NCNICC-1:2025: Every Saudi Private Company Now in Scope
Hisham Mir
May 28, 2026
For years, Saudi Arabia's cybersecurity regulations were something most private companies could safely ignore. The National Cybersecurity Authority's rules applied to government bodies and operators of Critical National Infrastructure (banks, energy, telecoms); almost everyone else watched from the sidelines. In January 2026, that changed completely, and most companies still do not know it. If you want to check your readiness now, use our NCA ECC Checklist: Score Your Readiness, No Sign-Up.
The NCA released NCNICC-1:2025, the Cybersecurity Controls for Non-CNI Private Sector Entities. It is the first cybersecurity standard written specifically for ordinary private companies in the Kingdom that are not critical infrastructure, and it is binding regulation, not guidance. If you run a private-sector business in Saudi Arabia and you are not already covered by the NCA's ECC framework as a CNI operator, NCNICC-1:2025 now defines your minimum cybersecurity obligations, whether you are a five-person startup or a thousand-person enterprise.
This is the largest expansion of mandatory cybersecurity obligations in Saudi Arabia in years, and there is almost no clear English-language guidance on it yet. This article fixes that: what NCNICC-1:2025 is, exactly who it applies to, what it requires, how it differs from the ECC, what to do now, what happens if you ignore it, and how to satisfy it efficiently alongside the NCA's other frameworks. If you need the bigger regulatory picture first, start with our guide to what the NCA is.
- What NCNICC-1:2025 Is and Why It Matters
- Who Does NCNICC-1:2025 Apply To?
- What NCNICC-1:2025 Requires — The Baseline Controls
- How NCNICC Differs From the ECC
- The Compliance Timeline — What to Do Now
- What Happens If You Ignore NCNICC-1:2025
- The Smart Path: NCNICC, ECC and SAMA Together
- SecurityWall's NCNICC Compliance Support
What NCNICC-1:2025 Is and Why It Matters
NCNICC-1:2025 stands for the Cybersecurity Controls for Non-CNI Private Sector Entities. It sets the minimum cybersecurity requirements that private organisations across the Kingdom (small, medium, and large) must implement to protect the confidentiality, integrity, and availability of their information and to strengthen business continuity.
Two things make it significant. First, it is the first NCA framework aimed squarely at the ordinary private sector rather than government or critical infrastructure. Second, it is mandatory: the NCA has been explicit that private-sector cybersecurity compliance is no longer optional.
The driver is economic, not just security. Saudi Vision 2030 aims to raise the private sector's contribution to GDP to around 65%, with small and medium enterprises contributing roughly 35%. As the private sector grows and digitises, adopting cloud, integrating vendors and moving operations online, it becomes a far larger target for attackers. NCNICC-1:2025 is the NCA's response: a baseline that lifts the whole economy's cyber resilience, not just its most sensitive assets.
Who Does NCNICC-1:2025 Apply To?
The short answer: almost every private company operating in Saudi Arabia that is not already covered by the ECC as a CNI operator. The framework deliberately casts a wide net across the private sector: technology companies, SaaS providers, e-commerce platforms, manufacturers, professional services firms, and more.
To make that practical, NCNICC-1:2025 sorts entities into two classes, based on an employee and revenue threshold table:
- Class A — Large Entities. Larger private organisations, which face the fuller set of obligations, including independent third-party audits. For these companies, the standard formalises the practices needed to manage cyber risk at scale.
- Class B — Small and Medium Enterprises. SMEs, which face a baseline calibrated to their size. For many of these businesses, this is the first time cybersecurity has moved from an IT afterthought to a formal, mandated business requirement.
Your first task is therefore simple but essential: determine your class. Classification drives which controls apply and whether you need an independent audit, so it is the foundation of any compliance plan. Getting it wrong, by assuming you are out of scope or mis-sizing yourself into the lighter tier, is the most common early mistake.
What NCNICC-1:2025 Requires — The Baseline Controls
NCNICC-1:2025 is built around the three core pillars of cybersecurity (people, processes, and technology) and translates them into a baseline of practical controls. In structure it spans governance, technical defence, operations, and supplier management, and it deliberately aligns with established standards such as ISO 27001 and NIST, so organisations already following those can map across with less effort.
