Saudi Arabia
June 23, 2026

NEOM Vendor Cybersecurity Requirements


Hisham Mir

QUICK ANSWER · SAUDI ARABIA GIGA PROJECTS · 2026

Vendors supplying NEOM, Qiddiya, Red Sea Global, Diriyah Gate, and other Saudi giga projects face cybersecurity expectations from three overlapping sources: NEOM's published Cybersecurity Compliance Framework and Supplier Code of Conduct (June 2022), which require third-party suppliers to "provide reasonable assurance" of their cybersecurity adherence; the Saudi regulatory baseline of NCA ECC 2:2024 for entities touching critical infrastructure and NCNICC 1:2025 (January 2026) for every private-sector supplier; and sector-specific overlays for smart city, IoT, OT/ICS, and AI workloads that giga-projects embed by design. Vendor cybersecurity is not a single document. It is a portfolio of evidence — policies, control attestations, audit reports, breach response readiness, and supplier risk documentation — assembled before tender response, not after. This guide explains what publicly disclosed requirements exist, what the regulatory floor looks like, and how vendors typically prepare.

Key figures:

  - NEOM scale: $500B total project budget, 26,500 km²
  - NCA penalty ceiling: SAR 25M for non-compliance with NCA controls
  - Giga projects: 8+ (NEOM, Qiddiya, Red Sea, Diriyah, and more)
  - PDPL breach window: 72 hours, mandatory SDAIA notification
Source Transparency · What We Verified vs. What We Inferred

Verified from public sources: NEOM's Supplier Code of Conduct (June 2022, neom.com/content/dam/neom), the NEOM "Our Technology / Cybersecurity" page, and NEOM's Code of Conduct resources listing a "Cybersecurity Compliance Framework". These publicly state that NEOM requires third-party suppliers to provide "reasonable assurance" of cybersecurity adherence and that KSA-based suppliers face "extra legal obligations". Saudi regulatory baseline (NCA ECC 2:2024, NCNICC 1:2025, PDPL) is published by the relevant authorities.

Inferred from regulatory baseline and procurement practice: Specific control mappings, sector-by-sector requirements, and inter-project differences. NEOM's internal tender scoring criteria are not public. This guide explains the floor any reasonable giga project vendor faces, not a leaked NEOM checklist.

Saudi Arabia is delivering the largest concentrated construction and technology programme on the planet. NEOM alone runs to roughly $500 billion across approximately 26,500 km², integrating renewable energy, autonomous mobility, IoT, AI, biotechnology, and "cognitive city" data platforms in a way no project has attempted before. Sitting alongside NEOM are Qiddiya (entertainment and sports), Red Sea Global (luxury tourism), Diriyah Gate (cultural heritage), and several other giga projects, each running its own procurement, each tied to Vision 2030 deliverables, and each operating inside the Saudi cybersecurity regulatory environment.

Cybersecurity is now an explicit vendor evaluation criterion across these programmes. This guide explains what publicly disclosed requirements look like, what the Saudi regulatory floor demands of any supplier touching these projects, and how vendors typically structure their cybersecurity documentation before tender response.

Why NEOM and Saudi Giga Projects Require Vendor Cybersecurity Clearance

Three forces converge to make cybersecurity a non-negotiable line item in giga project procurement.

Project architecture is digital by design. NEOM is built as a "cognitive city" with embedded IoT, autonomous mobility, AI services, and integrated data platforms. Every vendor that connects to these systems, supplies a sensor, builds a portal, or processes personal data becomes part of the attack surface of the project as a whole. NEOM's own published material is explicit: maintaining cybersecurity standards is a stated value, and the project requires "third-party suppliers to provide reasonable assurance of their ability to adhere to our relevant cybersecurity requirements".

Saudi regulatory environment. Any vendor operating in Saudi Arabia faces the National Cybersecurity Authority (NCA) framework cluster (ECC 2:2024 for critical infrastructure and government, NCNICC 1:2025 for all private sector), the Personal Data Protection Law (PDPL) administered by SDAIA, and sector-specific overlays such as SAMA for finance and CITC's Cloud Computing Regulatory Framework (CCRF). NEOM's own supplier code explicitly notes that KSA-based suppliers "may have extra legal obligations" beyond the supplier code itself, which is a polite way of saying the regulatory floor still applies in full.

Procurement risk discipline. Giga projects are politically visible and financially material. Procurement teams are under pressure to avoid headline-grade incidents and to demonstrate due diligence. The mature playbook is the same one used at global infrastructure projects: bake cybersecurity into vendor onboarding criteria, request evidence before contract award, and require contractual continuity of controls through the engagement.

