation, the section below explains what actually applies and why.

This guide maps the real Saudi healthcare cybersecurity stack: which NCA framework applies to hospitals and health tech, how the MoH coordinates with the NCA, what PDPL means for patient data, what a healthcare-specific penetration test should cover, and how Vision 2030's Health Sector Transformation Programme is shaping the compliance posture every Saudi healthcare organisation needs in 2026. For the wider regulatory context, see our guide to what the NCA is.

  1. What Cybersecurity Frameworks Apply to Saudi Healthcare
  2. NCA ECC and NCNICC for Hospitals and Health Tech
  3. MOH Coordination With the NCA
  4. PDPL and Patient Data
  5. Looking for ADHICS in Saudi Arabia?
  6. Penetration Testing for Healthcare Systems
  7. Vision 2030 Health Sector Transformation
  8. How SecurityWall Supports Saudi Healthcare

What Cybersecurity Frameworks Apply to Saudi Healthcare

A Saudi healthcare organisation sits inside three overlapping regimes, each with a different question to answer.

The Saudi Healthcare Compliance Stack: Three Regulators, One Healthcare Organisation

Layer   Governs                                  For healthcare
NCA     National cybersecurity controls          ECC if a CNI hospital; NCNICC if private and non-CNI
MOH     Health-sector-specific standards         Coordinated with the NCA on the national framework
PDPL    Personal data, including health data     Sensitive-tier protections, cross-border restrictions

All three apply at once for most Saudi healthcare organisations, and the Anti-Cybercrime Law reinforces the security obligations across the stack.

This is the actual landscape, and it is recognisable to anyone who has worked through the fintech compliance stack we cover elsewhere. The frameworks overlap heavily on technical and governance controls; the differentiators are healthcare-specific data sensitivity, clinical-system risk, and the Vision 2030 transformation agenda pushing the sector forward.

NCA ECC and NCNICC for Hospitals and Health Tech

The NCA's frameworks are the primary cybersecurity baseline for Saudi healthcare. Which one applies depends on classification.

Hospitals and large healthcare networks classed as Critical National Infrastructure (CNI) fall under the Essential Cybersecurity Controls (ECC 2:2024), the NCA's deepest control set, with 4 domains, 28 subdomains, and 108 main controls covering governance, defence, resilience, and third-party and cloud security. Major public and private hospitals operating systemically important services typically sit here.

Smaller hospitals, clinics, health tech platforms, and digital health startups that are not designated CNI fall under NCNICC-1:2025, the NCA's binding standard for non-CNI private-sector entities, in force since January 2026. NCNICC is calibrated to size, with Class A (large) and Class B (SME) tiers, and it applies the same people-process-technology backbone with a lighter total footprint for SMEs.

In practice, the obligations are recognisable across both frameworks: governance with a defined cybersecurity function, identity and access management with MFA, encryption, logging and monitoring, vulnerability management, penetration testing, third-party oversight, and the documented evidence to prove the controls operate. Where healthcare differs is in what those controls protect — clinical systems, EMR/EHR platforms, medical devices, telehealth infrastructure, and integration layers between providers, payers, and government health data exchanges.

The right first step is the same as anywhere else in the cluster: classify your organisation, then run a gap assessment against the framework that applies. Trying to implement to ECC when NCNICC is your actual scope wastes money; the reverse leaves you exposed.

MOH Coordination With the NCA

The Ministry of Health does not run a separate, parallel cybersecurity framework that contradicts the NCA's. Instead, the MoH coordinates closely with the NCA on the national healthcare cybersecurity framework; the two operate as a joined-up regulatory layer rather than competing regimes.

What this means in practice for a Saudi healthcare organisation is that the cybersecurity obligations you face under the NCA's ECC or NCNICC are reinforced by MoH expectations on health-sector-specific controls: risk management aligned to clinical risk, secure software development for health systems, identity and access governance suited to clinical workflows, data protection sensitive to patient confidentiality, and breach reporting that meets MoH operational expectations alongside NCA ones. The framework also sits alongside the Personal Data Protection Law and the Anti-Cybercrime Law, which together reinforce the obligations on health data and prosecutable cyber offences.

The practical upshot: there is no separate "MoH cybersecurity certification" to chase on top of NCA compliance. Build to the NCA framework that applies to you, build with healthcare-specific risks in mind, and your MoH obligations are largely covered through the same programme.

PDPL and Patient Data

Health data is among the most sensitive categories of personal data under the Personal Data Protection Law. PDPL is administered by SDAIA, has been fully enforceable since September 2024, and is now in active enforcement — SDAIA's committees issued 48 enforcement decisions through 2025 and early 2026, covering failures to implement technical and organisational safeguards alongside other categories of violation.