On the technical side, the mandated controls are concrete and familiar:
- Multi-factor authentication on systems and accounts
- Encryption of sensitive data
- Backups with the ability to recover
- Endpoint protection across devices
- Patching and vulnerability management on a defined cadence
- Logging and monitoring of security events
Around those sit the governance and process requirements: defined cybersecurity ownership, risk assessment and treatment, documented policies and procedures, supplier and third-party oversight, and the evidence (policies, logs, reports, approvals, and training records) that demonstrates the controls actually operate. The recurring theme across every credible reading of the framework is that documentation and evidence are as important as the controls themselves: you must be able to show, not just assert, that you meet the baseline.
How NCNICC Differs From the ECC
Both frameworks come from the same regulator, which causes a lot of confusion. The simplest way to hold them apart: the ECC governs government and critical infrastructure; NCNICC governs everyone else in the private sector.
| Dimension | ECC-2:2024 | NCNICC-1:2025 |
|---|---|---|
| Who it covers | Government and CNI operators | Non-CNI private sector (all sizes) |
| Status | Mandatory for in-scope entities | Mandatory, binding regulation |
| Structure | 4 domains, 108 controls | People, process, technology; tiered |
| Tiering | By entity type | Class A (large) / Class B (SME) |
| Released | 2024 (updated from 2018) | January 2026 (new) |
| Assessment | Self-assessment, audits, inspection | Self-assessment; independent audit for Class A |
If you are a private company that is not a CNI operator, NCNICC-1:2025 — not the ECC — is almost certainly the framework that applies to you. Full ECC detail is in our ECC 2:2024 guide.
The Compliance Timeline — What to Do Now
The most important point on timing: NCNICC-1:2025 is already in force. It was released in January 2026 as binding regulation, so the obligation exists now; this is not a future requirement you can plan for later. Rather than waiting for a deadline, the right posture is to be moving toward demonstrable compliance today, with Class A entities working toward the independent audit the framework requires of them.
Because specific timelines and any sector-level expectations are set by the NCA and can vary by entity, you should confirm details against the regulator directly, but the practical implementation sequence is consistent regardless:
- Classify yourself: Confirm whether you are Class A or Class B against the employee and revenue thresholds.
- Define scope: Map the systems, departments, data, and third parties that fall under the controls.
- Run a gap assessment: Measure your current posture against the applicable NCNICC controls.
- Prioritise technical defence: Close the concrete gaps first (MFA, backups, endpoint protection, patching, monitoring).
- Build evidence packs: Policies, procedures, logs, reports, approvals, and training records that prove the controls operate.
- Self-assess, then audit: Complete your self-assessment and, for Class A, prepare for the independent third-party audit.
The companies that treat this as a project starting now will be ready when a customer, partner, or the regulator asks for proof. The ones that wait will be doing it under pressure.
Not sure whether you are Class A or Class B, or which controls apply? SecurityWall's NCA-registered team handles classification, scoping, and gap assessment as a single first step.
What Happens If You Ignore NCNICC-1:2025
Because NCNICC-1:2025 is binding regulation rather than advice, non-compliance carries real exposure. The NCA assesses private-sector compliance through self-assessment submissions, audits by approved third parties (particularly for Class A entities), and its own oversight, so gaps are something the regulator can identify, not a theoretical risk.
The consequences fall into familiar categories. There is regulatory exposure, where non-compliant organisations can face action and be required to remediate. There is commercial exposure: as compliance becomes the baseline expectation, it increasingly shows up in contracts, tenders, and partner due diligence, and the inability to demonstrate it costs deals. There is operational exposure from the very risks the controls are meant to mitigate; a baseline this concrete exists because the underlying threats are real. And there is reputational exposure, which in a market built on Vision 2030's digital-trust agenda can be the most lasting damage of all.
The honest framing is this: NCNICC-1:2025 is not a box-ticking burden invented to create work. It is a floor, and being below the floor is now something your customers, partners, and regulator can all see.
The Smart Path: NCNICC, ECC and SAMA Together
Here is the opportunity hidden inside the obligation. The NCA's frameworks share a common backbone of controls, so the work you do for NCNICC-1:2025 is not wasted effort; it is a foundation you can extend.