The practical consequence for vendors is straightforward. Whether you are a construction contractor running a project portal, a tech vendor supplying IoT devices, a consultancy handling personal data, or a logistics provider running a fleet management platform, your cybersecurity posture is now part of how you are evaluated.

Which Frameworks Apply to Giga Project Vendors

The applicable framework set depends on what you supply and how you connect to the project. The mapping below covers the regulatory floor every vendor should plan against.

NCA ECC 2:2024 (Essential Cybersecurity Controls). Saudi Arabia's flagship cybersecurity framework, originally written for government and critical national infrastructure (CNI). The four domains (Cybersecurity Governance, Cybersecurity Defence, Cybersecurity Resilience, Third-Party Cybersecurity) and 108 controls are the most likely shape of any cybersecurity questionnaire you will see in giga-project tendering. If you are providing services to a CNI-designated operator inside the giga project, you may be expected to align directly.

NCA NCNICC 1:2025 (Non-CNI Cybersecurity Controls). Released January 2026, this framework extends mandatory baseline controls to every private-sector company in Saudi Arabia. It classifies entities by size into Class A (large entities, full obligations including independent audit) and Class B (small and medium enterprises, lighter baseline). For most vendors, this is the floor they cannot fall below.

PDPL (Personal Data Protection Law). Royal Decree M/19, fully enforced from September 14, 2024. Any vendor processing personal data of Saudi residents falls in scope, with administrative fines up to SAR 5 million per violation. Cross-border transfer (PDPL Article 29) and breach notification within 72 hours are the operative obligations.

Sectoral overlays. Smart city and OT/ICS work brings the NCA's Operational Technology Cybersecurity Controls (OTCC). Cloud-hosted services bring CITC/CST's CCRF. Financial services components bring SAMA's Cyber Security Framework. AI workloads bring SDAIA's AI Ethics Principles and the AI Adoption Framework (November 2025). Healthcare touches bring MOH expectations.

International standards as procurement currency. ISO 27001 is the international benchmark most often referenced as evidence of a mature cybersecurity programme. ISO 27017 and ISO 27018 cover cloud-specific controls. ISO 42001 is increasingly relevant for AI deployments. SOC 2 Type II reports are accepted for SaaS vendors. None of these substitute for Saudi regulatory compliance, but they translate well when procurement teams ask "show us your evidence".

Where would your documentation land today?

Most vendors only discover their evidence gaps at the procurement review stage, when there is no time left to fix them. An honest readiness check before you bid lets you remediate, not lose the deal.


What "Cyber Clearance" Actually Means in Procurement Practice

There is no single Saudi document called a "giga project cyber clearance certificate". What procurement teams typically request is a portfolio of evidence that demonstrates the supplier's cybersecurity programme is real, current, and proportionate to the work being awarded. In practice that portfolio falls into six categories.

1. Governance evidence. A documented cybersecurity policy, named accountable officer (CISO or equivalent), board or executive oversight, and a current risk register. NEOM's published cybersecurity expectations explicitly reference governance maturity.

2. Control attestations. Evidence that core controls are implemented. Multi-factor authentication, encryption at rest and in transit, endpoint protection, vulnerability management on a defined cadence, logging and monitoring, identity and access management, and secure software development for any code being delivered.

3. Third-party audit or certification. ISO 27001 certificates are the most portable evidence. SOC 2 Type II reports work for SaaS. For higher-trust deployments, expect questions about whether your audit was performed by an NCA-recognised provider or whether your controls have been independently assessed against ECC or NCNICC.

4. Personal data documentation. Records of processing activities, lawful basis documentation under PDPL Article 6, transfer impact assessments for any cross-border data flow, and a documented breach response procedure that meets the 72-hour SDAIA notification window.

5. Supplier and subcontractor controls. Your own third parties become part of the giga project's risk surface. Procurement teams will ask how you assess and contractually bind your subcontractors, what flow-down clauses you use, and how you would notify the giga project of a downstream incident.

6. Continuity evidence. Business continuity plans, incident response plans, tested backup and recovery procedures, and tabletop exercise records. Giga project work tends to be long-cycle, so procurement teams care that the programme remains operational, not just that it existed at award.

The mature framing is to assemble this portfolio once, to the highest bar that applies to you, and reuse it across tenders. The expensive failure mode is rebuilding evidence for each tender, which produces inconsistency and creates audit risk.

Smart City and IoT Specific Security Requirements

NEOM and other Saudi giga projects are heavily instrumented. Vendors supplying smart city infrastructure, autonomous mobility components, connected building systems, energy infrastructure, or AI services face additional security expectations on top of the regulatory floor.