For Saudi healthcare, the PDPL obligations that bite hardest are mostly familiar to any GDPR practitioner, with a few that are Saudi-specific:

  • Lawful basis and consent: for processing health data, particularly for secondary uses (research, analytics, AI training)
  • Data minimisation: collecting only what is clinically necessary, retaining only what is justified
  • Technical and organisational safeguards: the cybersecurity controls already mandated by the NCA, here as PDPL obligations in their own right
  • Cross-border transfers: Saudi Arabia operates an adequacy regime with SDAIA authorisation and risk assessment requirements; this is where healthcare organisations using foreign cloud providers, telehealth platforms, or international research partners most often have gaps
  • Patient rights: access, correction, deletion, and withdrawal of consent
  • Breach notification: within statutory timeframes

The combination of clinical risk, sensitive data, and active PDPL enforcement makes healthcare one of the highest-stakes verticals in the Kingdom for getting data protection wrong.

Looking for ADHICS in Saudi Arabia?

This section exists because a lot of Saudi healthcare leaders search for "ADHICS" expecting to find the Saudi framework. They will not, and it is worth being clear about why, because the confusion costs time and budget.

ADHICS, the Abu Dhabi Healthcare Information and Cyber Security Standard, is a framework issued by the Department of Health Abu Dhabi for healthcare entities operating under DoH Abu Dhabi's jurisdiction in the United Arab Emirates. It is excellent, well-structured, and widely respected in the region. It is also not applicable to your Saudi operations.

If your Saudi healthcare organisation is searching for ADHICS, the framework you actually need to comply with is:

  • NCA ECC 2:2024: if you are a hospital or healthcare entity classed as Critical National Infrastructure
  • NCNICC-1:2025: if you are a private healthcare entity not classed as CNI; most clinics, health tech platforms, and digital health startups land here
  • Coordinated MoH expectations: alongside the NCA framework
  • PDPL: for the patient data flowing through your systems
  • Anti-Cybercrime Law: as the prosecutable backbone

If you operate across both Saudi Arabia and the UAE, you will face the Saudi stack on your KSA operations and ADHICS on your Abu Dhabi healthcare operations. They share substantial DNA with international standards like ISO 27001, so a well-designed control environment can serve both, but the regulatory submission paths and assessment expectations differ. Build to the union of both if you operate in both jurisdictions.

The cheapest mistake to avoid is implementing ADHICS controls thinking they discharge your Saudi obligations; they do not.

Penetration Testing for Healthcare Systems

The NCA's penetration testing requirements under the Cybersecurity Defence domain apply to healthcare like any other in-scope sector, but the scope of a credible healthcare engagement extends well beyond generic IT testing. A healthcare-aware penetration test should cover:

  • Clinical systems and EMR/EHR platforms: the systems holding patient records, with attention to authentication, access controls, audit logging, and data exfiltration paths
  • Medical device estate: networked medical devices are routinely under-protected; testing should cover network exposure, default credentials, segmentation, and the integration paths between devices and clinical systems
  • Integration APIs and HL7/FHIR interfaces: the data exchange layer between providers, payers, labs, and government health data platforms is a high-value target; testing should exercise the APIs, the authentication, and the abuse cases
  • Telehealth and patient-facing platforms: increasingly under attack as their footprint grows; web, mobile, and identity attack surfaces are all relevant
  • Cloud infrastructure: most healthcare estates run substantial cloud workloads; configuration, identity, and data-store testing apply
  • Network segmentation: clinical, corporate, guest, and device networks should be tested for the boundaries that compliance documents claim to enforce
  • Conventional infrastructure: external perimeter, internal network, web applications, vulnerability management evidence

For healthcare organisations operating systems that fall under the NCA's higher-tier services, segmentation and clinical-system testing are the most common areas where a generic penetration test misses the real risk. Testing should be scoped accordingly, and the report should be formatted to satisfy NCA Defence-domain expectations alongside any MoH evidence requirements.

Vision 2030 Health Sector Transformation

Compliance for Saudi healthcare is not separate from Vision 2030; it is one of its key enablers. The Health Sector Transformation Programme is reshaping the system around expanded access, upgraded infrastructure, greater private-sector participation, and substantial digital health investment. The MoH and NCA's coordinated cybersecurity framework exists to make that transformation safe: the more interconnected and data-rich Saudi healthcare becomes, the larger the attack surface and the higher the regulatory stakes.