If your business grows into critical-infrastructure territory, or you acquire systems that bring you into ECC scope, the governance, access, monitoring, and supplier controls you built for NCNICC carry across to the ECC's four domains. And if you operate in financial services, you are very likely regulated by both the NCA and the Saudi Central Bank (SAMA) — and meeting one does not satisfy the other. The efficient approach is to build your control environment once, to the union of the frameworks that apply to you, and map the evidence across them rather than running three disconnected projects.
Banks, insurers, payment firms, and fintechs fall under both the NCA and SAMA's Cyber Security Framework. SecurityWall runs both programmes together so you cover both regulators in one coordinated engagement.
Explore SAMA compliance →
SecurityWall's NCNICC Compliance Support
SecurityWall is an NCA-registered cybersecurity firm helping private-sector organisations across Saudi Arabia meet NCNICC-1:2025 from first classification through to demonstrable compliance. Our team holds OSCP, OSWE, CREST, CISM, and CISSP credentials and works to the NCA's current requirements.
Classification and Scoping
- Determine whether you are Class A or Class B against the threshold table
- Map the systems, data, departments, and third parties in scope
- A clear answer on exactly which controls apply before you spend on remediation
NCNICC Gap Assessment
- Measure your current posture against every applicable NCNICC control
- A prioritised remediation roadmap with timelines and ownership
- Evidence guidance aligned to how the NCA and approved auditors assess compliance
Implementation and Audit Readiness
- Hands-on implementation of the technical controls: MFA, encryption, backups, endpoint protection, monitoring
- Policy, procedure, and governance documentation
- For Class A entities, preparation for the required independent audit
NCA-Registered and Locally Grounded
- A recognised provider within the Kingdom's regulated cybersecurity ecosystem
- Familiar with NCA expectations and the assessment process
- A single partner across NCNICC, the ECC, and SAMA where they apply
Related reading:
- What Is the NCA? Saudi Arabia's National Cybersecurity Authority Explained
- NCA ECC 2:2024 Requirements: Every Control Domain Explained
- NCA ECC Compliance Checklist (Interactive)
- SAMA Cybersecurity Compliance in Saudi Arabia
- NCA Compliance in Saudi Arabia
Frequently Asked Questions
What is NCNICC-1:2025?
NCNICC-1:2025 is the NCA's Cybersecurity Controls for Non-CNI Private Sector Entities, the first Saudi cybersecurity standard written specifically for private companies that are not Critical National Infrastructure. Released in January 2026, it is binding regulation that sets minimum cybersecurity requirements for private-sector organisations of all sizes.
Who has to comply with NCNICC-1:2025?
Private-sector organisations operating in Saudi Arabia that are not already covered by the ECC as CNI operators, whether small, medium, or large. The framework sorts entities into Class A (large) and Class B (SME) based on employee and revenue thresholds, with Class A facing the fuller set of obligations, including independent audits.
Is NCNICC-1:2025 mandatory?
Yes. The NCA has been explicit that private-sector cybersecurity compliance is no longer optional. NCNICC-1:2025 is binding regulation, in force since its January 2026 release, not voluntary guidance.
What does NCNICC-1:2025 require?
A baseline of controls across people, processes, and technology including multi-factor authentication, encryption, backups, endpoint protection, patching, and monitoring, alongside governance, risk management, supplier oversight, and the documented evidence that proves the controls operate.
How is NCNICC different from the ECC?
Both are NCA frameworks, but they cover different organisations. The ECC applies to government entities and CNI operators; NCNICC-1:2025 applies to the non-CNI private sector. If you are a private company that is not critical infrastructure, NCNICC, not the ECC, is almost certainly the framework that applies to you.
What should my company do first?
Confirm whether you are in scope and which class you fall into, then run a gap assessment against the applicable controls. Because the standard is already in force, the practical move is to start now rather than wait. SecurityWall's NCA-registered team handles classification, scoping, and gap assessment as a first step.
About Hisham Mir
Hisham Mir is a cybersecurity professional with 10+ years of hands-on experience and Co-Founder & CTO of SecurityWall. He leads real-world penetration testing and vulnerability research, and is an experienced bug bounty hunter.