IoT device security. Connected devices entering the project environment should follow recognised secure-by-design baselines. The relevant references are the NCA OTCC for operational technology, IEC 62443 for industrial control systems, and the ETSI EN 303 645 baseline for consumer IoT. Procurement teams will ask about default credentials, firmware update mechanisms, signed updates, secure boot, and end-of-life support timelines.

Digital twin and platform security. Cognitive city architecture relies on digital twins, simulation environments, and aggregated data platforms. Any vendor providing components here faces both PDPL obligations (personal data flowing through the twin) and traditional platform security expectations (API security, identity, multi-tenancy isolation, data residency).

OT/ICS security. Energy, water, transport, and building management systems sit under the NCA's OTCC. Vendors supplying SCADA components, PLCs, BMS systems, or related services should align with IEC 62443 plus OTCC controls. Air-gap claims rarely survive in modern smart city deployments, so the audit focus is segmentation, monitored interfaces, and incident detection in OT environments.

Autonomous mobility security. Connected and autonomous vehicle suppliers face the additional overlay of automotive cybersecurity standards (ISO/SAE 21434 and UNECE R155 for type approval), plus the data privacy weight of telemetry that often includes location and personally identifiable patterns.

AI service security. Any AI component used in operations brings SDAIA's AI Ethics Principles, the AI Adoption Framework (November 2025), and the technical surface our previous guide covers. See our AI Security Audit for Saudi Arabia for the detailed mapping.

Cloud and data residency. CITC/CST's CCRF and NDMO data classification become operative as soon as Saudi data flows leave the on-premise environment. Cross-border transfer authorisation, SDAIA-recognised mechanisms, and data residency assertions should all be documented in advance, not negotiated mid-engagement.

How Vendor Cybersecurity Differs Across NEOM, Qiddiya, Red Sea Global, and Diriyah Gate

While each giga project runs its own procurement and has its own internal posture, the Saudi regulatory floor is identical across them. What differs is the project context, the technology mix, and therefore the sector overlays each vendor faces.

NEOM. The most digitally ambitious of the giga projects. Cognitive city architecture, autonomous mobility, integrated AI, large data platforms. Expect the heaviest weighting on IoT, OT, smart city, AI security, and platform engineering controls. The published NEOM Cybersecurity Compliance Framework is the most explicit public statement of expectations among the giga projects.

Qiddiya. Entertainment, sports, and large venue infrastructure. Major considerations are ticketing platforms and customer data (PDPL exposure), guest network and IoT in venues, payment infrastructure (PCI DSS plus SAMA for any acquiring), and crowd-safety control systems (OT overlay).

Red Sea Global. Luxury tourism, resorts, and marine environments. Heavy guest personal data (PDPL), hospitality system integrations (PMS, POS, key systems), connected resort infrastructure, and marine OT components. Customer trust is the operative business driver, so data protection maturity carries unusual procurement weight.

Diriyah Gate. Cultural and heritage destination integrated with significant residential and hospitality components. Visitor data, smart venue systems, ticketing, and connected building systems are the main domains. As with the others, the NCA regulatory floor applies in full.

Other giga projects. Sindalah (luxury island), Oxagon (NEOM industrial city), The Line (NEOM linear city), AlUla (heritage tourism), and additional programmes follow the same pattern: same Saudi regulatory baseline, different sector mix, different procurement teams.

The practical implication for a vendor selling into multiple giga projects is encouraging. The work to build a defensible cybersecurity portfolio is roughly the same across all of them. Once you have a current ISO 27001-aligned programme with documented PDPL handling, NCA control mapping, and the relevant sector overlays for your services, you are not starting from zero with each tender.

Six Questions to Ask Yourself Before the Next Tender

If you cannot confidently answer "yes" to all six, your tender response has documented evidence gaps that a competent procurement reviewer will find.

  1. Do you have a current ISO 27001 certificate, or equivalent independent attestation, dated within the last 12 months?
  2. Can you produce your records of processing activities under PDPL Article 6 within 24 hours of a request?
  3. Do you have a documented breach response procedure that meets the 72-hour SDAIA notification window?
  4. Have you mapped your existing controls against the NCA framework (ECC 2:2024 or NCNICC 1:2025) that applies to your size and sector?
  5. Do your subcontractor agreements contain cybersecurity flow-down clauses and incident-notification obligations?
  6. Is the cybersecurity questionnaire you submit consistent with what an independent auditor would say if asked the same questions?