For healthcare leaders, the practical implication is to treat compliance as a Vision 2030 lever rather than a compliance tax. A healthcare organisation that can demonstrate strong NCA-aligned cybersecurity, PDPL-compliant data handling, and MoH-coordinated controls is well-positioned for:

  • Public-private partnerships and government contracts: the kind procurement teams are increasingly conditioning on cybersecurity posture
  • Foreign investment and international clinical partnerships: investors and partners take due diligence on cybersecurity and data protection seriously
  • Telehealth and digital health expansion: every new service surface increases regulatory exposure, but also commercial opportunity
  • AI-enabled healthcare: health AI brings the full SDAIA, PDPL, and NCA stack into play; getting the foundations right matters more here than almost anywhere

The healthcare organisations that move first on this will be the ones positioned to win the digital-health phase of Vision 2030. The ones that wait will be retrofitting under pressure.

How SecurityWall Supports Saudi Healthcare

SecurityWall is an NCA-registered cybersecurity firm working with Saudi healthcare organisations (hospitals, clinics, telehealth platforms, health tech startups, and integrated providers) across the NCA, MOH-coordinated, and PDPL obligations they face simultaneously. Our team holds OSCP, OSWE, CREST, CRT, CISM, and CISSP credentials, and we approach healthcare security from an offensive perspective: testing whether controls actually work, not just whether they are documented.

Healthcare-Specific Gap Assessment

  • Scoping and classification: confirming ECC or NCNICC applicability for your organisation
  • A single gap assessment mapped across the NCA framework, MoH expectations, and PDPL so controls are built once and serve all three
  • Healthcare-specific scoping for clinical systems, EMR/EHR, medical devices, and integration APIs

Healthcare-Aware Penetration Testing

  • Penetration testing scoped to the NCA's Defence-domain expectations with healthcare-specific surface coverage
  • Clinical systems, medical devices, HL7/FHIR APIs, telehealth platforms, segmentation validation
  • Reports formatted for NCA assessment and MoH review, with retesting included

PDPL Technical Safeguards for Patient Data

  • The cybersecurity side of PDPL compliance, built alongside privacy specialists handling consent and legal aspects
  • Sensitive-tier data classification, access controls, encryption, breach detection
  • Cross-border transfer reviews for telehealth and international clinical partnerships

One Programme, Three Regulators


An NCA-registered team to take your hospital, clinic, or health tech platform through the NCA, MOH-coordinated, and PDPL obligations in one coordinated programme. Healthcare-specific penetration testing scoped to clinical systems, devices, and integrations.



Frequently Asked Questions

What cybersecurity framework applies to Saudi hospitals?

For hospitals classed as Critical National Infrastructure, the NCA's Essential Cybersecurity Controls (ECC 2:2024) apply. For non-CNI private healthcare entities, including most clinics, health tech platforms, and digital health startups, NCNICC-1:2025 applies. Both are reinforced by MoH coordination and PDPL obligations on patient data, with the Anti-Cybercrime Law underpinning the prosecutable side of cyber offences.

Does ADHICS apply in Saudi Arabia?

No. ADHICS is the Abu Dhabi Healthcare Information and Cyber Security Standard, issued by the Department of Health Abu Dhabi for healthcare entities under UAE jurisdiction. For Saudi healthcare, the applicable frameworks are the NCA's ECC or NCNICC, coordinated MoH expectations, and PDPL, not ADHICS.

Who regulates healthcare cybersecurity in Saudi Arabia?

The National Cybersecurity Authority is the primary regulator, working in coordination with the Ministry of Health on the national healthcare cybersecurity framework. The Personal Data Protection Law, administered by SDAIA, governs health data specifically, and the Anti-Cybercrime Law reinforces the prosecutable obligations.

Does PDPL apply to patient data?

Yes. Health data is among the most sensitive categories under PDPL, which has been fully enforceable since September 2024 and is now in active enforcement. PDPL governs lawful basis and consent, data minimisation, technical and organisational safeguards, cross-border transfers, patient rights, and breach notification, all directly relevant to healthcare.

Do Saudi healthcare organisations need penetration testing?

Yes. The NCA's penetration testing requirement applies under its Cybersecurity Defence domain. For healthcare, the testing should be scoped to cover clinical systems, EMR and EHR platforms, medical devices, integration APIs (HL7, FHIR), telehealth platforms, segmentation, and conventional infrastructure, not just generic network testing.

Do I need to comply with both NCA and MOH frameworks separately?

In practice, no: the MoH coordinates with the NCA on the national healthcare cybersecurity framework rather than running a separate, conflicting regime. Building to the NCA framework that applies to your organisation, with healthcare-specific risks in mind, covers the MoH coordination layer through the same programme.

Tags: NCA Saudi Arabia, PDPL, Saudi Arabia

About Hamza Razzaq

Hamza Razzaq is a cybersecurity professional with 10 years of SOC operations experience, specializing in threat monitoring, incident response, and SIEM-based detection across enterprise environments.