Preparing Your Vendor Cybersecurity Documentation Before Procurement

The vendors who win consistently on cybersecurity questions have already done five things before the tender opens.

Build the master evidence pack. A single, version-controlled folder structure containing certificates, policies, attestations, audit reports, control matrices, breach response procedures, and the most recent penetration test summary. Procurement responses become extraction, not authoring.

Map controls to NCA frameworks once. A spreadsheet that maps your existing controls (ISO 27001 Annex A, NIST CSF, or SOC 2 trust criteria) to NCA ECC 2:2024 or NCNICC 1:2025 control identifiers. This makes Saudi-specific questionnaires fast and consistent. Update it annually or after any major control change.

Get an NCA-credible third party in your loop. Saudi giga project procurement teams give weight to evidence assessed by NCA-registered firms. An external readiness assessment, penetration test, or compliance audit performed by an NCA-registered provider produces evidence that procurement teams accept without translation work.

Run a tabletop annually. Document the exercise, the lessons learned, and the resulting improvements. Procurement questionnaires routinely ask whether you have tested your incident response. Saying "yes, last quarter" with documentation beats "yes, we have a plan" by a wide margin.

Be honest about what you do not do. Procurement teams discount overclaims faster than they accept gaps. If your business does not process personal data of Saudi residents, say so clearly. If a control is partially implemented, describe the maturity honestly. The goal is calibrated evidence, not maximum points on a checklist.

For organisations selling into multiple giga projects or operating broader Saudi engagements, see our NCA ECC Requirements and NCNICC 1:2025 guides for the underlying control set. For technology-specific overlays see our AI Security Audit for Saudi Arabia and Arabic LLM Security guides.

Frequently Asked Questions

Do all NEOM vendors need cybersecurity clearance? NEOM's published supplier code requires third-party suppliers to provide "reasonable assurance" of their ability to adhere to its cybersecurity requirements. In practice, the depth of cybersecurity scrutiny varies with what the vendor supplies. A vendor providing connected devices, software, or anything touching personal data faces deeper review than a non-digital goods supplier, but no supplier escapes the Saudi regulatory baseline of NCA NCNICC 1:2025 and PDPL.

What is the difference between NCA compliance and giga project vendor clearance? NCA compliance is the regulatory floor required by Saudi law for all in-scope entities operating in the Kingdom. Giga project vendor evaluation is an additional procurement-driven assessment specific to the project. NCA compliance is necessary but typically not sufficient on its own. Giga projects layer their own evaluation criteria, sector overlays, and contractual cybersecurity obligations on top.

How long does vendor cybersecurity readiness take? For an organisation already running an ISO 27001 or SOC 2 programme, mapping to Saudi frameworks and assembling the evidence pack typically takes four to eight weeks. For an organisation starting from a less mature baseline, building a defensible programme generally takes three to six months, depending on the gaps. Vendors who wait until the tender drops rarely close the gap in time.

Does this apply to subcontractors too? Yes. NEOM's supplier code explicitly applies to "vendors, partners, consultants, manufacturers, contractors, and sub-contractors". The prime contractor remains accountable for subcontractor posture, which means flow-down cybersecurity obligations in subcontractor agreements are operationally important, not just legally tidy.

What documentation do giga project procurement teams request? The typical questionnaire covers ISO 27001 or equivalent certification, the cybersecurity policy and named accountable officer, the records of processing under PDPL, recent penetration test summaries, incident response plans and exercise records, supplier and subcontractor cybersecurity controls, control mapping to NCA frameworks, and evidence of staff cybersecurity training. The exact items vary by project and category.

Is an NCA registered partner required? NCA registration of the supplier itself is not always mandatory for every category of work, but evidence assessed by an NCA-registered third party carries clear procurement weight in Saudi tendering. Working with an NCA-registered cybersecurity firm for your readiness assessment, penetration testing, or audit produces evidence that giga project procurement teams accept without additional translation.

Before Your Next Giga Project Tender

Find Your Gaps Before Procurement Does.

An NCA-registered team maps your existing controls against NEOM, Qiddiya, Red Sea, and Diriyah Gate vendor expectations. We give you a written gap report you can hand to your bid team before the tender opens, not after the rejection email.

NCA registered · OSCP, OSWE, CREST, CRT, CISM, and CISSP certified team


Tags: Saudi Arabia · NEOM · PDPL · Cybersecurity · Saudi Compliance · NCA Saudi Arabia

About Hisham Mir

Hisham Mir is a cybersecurity professional with 10+ years of hands-on experience and Co-Founder & CTO of SecurityWall. He leads real-world penetration testing and vulnerability research, and is an experienced bug bounty hunter.
